Contents
Buy
Buy an SSL cert, I'm getting a PositiveSSL Wildcard for 5 years ($39 USD/yr): https://www.ssls.com/
- Let them generate the key and CSR, it's easier
Get the domain ownership verification email sent to admin@thighhighs.top and follow the steps to enter the verification code
- Wait for domain validation to happen on their backend
- Download the archive containing the cert and CA chain bundle
Install
Updated for November 2025, there's some small changes to my environment, and the files that I get from the provider. Notably, the trust root is now "Sectigo Public Server Authentication Root R46" (a completely different chain compared to last year). And although that root is trusted by my browser, the cert bundle actually includes a higher CA that has signed it for trust: USERTrust RSA Certification Authority. That cert is self-signed and included in the bundle. What's also interesting is that last year, the bundle included a CA about that one, being signed by AAA Certificate Services. Anyway it doesn't matter now.
Copy the new key, cert, and chain ("bundle") to the server, probably illustrious, to /etc/ssl using date-based filenames:
STAR_thighhighs_top.key.2025 STAR_thighhighs_top.crt.2025 STAR_thighhighs_top.ca-bundle.2025
Concatenate the cert and the chain/bundle, in that order, this is a general purpose cert file now (apps that only want the leaf cert will just read the first cert in the file)
cat STAR_thighhighs_top.crt.2025 STAR_thighhighs_top.ca-bundle.2025 > STAR_thighhighs_top.crtbundled.2025
Generate the .p12 file for things that might need it, one of these will do. I only just figured out how to include the chain in the p12
# no chain in P12 openssl pkcs12 -export -legacy \ -inkey STAR_thighhighs_top.key.2025 \ -in STAR_thighhighs_top.crt.2025 \ -out STAR_thighhighs_top.p12.2025 \ -name unifi -password pass:unifi # with chain in P12 openssl pkcs12 -export -legacy \ -chain -untrusted STAR_thighhighs_top.ca-bundle.2025 \ -inkey STAR_thighhighs_top.key.2025 \ -in STAR_thighhighs_top.crt.2025 \ -out STAR_thighhighs_top.p12.2025 \ -name unifi -password pass:unifiUpdate all the symlinks for apps that use certs
ln -sf STAR_thighhighs_top.ca-bundle.2025 STAR_thighhighs_top.ca-bundle ln -sf STAR_thighhighs_top.crt.2025 STAR_thighhighs_top.crt ln -sf STAR_thighhighs_top.crtbundled.2025 STAR_thighhighs_top.crtbundled ln -sf STAR_thighhighs_top.key.2025 STAR_thighhighs_top.key ln -sf STAR_thighhighs_top.p12.2025 STAR_thighhighs_top.p12
- Go fix up configs or restart services that use the cert
Pihole with lighttpd: servers/calico#TLS_support
Caddy: systemctl restart caddy
nginx support
server { listen 80; listen 443 ssl; server_name thighhighs.top ; ... ssl on; ssl_certificate /etc/ssl/STAR_thighhighs_top.combined.pem; ssl_certificate_key /etc/ssl/STAR_thighhighs_top.key; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4; include /etc/nginx/fragment/gzip; }Restart nginx, add session caching and whatnot if you want: http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
Fix up the Unifi controller, these notes are a bit stale as it's not containerised, but it's basically correct: UnifiController#A_real_signed_SSL_cert_for_the_controller
- The Synology NAS uses individual key/cert/chain files; instead of Action-Renew just use Add-Replace; set it as the default system cert
- Update fenny as well, the Asustor Flashstor NAS. Its interface is surprisingly almost identical to Synology: Add, Replace, Import, upload the three files
- Test:
Improvements
Useful site: https://timtaubert.de/blog/2014/10/deploying-tls-the-hard-way/
Now figured out what to make of...
OCSP stapling
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
Exactly which certs need to be where is unclear
HSTS
Should be as easy as adding a header, best to split your http/https blocks in the config and redirect to HTTPS always.