Add SSL Cert to Nginx

This tutorial will go over how to add a Namecheap ssl certification to your nginx web server.

Prerequisites

Purchased Namecheap Domain name + SSL

Server is remote accessible with proper software installed

Create SSL Certification

Path

The path the to certs will need to be referenced later in the nginx config.

This example will be using /root as the path.

# Key
/root/example.com.key

# CSR
/root/example.com.key.com.csr

# SSL Bundle
/root/example.com.key_com.crt
/root/intermediate.crt

# SSL Cert
/root/example.com.key.com.chained.crt

Generate CSR

A certificate signing request (CSR) generated by openssl will be used to initialize the process.

• newKey rsa:2048
  • Generates new private key and cert
  • Using rsa:2048
• nodes
  • Does not encrypt private key
• keyout /$PATH/example.com.key
• out /$PATH/example.com.key.com.csr

openssl req \
    -newkey rsa:2048 \ 
    -nodes \
    -keyout example.com.key \
    -out example.com.key.com.csr

Submit to Namecheap

Use cat to output the value of the csr.

Copy the content and paste it to the Namecheap SSL Vendor CSR step.

cat example.com.key.com.csr

Download SSL Bundle

The SSL vendor will email you a SSL bundle which will used to create your SSL cert.

inermediate.crt

Copy the content form example.com.ca-bundle and paste it into your server to a file called inermediate.crt using nano

nano intermediate.crt

key_com.crt

Copy the content form example.com.crt and paste it into your server to a file called example.com.key_com.crt

nano example.com.key_com.crt

chained.crt

Combine the content from both certs into one file by using cat and the redirect > commands

cat example.com.key_com.crt intermediate.crt > example.com.key.com.chained.crt

Nginx Default Config

Run cat /etc/nginx/sites-enabled/default to see the config that will be edited.

Redirect HTTP:80 -> HTTPS:443

• server_name $IP_ADDRESS $DOMAIN_NAME;
• rewrite ^/(.*) https://example.com/$1 permanent;
  • pcre regular expression
  • HTTPS URI
  • permanent 301 redirect

server {
    listen 80;
    server_name 192.168.0.1 example.com;
    rewrite ^/(.*) https://example.com/$1 permanent;
}

Listen HTTPS:443

• ssl_certificate /$PATH/example.com.chained.crt;
• ssl_certificate_key /$PATH/example.com.key;
• ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  • Supported OpenSSL protocols
• ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  • openssl ciphers
• ssl_prefer_server_ciphers on;
  • User Server ciphers over client with SSLv3 and TLS

server {
    listen 443 ssl;
    server_name 192.168.0.1 example.com;

    ssl_certificate /root/example.com.chained.crt;
    ssl_certificate_key /root/example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;

    root /var/www;
    index index.html;

    location / {}
}

Restart Nginx

Verify your changes

nginx -t

Restart Server

service nginx restart