Note: Please go to to access the current RightScale documentation set. Also, feel free to Chat with us!
Home > FAQs > How do I set up SSL?

How do I set up SSL?

Note: These instructions only apply to the 11H1 ServerTemplates. SSL is supported by default in the newer LTS and Infinity ServerTemplates. See 3 Tier Deployment Setup (PHP) for an example.


To enable SSL (TLS) with your load-balancer server(s), you must add a RightScript to your load balancer's ServerTemplate, which will:

  • Create an HTTPS virtual host (vhost) on the Apache HTTP server.
  • Perform SSL termination on the load-balancer server for incoming client connections.
  • Forward plain/unencrypted HTTP requests to application servers via HAProxy.

Note: Unencrypted HTTP requests are forwarded to the application servers on the internal network. To perform SSL termination on the application servers (behind your load balancers), please refer to the Stunnel documentation (

  1. Ensure that your load-balancer server(s) are using a security group with TCP port 443 open for SSL/TLS connections.
  2. If you would like to enable SSL on boot, ensure that you are using an editable (cloned or private) ServerTemplate. If your servers are using an imported ServerTemplate, clone the ServerTemplate and update your server(s) to use the cloned one instead.
  1. Locate your SSL server certificate and private key (in X.509/PEM format). For development and testing purposes, you may generate a self-signed certificate using a tool such as OpenSSL.

    • openssl req -new -x509 -nodes -out /tmp/public.pem -keyout /tmp/private.pem -days 365
  2. Retrieve the created files from the /tmp directory.

  3. Create credentials (Design -> Credentials) for your certificate and private key (e.g. "TLS Self-Signed Cert" and "TLS Self-Signed Key") using the certificate and key contents.

  4. Import the WEB apache FrontEnd https vhost RightScript from the MultiCloud Marketplace and add it as a boot script to your ServerTemplate, after or replacing the existing "WEB Apache frontend http vhost" boot script. (Replace the existing "http vhost" RightScript if you want to enable HTTPS connections only and disallow connections via port 80; otherwise, simply add the "https vhost" RightScript after the "http vhost" script.)

  5. Edit and save the the required input values (if not already set for your ServerTemplate, deployment, or server). 

    Set optional (OPT) inputs to "ignore" if not used.

    APPLICATION The directory for your application's web files (/home/webapps/APPLICATION/current/); e.g. testapp.

    Maintenance URI to indicate whether the page exists (based on document root).

    OPT_SSL_PASSPHRASE If your SSL certificate requires a password, you must enter it here.
    SSL_CERTIFICATE The contents of the server SSL certificate, from the certificate file; e.g. cred:TLS Self-Signed Cert.
    SSL_KEY The contents of the SSL private key file; e.g. cred:TLS Self-Signed Key.
    WEBSITE_DNS Fully qualified domain name that clients use to connect to the server; e.g.


  6. The server is now ready to launch. You can test the SSL/TLS connection by navigating to https://<WEBSITE_DNS>/ in your web browser.

Viewing 1 of 1 comments: view all
11H1 - Not edited
Posted 12:06, 24 Oct 2013
Viewing 1 of 1 comments: view all
You must to post a comment.
Last modified
21:23, 16 May 2013



This page has no classifications.



© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.