Set Up
SSL Setup
Secure XyraPanel with a free SSL certificate using Certbot and Let's Encrypt.
The one-line installer handles SSL automatically. Only follow this guide if you installed manually or need to re-issue a certificate.
Before you start
- Your domain's A record must point to the server IP and be fully propagated
- Ports 80 and 443 must be open:
ufw allow 80/tcp && ufw allow 443/tcp
Install Certbot
sudo apt install -y certbot python3-certbot-nginx
Issue a certificate
Webroot method (recommended)
Works without stopping Nginx. Your Nginx config must already serve the ACME challenge:
location /.well-known/acme-challenge/ { root /var/www/certbot; }
Then run:
sudo mkdir -p /var/www/certbot
sudo certbot certonly --webroot -w /var/www/certbot \
-d panel.yourdomain.com \
--email you@example.com \
--agree-tos --no-eff-email
Nginx plugin method
Certbot modifies your Nginx config automatically:
sudo certbot --nginx -d panel.yourdomain.com
Enable HTTPS in Nginx
After the certificate is issued, reload Nginx to activate the 443 ssl block:
sudo nginx -t && sudo systemctl reload nginx
Certificate files are saved to:
/etc/letsencrypt/live/panel.yourdomain.com/fullchain.pem/etc/letsencrypt/live/panel.yourdomain.com/privkey.pem
Set up auto-renewal
Verify renewal works:
sudo certbot renew --dry-run
Add a cron post-hook to reload Nginx after each renewal:
( crontab -l 2>/dev/null | grep -v "certbot renew"; echo "0 3 * * * certbot renew --quiet --post-hook 'systemctl reload nginx'" ) | crontab -
Update .env
Ensure your panel URLs use https://:
.env
BETTER_AUTH_URL=https://panel.yourdomain.com
BETTER_AUTH_TRUSTED_ORIGINS=https://panel.yourdomain.com
NUXT_PUBLIC_APP_URL=https://panel.yourdomain.com
PANEL_PUBLIC_URL=https://panel.yourdomain.com
PANEL_INTERNAL_URL=http://127.0.0.1:3000
pm2 restart xyrapanel