I use namecheap.com and purchased a PositiveSSL certificate from Comodo.
SSH into the server.
Make an SSL directory to hold all certificates and keys
$ sudo mkdir /etc/nginx/ssl
$ cd /etc/nginx/ssl/
Generate a private key and a certificate signing request (CSR)
$ sudo openssl req -newkey rsa:2048 -nodes -keyout domain.com.key -out domain.com.csr
You will be prompted to fill in company and domain information. Follow this guide if you're having trouble.
Common Name (the domain name certificate should be issued for)
Country (two-letter code)
State (or province)
Locality (or city)
Organization
Organizational Unit (Department)
E-mail address
Two files will be generated: /etc/nginx/ssl/domain.com.key (the private key) and /etc/nginx/ssl/domain.com.csr (the request you submit to the CA). Copy the CSR.
$ cat domain.com.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
1) Paste the CSR into your certificate provider's activation form.
If using Namecheap: Namecheap > Products List > Select Your SSL Certificate and Press Activate
Enter the CSR and the domains PositiveSSL will cover:
* Enter CSR
* Primary Domain
2) Check the PositiveSSL CSR info. Ensure the domain is correct and the server type is set to NGINX.
3) Confirm that you own the domain. The easiest validation method is usually email verification to admin@domain.com. To set this up using G Suite, set up a catch-all email that redirects admin@domain.com to your email address.
4) Select the email address for verification: admin@domain.com
5) Review and submit. The domain verification request will be sent to admin@domain.com; confirm that the SSL certificate will also be sent to admin@domain.com.
6) You should receive a Domain Control Validation email containing a token and a link. Open the link and enter the token to verify that you control the domain. Upon successful verification, the SSL certificate will be issued and emailed to you.
7) You should receive a "Your PositiveSSL Certificate for domain.com" email containing a zip file with:
- Your PositiveSSL Certificate - domaincom.crt
- Your Apache "bundle" file - domaincom.ca-bundle
Download the SSL certificates domain_com.crt and domain_com.ca-bundle onto your local computer and combine them into a single file called a certificate chain. The order matters: your own certificate must come first, followed by the bundle.
local$ cat domain_com.crt domain_com.ca-bundle > cert_chain.crt
Move cert_chain.crt to your server:
local$ scp cert_chain.crt deploy@ip_address:/etc/nginx/ssl/cert_chain.crt
Back on the server, generate Diffie-Hellman parameters (this can take a few minutes):
$ sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
Edit the nginx site configuration:
$ sudo nano /etc/nginx/sites-available/default
Old /etc/nginx/sites-available/default:
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name my_domain.com;
    passenger_enabled on;
    rails_env production;
    root /home/deploy/my_domain/current/public;
    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
New /etc/nginx/sites-available/default:
# plain HTTP for both hostnames: redirect everything to HTTPS on the bare domain
server {
    listen 80;
    server_name www.my_domain.com my_domain.com;
    return 301 https://my_domain.com$request_uri;
}
# HTTPS on the www hostname: redirect to the bare domain (needs the certificate so the redirect itself is served over TLS)
server {
    listen 443 ssl;
    server_name www.my_domain.com;
    ssl_certificate /etc/nginx/ssl/cert_chain.crt;
    ssl_certificate_key /etc/nginx/ssl/my_domain.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    return 301 https://my_domain.com$request_uri;
}
# HTTPS on the bare domain: the application itself
server {
    listen 443 ssl;
    server_name my_domain.com;
    ssl_certificate /etc/nginx/ssl/cert_chain.crt;
    ssl_certificate_key /etc/nginx/ssl/my_domain.com.key;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    passenger_enabled on;
    rails_env production;
    root /home/deploy/my_domain/current/public;
    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
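Before restarting nginx it is worth confirming that cert_chain.crt and the key are what the new config expects: leaf certificate first, bundle appended, key matching the leaf, and the leaf not about to expire. The script below is an added example (not from the original post) that does exactly that with the openssl CLI; the file paths are the ones used above.

```shell
#!/bin/sh
# Added example: sanity-check a certificate chain and key before `service nginx restart`.
# Assumes the openssl CLI is installed.
# Usage: sh check_chain.sh /etc/nginx/ssl/cert_chain.crt /etc/nginx/ssl/my_domain.com.key
#
# Checks: (1) the private key matches the FIRST certificate in the chain file
# (nginx requires the server certificate first, the bundle after); (2) the
# ca-bundle was actually appended; (3) the leaf verifies against that bundle;
# (4) the leaf is not expiring within 30 days. Returns 0 on success, 1 on the
# first failing check.
check_cert_chain() {
    chain="$1"
    key="$2"
    tmp=$(mktemp -d) || return 1
    leaf="$tmp/leaf.pem"
    rest="$tmp/rest.pem"
    # Split the chain file: first PEM block = leaf, everything after = bundle.
    awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$chain" > "$leaf"
    awk '/-----BEGIN CERTIFICATE-----/{n++} n>=2' "$chain" > "$rest"
    rc=1
    if ! leaf_pub=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null); then
        echo "FAIL: no certificate found in $chain"
    elif ! key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null); then
        echo "FAIL: cannot read private key $key"
    elif [ "$leaf_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the first certificate in $chain (wrong order?)"
    elif [ ! -s "$rest" ]; then
        echo "FAIL: $chain holds only the leaf; the ca-bundle was not appended"
    elif ! openssl verify -CAfile "$rest" "$leaf" >/dev/null 2>&1; then
        echo "FAIL: leaf does not chain to the certificates in the bundle"
    elif ! openssl x509 -in "$leaf" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: leaf certificate expires within 30 days"
    else
        echo "OK: chain and key are consistent"
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}
# Run the check when paths are given on the command line.
[ $# -gt 0 ] && check_cert_chain "$@"
```

After the check passes, sudo nginx -t validates the edited config before the restart. Note that ssl_protocols above still enables TLSv1 and TLSv1.1, both deprecated by RFC 8996; the SSL Labs test in the final step caps the grade when they are enabled.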
Restart Nginx:
$ sudo service nginx restart
Open a browser and test all variations and redirects: http:// and https:// for both mydomain.com and www.mydomain.com should all end up at https://mydomain.com.
Run the SSL Labs test: https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.com
References:
https://juliansimioni.com/blog/https-on-nginx-from-zero-to-a-plus-part-2-configuration-ciphersuites-and-performance/
https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority