My short write up on how to install Comodo’s Positive SSL cert on Apache got a really great response. Well tonight I’m installing another Positive SSL cert except this time on Nginx. This will be my second time installing a cert on a server running Nginx. It’s slightly different but not very hard. This is a short guide on how to install an SSL certificate (a Comodo PositiveSSL cert to be exact) on a server running Nginx.
Like I mentioned, I won’t be going over everything here, just the basics. If you’re looking to install a Comodo certificate on Apache see the first guide – it has been updated with the changes Comodo has made to their PositiveSSL certificates and applies to any SSL certificate really.
1. Get your certificate
You should have a zip file full of 4 files. Here’s mine:
- Root CA Certificate – AddTrustExternalCARoot.crt
- Intermediate CA Certificate – COMODORSAAddTrustCA.crt
- Intermediate CA Certificate – COMODORSADomainValidationSecureServerCA.crt
- Your PositiveSSL Certificate – my_site.crt
Get rid of the Root Certificate. You don’t need it. It’s just adding bloat to your cert. If you do need it, you’ll know, and you won’t be reading guides like this. Now, you’ll want to concatenate the three remaining certificates into a single file.
This is where Nginx and Apache differ. Apache requires chains to be in a separate file and Nginx wants you to put your domain cert and the chain certs into the same file. Now, just like when you create a certificate for Apache, you’ll need to concatenate them. You’ll want to do it in reverse order. That is, go from the bottom of the list above, to the top (but do not include the Root CA Certificate). Here’s how:
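One way to do that concatenation, as an added example rather than the command from the original post: a small shell script that writes the site certificate first, then the two intermediates, and refuses any input file that does not hold exactly one certificate. The function names and the bundle file name (my_site.bundle.crt) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build the single file Nginx reads as its certificate.
# Order matters: site certificate first, then each intermediate, root left out.
# Function names and the bundle file name are assumptions for this example.

# Number of PEM certificates in a file.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Append one PEM file, dropping CRs and forcing a final newline so an END
# line never fuses with the next BEGIN line (OpenSSL cannot parse that).
append_pem() {
    _src=$1; _dst=$2
    [ -r "$_src" ] || { echo "cannot read $_src" >&2; return 1; }
    _n=$(count_certs "$_src")
    [ "$_n" -eq 1 ] || { echo "$_src: expected 1 certificate, found $_n" >&2; return 1; }
    tr -d '\r' < "$_src" >> "$_dst"
    # $(...) strips a trailing newline, so non-empty means the file lacked one.
    [ -z "$(tail -c 1 "$_src")" ] || echo >> "$_dst"
}

# build_bundle OUT SITE_CERT INTERMEDIATE...
# Writes to a temp file and renames, so a failed run leaves no partial bundle.
build_bundle() {
    _out=$1; shift
    _tmp="$_out.tmp.$$"
    : > "$_tmp"
    for _pem in "$@"; do
        append_pem "$_pem" "$_tmp" || { rm -f "$_tmp"; return 1; }
    done
    mv "$_tmp" "$_out"
}

# Usage with the files from the list above:
#   sh build_bundle.sh my_site.bundle.crt my_site.crt \
#       COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt
if [ "$#" -ge 2 ]; then
    build_bundle "$@"
fi
```

The resulting file is the one the ssl_certificate directive in your server block should point to.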
Now upload the new certificate file and log back into your server:
On your server you’ll have a key file which was generated with your initial CSR (certificate signing request). Make sure to protect it with chmod 400 your_site.key.
Make sure your new certificate is where it needs to be. A good place is in /etc/ssl/localcerts (you can create that directory if it’s not already there).
Open up your Nginx virtual host config file and enter this in your server block:
That’s all. Now just test to make sure there’s nothing wrong with your configuration and restart the server with sudo nginx -t && sudo service nginx restart (those commands are for Ubuntu).
Bonus! Redirect www and non-HTTPS URLs to your SSL site and enable HSTS
This sample configuration will 301 redirect all non-HTTPS and all www requests to https://your_site.com. It will also add HSTS support and should set you up to get an A+ on the Qualys SSL Labs test. I’ll do a writeup on the rest of the configs you’ll need to get an A+ on the SSL security test.
And there you go. I hope you enjoy it. I set this up on my DigitalOcean VPS running Ubuntu 14.04 and Nginx. I highly recommend DigitalOcean and use them for all my VPS needs now.