Enable Auto SSL (Let’s Encrypt) or add your Own Certificate to make your website reachable over HTTPS. Nowadays, this is considered good practice and should be enabled on all websites. When SSL is enabled, access to the website by HTTP is not possible anymore but redirectet to HTTPS instead (Advanced Configuration for details).

Auto SSL (Let’s Encrypt)

We support the automatic certificat issuance by Let’s Encrypt. The certificates are automatically renewed 30 days before expiration.

Debug validation problems

In order to debug validation issues, you can use autossl-status for an easy overview. Or take a look at the global Apache error logfile at /var/log/apache2/error.log with the Generic Admin User for a detailed information. Its also possible to get an overview for the Managed Certificates on the Apache Status page.

  • Make sure that all hosts added to Server name point to the correct server (A and AAAA DNS records).

  • Let’s Encrypt will try to reach your website at the endpoint /.well-known/acme-challenge/ for validation purposes. Make sure that you do not overwrite this path somehow.


With apache-reload its possible to force a revalidation, but be aware that Let’s Encrypts limits failed validations to 5 failures per server and hour.


Certificates from Let’s Encrypt will be valid for 90 days. They are renewed automatically as soon as they expire in under 30 days. Furthermore, we check all certificates from our monitoring and will contact you if there are certificates expiring in less than 21 days.


Existing Let’s Encrypt certificates can be viewed with the Generic Admin User by running letsencrypt-show. This is useful if you want to temporarily use the old certificate on a new server.

Own Certificate

You can add your own certificate by using the SSL cert and SSL key fields within the desired websites Advanced tab.

Before installing a custom certificate, please make sure that:

  • your key matches your certificate

  • all required intermediate certificates are included

  • you used up-to-date settings to generate your key and signing request


Please contact us if you are not proficient with this topic. We are happy to guide you through the process and can also order and install custom certificates on your behalf.

Advanced Configuration

We will make sure that all required settings do match the state of the art configuration. Usually it is not required to change those settings, nevertheless it is possible and might be required in certain use cases.

Cipher Suite

Configure your desired cipher suite trough website::ssl_ciphers within the Custom JSON Server Level Configuration:

  "website::ssl_ciphers": "desired-cipher-suites"


We configure and update this value with sane defaults. Overwrite only when really required, and if you are aware of the consequences.

Diffie-Hellman parameters

Diffie-Hellman parameters are used for perfect forward secrecy. We supply default Diffie-Hellman parameters and update them on a regular schedule. If you want to use your own Diffie-Hellman parameters, you can generate them:

openssl dhparam -out /tmp/dhparam.pem 4096

and configure them trough website::ssl_dhparam within the Custom JSON Server Level Configuration:

  "website::ssl_dhparam": "-----BEGIN DH PARAMETERS-----\nMIICCAKCAgEAoOePp+Uv2M34IA+basW9CBHp/jsZihB3FI8KVRLVFJPIUJ9Llm8F\n...\n-----END DH PARAMETERS-----"

HSTS Header

By default, we add a HTTP Strict Transport Security (HSTS) header to each SSL enabled website:

Strict-Transport-Security max-age=63072000 always;

You can alter or remove the supplied defaults by editing the .htaccess file.


See the OWASP HTTP Strict Transport Security Cheat Sheet for details.


We recommend the following online services for testing: