Installing Comodo PositiveSSL Certificates on Nginx

My short write-up on how to install Comodo's PositiveSSL cert on Apache got a really great response. Well, tonight I'm installing another PositiveSSL cert, except this time on Nginx. This will be my second time installing a cert on a server running Nginx. It's slightly different but not very hard. This is a short guide on how to install an SSL certificate (a Comodo PositiveSSL cert, to be exact) on a server running Nginx.

Like I mentioned, I won't be going over everything here, just the basics. If you're looking to install a Comodo certificate on Apache, see the first guide – it has been updated with the changes Comodo has made to their PositiveSSL certificates and applies to any SSL certificate, really.

1. Get your certificate

You should have a zip file full of 4 files. Here’s mine:

  • Root CA Certificate – AddTrustExternalCARoot.crt
  • Intermediate CA Certificate – COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate – COMODORSADomainValidationSecureServerCA.crt
  • Your PositiveSSL Certificate – my_site.crt

Get rid of the Root Certificate. You don't need it: any client that can validate your certificate already has that root in its trust store (that is what makes it a root), so sending it just adds bytes to every TLS handshake. If you do need it, you'll know it and you won't be reading guides like this. Now you'll want to concatenate the three remaining certificates into a single file.

This is where Nginx and Apache differ. The Apache guide puts the chain in a separate file (SSLCertificateChainFile; Apache 2.4.8 and later also accept the chain inside SSLCertificateFile), whereas Nginx wants your domain cert and the chain certs in the same file. The order matters: your own certificate must come first, followed by the intermediate that signed it, then the intermediate that signed that one. In terms of the list above, that means working from the bottom to the top and leaving out the Root CA Certificate. Here's how:

cat my_site.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > my_site.cer
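Before you upload the bundle it is worth checking that the order is actually right. Nginx only checks that the first certificate matches the private key; a missing or mis-ordered intermediate, or a root tacked on the end, loads without complaint and only shows up later as a browser chain error or a fatter handshake. The script below is an added example, not from the original post or from Comodo: it splits a bundle into its individual certificates with awk, then uses the openssl command-line tool to confirm that each certificate's issuer is the subject of the one after it, and that the last certificate is not a self-signed root. The file name my_site.cer in the usage line and the mktemp work directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a concatenated
# PEM bundle before uploading it to Nginx.
#   - certificate i must be issued by certificate i+1 (leaf first, then
#     the intermediate that signed it, and so on up the chain)
#   - the last certificate must not be self-signed (that would be the
#     root CA, which the post says to leave out)
# Prints one line per certificate; returns non-zero on a bad bundle.
# Requires the openssl CLI. Paths are example names only.

check_chain_order() {
    bundle="$1"
    workdir=$(mktemp -d) || return 1
    # One file per certificate, zero-padded so the glob sorts in bundle order.
    awk -v dir="$workdir" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n > 0 { print > (sprintf("%s/cert%02d.pem", dir, n)) }
    ' "$bundle"
    status=0
    prev_issuer=""
    count=0
    subject=""
    issuer=""
    for cert in "$workdir"/cert*.pem; do
        [ -f "$cert" ] || { echo "no certificates found in $bundle"; rm -rf "$workdir"; return 1; }
        count=$((count + 1))
        # Strip the "subject=" / "issuer=" prefix so the two can be compared.
        subject=$(openssl x509 -noout -subject -in "$cert" | sed 's/^subject=//')
        issuer=$(openssl x509 -noout -issuer -in "$cert" | sed 's/^issuer=//')
        if [ "$count" -gt 1 ] && [ "$prev_issuer" != "$subject" ]; then
            echo "cert $count: expected subject '$prev_issuer' (issuer of cert $((count - 1))), got '$subject'"
            status=1
        fi
        echo "cert $count: subject=$subject issuer=$issuer"
        prev_issuer=$issuer
    done
    # A self-signed certificate at the end means the root CA was included.
    if [ "$subject" = "$issuer" ]; then
        echo "last certificate is self-signed: drop the root CA from the bundle"
        status=1
    fi
    rm -rf "$workdir"
    return $status
}

# Usage: check_chain_order my_site.cer
```

A zero exit status means the chain links up in the order Nginx needs. This checks the ordering only; whether the intermediates are the ones clients actually trust is what the SSL Labs test will tell you after deployment.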

Now upload the new certificate file and log back into your server:

scp my_site.cer you@your_server.com:/path/to/ssl/certificates
ssh you@your_server.com

On your server you'll have a key file which was generated with your initial CSR (certificate signing request). Make sure to protect it with chmod 400 your_site.key, owned by root; the Nginx master process runs as root and reads the key at startup, so the worker user never needs access to it.

Make sure your new certificate is where it needs to be. A good place is in /etc/ssl/localcerts (you can create that directory if it's not already there).

Open up your Nginx virtual host config file and enter this in your server block:

ssl on;
ssl_certificate /etc/ssl/localcerts/your_site.com.cer;
ssl_certificate_key /etc/ssl/localcerts/your_site.com.key;

If your listen directive already carries the ssl parameter (listen 443 ssl;, as in the sample config further down), ssl on; is redundant. It was deprecated in Nginx 1.15.0, so on newer versions use the listen parameter and leave ssl on; out.

That's all. Now test the configuration and restart the server with sudo nginx -t && sudo service nginx restart (those commands are for Ubuntu). nginx -t will catch a certificate that doesn't match the key, but not a missing or mis-ordered intermediate, so also check what the server actually sends from another machine: openssl s_client -connect your_site.com:443 -servername your_site.com should list your certificate followed by the two Comodo intermediates and, if that machine trusts the Comodo root, end with Verify return code: 0 (ok).

Bonus! Redirect www and non-HTTPS URLs to your SSL site and enable HSTS

This sample configuration will 301 redirect all non-HTTPS and all www requests to https://your_site.com. It also adds HSTS support, which is one of the requirements for an A+ on the Qualys SSL Labs test (the other is an A-grade protocol and cipher configuration, which I'll cover in a separate write-up). Two caveats before you copy it: the www redirect block terminates TLS for www.your_site.com, so your certificate's Subject Alternative Names must include that name; and HSTS is sticky, so once a browser has seen max-age=31536000 it will refuse plain HTTP to your domain for a year, even if you later break HTTPS. Test with a short max-age first. Also note that Nginx's add_header is not inherited into a location block that sets its own add_header, and that without the always parameter (Nginx 1.7.5 and later) the headers are only sent on success and redirect responses, not on the 404 page.

# Redirect http://your_site.com and http://www.your_site.com 
# to https://your_site.com
server {
    listen 80;
    listen [::]:80;
    server_name your_site.com www.your_site.com;

    return 301 https://your_site.com$request_uri;
}

# Redirect https://www.your_site.com to https://your_site.com
# (the certificate must cover www.your_site.com for this block to work)
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.your_site.com;

    ssl_certificate /etc/ssl/localcerts/your_site.com.cer;
    ssl_certificate_key /etc/ssl/localcerts/your_site.com.key;

    return 301 https://your_site.com$request_uri;
}

# HTTPS server
# This is probably the config you want - HTTPS-only no-www
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server ipv6only=on; # If you have IPv6 enabled
    server_name your_site.com;

    root /srv/www/your_site.com/public_html;
    index index.html index.htm;
    
    charset utf-8;
    
    keepalive_timeout 70;
    
    ssl_certificate /etc/ssl/localcerts/your_site.com.cer;
    ssl_certificate_key /etc/ssl/localcerts/your_site.com.key;

    # HSTS support, no iframe-ing of the site allowed, plus MIME sniffing mitigation.
    # Note: add_header is only sent on success/redirect responses unless the
    # "always" parameter (Nginx 1.7.5+) is added.
    add_header Strict-Transport-Security "max-age=31536000";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    error_log /srv/www/your_site.com/log/error.log;
    access_log /srv/www/your_site.com/log/access.log;
    
    # Error pages
    error_page 404 /404.html;
    
    # Set far-future expires on static assets (the dot must be escaped,
    # otherwise it matches any character)
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|ttf|woff|eot|svg|otf)$ {
        expires 365d;
    }

}

And there you go. I hope you enjoy it. I set this up on my DigitalOcean VPS running Ubuntu 14.04 and Nginx. I highly recommend DigitalOcean and use them for all my VPS needs now.
