aakhtar3

Posted on Sep 26, 2020

Add SSL Cert to Nginx

#tutorial #beginners #devops #security

Add SSL Cert to Nginx

This tutorial will go over how to add a Namecheap ssl certification to your nginx web server.

Prerequisites

Purchased Namecheap Domain name + SSL

Server is remote accessible with proper software installed

Create SSL Certification

Path

The path the to certs will need to be referenced later in the nginx config.

This example will be using /root as the path.

# Key
/root/example.com.key

# CSR
/root/example.com.key.com.csr

# SSL Bundle
/root/example.com.key_com.crt
/root/intermediate.crt

# SSL Cert
/root/example.com.key.com.chained.crt

Generate CSR

A certificate signing request (CSR) generated by openssl will be used to initialize the process.

newKey rsa:2048
- Generates new private key and cert
- Using rsa:2048
nodes
- Does not encrypt private key
keyout /$PATH/example.com.key
out /$PATH/example.com.key.com.csr

openssl req \
    -newkey rsa:2048 \ 
    -nodes \
    -keyout example.com.key \
    -out example.com.key.com.csr

Submit to Namecheap

Use cat to output the value of the csr.

Copy the content and paste it to the Namecheap SSL Vendor CSR step.

cat example.com.key.com.csr

Download SSL Bundle

The SSL vendor will email you a SSL bundle which will used to create your SSL cert.

inermediate.crt

Copy the content form example.com.ca-bundle and paste it into your server to a file called inermediate.crt using nano

nano intermediate.crt

key_com.crt

Copy the content form example.com.crt and paste it into your server to a file called example.com.key_com.crt

nano example.com.key_com.crt

chained.crt

Combine the content from both certs into one file by using cat and the redirect > commands

cat example.com.key_com.crt intermediate.crt > example.com.key.com.chained.crt

Nginx Default Config

Run cat /etc/nginx/sites-enabled/default to see the config that will be edited.

Redirect HTTP:80 -> HTTPS:443

server_name $IP_ADDRESS $DOMAIN_NAME;
rewrite ^/(.*) https://example.com/$1 permanent;
- pcre regular expression
- HTTPS URI
- permanent 301 redirect

server {
    listen 80;
    server_name 192.168.0.1 example.com;
    rewrite ^/(.*) https://example.com/$1 permanent;
}

Listen HTTPS:443

ssl_certificate /$PATH/example.com.chained.crt;
ssl_certificate_key /$PATH/example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- Supported OpenSSL protocols
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
- openssl ciphers
ssl_prefer_server_ciphers on;
- User Server ciphers over client with SSLv3 and TLS

server {
    listen 443 ssl;
    server_name 192.168.0.1 example.com;

    ssl_certificate /root/example.com.chained.crt;
    ssl_certificate_key /root/example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;

    root /var/www;
    index index.html;

    location / {}
}

Restart Nginx

Verify your changes

nginx -t

Restart Server

service nginx restart

DEV Community

Add SSL Cert to Nginx

Add SSL Cert to Nginx

Prerequisites

Create SSL Certification

Path

Generate CSR

Submit to Namecheap

Download SSL Bundle

inermediate.crt

key_com.crt

chained.crt

Nginx Default Config

Redirect HTTP:80 -> HTTPS:443

Listen HTTPS:443

Restart Nginx

Verify your changes

Restart Server

Top comments (0)

Read next

Scraping New Telegram Channels

Multitenancy Is Fundamental to Shift-Left Testing

Ignite 2024 - Book Of News - DevOps Edition

Evaluating Medical Retrieval-Augmented Generation (RAG) with NVIDIA AI Endpoints and Ragas