Forge + SSL

Christopher Pitt
Laravel 4 Tutorials
Jun 2, 2014

--

Laravel Forge is awesome. It’s never been easier to ship Laravel applications, even with zero sysadmin knowledge. It’s even easy to set up SSL for your site. That is what we’re going to talk about in this article.

Disclaimer

Forge is very dynamic. It’s new, and Taylor is adding features quicker than people can document. That makes this article subject to changes in Forge. Some of it may no longer be needed, by the time you encounter it. I will try to keep it updated though. Leave comments, or hit me up on Twitter, if you spot any changes.

Step 1: Provisioning Your Application

To get the ball rolling, you need to provision your application.

  1. Get an account at https://forge.laravel.com
  2. Add your server provider credentials, at https://forge.laravel.com/user/profile
  3. Create a new server
  4. Delete the default site
  5. Create a new site

For https://rebuildinglaravel.com I used DigitalOcean and GitHub. It’s very important that you delete the default site (which is created on new servers). When you have a certificate, you’ll want to redirect non-SSL requests to the main SSL landing page. If you used the default site to host your application, the redirect will not work.

Step 2: Request An SSL Certificate

Getting SSL certificates requires generating what is called a Certificate Signing Request (CSR), and sending this to a certificate authority. The authority creates the corresponding SSL certificate, and that’s what you then install on the server.

Head over to the SSL Certificates tab, on the site edit page (something like https://forge.laravel.com/servers/[server id]/sites/[site id]) and create a Signing Request.

The values you enter should be specific to you. Authorities aren’t usually picky about this data, but use the best information you can.

Once the signing request is created, you can view it by clicking View CSR. The data between BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST is the signing request, but you will want to copy all the text (including the header and footer) for when you need to submit it to the authority.

Next, you will need to decide which authority to go with. I decided to apply for an open-source certificate, with https://www.globalsign.com. You can find application details at https://www.globalsign.com/ssl/ssl-open-source. They were kind enough to grant me a certificate, for https://rebuildinglaravel.com.

Once you know who you’re going with, you’ll need to follow their processes for submitting the CSR. They’ll take a few days to approve the certificate, and probably charge a small fee (unless they’re nice like GlobalSign was).

Step 3: Installing the Certificate

Once the certificate has been approved, you’ll get an email (or whatever method the authority uses), and the certificate will look similar to the CSR. Go back to where you created the CSR, and click Install Certificate.

When you’re ready to switch the application over to SSL, click Activate Certificate.

Step 4: Redirects

If you want to support https://example.com as well as https://www.example.com formats, you’ll need to add some redirects to the Nginx config files. If not, skip to the next step.

Currently, adding multiple domain names to a single site (in Forge) requires some manual configuration. When you provisioned the new server, you should have received an email containing login details for the server.

Use these to log in:

$ ssh forge@123.123.123.123

The authenticity of host 'example.com (123.123.123.123)' can't be established.
RSA key fingerprint is a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'example.com,123.123.123.123' (RSA) to the list of known hosts.

forge@example.com's password:

Once you input the correct password, you should see something resembling:

Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)

* Documentation: https://help.ubuntu.com/

System information as of Mon Jun 2 12:19:05 SAST 2014

System load: 0.0 Processes: 82
Usage of /: 12.0% of 19.56GB Users logged in: 0
Memory usage: 27% IP address for eth0: 123.123.123.123
Swap usage: 0% IP address for eth1: 123.123.123.123

Graph this data and manage this system at:
https://landscape.canonical.com/

Last login: Mon Jun 2 09:52:25 2014 from 123.123.123.123

Obviously, all the IP addresses and domain names will be specific to your context. Please don’t ask me why your IP (123.123.123.123) isn’t working. I’ll throw a trout at you!

Thankfully Forge boxes already have an assortment of Linux utilities installed. Open the configuration file for your application in an editor, with something like:

$ sudo vim /etc/nginx/sites-available/example.com

With the certificate installed (and activated), you should see something like:

server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    root /home/forge/example.com/public;

    # ... (rest of the generated configuration)
}

Add the www version inline:

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;
    root /home/forge/example.com/public;

    # ... (rest of the generated configuration)
}

These changes tell the server to respond to both formats, and to redirect both formats from http to https.

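Depending on the kind of certificate you got, you may also need to redirect from www URLs to URLs without. Keep in mind that this redirect only happens after the TLS handshake, so browsers will still check the certificate against www.example.com before they follow it. In that case, add the following:

server {
    listen 443 ssl;
    server_name example.com www.example.com;
    root /home/forge/example.com/public;

    if ($host = 'www.example.com') {
        rewrite ^/(.*)$ https://example.com/$1 permanent;
    }

    # ... (rest of the generated configuration)
}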

Step 5: Back Up Keys

A certificate is tied to the private key that was used to generate its CSR. If you want to move the SSL certificate to another machine, and you don’t have the key file, you’re out of luck!

Just below the redirects we added, you should see a few lines resembling:

# FORGE SSL (DO NOT REMOVE!)
ssl on;
ssl_certificate /etc/nginx/ssl/example.com/123/server.crt;
ssl_certificate_key /etc/nginx/ssl/example.com/123/server.key;

A quick ls reveals three files in that folder:

  1. The original CSR
  2. The approved certificate
  3. A private key (used to generate the CSR, and checked against the approved certificate).

Back these three files up somewhere, so you can get to them in an emergency. An easy way to do this (without much bash-fu) is:

$ cat /etc/nginx/ssl/example.com/123/*

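This will output all three files, and you can copy/paste them to somewhere secure. Don’t go spreading these around. The private key is the sensitive one: anyone who holds it can impersonate your site with the certificate.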
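Before storing the backup, it is worth confirming that the three files really belong together, which is the "checked against the approved certificate" relationship from Step 5 and the CSR from Step 2. The script below is an added example, not part of the original article or of Forge: the function names are hypothetical, and the sample files are constructed throwaway material in which a self-signed certificate stands in for the one your authority issues.

```shell
#!/bin/sh
# Added example: check that a private key, a CSR and a certificate belong
# together by comparing the SHA-256 digest of the public key each one carries.

# $1 = key|csr|crt, $2 = file; prints the hex digest, fails on unreadable input.
pubkey_digest() {
  case "$1" in
    key) _pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
    csr) _pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
    crt) _pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
    *)   return 2 ;;
  esac
  # Normalise to DER so PEM formatting differences cannot change the digest.
  printf '%s\n' "$_pem" | openssl pkey -pubin -outform DER 2>/dev/null |
    openssl dgst -sha256 | awk '{print $NF}'
}

# $1 = key, $2 = CSR, $3 = certificate; succeeds only if all three agree.
files_match() {
  _k=$(pubkey_digest key "$1") || return 1
  _r=$(pubkey_digest csr "$2") || return 1
  _c=$(pubkey_digest crt "$3") || return 1
  [ "$_k" = "$_r" ] && [ "$_k" = "$_c" ]
}

# $1 = directory; writes constructed sample files (self-signed, valid 1 day).
make_sample() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" -days 1 \
    -out "$1/server.crt" 2>/dev/null
}

if command -v openssl >/dev/null 2>&1; then
  demo=$(mktemp -d) && make_sample "$demo"
  files_match "$demo/server.key" "$demo/server.csr" "$demo/server.crt" &&
    echo "key, CSR and certificate share one public key"
  # A key from a different pair must be rejected.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo/other.key" 2>/dev/null
  files_match "$demo/other.key" "$demo/server.csr" "$demo/server.crt" ||
    echo "mismatched key detected"
  rm -rf "$demo"
fi
```

On the server, point files_match at the three files in /etc/nginx/ssl/example.com/123/; the CSR's file name there is an assumption, since the article only names server.crt and server.key.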
