Setting up PositiveSSL w/nginx
Posted By nick, March 3, 2015

So you have a working site running behind nginx, and you want to secure traffic to it.

We use Namecheap for domain name registration and SSL certificates. They sell Comodo PositiveSSL certificates for a great price, and they’re perfect for general sites needing legitimate SSL certificates.

First you must purchase the certificate; with Namecheap this is straightforward, so there’s no need to describe it here.

Generate the private key and CSR

Assuming you don’t already have a private key generated, you can both generate that and the CSR (Certificate Signing Request) at the same time:

$ openssl req -nodes -newkey rsa:2048 -keyout example_com.key -out example_com.csr

You will be prompted to answer several questions about the certificate being requested. Rackspace has a decent description of each.

Submit the request to Comodo

YMMV, but for Namecheap, the process is to go to the SSL Certificates management page and “activate” the certificate you previously purchased. Select “nginx” as the server type, and paste the previously-generated CSR contents into the form.

Get the CSR contents into your clipboard (for pasting into the form) from your terminal by:

$ pbcopy < example_com.csr                     # OS X
$ cat example_com.csr | xclip -selection c     # Linux
$ cat example_com.csr > /dev/clipboard         # cygwin

Before submitting, you’ll likely need to verify some information; exactly what varies by provider. Once the request is submitted, you’ll receive a verification email from Comodo; complete that. The certificate should then be generated and emailed to you.

Create the combined certificate

The certificate will come as a ZIP file with your certificate and several intermediate ones. You need to concatenate these into a single file. Order matters: your own certificate comes first, then the intermediates, and the root last.

$ cat example_com.crt \
      COMODORSADomainValidationSecureServerCA.crt \
      COMODORSAAddTrustCA.crt \
      AddTrustExternalCARoot.crt \
      > example_com.combined

Install the certificate and private key

You now have 2 important files:

example_com.combined  # certificate
example_com.key       # private key
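Two things commonly go wrong at this point: the certificates are concatenated in the wrong order, or the private key copied to the server is not the one the CSR was generated from. The following shell functions, added here as an example and not part of the original post, check both. They assume the openssl CLI is installed; `chain_order_ok` splits a combined file into its certificates and confirms that each certificate’s issuer is the subject of the one that follows it, and `key_matches_cert` compares the RSA modulus of the first certificate in the file with that of the private key.

```shell
#!/bin/sh
# Hypothetical helper functions (not from the original post); require the openssl CLI.

# chain_order_ok BUNDLE
# Returns 0 if every certificate in BUNDLE is followed by its issuer
# (leaf -> intermediate(s) -> root), 1 on an ordering error, 2 on setup failure.
chain_order_ok() {
  bundle="$1"
  tmp=$(mktemp -d) || return 2
  # Split the PEM bundle into one numbered file per certificate.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%03d.pem", dir, n) }
    n > 0 { print > f }
    /-----END CERTIFICATE-----/ { close(f) }
  ' "$bundle"
  if ! ls "$tmp"/cert*.pem >/dev/null 2>&1; then
    echo "no certificates found in $bundle" >&2
    rm -rf "$tmp"; return 2
  fi
  prev=""
  for f in "$tmp"/cert*.pem; do
    if [ -n "$prev" ]; then
      # RFC2253 name formatting keeps subject and issuer strings comparable.
      issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$prev" | sed 's/^issuer= *//')
      subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$f" | sed 's/^subject= *//')
      if [ "$issuer" != "$subject" ]; then
        echo "order error: certificate issued by '$issuer' is followed by '$subject'" >&2
        rm -rf "$tmp"; return 1
      fi
    fi
    prev="$f"
  done
  rm -rf "$tmp"
  return 0
}

# key_matches_cert BUNDLE KEYFILE
# Returns 0 if the private key belongs to the first (server) certificate in BUNDLE.
key_matches_cert() {
  cert_mod=$(openssl x509 -noout -modulus -in "$1") || return 2
  key_mod=$(openssl rsa -noout -modulus -in "$2") || return 2
  [ "$cert_mod" = "$key_mod" ]
}

# Usage (file names are the ones from this post):
#   chain_order_ok example_com.combined && key_matches_cert example_com.combined example_com.key
```

Run both checks on the workstation before copying the files to the server; nginx will refuse to start on a key mismatch, but a mis-ordered chain is only noticed when some clients fail to validate the site.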

Copy these to your server. Common locations are:

/etc/nginx/ssl
/etc/ssl/private

It doesn’t matter too much where they are, but you probably want the directory to be owned by root with 750 permissions, and the private key owned by root with 640 permissions.

Configure nginx

Within your site’s nginx configuration file, change the listen port to 443, and enable SSL.

server {
  listen 443;
  ssl on;   # older form; newer nginx releases use "listen 443 ssl;" instead
  ssl_certificate /etc/nginx/ssl/example_com.combined;      # combined cert + chain
  ssl_certificate_key /etc/nginx/ssl/example_com.key;       # private key
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;                      # no SSLv3
  ...
}

The ssl_protocols line is a response to the POODLE attack: it limits nginx to TLS 1.0 through 1.2 and excludes SSLv3, the protocol POODLE exploits. This may keep some older browsers from accessing your site, so heads up.

After that, restart nginx and test it out!
