Setting up Nginx Web Server with an SSL Certificate

Learn how to properly configure your Nginx web server for HTTPS.

“How did it get so late so soon?” ― Dr. Seuss


1. Introduction

Nginx is a fast-growing web server known for its small size and speed. According to the Netcraft February 2018 Web Server Survey, nginx held 25.92% of the total web server market. If you need to host a web server, Nginx is a very good choice.

In this article, we show you how to install an SSL certificate with Nginx. This is a follow-up to the previous articles in the series: creating a Certificate Signing Request (CSR) and installing an SSL certificate into Apache.

2. Pre-requisites

We assume the following:

  1. You have set up your web host with a web hosting company.
  2. You have installed Nginx on that web server and are able to load your pages over HTTP.
  3. You have console and root access to your web server.
  4. You have also completed the process of obtaining an SSL certificate and are ready to install it.

For the purpose of the discussion below, we assume that you have the following files related to your SSL certificate.

2.1. The SSL Certificate

The actual SSL Certificate is issued by a Certificate Authority such as Thawte, Comodo CA, etc. Name this file something like example.com.cer. The file looks like this:

-----BEGIN CERTIFICATE-----
MIIFDTCCA/WgAwIBAgISA9Nv6Uw1MoDf0Jl9Mbc7LfxHMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODAyMjMwODA4MTZaFw0x
ODA1MjQwODA4MTZaMBcxFTATBgNVBAMTDHRlcmFtaW5lLmNvbTCCASIwDQYJKoZI
...
-----END CERTIFICATE-----

2.2. The RSA Private Key

Next you need the RSA private key with which you signed the CSR. We assume this file is named example.com.key. It looks like this:

-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDRN+NeIUjwTxkE
nxKPkH8AXKGVSPTmYjAsW4j0fWeYEFjFgyfpQIhVEYc0OC2eYhNyCtasfzGjrIHN
AhvOZo0/Jxc30yoYDAIgcyfFaHCM/r5fCIC67DxzC74E727w19FXhHax3gi0i9Pf
yXNk5TKmI73x6jztPBCMYSnghHjo9ZHH5a+/2aQznSV0m9/blRBaigMz//9gKMq/
...
-----END PRIVATE KEY-----

Safeguard this file carefully. If it is compromised, or you even suspect that it might be, generate a new key and have the certificate re-issued as well.

2.3. Remove Password From Private Key

If the key is protected by a password, it is essential that you remove it: otherwise Nginx will stop and ask for the password every time the server starts, which breaks unattended restarts.

Remove the password with the following command, which assumes that openssl is installed on your Linux system.

openssl rsa -in example.com.key -out example.com.keynopass

In the server configuration below, we use the pathname of this file, example.com.keynopass.

2.4. Intermediate CA Certificate

This file is optional, but may be required when the Certificate Authority that issued your certificate is not directly trusted by browsers. If the certificate issuer provides this file together with the certificate, install it too. Let us assume the file is named ca-certs.cer. It looks like the SSL certificate, but may contain several entries:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

2.5. Bundle SSL Certificates

You should now bundle your SSL certificate with your CA certificates (if you have them) so the server can send your certificate together with the CA certificates in a single trip to the browser. Nginx expects the server certificate first in this file, followed by the intermediate certificates, which is exactly the order the command below produces. Sending the complete chain saves the browser a round trip and results in a faster experience for your users.

Create the bundle with this command:

cat example.com.cer ca-certs.cer > example.com.bundle.cer

We will use this file (example.com.bundle.cer) below in the server configuration.

2.6. Installation

Install these files into the paths shown below. Create the directory /etc/nginx/ssl if it does not exist.

/etc/nginx/ssl/example.com.bundle.cer
/etc/nginx/ssl/example.com.keynopass
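
As an added example (not from the original article), here is a small POSIX shell pre-flight script that checks the files prepared above before nginx is pointed at them: that the key matches the first certificate in the bundle, that the key is passphrase-free and not world-readable, that the server certificate comes first in the bundle, and that it is not about to expire. File names follow the article's assumed names; make_test_material only builds a self-signed stand-in so the checks can be exercised offline.

```sh
#!/bin/sh
# Added example (not from the original article): pre-flight checks for the
# files prepared in section 2, run before nginx is pointed at them.
# File names follow the article: example.com.bundle.cer and example.com.keynopass.

# The first certificate in the bundle must be the one issued for the key nginx
# loads; both files expose the same SubjectPublicKeyInfo, so compare that.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Section 2.3: an encrypted key (traditional or PKCS#8 form) would make nginx
# prompt for the passphrase at every start.
key_is_unencrypted() { ! grep -q ENCRYPTED "$1"; }

# A passphrase-free key must not be readable by other users on the host.
key_not_world_readable() { [ -z "$(find "$1" -perm -004)" ]; }

# The leaf (server) certificate has to come first in the bundle; RFC2253 output
# keeps the subject format stable across openssl versions.
bundle_leaf_is_for() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | grep -q "CN=$2"
}

# Fail if the leaf certificate expires within the next 24 hours.
cert_not_expiring() { openssl x509 -in "$1" -noout -checkend 86400 >/dev/null 2>&1; }

# Runs every check, prints one line per check, returns non-zero on any failure.
preflight() {
    rc=0
    for chk in "cert_matches_key $1 $2" "key_is_unencrypted $2" \
               "key_not_world_readable $2" "bundle_leaf_is_for $1 $3" \
               "cert_not_expiring $1"; do
        if $chk; then echo "PASS: $chk"; else echo "FAIL: $chk"; rc=1; fi
    done
    return $rc
}

# Constructed test material only: a self-signed certificate standing in for the
# CA-issued bundle so the checks can be exercised offline.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=example.com \
        -keyout "$1/example.com.keynopass" -out "$1/example.com.bundle.cer" 2>/dev/null
    chmod 600 "$1/example.com.keynopass"
}
```

Run it as `preflight /etc/nginx/ssl/example.com.bundle.cer /etc/nginx/ssl/example.com.keynopass example.com` on the real files; a FAIL on cert_matches_key is the most common reason nginx refuses to start after an SSL change.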

Let us now move on to server configuration.

3. Server Configuration

In this section, we assume that you have already configured nginx for HTTP and that it is running normally, so that we can concentrate on adding SSL support to your web server.

3.1. Default Site File

This file is normally located at /etc/nginx/sites-available/default and holds the configuration for your default site, which runs on port 80. Whatever it is called in your setup, it is the file containing the following block.

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        ...
}

3.2. Enable SSL

The first step is to turn on SSL and have Nginx listen on port 443, the standard port for HTTPS. These lines may already be present in the config file but commented out; uncomment them or add them as necessary.

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        # SSL configuration
        #
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        ...
}

3.3. Load SSL Configuration

We store the SSL configuration in a separate file located at /etc/nginx/snippets/ssl.conf and include it in the server block.

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        # SSL configuration
        #
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        include /etc/nginx/snippets/ssl.conf;

        ...
}

4. SSL Configuration

The actual SSL configuration file (/etc/nginx/snippets/ssl.conf) begins like this:

ssl_certificate /etc/nginx/ssl/example.com.bundle.cer;
ssl_certificate_key /etc/nginx/ssl/example.com.keynopass;

And that is all the configuration required to get SSL running on your nginx web server. You can now go ahead and test your web site using HTTPS.

5. Restart Server and Check

Let us now restart the server and check that SSL is working.

Restart the server on Ubuntu 14.04 as follows:

service nginx restart

Restart the server on Ubuntu 16.04 with this command:

systemctl restart nginx

If the restart reports no errors, check which ports are open. The presence of 80 and 443 shows that Nginx is listening on them for connections.

netstat -ant | grep LISTEN
# prints
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN

Just to be sure, check your nginx logs for errors. If you see any errors or suspicious messages, you will need to investigate further.

tail -f /var/log/nginx/error.log
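
Added example, not from the original article: after the restart, look at the server the way a browser does with openssl s_client and confirm that the whole chain is served. The two transcripts are constructed samples, not real server output; a live result of "chain NOT verified" with "unable to verify the first certificate" is the classic sign that the intermediate CA certificate from section 2.4 was left out of the bundle.

```sh
#!/bin/sh
# Added example (not from the original article): after the restart, look at the
# server the way a browser does and confirm the whole chain is served.

# Counts the certificates listed under "Certificate chain" in s_client output.
chain_length() { grep -c '^ *[0-9][0-9]* s:' || true; }

# True when the client could build a trusted path to a root it already knows.
chain_verified() { grep -q 'Verify return code: 0 (ok)'; }

# Reads an s_client transcript on stdin and reports what a browser would see.
report_chain() {
    transcript=$(cat)
    n=$(printf '%s\n' "$transcript" | chain_length)
    if printf '%s\n' "$transcript" | chain_verified; then
        echo "chain verified ($n certificate(s) sent)"
        return 0
    fi
    # "unable to verify the first certificate" with only 1 certificate sent is
    # the usual sign that the intermediate CA certificate was left out of the bundle.
    echo "chain NOT verified ($n certificate(s) sent):"
    printf '%s\n' "$transcript" | grep 'Verify return code'
    return 1
}

# Live check; -servername sends SNI as browsers do, stdin is closed so s_client exits.
check_https_endpoint() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | report_chain
}

# Constructed sample transcripts (not real server output): a complete chain ...
SAMPLE_GOOD='Certificate chain
 0 s:CN = example.com
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
Verify return code: 0 (ok)'
# ... and a server that forgot the intermediate.
SAMPLE_MISSING_INTERMEDIATE='Certificate chain
 0 s:CN = example.com
   i:CN = Example Intermediate CA
---
Verify return code: 21 (unable to verify the first certificate)'
```

Against a live server, run `check_https_endpoint example.com`, ideally from a machine other than the web server itself so that the check goes through the same path your users take.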

6. Very Important! Harden Your Server

The above SSL configuration is very basic and serves to get HTTPS running on your server. It is very important to harden the server against various vulnerabilities discovered in recent years.

We cover this in the next article.

Please do not skip this step as this is important for the health of your web server.

7. Verifying SSL Using Online Tools

There are several very good online tools that verify your HTTPS configuration and point out problems. Run them any time you change the server configuration.

  • A basic checker is located at SSL Checker. It goes through common problems and suggests workarounds.
  • The gold standard in online SSL check is the Qualys SSL Labs checker. It provides a thorough overview of your SSL configuration.

Don’t be alarmed if the Qualys SSL checker reports many problems. See the next article on hardening Nginx SSL for solutions.

Conclusion

In this article, we covered the basic aspects of configuring SSL on your nginx web server. We have set up the various files that the next article builds on to improve the configuration.