
How Auto-SSL Works

How Opterius automatically issues and renews Let's Encrypt SSL certificates.

Last updated 2026-04-08 (Unix time 1775606400)

Opterius uses Let's Encrypt and Certbot to issue free, trusted SSL certificates for every domain. The panel automates the entire lifecycle: issuance, Nginx configuration, and renewal.

How a Certificate Gets Issued

When you click "Issue Certificate" for a domain:

  1. The panel sends a signed request to the Agent
  2. The Agent runs certbot --nginx -d domain.com (or with --non-interactive flags)
  3. Certbot contacts Let's Encrypt and completes an HTTP-01 challenge — Let's Encrypt checks that a specific file exists at http://domain.com/.well-known/acme-challenge/...
  4. Nginx serves this challenge file from the domain's document root
  5. Let's Encrypt verifies the challenge, issues the certificate
  6. Certbot saves the certificate to /etc/letsencrypt/live/{domain}/
  7. The Agent updates the Nginx vhost to use the new certificate and enables HTTPS
  8. Nginx is reloaded

The whole process takes a few seconds. If it takes longer than ~30 seconds, something went wrong — check the SSL troubleshooting guide.
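The eight steps above are what the Agent does; the following script is an added example (not Opterius or Certbot code) that runs the same certbot --nginx call unattended and then checks that steps 6 and 7 actually happened: the four files are in Certbot's live directory with a non-world-readable private key, and the vhost references fullchain.pem and privkey.pem as described under Certificate Storage. It assumes certbot and nginx are installed and Certbot's default live directory path; the file name issue.sh is illustrative.

```bash
#!/bin/sh
# Added example, not part of Opterius: a non-interactive wrapper around the
# certbot call from step 2, plus checks that steps 6 and 7 really happened.
# Assumes certbot and nginx are installed and Certbot's default live directory.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"

# issue_cert DOMAIN EMAIL: the same certbot --nginx call as the Agent, with the
# flags that let it run unattended. The deploy hook runs after this issuance
# and after every later renewal, so Nginx always picks up the new files.
issue_cert() {
    domain="$1"; email="$2"
    certbot --nginx -d "$domain" \
        --non-interactive --agree-tos -m "$email" --no-eff-email \
        --deploy-hook "systemctl reload nginx"
}

# cert_files_present DOMAIN [LIVE_DIR]: 0 only if the four files Certbot writes
# exist and privkey.pem is not readable by "other" (a readable private key
# means anyone with a shell on the box can impersonate the site).
cert_files_present() {
    domain="$1"; live="${2:-$LIVE_DIR}"
    for f in fullchain.pem privkey.pem cert.pem chain.pem; do
        [ -f "$live/$domain/$f" ] || return 1
    done
    # ls -lL follows Certbot's symlinks into archive/; columns 8-10 are the
    # "other" permission bits.
    case "$(ls -lL "$live/$domain/privkey.pem" | cut -c8-10)" in
        ---) return 0 ;;
        *)   return 1 ;;
    esac
}

# vhost_uses_cert VHOST_FILE DOMAIN: confirm the Nginx vhost points
# ssl_certificate at fullchain.pem and ssl_certificate_key at privkey.pem
# under this domain's live directory (what the Agent should have written).
vhost_uses_cert() {
    vhost="$1"
    dom=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    grep -Eq "^[[:space:]]*ssl_certificate[[:space:]]+$LIVE_DIR/$dom/fullchain\.pem;" "$vhost" &&
    grep -Eq "^[[:space:]]*ssl_certificate_key[[:space:]]+$LIVE_DIR/$dom/privkey\.pem;" "$vhost"
}

# Usage: ./issue.sh issue example.com admin@example.com
if [ "${1:-}" = "issue" ]; then
    issue_cert "${2:?domain}" "${3:?email}"
    cert_files_present "$2"
    nginx -t
    echo "issued and installed for $2"
fi
```

The permission check matters because every file under live/ is a symlink into archive/; ls -lL follows the link so the test sees the real key file's mode rather than the symlink's.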

Async Issuance for Multiple Domains

When you issue certificates for many domains at once from the SSL Overview page (Server Mode), the Agent runs Certbot in the background for each domain concurrently (/ssl/issue-async endpoint). The panel polls for completion and updates the status as each cert is issued. This avoids timeouts when processing a large batch.

Automatic Renewal

Let's Encrypt certificates expire after 90 days. Certbot installs a systemd timer (certbot.timer) that runs certbot renew twice daily. This checks all issued certificates and renews any that are within 30 days of expiry.

The panel tracks certificate expiry dates and shows warnings in the SSL overview when a cert is expiring soon. If renewal fails (e.g., because the domain's DNS changed), you'll see the error in the SSL status page.
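To see the same expiry picture the panel shows from the server side, here is an added example (not Opterius code) that does what certbot.timer relies on: it reads the notAfter date of each leaf certificate under /etc/letsencrypt/live, computes the days remaining, and flags anything inside Certbot's 30-day renewal window, which is exactly the state you end up in when renewals have been failing silently. It assumes GNU date (for date -d) and the openssl command line; renewal_health additionally assumes systemd and uses certbot's own --dry-run so it never touches real certificates.

```bash
#!/bin/sh
# Added example, not part of Opterius: report days-to-expiry for every
# certificate Certbot manages and flag those inside the renewal window.
# Assumes GNU date (date -d), openssl, and Certbot's default live directory.
set -eu

RENEW_WINDOW_DAYS=30   # Certbot renews when fewer than 30 days remain

# days_until "Mon DD HH:MM:SS YYYY GMT": whole days from now until that
# instant, in the format openssl prints after "notAfter=". Negative = expired.
days_until() {
    end=$(date -u -d "$1" +%s)
    now=$(date -u +%s)
    echo $(( (end - now) / 86400 ))
}

# needs_renewal DAYS [WINDOW]: 0 (true) when the cert is inside the window.
needs_renewal() {
    days="$1"; window="${2:-$RENEW_WINDOW_DAYS}"
    [ "$days" -lt "$window" ]
}

# cert_end_date FILE: notAfter of the first (leaf) certificate in FILE.
cert_end_date() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# scan_live [LIVE_DIR]: one line per domain; returns 1 if any cert is inside
# the window, so this can drive an alert when certbot renew has been failing.
scan_live() {
    live="${1:-/etc/letsencrypt/live}"
    rc=0
    for dir in "$live"/*/; do
        [ -f "$dir/fullchain.pem" ] || continue
        name=$(basename "$dir")
        days=$(days_until "$(cert_end_date "$dir/fullchain.pem")")
        if needs_renewal "$days"; then
            echo "RENEW  $name  $days days left"; rc=1
        else
            echo "ok     $name  $days days left"
        fi
    done
    return $rc
}

# renewal_health: is the twice-daily timer active, and would a renewal
# succeed right now? --dry-run talks to Let's Encrypt's staging environment.
renewal_health() {
    systemctl is-active --quiet certbot.timer && certbot renew --dry-run
}

# Usage: ./cert-expiry.sh scan [/etc/letsencrypt/live]
if [ "${1:-}" = "scan" ]; then scan_live "${2:-}"; fi
```

A certificate that the scan flags but that the panel still shows as healthy usually means the renewal itself is failing (DNS changed, port 80 closed since issuance); certbot renew --dry-run reproduces the failure without consuming a real issuance.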

What Domain Ownership Verification Requires

For the HTTP-01 challenge to succeed:

  • Port 80 must be open and reachable from the internet. Let's Encrypt makes an external HTTP request — your server must be reachable.
  • The domain's DNS must point to this server — the A record must resolve to your server's IP. You can't issue a cert before DNS propagates.
  • Port 80 must not be blocked by a cloud firewall or an upstream provider (a separate layer from the server's own firewall)

If you're behind Cloudflare's proxy, Cloudflare intercepts the HTTP-01 challenge. Either temporarily disable the Cloudflare proxy (orange cloud → grey cloud) while issuing, or use a DNS-01 challenge (manual, requires Cloudflare API credentials).
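The three requirements and the Cloudflare caveat can all be checked before clicking "Issue Certificate". The script below is an added example (not Opterius or Certbot code) to run on the web server itself: it confirms the domain's A records include this server's public IP, detects Cloudflare's proxy from the Server header it adds to responses, and proves port 80 and the webroot work by placing a random token under .well-known/acme-challenge/ and fetching it over plain HTTP the way Let's Encrypt does. It assumes getent, curl and a webroot path argument; the server IP is passed in rather than discovered.

```bash
#!/bin/sh
# Added example, not part of Opterius: preflight checks for the HTTP-01
# requirements listed above. Assumes getent, curl, and that WEBROOT is the
# directory Nginx serves for the domain on port 80.
set -eu

# ip_in_list IP "IP IP ...": 0 when IP appears in the space-separated list.
ip_in_list() {
    needle="$1"
    for ip in $2; do
        [ "$ip" = "$needle" ] && return 0
    done
    return 1
}

# dns_points_here DOMAIN SERVER_IP: do the domain's A records include this
# server's public IPv4? A mismatch (stale DNS) is the commonest failure.
dns_points_here() {
    resolved=$(getent ahostsv4 "$1" | awk '{print $1}' | sort -u | tr '\n' ' ')
    ip_in_list "$2" "$resolved"
}

# looks_proxied_by_cloudflare HEADERS: Cloudflare's proxy identifies itself in
# the Server header; when it is in front, the challenge never reaches Nginx.
looks_proxied_by_cloudflare() {
    printf '%s\n' "$1" | grep -iq '^server:[[:space:]]*cloudflare'
}

# challenge_path_served DOMAIN WEBROOT: write a random token where Nginx should
# serve it (step 4) and fetch it from the outside path Let's Encrypt will use.
# The token is removed again whether or not the fetch succeeds.
challenge_path_served() {
    domain="$1"; webroot="$2"
    dir="$webroot/.well-known/acme-challenge"
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    body=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token" || true)
    rm -f "$dir/$token"
    [ "$body" = "$token" ]
}

# preflight DOMAIN SERVER_IP WEBROOT: run the checks in the order they fail
# most often and explain the first problem found.
preflight() {
    domain="$1"; server_ip="$2"; webroot="$3"
    dns_points_here "$domain" "$server_ip" || { echo "DNS for $domain does not resolve to $server_ip"; return 1; }
    headers=$(curl -sSI --max-time 10 "http://$domain/" || true)
    if looks_proxied_by_cloudflare "$headers"; then
        echo "$domain is behind Cloudflare's proxy: grey-cloud it or use DNS-01"; return 1
    fi
    challenge_path_served "$domain" "$webroot" || { echo "port 80 or webroot check failed for $domain"; return 1; }
    echo "$domain is ready for HTTP-01"
}

# Usage: ./acme-preflight.sh example.com 203.0.113.10 /var/www/example.com
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Note that a passing DNS check only shows what this server's resolver sees; if the record was just changed, a public resolver may still hand Let's Encrypt the old address until the TTL expires.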

Certificate Storage

Certificates are stored by Certbot at:

/etc/letsencrypt/live/{domain.com}/
  fullchain.pem    ← certificate + intermediates
  privkey.pem      ← private key
  cert.pem         ← certificate only
  chain.pem        ← intermediate chain only

The Nginx vhost references fullchain.pem and privkey.pem.

Next Steps