How do I add a custom/not-LE SSL certificate in v4?

I recently tried EE4 on a fresh Ubuntu 18.04 LTE. I have a wildcard SSL certificate from Comodo which I want to use, so I don’t want to use the Let’s Encrypt options. The site domain is and it’s a wp multisite subdir install. The http version of the site works but, not https. I’m just getting a ERR_CONNECTION_REFUSED in the browser when navigating to

I went through these steps after installing EE v4:

  1. ee site create --type=wp --mu=subdir --cache
  2. After a successful installation (http works), I added and to /opt/easyengine/services/nginx-proxy/certs/
  3. I copied /opt/easyengine/services/nginx-proxy/conf.d/default.conf to a new conf:
  4. I altered so it looks like this:
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
  default $http_x_forwarded_port;
  ''      $server_port;
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
  default off;
  https on;
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
access_log off;
error_log /dev/stderr;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Original-URI $request_uri;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
        server_name _; # This is just an invalid value which will never trigger on a real hostname.
        listen 80;
        access_log /var/log/nginx/access.log vhost;
        return 503;
upstream {
        # Cannot connect to network of this container
        server down;
        ## Can be connected with "ee-global-frontend-network" network
        # elanderswallmanderio_nginx_1
        # Cannot connect to network of this container
        server down;
server {
        listen 443 ;
        access_log /var/log/nginx/access.log vhost;
        ssl on;
        ssl_certificate /opt/easyengine/services/nginx-proxy/certs/;
        ssl_certificate_key /opt/easyengine/services/nginx-proxy/certs/;
        location / {
        location /ee-admin/ {
                auth_basic      "Restricted  Admin Tools";
                auth_basic_user_file    /etc/nginx/htpasswd/default_admin_tools;
                include /etc/nginx/vhost.d/default_acl;
  1. ee site reload
  2. ee service restart nginx-proxy

The result is that both the http and https URL:s show ERR_CONNECTION_REFUSED

What am I doing wrong? I couldn’t find a guide for configuring v4 for a custom SSL so I just made a wild guess how to do it.

1 Like

Did anyone manage to install any other certificate than Let’s Encrypt? How did you do it? I can only see information about LE in the docs, but there are soo many other kinds of certificates.

After reading a little, maybe I’m getting closer to the truth. So I need to enable ssl at the time of creating a new site? Does it mean that the ssl flag needs to be specified? And read something about ssl=inherit. Could that be the answer? Like so:

ee site create --type=wp --mu=subdir --cache --ssl=inherit --wildcard

The wildcard flag, I guess it must be there to support subdomains like

And if the above is correct, where do I add the ssl keys and configure nginx to find them? Do I need to do that before creating the site?

The LE certs are located in /var/lib/docker/volumes/global-nginx-proxy_certs/_data, and the global nginx.conf in /var/lib/docker/volumes/global-nginx-proxy_confd/_data/default.conf.

You could try creating an SSL site, then put the replacement certs in the above directory and change the paths in /var/lib/docker/volumes/global-nginx-proxy_confd/_data/default.conf:

ssl_certificate /etc/nginx/certs/example.com_replacement.crt;
ssl_certificate_key /etc/nginx/certs/example.com_replacement.key;
ssl_trusted_certificate /etc/nginx/certs/example.com_replacement.chain.pem;

I’m sure someone with a better understanding of SSL/EE’s SSL setup can help further… I’m just guessing. One problem I can see with doing the above is EE’s auto LE renewal feature might mess it up down the line.

hello @purbeckpixels,
I did this change of uploading the certificates to the location /var/lib/docker/volumes/global-nginx-proxy_certs/_data and updated the links in /var/lib/docker/volumes/global-nginx-proxy_confd/_data/default.conf. When i reloaded the site, it was showing connection refused. restarting nginx-proxy service shows up as successful, but site does not load. When i reverted the changes back to the lets-encrypt certificates, the site loaded.
So how can we use custom ssl certificates in place of letsencrypt ones?

Hey guys,

AFAIK, the way to use custom SSL certs is to create your site with the --ssl=self option and then replace the self-signed certificates with your own.

You can find the location of the self-signed certs for your site here:


Replace those with your custom certs, and then reload the global NGiNX proxy using the command ee service reload nginx-proxy and you’ll be good to go.


By your directive, it mean that, at creating n of the site, one need to use self signed certificate flag. What about site that has already been created using letsencrypt flag, do I need to recreate the site to use self signed certificate?

is there Anyone known the way to update SSL LE to SLL custom certificate for exist sites. please help me.