Installing an SSL Certificate on Nginx

Update April 2018: I’d suggest using Let’s Encrypt for this instead.

How to create and install an SSL certificate for Nginx 1.10 on Ubuntu 16.04. (Apache setup here.) This setup also gets you an A on the SSL Labs SSL Server Test, provided the certificate itself is trusted and covers every hostname you serve.

Part I: Create and Obtain your SSL Cert

1. Create your private key and certificate signing request. -nodes leaves the key unencrypted so Nginx can start without a passphrase prompt; protect it with file permissions instead (step 2). When prompted, the Common Name is your site's hostname (mysite.com):

root@ubuntu:/# openssl req -new -newkey rsa:2048 -nodes -keyout mysite.com.key -out mysite.com.csr

2. Move the .key file to a directory readable only by root. On Ubuntu, /etc/ssl/private already exists for this purpose and is root-only (this is also the path the Nginx config in Part II points at):

root@ubuntu:/# mv mysite.com.key /etc/ssl/private/.
root@ubuntu:/# chmod 400 /etc/ssl/private/mysite.com.key

3. Purchase a certificate from InCommon, GeoTrust, etc. You'll need to send them the contents of the .csr file generated in step 1. If they ask what server software or certificate format you want, choose the OpenSSL (or Nginx) option so you receive PEM-encoded files. If you will also serve www.mysite.com over HTTPS (the Part II config redirects it), make sure the certificate lists it as a Subject Alternative Name.

4. The cert (.crt file) will be emailed to the technical contact in your WHOIS record. If the vendor also sends you an intermediate file, append it to your cert. Order matters: Nginx expects your own (leaf) certificate first, followed by the intermediate(s), and the root should not be included:

root@ubuntu:/# cat intermediate.ca-bundle >> mysite.com.crt

Check the result with a text editor: if the vendor's .crt has no trailing newline, the append glues "-----END CERTIFICATE-----" and "-----BEGIN CERTIFICATE-----" onto one line, and Nginx will refuse to load the file. Each marker must sit on its own line.

5. Create a fix for the weak Diffie-Hellman problem (Logjam). Nginx 1.10 otherwise uses a built-in 1024-bit DH group for DHE cipher suites; generating your own 2048-bit parameters avoids that (this takes a few minutes on a small server):

root@ubuntu:/# openssl dhparam -out dhparams.pem 2048

6. Place both your mysite.com.crt and dhparams.pem files in /etc/ssl/certs/ .
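The six steps above, collected into one script as an added example (this is not code from the original post). It assembles the chain file in the order Nginx expects, guards against the missing-trailing-newline problem from step 4, installs the key read-only, and checks the result. The certificate bodies written by write_demo_files are constructed placeholders, not real certificates, and the directories are scratch directories standing in for /etc/ssl/certs and /etc/ssl/private; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the PEM chain file nginx
# expects (leaf first, then intermediates, no root), installs the private key
# read-only and sanity-checks the result. Directory and file names are the
# example's own choices.

# Append BUNDLE to LEAF. If LEAF has no trailing newline, add one first: a bare
# `cat bundle >> leaf` would otherwise glue END and BEGIN markers onto one line,
# which nginx refuses to load.
append_intermediate() {
    leaf=$1
    bundle=$2
    if [ -s "$leaf" ] && [ "$(tail -c 1 "$leaf" | wc -l | tr -d ' ')" -eq 0 ]; then
        printf '\n' >> "$leaf"
    fi
    cat "$bundle" >> "$leaf"
}

# Number of PEM certificate blocks in FILE (leaf + intermediates).
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1" || :
}

# Structural check: every BEGIN/END marker on its own line, properly paired,
# at least one certificate. Returns non-zero for a malformed file.
check_chain() {
    awk '
        /BEGIN CERTIFICATE/ {
            if ($0 != "-----BEGIN CERTIFICATE-----" || open) bad++
            open = 1; begins++
        }
        /END CERTIFICATE/ {
            if ($0 != "-----END CERTIFICATE-----" || !open) bad++
            open = 0; ends++
        }
        END { if (bad || open || begins == 0 || begins != ends) exit 1; exit 0 }
    ' "$1"
}

# Move KEY into DIR and make it readable by its owner only (mode 0400).
install_key() {
    key=$1
    dir=$2
    mv "$key" "$dir/"
    chmod 400 "$dir/$(basename "$key")"
}

# Permission string of FILE as ls prints it, e.g. "-r--------" for 0400.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Real-world check (needs openssl and genuine files, so the demo below skips
# it): the public key inside the certificate must match the private key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed stand-ins for the vendor's files: a leaf .crt WITHOUT a trailing
# newline (the case that bites), a bundle holding two intermediates, and a key.
write_demo_files() {
    dir=$1
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'MIIBleafCONSTRUCTED' \
        '-----END CERTIFICATE-----' > "$dir/mysite.com.crt"
    printf '%s\n%s\n%s\n%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBinter1CONSTRUCTED' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' 'MIIBinter2CONSTRUCTED' \
        '-----END CERTIFICATE-----' > "$dir/intermediate.ca-bundle"
    printf 'CONSTRUCTED PRIVATE KEY PLACEHOLDER\n' > "$dir/mysite.com.key"
}

# Demo in a scratch directory standing in for /etc/ssl/certs and /etc/ssl/private.
tmp=$(mktemp -d)
mkdir "$tmp/private"
write_demo_files "$tmp"
append_intermediate "$tmp/mysite.com.crt" "$tmp/intermediate.ca-bundle"
install_key "$tmp/mysite.com.key" "$tmp/private"
printf 'certificates in chain: %s\n' "$(cert_count "$tmp/mysite.com.crt")"
check_chain "$tmp/mysite.com.crt" && echo "chain file is well-formed"
printf 'key mode: %s\n' "$(file_mode "$tmp/private/mysite.com.key")"
rm -rf "$tmp"
```

On a real server, run key_matches_cert /etc/ssl/private/mysite.com.key /etc/ssl/certs/mysite.com.crt once the vendor's files are in place; a mismatch here is the usual cause of Nginx refusing to start with an "X509_check_private_key" error.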

Part II: Set Up Nginx

1. Create your /etc/nginx/sites-available/mysite.com-ssl file:

# Redirects http://www and http://non-www to https://non-www
server {
        listen 80;
        listen [::]:80;
        server_name www.mysite.com mysite.com;
        return 301 https://mysite.com$request_uri;
}

# Redirects https://www to https://non-www
server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name www.mysite.com;

        # This block terminates TLS too, so give it the certificate explicitly.
        # The certificate must cover www.mysite.com (as a SAN); otherwise the
        # browser rejects the connection before it ever sees the redirect.
        # ssl_ciphers and ssl_dhparam are per-server as well: repeat them here
        # or set them once in the http block of /etc/nginx/nginx.conf.
        ssl_certificate /etc/ssl/certs/mysite.com.crt;
        ssl_certificate_key /etc/ssl/private/mysite.com.key;
        return 301 https://mysite.com$request_uri;
}

server {
        listen 443 ssl;
        listen [::]:443 ssl;

        server_name mysite.com;
        root /var/www/mysite.com;

        index index.html index.php;

        # Point these to your .crt (leaf + intermediate) and .key files from Part I
        ssl_certificate /etc/ssl/certs/mysite.com.crt;
        ssl_certificate_key /etc/ssl/private/mysite.com.key;

        # Forward-secret ECDHE/DHE AES-GCM suites first, CBC and non-PFS AES
        # after them for older clients; RC4, MD5, export, anonymous and the
        # DHE 3DES suites are excluded.
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

        # Let the server, not the client, pick from the list above
        ssl_prefer_server_ciphers on;
        # Point this to your dhparams file from Part I
        ssl_dhparam /etc/ssl/certs/dhparams.pem;

}

2. Create a symlink in sites-enabled and restart Nginx. Run nginx -t first: it parses the configuration and loads the certificate and key, so a wrong path, a mismatched key or a glued chain file shows up here instead of taking the site down on restart.

root@ubuntu:/# ln -s /etc/nginx/sites-available/mysite.com-ssl /etc/nginx/sites-enabled/mysite.com-ssl
root@ubuntu:/# systemctl restart nginx
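Before the restart, a lint pass over the sites-available file catches two mistakes this page makes easy: a server block that terminates TLS without a certificate of its own, and ssl_* directives pointing at files that are not where step 2 and step 6 of Part I put them. This is an added example, not code from the original post or from Nginx; the configuration it writes is a constructed copy of the layout above (with the www block missing its certificate), the function names are the example's own, and nginx -t remains the authoritative check.

```shell
#!/bin/sh
# Added example, not from the original post. Lints a sites-available file for
# (a) "listen ... ssl" server blocks with no ssl_certificate and (b) referenced
# certificate/key/dhparam files that do not exist. Constructed config below.

# Print the server_name of every server block that has "listen ... ssl" but no
# ssl_certificate, unless ssl_certificate is set once outside any server block
# (http context, which nginx inherits). Returns 1 if any such block exists.
ssl_servers_missing_cert() {
    found=$(awk '
        { sub(/#.*/, "") }                                    # drop comments
        !in_server && /^[ \t]*ssl_certificate[ \t]/ { global_cert = 1 }
        !in_server && /^[ \t]*server[ \t]*[{]/ {
            in_server = 1; depth = 0; has_ssl = 0; has_cert = 0
            name = "(no server_name)"
        }
        in_server && /^[ \t]*listen[ \t]/ && /[ \t]ssl[ \t;]/ { has_ssl = 1 }
        in_server && /^[ \t]*ssl_certificate[ \t]/            { has_cert = 1 }
        in_server && /^[ \t]*server_name[ \t]/ {
            name = $0
            sub(/^[ \t]*server_name[ \t]+/, "", name); sub(/[ \t]*;.*/, "", name)
        }
        in_server {                                           # track nesting (location {} etc.)
            depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}")
            if (depth == 0) { if (has_ssl && !has_cert) missing[n++] = name; in_server = 0 }
        }
        END { if (!global_cert) for (i = 0; i < n; i++) print missing[i] }
    ' "$1")
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# Print each path named by ssl_certificate, ssl_certificate_key or ssl_dhparam
# that does not exist on disk.
missing_files() {
    awk '{ sub(/#.*/, "") }
         /^[ \t]*(ssl_certificate|ssl_certificate_key|ssl_dhparam)[ \t]/ {
             p = $2; sub(/;.*/, "", p); print p }' "$1" |
    sort -u | while IFS= read -r path; do
        [ -e "$path" ] || printf '%s\n' "$path"
    done
}

# Constructed configs: bad.conf mirrors the page's layout with the www block
# lacking a certificate; good.conf adds the two missing lines.
write_demo_conf() {
    dir=$1
    cat > "$dir/bad.conf" <<EOF
# Redirects https://www to https://non-www
server {
        listen 443 ssl;
        server_name www.mysite.com;
        return 301 https://mysite.com\$request_uri;
}

server {
        listen 443 ssl;
        server_name mysite.com;
        root /var/www/mysite.com;
        ssl_certificate $dir/certs/mysite.com.crt;
        ssl_certificate_key $dir/private/mysite.com.key;
        ssl_dhparam $dir/certs/dhparams.pem;
        location / { try_files \$uri \$uri/ =404; }
}
EOF
    awk -v dir="$dir" '{ print } /server_name www\.mysite\.com;/ {
        print "        ssl_certificate " dir "/certs/mysite.com.crt;"
        print "        ssl_certificate_key " dir "/private/mysite.com.key;" }' \
        "$dir/bad.conf" > "$dir/good.conf"
}

# Demo in a scratch directory; the key is deliberately left missing.
tmp=$(mktemp -d)
mkdir "$tmp/certs" "$tmp/private"
write_demo_conf "$tmp"
: > "$tmp/certs/mysite.com.crt"
: > "$tmp/certs/dhparams.pem"
echo "TLS server blocks without a certificate:"
ssl_servers_missing_cert "$tmp/bad.conf" || true
echo "after adding the certificate to the www block:"
ssl_servers_missing_cert "$tmp/good.conf" && echo "(none)"
echo "referenced files that do not exist:"
missing_files "$tmp/good.conf"
rm -rf "$tmp"
```

Point both functions at /etc/nginx/sites-available/mysite.com-ssl on the real server; an empty result from each, followed by a clean nginx -t, is what you want before the restart.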
