SSL/TLS Configuration

Secure your Trexzactyl installation with SSL/TLS certificates using Let's Encrypt.

Automatic SSL Setup

The installer includes automatic SSL certificate generation using Certbot and Let's Encrypt.

Prerequisites

Before setting up SSL:

  1. Domain Name: You need a valid domain name
  2. DNS Configuration: Domain must point to your server's IP address
  3. Ports Open: Ports 80 and 443 must be accessible
  4. Valid Email: Required for Let's Encrypt notifications

Installation with SSL

When running the installer:

bash <(curl -s http://installer.trexz.xyz/install.sh)

Select 1. Install Panel and follow the prompts:

  1. Enter your domain name (e.g., panel.example.com)
  2. Enter your email address
  3. The installer will automatically:
    • Install Certbot
    • Generate SSL certificate
    • Configure Nginx with SSL
    • Set up auto-renewal

Manual SSL Setup

If you need to set up SSL manually:

Install Certbot

sudo apt update
sudo apt install -y certbot python3-certbot-nginx

Generate Certificate

sudo certbot --nginx -d panel.example.com

Follow the prompts to:

  • Enter your email address
  • Agree to terms of service
  • Choose whether to redirect HTTP to HTTPS (recommended: yes)

Certificate Renewal

Let's Encrypt certificates expire after 90 days.

Automatic Renewal

Certbot automatically sets up a renewal timer:

sudo systemctl status certbot.timer

Manual Renewal

Test renewal:

sudo certbot renew --dry-run

Force renewal:

sudo certbot renew --force-renewal

Renewal Hooks

The installer configures automatic service reload after renewal:

sudo certbot renew --deploy-hook "systemctl reload nginx"

Nginx SSL Configuration

The installer creates an optimized SSL configuration:

server {
    listen 443 ssl http2;
    server_name panel.example.com;

    ssl_certificate /etc/letsencrypt/live/panel.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/panel.example.com/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
    ssl_prefer_server_ciphers on;

    # ... rest of configuration
}

Wildcard Certificates

For multiple subdomains, use a wildcard certificate:

sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d example.com

You'll need to add DNS TXT records as instructed.

Custom SSL Certificates

If you have your own SSL certificate:

Install Certificate

  1. Copy certificate files to the server:
     /etc/ssl/certs/your-cert.crt
     /etc/ssl/private/your-key.key
  2. Update Nginx configuration:
     ssl_certificate /etc/ssl/certs/your-cert.crt;
     ssl_certificate_key /etc/ssl/private/your-key.key;
  3. Reload Nginx:
     sudo systemctl reload nginx

Cloudflare SSL

If using Cloudflare:

Full (Strict) Mode

  1. Generate Origin Certificate in Cloudflare dashboard
  2. Install certificate on server
  3. Set SSL mode to "Full (Strict)" in Cloudflare

Configuration

# Add Cloudflare real IP
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
real_ip_header CF-Connecting-IP;

SSL Testing

Test your SSL configuration:

Online Tools

Command Line

openssl s_client -connect panel.example.com:443 -servername panel.example.com

Troubleshooting

Certificate Generation Failed

  1. Verify DNS is pointing to the server:
     nslookup panel.example.com
  2. Check the firewall:
     sudo ufw status
  3. Verify ports are open:
     sudo netstat -tlnp | grep -E ':(80|443)'

Rate Limits

Let's Encrypt has rate limits:

  • 50 certificates per domain per week
  • 5 duplicate certificates per week

If you hit the limit, wait or use staging environment for testing:

sudo certbot --staging --nginx -d panel.example.com

Certificate Not Trusted

Ensure you're using the fullchain certificate:

ssl_certificate /etc/letsencrypt/live/panel.example.com/fullchain.pem;

Not just the certificate:

# Wrong - don't use this
ssl_certificate /etc/letsencrypt/live/panel.example.com/cert.pem;
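An added check script (not part of the Trexzactyl installer or its docs) that combines the s_client test from SSL Testing, the fullchain-versus-cert.pem check above, and the expiry monitoring recommended under Security Best Practices. It assumes GNU date (Linux) and the openssl CLI; panel.example.com is the placeholder domain used on this page.

```shell
#!/bin/sh
# tls-check.sh: added helper, not part of the Trexzactyl installer or docs.
# Assumes GNU date (Linux) and the openssl CLI. panel.example.com is the
# placeholder domain used throughout this page.
set -eu

# Days until the "notAfter=<date>" line printed by `openssl x509 -noout
# -enddate` is reached; negative once the certificate has expired.
days_left() {
    end=${1#notAfter=}
    end_ts=$(date -u -d "$end" +%s)
    now_ts=$(date -u +%s)
    echo $(( (end_ts - now_ts) / 86400 ))
}

# Certbot renews at 30 days remaining; fewer than that means renewal is broken.
expiry_ok() {
    [ "$(days_left "$1")" -ge "${2:-30}" ]
}

# Number of PEM certificates in a file. fullchain.pem holds the leaf plus the
# intermediate(s), so expect 2 or more; cert.pem alone gives 1, which is the
# misconfiguration behind "certificate not trusted" errors.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Connect like the s_client test above, but keep every certificate the server
# sends (-showcerts) and report verify result, chain length and days left.
# Usage: check_remote panel.example.com [443]
check_remote() {
    host=$1; port=${2:-443}
    tmp=$(mktemp)
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -showcerts </dev/null 2>/dev/null)
    printf '%s\n' "$out" | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' >"$tmp"
    printf '%s\n' "$out" | grep -m1 'Verify return code' \
        || echo "Verify return code: none (connection failed?)"
    echo "certificates sent by server: $(cert_count "$tmp")"
    # openssl x509 reads only the first (leaf) certificate from the file
    echo "days until leaf expires: $(days_left "$(openssl x509 -noout -enddate <"$tmp")")"
    rm -f "$tmp"
}

# Run as a script: sh tls-check.sh panel.example.com
if [ "${1:-}" ]; then
    check_remote "$@"
fi
```

A server that sends only one certificate, or a "Verify return code" other than 0, is the symptom described above; fix the ssl_certificate path to fullchain.pem and rerun.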

Security Best Practices

  1. Use Strong Ciphers: Modern TLS 1.2+ only
  2. Enable HSTS: Force HTTPS
  3. Disable Old Protocols: No SSLv3, TLS 1.0, TLS 1.1
  4. Regular Updates: Keep Certbot updated
  5. Monitor Expiry: Set up alerts for certificate expiration

HSTS Configuration

Add to Nginx configuration:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Certificate Locations

Important file locations:

  • Certificates: /etc/letsencrypt/live/your-domain/
  • Renewal configs: /etc/letsencrypt/renewal/
  • Logs: /var/log/letsencrypt/