SSL (HTTPS) is mandatory for any helpdesk — you're handling customer data, passwords, and conversations. This guide covers the fastest way to add SSL to FreeScout using Let's Encrypt (free).
Why SSL?
- ✅ Security: Encrypts all traffic between client and server
- ✅ Trust: Users see the green lock icon
- ✅ SEO: Google ranks HTTPS sites higher
- ✅ Compliance: GDPR, PCI-DSS require SSL
- ✅ Free: Let's Encrypt provides free certificates
Without SSL, every email password, ticket, and customer message is sent in plain text.
Prerequisites
You need:
- FreeScout already installed on a VPS
- A domain name pointing to your server's IP
- SSH access to your server
- nginx or apache2 web server configured
Method 1: Let's Encrypt with Certbot (Recommended)
This is the easiest and most automated method.
Step 1: Install Certbot
sudo apt install -y certbot python3-certbot-nginx
# (for Apache, use: python3-certbot-apache)
Step 2: Get Your Certificate
If using NGINX:
sudo certbot --nginx -d your-domain.com -d www.your-domain.com
If using Apache:
sudo certbot --apache -d your-domain.com -d www.your-domain.com
Certbot will:
- Verify you own the domain (via an HTTP challenge served on port 80)
- Download the certificate from Let's Encrypt
- Automatically update your web server config
- Set up auto-renewal
Important: Your domain must be pointing to your server's IP before running this. If certbot fails, wait 15–30 minutes for DNS to propagate and try again.
Step 3: Verify SSL is Working
Visit https://your-domain.com in your browser. You should see a green lock icon.
Check certificate details:
sudo certbot certificates
You should see:
- Certificate path: /etc/letsencrypt/live/your-domain.com/fullchain.pem
- Expiry date: 90 days from today (Let's Encrypt certs expire in 90 days)
Step 4: Auto-Renewal (Automatic)
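Certbot automatically sets up a scheduled job (the certbot.timer systemd unit on systemd-based systems) to renew certificates before they expire. Make sure the timer is enabled and started: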
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer
Verify it's running:
sudo systemctl status certbot.timer
Test renewal (dry-run):
sudo certbot renew --dry-run
If this succeeds, you're set. Certbot will automatically renew your certificate 30 days before expiry.
Method 2: Manual Let's Encrypt Certificate (Advanced)
If you want more control, you can manually manage Let's Encrypt certificates.
Step 1: Generate Certificate
sudo certbot certonly --webroot -w /var/www/freescout/public \
-d your-domain.com -d www.your-domain.com
This places the certificate in /etc/letsencrypt/live/your-domain.com/
Step 2: Configure NGINX Manually
Edit your NGINX server block:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name your-domain.com www.your-domain.com;
    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
    # Security best practices
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # Rest of your config...
    root /var/www/freescout/public;
    index index.php;
    # ... rest of location blocks ...
}
# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name your-domain.com www.your-domain.com;
    return 301 https://$server_name$request_uri;
}
Reload NGINX:
sudo nginx -t
sudo systemctl reload nginx
Step 3: Set Up Manual Renewal
Since you're managing it manually, you'll need a cron job to renew:
sudo crontab -e
Add:
0 3 * * * certbot renew --noninteractive --post-hook "systemctl reload nginx"
This runs renewal at 3 AM daily.
Troubleshooting SSL Issues
Issue: "Failed to verify domain ownership"
Cause: Your domain doesn't point to your server yet.
Fix:
- Check your DNS A record: dig your-domain.com
- Verify it points to your server's IP
- Wait 15–30 minutes for DNS propagation
- Try certbot again
Issue: "Port 80 is blocked"
Cause: Your firewall blocks port 80 (used for Let's Encrypt validation).
Fix:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Issue: "Certificate expires in X days"
Cause: Auto-renewal failed.
Fix:
sudo certbot renew --force-renewal
sudo systemctl restart nginx
Issue: "Wildcard certificate not working"
Wildcard certificates (*.your-domain.com) require DNS validation, not HTTP validation.
Use this instead:
sudo certbot certonly --dns-route53 -d your-domain.com -d '*.your-domain.com'
# (replace route53 with your DNS provider's certbot plugin)
For other DNS providers, install the appropriate plugin:
# Cloudflare
sudo apt install -y python3-certbot-dns-cloudflare
# DigitalOcean
sudo apt install -y python3-certbot-dns-digitalocean
# Others: check Certbot docs
SSL Security Best Practices
1. Use Strong Cipher Suites
In your NGINX config:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
2. Enable HSTS (HTTP Strict Transport Security)
Add to NGINX:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
This tells browsers to always use HTTPS for your domain.
3. Redirect HTTP to HTTPS
In NGINX:
server {
    listen 80;
    server_name your-domain.com www.your-domain.com;
    return 301 https://$server_name$request_uri;
}
4. Enable OCSP Stapling
In NGINX:
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/your-domain.com/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
Verify Your SSL Configuration
Use SSL Labs test:
- Go to https://www.ssllabs.com/ssltest/
- Enter your domain
- Grade should be A or A+ (not B or C)
Common issues that lower your grade:
- ❌ Old TLS versions (use TLS 1.2+)
- ❌ Weak ciphers (use strong ciphers list above)
- ❌ Missing HSTS header
- ❌ Self-signed certificates (use Let's Encrypt)
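Old TLS versions, a missing HSTS header and a missing HTTP redirect can be caught in the NGINX config itself before running an external scan. The lint below is an added example, not part of the original guide or of FreeScout; the function names, messages and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an nginx config read from stdin for three settings from
# this section. The check messages and both sample configs are constructed.
audit_tls_conf() {   # prints PASS/FAIL per check; returns the failure count
    body=$(sed 's/#.*//')      # drop comments so disabled lines don't count
    fails=0
    has() { printf '%s\n' "$body" | grep -Eq "$1"; }
    fail() { echo "FAIL $1"; fails=$((fails + 1)); }

    if ! has '^[[:space:]]*ssl_protocols[[:space:]]'; then
        fail "ssl_protocols not set explicitly"
    elif has 'ssl_protocols[^;]*(SSLv[23]|TLSv1([[:space:];]|\.1))'; then
        fail "ssl_protocols allows a protocol older than TLS 1.2"
    else echo "PASS ssl_protocols is TLS 1.2+ only"
    fi
    if ! has 'add_header[[:space:]]+Strict-Transport-Security'; then
        fail "HSTS header missing"
    elif ! has 'Strict-Transport-Security.*[[:space:]]always[[:space:]]*;'; then
        fail "HSTS lacks 'always', so error responses omit it"
    else echo "PASS HSTS header set with 'always'"
    fi
    if has 'return[[:space:]]+301[[:space:]]+https://'; then
        echo "PASS HTTP to HTTPS redirect present"
    else fail "no 301 redirect to https://"
    fi
    return "$fails"
}

sample_weak() { cat <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
}
sample_hardened() { cat <<'EOF'
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
server {
    listen 80;
    return 301 https://$server_name$request_uri;
}
EOF
}
sample_weak | audit_tls_conf || echo "weak sample: $? check(s) failed"
sample_hardened | audit_tls_conf && echo "hardened sample: all checks passed"
```

To check a real site, pipe its server block in, for example `audit_tls_conf < /etc/nginx/sites-enabled/your-site` (the path is a placeholder). It only reads the file; the SSL Labs scan is still the check of what the server actually negotiates.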
Certificate Expiry Tracking
Check Certificate Expiry
echo | openssl s_client -servername your-domain.com -connect your-domain.com:443 2>/dev/null | openssl x509 -noout -dates
Or with certbot:
sudo certbot certificates
Set Up Email Reminders
Certbot sends email reminders 30 days before expiry. If you're using certbot, you're already set.
If managing manually:
# Check expiry weekly
0 9 * * 1 /usr/local/bin/check-cert-expiry.sh
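The cron line above calls /usr/local/bin/check-cert-expiry.sh, which this guide does not show. One possible version follows as an added example (not the author's script); the 21-day threshold, the default certificate path and the message format are assumptions, and it relies on GNU date as shipped with Debian/Ubuntu.

```shell
#!/bin/sh
# check-cert-expiry.sh: added example of the script the cron line above calls.
# The 21-day threshold, the default path and the messages are assumptions.
CERT=${CERT:-/etc/letsencrypt/live/your-domain.com/fullchain.pem}
WARN_DAYS=${WARN_DAYS:-21}   # renewal is due at 30 days left; below 21 it has failed

# secs_left "<openssl notAfter date>" [now_epoch] -> seconds until expiry
secs_left() {
    end=$(date -u -d "$1" +%s) || return 2    # GNU date parses openssl's format
    now=${2:-$(date -u +%s)}
    echo $(( $end - $now ))
}

# classify <secs_left> <warn_days> -> OK | WARN | EXPIRED
classify() {
    if [ "$1" -le 0 ]; then echo EXPIRED
    elif [ "$1" -lt $(( $2 * 86400 )) ]; then echo WARN
    else echo OK
    fi
}

# check_cert <pem file>: prints a status line, returns 0 only when OK
check_cert() {
    not_after=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2)
    [ -n "$not_after" ] || { echo "ERROR cannot parse $1"; return 2; }
    left=$(secs_left "$not_after") || { echo "ERROR bad date: $not_after"; return 2; }
    state=$(classify "$left" "$WARN_DAYS")
    echo "$state $1: $(( $left / 86400 )) days left (notAfter $not_after)"
    [ "$state" = OK ]
}

# Cron entry point: silent when OK, so cron only mails when something is wrong.
if [ -e "$CERT" ]; then
    out=$(check_cert "$CERT") || echo "$out"
else
    echo "ERROR $CERT not found"
fi
```

Cron mails any output to the address in MAILTO, so a healthy certificate produces no mail. Files under /etc/letsencrypt/live are readable by root only, so install the job in root's crontab.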
Costs
- Let's Encrypt: FREE (renewals are also free)
- Commercial SSL (Comodo, DigiCert): $10–$100/year
There's no reason to pay for commercial SSL anymore. Let's Encrypt is trusted by all browsers and is completely free.
Summary
| Method | Setup Time | Cost | Auto-Renewal | Best For |
|---|---|---|---|---|
| Certbot + NGINX | 2 min | Free | ✅ Yes | Most teams |
| Manual Let's Encrypt | 5 min | Free | ❌ Manual | Advanced users |
| Commercial SSL | 10 min | $50+/yr | Varies | Enterprises |
Recommendation: Use certbot. It's the fastest, cheapest, and most automated method.
Next Steps
- Test SSL: Visit https://your-domain.com and verify the lock icon
- Update FreeScout settings: Go to Settings → Mail and set APP_URL=https://your-domain.com
- Force HTTPS: Update NGINX config to redirect all HTTP to HTTPS
- Monitor: Run certbot certificates monthly to verify expiry dates
You now have a secure, encrypted FreeScout installation. All customer data is protected.
Resources
- Let's Encrypt — free, automated SSL certificates
- Certbot — automatic SSL certificate tool
- SSL Labs Test — verify your SSL configuration
- Mozilla SSL Config Generator — recommended SSL configurations
- HSTS Preload List — submit your domain for browser preloading