Issue and Renew SSL Certificates for Sites
Who this is for
Users who want to enable HTTPS on a site by issuing a free SSL certificate, or who need to renew an expired certificate.
Prerequisites
- The site has a domain configured (see KB-03-03: Domain and DNS).
- The domain's DNS A record already points to the server's IP address.
- The site's current sslStatus is none or expired.
- The server is running and SSH-accessible.
How SSL Works in CloudAIPilot
CloudAIPilot uses Let's Encrypt via Certbot to issue free SSL certificates for your sites. When you request SSL:
- CloudAIPilot runs Certbot on the server.
- Certbot performs an HTTP-01 challenge — Let's Encrypt visits http://yourdomain.com/.well-known/acme-challenge/… to verify that you control the domain.
- On success, Certbot installs the certificate and updates the Nginx config to redirect HTTP → HTTPS.
- CloudAIPilot updates the sslStatus to active and records the sslExpiry date.
SSL Status Values
| Status | Meaning |
|---|---|
| none | No SSL certificate — site is HTTP only |
| pending | Certificate issuance is in progress |
| active | SSL is configured and the certificate is valid |
| expired | Certificate has expired — HTTPS will show browser warnings |
How to Issue SSL
- Open the site detail.
- Confirm that the site's Domain field shows your domain (not blank).
- Confirm that visiting http://yourdomain.com in a browser shows your site (DNS is working).
- Click Issue SSL (shown on the site overview when sslStatus is none).
- Confirm in the dialog.
The sslStatus changes to pending immediately. Progress is shown in the Activity Center. Certbot typically completes within 30–60 seconds.
How to Renew an Expired Certificate
If sslStatus is expired:
- Open the site detail.
- A Renew SSL or Fix SSL button appears on the overview.
- Click it and confirm.
The renewal process is identical to initial issuance — Certbot will re-issue and reinstall the certificate.
Automatic Renewal
Let's Encrypt certificates are valid for 90 days. CloudAIPilot sets up a cron job on the server to auto-renew certificates before they expire (typically 30 days before expiry). Most certificates renew automatically without any action from you.
If a certificate expires unexpectedly, it usually means:
- The auto-renew cron job failed.
- The domain's DNS changed and no longer points to this server.
- The server was offline when renewal was attempted.
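To catch a failed auto-renew before the certificate actually expires, you can check the certificate a site serves from outside the server. The following is an added example, not CloudAIPilot code: the function names and the state labels (ok, renewal-overdue, expired, invalid, unreachable) are assumptions, and the 30-day threshold is the typical renewal window described above.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # auto-renew normally runs about 30 days before expiry


def classify(not_after: str, now: datetime) -> tuple[str, int]:
    """Map a certificate notAfter string to (state, whole days remaining)."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    remaining = expiry - now
    if remaining.total_seconds() <= 0:
        return "expired", remaining.days
    if remaining.days < RENEW_WINDOW_DAYS:
        # Still valid, but auto-renew should already have replaced it.
        return "renewal-overdue", remaining.days
    return "ok", remaining.days


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> tuple[str, str]:
    """Fetch the served certificate with full validation and classify it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # Expired, wrong hostname or untrusted chain: browsers would warn here.
        return "invalid", exc.verify_message
    except OSError as exc:
        return "unreachable", str(exc)
    state, days = classify(not_after, datetime.now(timezone.utc))
    return state, f"{days} days left (notAfter={not_after})"


if __name__ == "__main__":
    # Usage: python check_cert.py yourdomain.com [more domains...]
    results = {name: check_host(name) for name in sys.argv[1:]}
    for name, (state, detail) in results.items():
        print(f"{name}: {state} ({detail})")
    # Non-zero exit lets a scheduler or monitor alert on any problem state.
    sys.exit(0 if all(s == "ok" for s, _ in results.values()) else 1)
```

A renewal-overdue result means the certificate is still valid but the cron job has not replaced it on schedule, which leaves time to work through the causes listed above before visitors see warnings.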
What Success Looks Like
sslStatus shows active. Visiting https://yourdomain.com in a browser shows a valid padlock and no certificate warnings.
Common Issues and Fixes
| Issue | Likely cause | Fix |
|---|---|---|
| "NO_DOMAIN" error | Site has no domain set | Add a domain in site settings first. |
| "ALREADY_ACTIVE" error | SSL is already working | No action needed. |
| "ALREADY_PENDING" error | Another SSL job is running | Wait for it to complete and check Activity Center. |
| Certbot fails with "DNS not resolving" | DNS hasn't propagated | Wait and retry. Use dnschecker.org to verify DNS. |
| Certbot fails with "Too many requests" | Hit Let's Encrypt rate limit (5 failures/hour per domain) | Wait 1 hour before retrying. |
| Certbot fails with "connection refused" | Port 80 is blocked on server firewall | Open port 80 in the firewall (needed temporarily for HTTP-01 challenge). |
| Certificate expires despite auto-renew | Cron job failed or domain DNS changed | Manually renew via the Renew SSL button. |
Using Cloudflare Proxy
If your domain uses Cloudflare's orange-cloud proxy, the HTTP-01 challenge will succeed because Cloudflare forwards port 80. However, ensure Cloudflare's SSL/TLS mode is set to Full (strict) to prevent redirect loops after SSL is installed.