This guide covers everything about managing SSL/TLS certificates in Panelica — from enabling HTTPS on your first domain to uploading custom certificates and configuring security headers.
There are two ways to manage SSL certificates:
- SSL Management Page — Go to SSL in the main navigation. This shows all your domains with their SSL status in one place.
- Domain Edit > SSL Tab — Go to Domains > click Edit on any domain > select the SSL tab. This manages SSL for a single domain.
Both views offer the same features — use whichever is more convenient.
---
The SSL page has a two-panel layout:
Left Panel — Domain List
- Searchable list of all your domains
- Each domain shows its SSL status with a colored icon:
  - Green shield — Let's Encrypt certificate (trusted, free)
  - Orange file — Self-signed certificate (browsers show warning)
  - Blue file — Custom certificate (from your CA)
  - Gray lock — SSL not enabled
- Status badge shows: Active (green), Expiring (yellow, < 30 days), Expired (red), or Disabled (gray)
- Days remaining counter with color coding
- Click any domain to view its SSL details in the right panel
Right Panel — Certificate Details
Shows the selected domain's certificate information, HTTPS settings, and available actions.
---
Step 1: Select your domain from the left panel (or go to Domain Edit > SSL tab).
Step 2: In the HTTPS & Security Settings card, check Enable SSL/TLS.
Step 3: Click Save Settings.
Step 4: The SSL Actions panel appears. Click Issue Certificate to get a free Let's Encrypt certificate.
Step 5: Wait 1-2 minutes. The system will:
- Create an ACME account (first time only)
- Place a challenge file in your domain's `.well-known/acme-challenge/` directory
- Let's Encrypt verifies your domain via HTTP
- Download and install the certificate (valid for 90 days)
Step 6: Once complete, the Certificate Status card shows your certificate details — issuer, validity dates, and days remaining.
Important: Your domain's DNS A record must point to your server's IP address before Let's Encrypt can issue a certificate. Check with `dig yourdomain.com +short`. Port 80 must also be open.
---
Panelica supports three certificate types:
| Type | Cost | Validity | Auto-Renew | Browser Trust |
|---|---|---|---|---|
| Let's Encrypt | Free | 90 days | Yes (30 days before expiry) | Trusted by all browsers |
| Self-Signed | Free | 365 days | No | Not trusted (shows warning) |
| Custom | Varies | Varies | No | Trusted (if from valid CA) |
Recommendation: Use Let's Encrypt for all domains. It's free, trusted, and auto-renews.
---
After enabling SSL, you can configure these options:
1. Force HTTPS Redirect
Automatically redirects all HTTP (port 80) requests to HTTPS (port 443). Visitors who type `http://yourdomain.com` are sent to `https://yourdomain.com`.
2. Enable HSTS (HTTP Strict Transport Security)
Tells browsers to always use HTTPS for your domain. Once a browser sees this header, it will never connect via HTTP again (until the max-age expires).
HSTS Max Age options:
- 5 minutes — For testing
- 1 day — Short trial
- 1 week — Medium trial
- 30 days — Standard
- 1 year — Recommended for production sites
- 2 years — Maximum protection
Warning: Only enable HSTS after confirming HTTPS works correctly. Once set, browsers will refuse to load your site over HTTP until the max-age period expires.
3. Auto-Renew SSL
Automatically renews Let's Encrypt certificates 30 days before they expire. Enabled by default. A background job checks daily.
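Before raising the HSTS max-age, the redirect and the header can be checked from the command line. The script below is an added example, not part of Panelica; the function names are hypothetical and the sample responses are constructed so that it runs offline.

```bash
# Added example: helper names are hypothetical, sample responses are constructed.
# Input on stdin is a raw response header block as printed by `curl -sI`.

# Print max-age (seconds) from the first Strict-Transport-Security header.
# Returns 1 when the header or a numeric max-age is missing.
hsts_max_age() {
    tr -d '\r' | awk '
        tolower($0) ~ /^strict-transport-security:/ {
            n = split(substr($0, index($0, ":") + 1), part, ";")
            for (i = 1; i <= n; i++) {
                d = tolower(part[i]); gsub(/[ \t"]/, "", d)
                if (d ~ /^max-age=[0-9]+$/) { print substr(d, 9); found = 1; break }
            }
            exit   # only the first HSTS header is honoured
        }
        END { if (!found) exit 1 }'
}

# Succeed when the response is a 3xx redirect whose Location is an https:// URL.
redirects_to_https() {
    tr -d '\r' | awk '
        NR == 1 && $2 ~ /^30[1278]$/ { redirect = 1 }
        tolower($1) == "location:" && tolower($2) ~ /^https:\/\// { https = 1 }
        END { if (!(redirect && https)) exit 1 }'
}

# Grade HSTS against the panel's max-age options:
# 0 = 1 year or more, 2 = shorter trial value, 1 = header absent or max-age=0.
grade_hsts() {
    local age
    age=$(hsts_max_age) || { echo "HSTS: not set"; return 1; }
    if [ "$age" -eq 0 ]; then echo "HSTS: max-age=0 (disabled)"; return 1; fi
    if [ "$age" -ge 31536000 ]; then echo "HSTS: ${age}s (production)"; return 0; fi
    echo "HSTS: ${age}s (trial value)"; return 2
}

# Constructed sample responses for an offline run.
sample_http()  { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://yourdomain.com/\r\n\r\n'; }
sample_https() { printf 'HTTP/2 200\r\nstrict-transport-security: max-age=31536000; includeSubDomains\r\n\r\n'; }

sample_http  | redirects_to_https && echo "HTTP -> HTTPS redirect: OK"
sample_https | grade_hsts

# Live use: curl -sI http://yourdomain.com | redirects_to_https
#           curl -sI https://yourdomain.com | grade_hsts
```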
---
The SSL Actions panel provides three operations:
1. Renew Certificate (Let's Encrypt only)
Extends the certificate's validity. Use this to manually trigger renewal if auto-renew hasn't run yet.
- Only available for Let's Encrypt certificates
- Generates a fresh 90-day certificate
- Your site stays accessible during renewal
2. Reissue / Switch to Let's Encrypt
Creates a brand-new certificate. If you currently have a self-signed or custom certificate, this button says "Switch to Let's Encrypt" and replaces your current certificate with a free Let's Encrypt one.
- Backs up your existing certificate automatically
- If the new certificate fails, the backup is restored
- Takes 1-2 minutes
3. Generate Self-Signed Certificate
Creates a self-signed certificate valid for 365 days. Browsers will show a security warning. Use this only as a temporary solution — for example, while waiting for DNS propagation before switching to Let's Encrypt.
---
If you purchased a certificate from a Certificate Authority (CA) like DigiCert, Comodo, or GlobalSign:
Step 1: Scroll down to the Upload Custom Certificate section.
Step 2: Upload three files:
- Certificate File (required) — Your certificate in `.crt` or `.pem` format
- Private Key File (required) — The private key in `.key` or `.pem` format
- CA Bundle File (optional) — Intermediate certificates from your CA in `.pem` or `.ca-bundle` format
Step 3: Click Install Certificate.
The system validates:
- Certificate and private key match (cryptographic check)
- Certificate is valid for your domain (CN or SAN)
- Certificate has not expired
If validation fails, an error message explains exactly what went wrong.
Supported key formats: RSA, ECDSA, PKCS8.
---
| Status | Color | Meaning |
|---|---|---|
| Active | Green | Valid certificate installed and working |
| Expiring Soon | Yellow | Less than 30 days until expiry |
| Expired | Red | Certificate has expired — renew immediately |
| Disabled | Gray | SSL is not enabled for this domain |
| No Certificate | Yellow | SSL enabled but no certificate file installed yet |
The days-remaining counter uses the same color scheme:
- Green — More than 30 days remaining
- Orange — 8-30 days remaining
- Red — 7 days or less remaining
---
Certificates are stored in each domain's SSL directory:
```
/home/{username}/{domain.com}/ssl/
├── fullchain.pem      # Certificate + chain (Let's Encrypt / Self-signed)
├── privkey.pem        # Private key (mode 600 — owner only)
├── certificate.crt    # Custom certificate
└── ca_bundle.crt      # CA chain (custom certs only)
```
All files are owned by the domain's system user. You generally don't need to touch these files directly — the panel manages them.
---
Problem: Let's Encrypt certificate fails to issue
- Check DNS: `dig yourdomain.com +short` must return your server's IP
- Check port 80 is open: `curl -I http://yourdomain.com`
- Wait for DNS propagation (up to 48 hours after changes)
- Check rate limits: Let's Encrypt allows 5 duplicate certs per domain per week
- Check logs: `/opt/panelica/var/logs/backend/backend.log` — search for "acme"
Problem: Certificate and private key don't match
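Verify they match by comparing the MD5 hashes of the certificate's modulus and the key's modulus (this works for RSA keys only). The two hashes must be identical:
```
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5
```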
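The modulus comparison applies to RSA keys, while the upload form also accepts ECDSA and PKCS8 keys. The script below is an added example, not Panelica's own code: it compares public keys instead, so it works for every supported key type, and it repeats the three upload validations (key match, domain, expiry) locally before you upload. The function name `check_custom_cert` is hypothetical, and OpenSSL 1.1.1 or later is assumed to be on the PATH.

```bash
# Added example (hypothetical helper, not part of Panelica).
# Usage: check_custom_cert <certificate.crt> <private.key> <domain>
# Returns 0 when all three checks pass, 1 otherwise.
check_custom_cert() {
    local cert="$1" key="$2" domain="$3" rc=0
    local cert_pub key_pub

    # Public key embedded in the certificate vs. the one derived from the
    # private key. Works for RSA and ECDSA, traditional or PKCS#8 encoding.
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "FAIL: could not read certificate or private key"
        return 1
    fi
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "OK:   certificate and private key match"
    else
        echo "FAIL: certificate and private key do not match"
        rc=1
    fi

    # Hostname check against SAN (or CN when the certificate has no SAN).
    if openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null \
            | grep -q "does match certificate"; then
        echo "OK:   certificate is valid for $domain"
    else
        echo "FAIL: certificate does not cover $domain"
        rc=1
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "OK:   certificate has not expired"
    else
        echo "FAIL: certificate has expired"
        rc=1
    fi
    return "$rc"
}

# Run the check when the script is called with three arguments.
if [ "$#" -eq 3 ]; then check_custom_cert "$@"; fi
```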
Problem: Browser shows "Not Secure" despite valid certificate
- Mixed content: Your site loads some resources (images, scripts) over HTTP. Fix by updating all URLs to HTTPS.
- Enable "Force HTTPS Redirect" in HTTPS Settings.
Problem: Certificate expired and auto-renew didn't work
- Check that auto-renew is enabled in HTTPS Settings
- The backend service must be running: `pn-service status backend`
- Manually renew from the SSL Actions panel
---
- Always use Let's Encrypt — It's free, trusted, and auto-renews. No reason to use self-signed in production.
- Enable Force HTTPS — All sites should redirect HTTP to HTTPS.
- Enable HSTS — After confirming HTTPS works, set HSTS to 1 year for maximum security.
- Keep auto-renew enabled — Let's Encrypt certificates expire every 90 days. Auto-renew handles this.
- Monitor the SSL page — Periodically check for any domains with expiring or missing certificates.
- Point DNS before enabling SSL — Let's Encrypt requires HTTP validation. DNS must be configured first.
---
- Troubleshooting — Common Issues & Solutions — SSL section with more debugging steps
- First Steps After Setup — Initial domain and SSL configuration
---
Questions? Ask in General Discussion.