Applying an SSL cert to a Laravel Forge site's www. domain
!Warning: This post is over a year old. I don't always update old posts with new information, so some of this information may be out of date.
Important Note: Many SSL certificate providers now generate certs which work on both the www. and the non-www. version of your domain. If you have a provider that does this (RapidSSL does, and I've heard that Comodo does as well), follow these instructions, but instead of buying two certs, just use the same Forge cert ID in both locations.
I ran into an issue this week that ended up with some visitors to Karani seeing security errors in their browsers when they visited via a particular URL. Not good!
In Forge, if you set up karaniapp.com as a site, www.karaniapp.com will forward there. But if you buy a non-wildcard SSL cert for karaniapp.com, it won't work for www.karaniapp.com, so if someone types https://www.karaniapp.com/, it'll give a security error.
The fix? Add an SSL cert for www.karaniapp.com too.
Your site's second cert
Just like normal, generate a CSR in Forge, order a cert for www.karaniapp.com, and install it, but don't activate it (because if you activated this new SSL cert, that would deactive your primary SSL cert for karaniapp.com).
Instead, ssh into your server. sudo vim /etc/nginx/sites-available/www.karaniapp.com (or whichever domain you're adding the non-primary SSL cert to). What we're doing here is using vim (a command line editor; you can use pico or emacs or whatever else) to edit the Nginx configuration file for this site.
By default you'll just see the non-HTTPS config for a site redirect:
server {
listen 80;
server_name www.karaniapp.com;
return 301 $scheme://karaniapp.com$request_uri;
}
You'll want to add the HTTPS redirect config in here, just below the closing brace, manually.
server {
listen 80;
server_name www.karaniapp.com;
return 301 $scheme://karaniapp.com$request_uri;
}
server {
listen 443 ssl;
server_name www.karaniapp.com;
# FORGE SSL (DO NOT REMOVE!)
ssl on;
ssl_certificate /etc/nginx/ssl/karaniapp.com/12345/server.crt;
ssl_certificate_key /etc/nginx/ssl/karaniapp.com/12345/server.key;
return 301 $scheme://karaniapp.com$request_uri;
}
Notice that there's a number (12345 in this example) in the middle of the ssl_certificate and ssl_certificate_key paths. Where do you get the number from?
Log into Forge, edit your site, click the SSL Certificates tab, and scroll down to the bottom. Find the Cert Path for your non-primary SSL cert and grab the number from there.
Save that file and restart Nginx. You can either sudo service nginx restart from the command line, or visit the server in Forge, and click the refresh icon, and choose "restart Nginx".
That's it!
Comments? I'm @stauffermatt on Twitter
Tags: forge • laravel • https • ssl