No image

Adding a TLS cert for Apache and NGINX on aMiSTACX


There are many ways to proceed with implementing HTTPS on aMiSTACX. For the purpose of this article we will discuss four basic options: Free Self-Signed Placeholder, Cloudflare Free Origin Certificates, Let’s Encrypt Free Wildcard Certificates, and installing a paid certificate.


Almost ALL stacks have a placeholder self-signed cert ready to use out-of-the-box. All you have to do is use https in your URL, add the exception to your browser, and you are good to go.

You can even leverage the placeholder certs even further by using Cloudflare and using their FULL TLS option to point to the placeholder cert, thus enabling end-to-end encryption, and avoiding the need to add an exception. As long as their CDN is ON, everything will be valid and secure.

Cloudflare Free Origin Certificates

aMiSTACX started to use CF origin certificates in 2020, and have been very pleased with ease of use and security. The main benefit besides that they are provided at no cost is their default expiration is set to 15 years. Let’s Encrypt has to be renewed every three months, and paid certificates at least every year.

How to install Cloudflare Origin Certs >>

Tip: Area 51 has Cloudflare API integration so it makes sense to make use of Cloudflare for your CDN, WAF, and DNS.

Let’s Encrypt Free Wildcard Certificates

Let’s Encrypt has been offering wildcard TLS certificates since the January 2018, and aMiSTACX has the Let’s Encrypt agent certbot-auto [G3, G4] or certbot [G5] pre-installed.

This should cover all aMiSTACX G3/G4/G5s running on Ubuntu 16, 18, & 20 LAMP and LEMP stacks.

How to install Let’s Encrypt Wildcard Certificates >>

Installing a Paid Certificate

How to generate a CSR for paid certificates >>


HTTP to HTTPS Redirection

NGINX HTTP to HTTPS Redirection

There are many ways to accomplish HTTP to HTTPS redirection, so we’ll discuss two simple options that work!

  1. Use Cloudflare to handle HTTP to HTTPS redirects via a page rule or their Always HTTPS. This process is actually more efficient as it keeps redirection processing at the CDN edge.
  2. Local server processing. To enable local HTTP to HTTPS server processing, you will need to remove the comment “#” from these sections.

    NGINX Http to Https

  3. Save file! And from from CLI: sudo service nginx restart


Overall all of the above are easy to implement, with the most cumbersome solution being the paid certificate option. Should you require any assistance, please check our site or make use of our bot first, before contacting support. It’s just humans are slower to respond.

~ Lead_Robot