How to Setup SSL for Nginx Using OpenSSL and Comodo PositiveSSL Certificate at Ubuntu Linux Server

I write down here the steps I used to setup SSL / Https on Nginx server using Comodo PositiveSSL Certificate from NameCheap on Ubuntu Linux Server.

Before starting anything, make sure u already bought the certificate so you can login and manage your certificate.

First, we need to Generate CSR that is required to activate Certificate from Namecheap.

Run this command to generate CRS in Linux (Ubuntu for me) :

> openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

And for my case that use Url/FQHD www.rickyanto.com, the command can looks like:

openssl req -new -newkey rsa:2048 -nodes -keyout rickyanto.key -out rickyanto.csr

Answer the questions relate to your personal Information, like Country, City, Company name when we run above command accordingly, but we can skip these questions: “A challenge password” and “An optional company name” by pressing Enter to skip.

The most important question you need to answer correctly is: “Common Name (e.g. server FQDN or YOUR name)”.
For my case I answer that question: www.rickyanto.com

This openssl command will generate 2 files, .key and .csr.
Copy the content of .csr using cat command or go inside the file using vi or other text editor and copy the content inside.

Note: Don’t delete the .key file because we will use it to setup SSL on Nginx configuration.

Second, Submit CSR and Activate Certificate

Copy the content of .csr file and submit to certificate provider which is Namecheap in my case to activate the PositiveSSL Certificate

On this step, Namecheap again ask me to fill the required information like company, address, city, country, postalcode. Fill accordingly and to finish activation step, we need to do Domain Control Validation(DCV) procedure that have 3 ways, they are: DNS, Email or HTTP-based DCV and I choosed Http that ask me to upload file to root path of my site that can be accessed publicly so it can be validated by the Certificate Provider.

Download Certificate and Combine/Chain the Cert

After the certificate is activated, we need to download it from the seller/provider (Namecheap in my case) .

PositiveSSL certificate provides 3 files:

yourdomain.crt,yourdomain.ca-bundle and yourdomain.p7b

We need to combine the .crt and .ca-bundle files to one in correct order, and the .crt must go first.

We can combine using cat command like below:

cat yourdomain.crt yourdomain.ca-bundle > yourdomain-chain.crt

Upload and Place Chained Crt File and Private Key To Server

Upload the chain/combined crt file to your server and place to your /etc/ssl or other place you want.

Also don’t forget to copy the Private Key (.key) file we got when we generate CSR to /etc/ssl or same path you place the chained .crt file.

Edit Nginx configuration

Replace or comment listen 80 line from your virtual host configuration with config below:

server {

        #listen 80;

        listen 443;

        ssl on;

        ssl_certificate /etc/ssl/yourdomain-chained.crt;

        ssl_certificate_key /etc/ssl/yourdomain.key;

Reload/Restart NGINX

Save then run nginx -t to check and validate the configuration, if the test is successful you can restart Nginx by command to implement the change:

nginx -s reload

Open browser and use https to access your site 

If it is running well, the https icon in browser will show “green” color and show “lock” icon.

Redirect http request to https

If we don’t want to keep http we need to make sure all request is done via https protocol.

We can add more configuration to redirect http request without or with www to https version with www with additional config lines like below:

server {

       listen         80;

       server_name    yourserver.com www.yourserver.com;

       return         301 https://$server_name$request_uri;

}

 

Leave a comment

Your email address will not be published. Required fields are marked *