DEV Community

PRADEEP KUMAR

How to buy SSL Certificate and Install on Server using Nginx on Ubuntu 14.04.

When I was developing a Rails application and deploying it on a DigitalOcean server, I had to install an SSL certificate, but I had no prior knowledge of how to buy one and install it on the server. After a lot of research, I finally added SSL to my server successfully.

This guide will describe to you:

i. The steps you have to follow to buy an SSL certificate from the domain provider.
ii. How to install the SSL certificate on the server.

i. To buy an SSL certificate from the domain provider, you first have to generate a Certificate Signing Request (CSR).

I am going to generate the CSR using OpenSSL.

Steps to Proceed with:-

  1. Log in to your server via the terminal using ssh.

    $ ssh XYZ@xx.xx.xx.xxx

  2. It is better to first create a directory inside /etc for the certificate files and switch into it.

Suppose my working directory is “/etc/ssl/ssl-certs”.

$ cd /etc/ssl/ssl-certs

Then type the command below in the terminal and press Enter.

$ openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr

Note: Make sure to replace mydomain with your own domain name, e.g. mydomain.com.

  3. You will be prompted to answer a series of questions, explained below.

Country Name — This is the two-letter abbreviation for your country. For example, the United States would be the US and Great Britain would be GB.
State or Province Name — This is the full name of the state your organization operates from. For example, this might be “California” or “Michigan”.
Locality Name — Name of the city your organization operates from. Examples might include “Lansing” or “Phoenix”. Don’t use abbreviations in this field. For example, “St. Helena” should be “Saint Helena”
Organization Name — The name of your organization. You must use your legal name.
Organizational Unit Name — If applying as a business, you can enter your “Doing Business As” (DBA) name here. Alternately, you can use a department name here. For example, “IT Department” or “Web Administration”.
Common Name — The domain name that you are purchasing an SSL certificate for. This must be a fully qualified domain name (FQDN). An example might be mydomain.com.

Note:- If you are applying for a wildcard SSL certificate, you will need to enter an asterisk for the subdomain; an example in that case might be *.mydomain.com. Never include “http://”, “https://”, or any other special characters in this field, and never include text after the top-level domain at the end. For example, your common name should end in .com, .net, or whatever other extension you are applying for.

Email Address — An email address that can be used as a point of contact for your domain. Be sure the address is valid!
A challenge password — An optional password to further secure your certificate. Be sure to remember this password if you choose to use it. It must be at least 4 characters long. You can skip this step if you like.
An optional company name — Another optional step. Fill in your company name if you wish. This is not required for web SSL certificates.

(Screenshot: generating the CSR in an Ubuntu terminal.)

Yeah, your CSR file has been generated!

To find your CSR, type the following command in the current working directory (mine is “/etc/ssl/ssl-certs”):

$ ls

You will see two new files, ending in “.csr” and “.key” respectively.

The .key file should be kept private on your server. The .csr file is your certificate signing request and can be sent to a Certificate Authority (like GoDaddy).

Now, to view the mydomain.com.csr file, type the command below.

$ cat mydomain.com.csr

and you will see the generated CSR.

(Screenshot: the generated CSR.)

You will need to copy and paste the entire contents of the CSR file to your Certificate Authority when ordering an SSL certificate.

Note: Be sure that you include the lines that read “BEGIN CERTIFICATE REQUEST” and “END CERTIFICATE REQUEST”.

If you want to decode the CSR, you can visit this link.

Download Certificate:

After proving to GoDaddy that you control the domain, check the email address you registered with GoDaddy for a message saying that your SSL certificate has been issued. Open it and follow the download certificate link (or click the Launch button next to your SSL certificate in the GoDaddy control panel).

Now click the Download button.

Select the server software you are using from the Server type drop-down menu (if you are using Apache HTTP or Nginx, select “Nginx”), then click the Download Zip File button.

Extract the ZIP archive. It should contain two .crt files: your SSL certificate (which has a random name like 146b99449cc43104.crt) and the GoDaddy intermediate certificate bundle (gd_bundle-g2-1.crt). Copy both to your web server.

So now my current working directory (“/etc/ssl/ssl-certs”) has the four files listed below.

146b99449cc43104.crt  gd_bundle-g2-1.crt  mydomain.com.csr  mydomain.com.key

The certificate is now ready to be installed on your web server. This involves adding a few SSL-related lines to your web server software configuration.
Note: If you have a firewall enabled, be sure that it allows port 443 (HTTPS).

Here I will do Nginx configurations on Ubuntu 14.04.

ii. Install Certificate on Server

You must create a single “chained” certificate file from the two files 146b99449cc43104.crt and gd_bundle-g2-1.crt, with your own certificate first and the bundle after it:

$ cat 146b99449cc43104.crt gd_bundle-g2-1.crt > mydomain.com.chained.crt

Now go to your Nginx server block configuration directory. Assuming that is located at /etc/nginx/sites-enabled, use this command to change to it:

$ cd /etc/nginx/sites-enabled

Assuming you want to add SSL to your default server block file, open it for editing:

$ sudo vi default

Find the listen directive and modify it so it looks like this:

listen 443 ssl;

Then find the server_name directive and make sure that its value matches the common name of your certificate. Also add the ssl_certificate and ssl_certificate_key directives to specify the paths of your chained certificate and private key files.

server_name mydomain.com;
ssl_certificate /etc/ssl/ssl-certs/mydomain.com.chained.crt;
ssl_certificate_key /etc/ssl/ssl-certs/mydomain.com.key;

To allow only the most secure SSL protocols and ciphers, add the following lines to the file:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
add_header Strict-Transport-Security max-age=63072000;

If you want HTTP traffic redirected to HTTPS, add this additional server block at the top of the file.

server {
    listen 80;
    server_name mydomain.com;
    return 301 https://$host$request_uri;
}

Then save and quit.

Now restart Nginx to load the new configuration and enable TLS/SSL over HTTPS!

$ sudo service nginx restart

Test it out by accessing your site via HTTPS, e.g. https://mydomain.com.

If the restart fails, test the configuration with the following command; it reports the error, which you can then fix.

$ sudo nginx -t
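A pre-flight script for the chained certificate, the private key and the common name, added here as an example and not part of the original post; the function and script names are mine, while the file names in the usage comment are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: check that the leaf certificate,
# the CA bundle and the private key the post puts in /etc/ssl/ssl-certs belong
# together, before nginx is restarted.
set -eu

# build_chain LEAF BUNDLE OUT: nginx wants the server certificate first, then
# the intermediates; the reverse order breaks chain building in clients.
build_chain() {
    cat "$1" "$2" > "$3"
    chmod 644 "$3"    # the chain is public; only the .key must stay private
}

# pubkey_fp FILE: SHA-256 of the public key (DER SubjectPublicKeyInfo), taken
# from a private key (.key) or from the first certificate in a .crt file.
pubkey_fp() {
    if grep -q '^-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -in "$1" -pubkey -noout
    else
        openssl pkey -in "$1" -pubout
    fi | openssl pkey -pubin -outform DER | openssl dgst -sha256
}

# key_matches_cert KEY CERT: the key must belong to the first certificate in
# CERT. Run it on the chained file too: that proves the leaf comes first.
key_matches_cert() {
    [ "$(pubkey_fp "$1")" = "$(pubkey_fp "$2")" ]
}
# chain_verifies CHAINED BUNDLE: the leaf must validate through the bundle
# (openssl verify also consults the system trust store for the root).
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_cn CERT: the Common Name, which must equal nginx's server_name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/.*CN=\([^,]*\).*/\1/'
}

# Usage with the post's file names, from /etc/ssl/ssl-certs:
#   sh tls-preflight.sh 146b99449cc43104.crt gd_bundle-g2-1.crt \
#       mydomain.com.key mydomain.com.chained.crt
if [ $# -eq 4 ]; then
    build_chain "$1" "$2" "$4"
    key_matches_cert "$3" "$4" || { echo "$3 does not match the first cert in $4"; exit 1; }
    chain_verifies "$4" "$2" || { echo "$4 does not verify against $2"; exit 1; }
    echo "OK: chain for CN=$(cert_cn "$4") is consistent with $3"
fi
```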

OK, now we have a nice green lock icon showing up in the web browser, but it turns out that was not enough. When I checked with the SSL Server Test, some SSL ciphers like RC4 were flagged as vulnerable, and SSL 3 is broken (my initial test score was B-…).

To fix this I changed ssl_ciphers like so:

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

My next vulnerability according to the test was weak Diffie-Hellman keys. Diffie-Hellman key exchange is a protocol with the pretty cool property that, even if attackers get their hands on your server’s private key, it is still exponentially hard for them to decipher the communication between the server and its clients. However, the default key size in OpenSSL is 1024 bits, which seems breakable with the computing power of a nation-state. So, let’s generate some better parameters.

First, generate your DH parameters with OpenSSL.

Switch into the directory where the .crt and .key files are:

$ cd /etc/ssl/ssl-certs

Then run the command below to generate the DH parameters. This can take a long time.

$ openssl dhparam -out dhparam.pem 4096

Open the server configuration file again.

$ cd /etc/nginx/sites-enabled
$ sudo vi default

and add the following line:

ssl_dhparam /etc/ssl/ssl-certs/dhparam.pem;

Now save the file and restart the server.

$ sudo service nginx restart

Yeah! SSL has been installed successfully on your server. Test it out by accessing your site, then check it again with the SSL Server Test.
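An offline check of the nginx server block for the weak settings the SSL Server Test reported, added as an example and not part of the original post; the script and function names are mine, and the config path in the usage comment is the post's.

```shell
#!/bin/sh
# Added example, not from the original post: a static check of an nginx server
# block for what the post's SSL Server Test run flagged (SSLv3/TLS 1.0-1.1,
# RC4/MD5/anonymous suites, the 1024-bit default DH group) and for the HSTS
# header the post adds. Pass the config file as the argument.
set -eu

# directive CONF NAME: value of the first NAME directive, with comments and
# the trailing ';' removed (empty if the directive is absent).
directive() {
    sed 's/#.*//' "$1" |
        awk -v n="$2" '$1 == n { $1 = ""; sub(/^ /, ""); sub(/;.*$/, ""); print; exit }'
}

# tls_findings CONF: prints one finding per line; no output means clean.
tls_findings() {
    conf="$1"
    protos=$(directive "$conf" ssl_protocols)
    # RFC 8996 deprecates TLS 1.0 and 1.1; SSLv3 is broken (POODLE).
    if printf '%s\n' "$protos" | grep -Eq 'SSLv3|TLSv1(\.1)?([[:space:]]|$)'; then
        echo "ssl_protocols offers a deprecated protocol: $protos"
    fi
    # Let OpenSSL expand the cipher string the way nginx's library does, then
    # look for anonymous suites, RC4 or an MD5 MAC in the expansion.
    ciphers=$(directive "$conf" ssl_ciphers | tr -d "'\"")
    if [ -z "$ciphers" ] || ! openssl ciphers "$ciphers" >/dev/null 2>&1; then
        echo "ssl_ciphers is missing or no suite matches: '$ciphers'"
    elif openssl ciphers -v "$ciphers" | grep -Eq 'Au=None|Enc=RC4|Mac=MD5'; then
        echo "ssl_ciphers enables anonymous, RC4 or MD5 suites"
    fi
    if [ -z "$(directive "$conf" ssl_dhparam)" ]; then
        echo "no ssl_dhparam: the 1024-bit default DH group is used"
    fi
    if ! sed 's/#.*//' "$conf" | grep -q 'Strict-Transport-Security'; then
        echo "no Strict-Transport-Security header"
    fi
}

# Usage: sh tls-audit.sh /etc/nginx/sites-enabled/default
if [ $# -eq 1 ]; then
    findings=$(tls_findings "$1")
    [ -z "$findings" ] && { echo "no findings in $1"; exit 0; }
    printf '%s\n' "$findings"
    exit 1
fi
```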

I hope this was helpful to you. If you liked this article, you are invited to leave some claps.
