How to configure SSL Certificate on Nginx server


STEPS TO INSTALL SSL CERTIFICATE

In this article, we are going to install an SSL certificate on Nginx Webserver.

I will also explain each step in detail: creating the CSR and key, submitting the CSR to GoDaddy, downloading the SSL certificate, and so on.

If you don’t know how to buy SSL from Godaddy then read my article on How to buy the SSL certificate from Godaddy.

Let’s start with the installation of the SSL certificate on the Nginx Webserver.

Step 1: Generate the CSR Certificate on the server

Log in to the server over SSH and make sure the OpenSSL command is installed.

The OpenSSL command is used to generate the CSR and key file on the server.

What is CSR?

  • A CSR, or Certificate Signing Request, is a block of encrypted text which is generated on the server. It contains information such as the organization name, common name, locality, etc.

Run the following commands to generate the CSR certificate:

$ mkdir -p /etc/nginx/ssl && cd /etc/nginx/ssl

First, we need to create a key, which we are going to use to generate the CSR:

$ openssl genrsa -out www.linuxgrow.com.key 2048
$ openssl req -new -key www.linuxgrow.com.key -out www.linuxgrow.com.csr

While running the above command you will be asked some questions. Answer them carefully, otherwise GoDaddy may reject your CSR.

Below are the fields you need to fill in as per your SSL requirement:

  • Country Name (2 letter code) [AU]: IN
  • State or Province Name (full name) [Some-State]: MAHARASHTRA
  • Locality Name (eg, city) []: MUM
  • Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linuxgrow
  • Organizational Unit Name (eg, section) []:LG
  • Common Name (e.g. server FQDN or YOUR name) []:linuxgrow.com
  • Email Address []:[email protected]

Note: In the Common Name section give your website name for which you want an SSL certificate.

Step 2: Verify CSR & Key

To verify that the CSR and key belong together, compare the MD5 hash of the modulus of each file. If the two MD5 hashes match, the CSR and key were generated properly.

Run the following commands to check the MD5 hashes:

TO CHECK KEY : openssl rsa -noout -modulus -in www.linuxgrow.com.key | openssl md5

(stdin)= 806f035dd9c7dc1771fe804c7d9460fb

TO CHECK CSR : openssl req -noout -modulus -in www.linuxgrow.com.csr | openssl md5

(stdin)= 806f035dd9c7dc1771fe804c7d9460fb

Step 3: Submit CSR on Godaddy

Now we will be submitting the CSR certificate on the Godaddy panel. 

Once you log in to GoDaddy, go to “Manage SSL” and click on the “Set Up” button.

After this, GoDaddy adds an SSL certificate to your account; then click on the “Manage” button.

Now open the CSR file with the below command and paste it into Godaddy CSR submit box on the GoDaddy panel.

$ cat www.linuxgrow.com.csr

Copy the encrypted text from the CSR file and paste it into the submit box.

Step 4: CSR Verification

Once you upload the CSR, GoDaddy generates an “.html” file for verification. Store this file under the document root of the website on the server.

With the help of this .html file, they will verify your domain name. Once the verification process is complete, you will get the SSL certificate for download.

Please check the below screenshot for reference.

[Screenshot: Download SSL certificate]

Note: Refresh the browser page if the verification progress appears stuck. After refreshing the page, you will see that the verification process has completed successfully.

Step 5: Configure SSL in Nginx

Now copy the downloaded SSL zip file to the server where we generated the CSR.

$ cd /etc/nginx/ssl && unzip sslcert.zip

After unzipping the file we get the files below. We will merge these files to create the final SSL certificate.

- 12552dc03a661ad4.crt
- gd_bundle-g2-g1.crt

Now merge the two files above to create the final “.crt” certificate. The server certificate must come first in the merged file, followed by the bundle.

$ cat 12552dc03a661ad4.crt gd_bundle-g2-g1.crt > www.linuxgrow.com.final.crt

We now have both files required to configure Nginx: the key file and the certificate file.
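Before pointing Nginx at these files, the Step 2 comparison can be repeated with the issued certificate included. The script below is an added example, not part of the original article: it hashes the public key itself with SHA-256 instead of the RSA modulus with MD5, so it also works for non-RSA keys. The function names and the throwaway demo files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): check that a key, CSR and certificate
# all carry the same public key, using SHA-256 over the DER-encoded public key.

# pub_fp TYPE FILE -> prints the fingerprint; TYPE is key, csr or crt.
pub_fp() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)   return 2 ;;
    esac
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_key KEY CSR [CRT] -> exit status 0 only if every file given matches KEY.
same_key() {
    k=$(pub_fp key "$1") || return 1
    c=$(pub_fp csr "$2") || return 1
    [ "$k" = "$c" ] || return 1
    if [ -n "$3" ]; then
        x=$(pub_fp crt "$3") || return 1
        [ "$k" = "$x" ] || return 1
    fi
    return 0
}

# Constructed demo data: throwaway files in a temp dir (hypothetical names),
# standing in for www.linuxgrow.com.key, .csr and .final.crt.
demo=$(mktemp -d)
openssl genrsa -out "$demo/a.key" 2048 2>/dev/null
openssl genrsa -out "$demo/b.key" 2048 2>/dev/null
openssl req -new -key "$demo/a.key" -subj "/CN=example.test" -out "$demo/a.csr"
openssl req -new -x509 -key "$demo/a.key" -subj "/CN=example.test" -days 1 -out "$demo/a.crt"

same_key "$demo/a.key" "$demo/a.csr" "$demo/a.crt" && echo "a.key matches the CSR and certificate"
same_key "$demo/b.key" "$demo/a.csr" || echo "b.key does not match the CSR"
```

When run against the merged file, openssl x509 reads only the first certificate in it, so the check passes only if the server certificate was placed before the bundle.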

Add the SSL configuration below to the Nginx configuration file:

$ vim /etc/nginx/nginx.conf

# Add the block below inside the http section of nginx.conf, or create a separate .conf file as per your requirement.
server {
  listen 443 ssl;   # "ssl" here enables TLS; the deprecated "ssl on;" directive is not needed
  root  /mnt/data/linuxgrow;
  server_name  linuxgrow.com www.linuxgrow.com;
  access_log  /var/log/nginx/access_website_SSL.log main;
  error_log /var/log/nginx/error_website_SSL.log;
  client_max_body_size 200M;
  client_header_buffer_size 32k;
  large_client_header_buffers 8 32k;

  # SSL configuration (paths match the /etc/nginx/ssl directory used in Steps 1 and 5)
  ssl_certificate     /etc/nginx/ssl/www.linuxgrow.com.final.crt;
  ssl_certificate_key /etc/nginx/ssl/www.linuxgrow.com.key;
  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0+ built with OpenSSL 1.1.1+
  ssl_protocols TLSv1.2 TLSv1.3;
  # RC4 is excluded: it is prohibited for TLS by RFC 7465
  ssl_ciphers AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH;
  ssl_prefer_server_ciphers on;
}

Save the file and reload the Nginx service.

$ nginx -t    # check for syntax errors

$ /etc/init.d/nginx reload

That’s it; your SSL certificate configuration is done.

I hope you liked the post and understood it well.

If you have any doubts or queries regarding this post, please leave a comment in the comment box.

Read More about SSL commands in the below article,

Important OpenSSL Commands Every SysAdmin Should Know

Thank You 🙂

Prashant
