Here are the steps I used to set up SSL/HTTPS on an Nginx server using a Comodo PositiveSSL certificate from Namecheap on an Ubuntu Linux server.
Before starting anything, make sure you have already bought the certificate so you can log in and manage it.
First, we need to generate the CSR that is required to activate the certificate at Namecheap.
Run this command to generate the CSR on Linux (Ubuntu for me):
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
In my case, which uses the URL/FQDN www.rickyanto.com, the command looks like:
openssl req -new -newkey rsa:2048 -nodes -keyout rickyanto.key -out rickyanto.csr
The command asks questions about your personal information, such as country, city and company name; answer them accordingly. The questions “A challenge password” and “An optional company name” can be skipped by pressing Enter.
The most important question you need to answer correctly is: “Common Name (e.g. server FQDN or YOUR name)”.
In my case I answered that question with: www.rickyanto.com
This openssl command generates 2 files, a .key and a .csr.
Copy the content of the .csr file, either by printing it with the cat command or by opening it in vi or another text editor.
Note: Don’t delete the .key file because we will use it to set up SSL in the Nginx configuration. Because of the -nodes option the key is stored unencrypted, so keep it private; only the .csr is submitted to the certificate provider.
Second, Submit CSR and Activate Certificate
Copy the content of the .csr file and submit it to the certificate provider, which is Namecheap in my case, to activate the PositiveSSL certificate.
On this step, Namecheap again asked me to fill in the required information like company, address, city, country and postal code. Fill it in accordingly. To finish the activation step, we need to do the Domain Control Validation (DCV) procedure, which can be done in 3 ways: DNS, Email or HTTP-based DCV. I chose HTTP, which asked me to upload a file to the root path of my site where it can be accessed publicly, so it can be validated by the certificate provider.
Download Certificate and Combine/Chain the Cert
After the certificate is activated, we need to download it from the seller/provider (Namecheap in my case).
The PositiveSSL certificate comes as 3 files:
yourdomain.crt, yourdomain.ca-bundle and yourdomain.p7b
We need to combine the .crt and .ca-bundle files into one file in the correct order, and the .crt must go first. Nginx expects the server certificate to appear before the intermediate certificates in the combined file.
We can combine them using the cat command like below:
cat yourdomain.crt yourdomain.ca-bundle > yourdomain-chain.crt
Upload and Place Chained Crt File and Private Key To Server
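Upload the chained/combined .crt file to your server and place it in /etc/ssl or another location you prefer.
Also don’t forget to copy the private key (.key) file we got when we generated the CSR to /etc/ssl or the same path where you placed the chained .crt file. The key should be readable only by root (for example, mode 600), since anyone who can read it can impersonate your site.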
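To confirm, before touching Nginx, that the chained file is in the right order and belongs to your private key, the following added example (not part of the original steps) compares the public key of the first certificate in the file with the public key derived from the .key file. The function names and demo file names are made up for illustration, and the demo generates a throwaway CA and certificate as constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post). Checks that the FIRST certificate
# in a chained file belongs to the private key, which is only true when the
# .crt was concatenated before the .ca-bundle.

# Number of certificates in a PEM file; a chained file should hold more than one.
chain_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Returns 0 if the first certificate's public key equals the key's public key.
# openssl x509 reads only the first certificate in the file.
chain_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build constructed sample data in directory $1: a throwaway CA standing in for
# the .ca-bundle, a leaf certificate, and a correctly and a wrongly ordered chain.
make_demo_files() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/demo.ca-bundle" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/demo.key" -out "$d/demo.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/demo.csr" -days 1 -set_serial 1 \
        -CA "$d/demo.ca-bundle" -CAkey "$d/ca.key" -out "$d/demo.crt" 2>/dev/null &&
    cat "$d/demo.crt" "$d/demo.ca-bundle" > "$d/good-chain.crt" &&
    cat "$d/demo.ca-bundle" "$d/demo.crt" > "$d/bad-chain.crt"
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
for f in good-chain.crt bad-chain.crt; do
    n=$(chain_cert_count "$demo_dir/$f")
    if chain_matches_key "$demo_dir/$f" "$demo_dir/demo.key"; then
        echo "$f: $n certificates, first one matches the key"
    else
        echo "$f: $n certificates, first one does NOT match the key"
    fi
done
rm -rf "$demo_dir"
```

On a real server the same check would be run as chain_matches_key against the chained .crt and the .key you placed in /etc/ssl.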
Edit Nginx configuration
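Replace or comment out the listen 80 line in your virtual host configuration and add the config below:
server {
    #listen 80;
    # the "ssl" parameter enables TLS on this port
    listen 443 ssl;
    # the chained file created with cat above
    ssl_certificate /etc/ssl/yourdomain-chain.crt;
    ssl_certificate_key /etc/ssl/yourdomain.key;
    # ... the rest of your existing virtual host configuration ...
}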
Reload/Restart NGINX
Save, then run nginx -t to check and validate the configuration. If the test is successful, you can reload Nginx to apply the change with this command:
nginx -s reload
Open browser and use https to access your site
If it is running well, the HTTPS indicator in the browser will show in “green” with a “lock” icon.
Redirect http request to https
If we don’t want to keep HTTP, we need to make sure all requests are made via the HTTPS protocol.
We can redirect HTTP requests, with or without www, to the HTTPS version with www by adding config lines like below:
server {
    listen 80;
    server_name yourserver.com www.yourserver.com;
    # $server_name would expand to the first name above (without www),
    # so the www host is written out explicitly
    return 301 https://www.yourserver.com$request_uri;
}