How to run a website on nginx with a SSL certificate from PositiveSSL
Offering a secure connection has become a good practice in previous years. It has also been a ranking signal for Google lately. Here is a short guide on how to install a cheap but trustworthy certificate on nginx.
Create an SSL directory
First of all, create a directory where all the requests and certificates belong to:
sudo mkdir /etc/nginx/ssl && cd /etc/nginx/ssl
Create a Server Key
The next step is to create a key for the certificate you're installing later on:
sudo openssl genrsa -des3 -out {domainname}.key 2048
Replace {domainname} with the real domain name of your website and remember the password you have to provide here.
Create a Certificate Signing Request
sudo openssl req -new -key {domainname}.key -out {domainname}.csr
Important: The requested common name should be the domain name you want to secure (at least in most cases).
Remove the Password from the Server Key
If your key file is password protected, that password must be provided each time the key file is used (on each (re-)start of nginx, for example). So it's probably a good compromise to remove it.
sudo cp {domainname}.key {domainname}.key.org
sudo openssl rsa -in {domainname}.key.org -out {domainname}.key
Order your Certificate
Now go and order your certificate. I have made good experiences with the cheap PositiveSSL certificates; they are currently as cheap as 7,55 EUR/year at namecheap.com and maybe even less expensive elsewhere.
Install the Positive SSL Certificate for nginx
Copy the files you got to /etc/nginx/ssl
The zip archive you received via email should contain the following files.
- AddTrustExternalCARoot.crt
- COMODORSAAddTrustCA.crt
- COMODORSADomainValidationSecureServerCA.crt
- {domainname}.crt
Copy them all to the SSL directory.
Chain the Certificates
Your {domainname}.crt will work out of the box for most browsers. However, some will reject the certificate, which results in an unusable site for your users. That occurs especially on current Android devices (tested with Android 5.0).
The reason for that is, frankly speaking, that these browsers don't know the source of the certificate. That can easily be changed by providing the information. To do so, chain the certificates you just copied to /etc/nginx/ssl.
sudo bash -c 'cat {domainname}.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt AddTrustExternalCARoot.crt > {domainname}-chained.crt'
Configure your nginx server
Now add or edit your server's configuration and provide the following:
server {
listen 443;
server_name {yourdomain};
location / {
# Configuration as usual
}
ssl on;
ssl_certificate /etc/nginx/ssl/{domainname}-chained.crt;
ssl_certificate_key /etc/nginx/ssl/{domainname}.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
}
That's it
Now you should be able to connect through HTTPS to your website - congratulations!
PS: If you want to make sure everything is configured correctly from a security standpoint, check out the Qualsys SSL Server Test.
Update
Thilo pointed out that there is even a serious offer of free certificates provided by StartSSL. I will give it a try in the future.
What do you think? Drop me a line and let me know!