“How did it get so late so soon?” ― Dr. Seuss
1. Introduction
Nginx is a fast-growing web server known for its small size and speed. According to the Netcraft February 2018 Web Server Survey, nginx held 25.92% of the total web server market share. If you need to host a web server, you would do very well to use Nginx.
In this article, we show you how to install an SSL certificate with Nginx. This is a follow-up to the previous articles in the series: creating a Certificate Signing Request (CSR) and installing an SSL certificate into Apache.
2. Pre-requisites
We assume the following:
- You have set up your web host with a web hosting company.
- You have installed Nginx on that web server and are able to load your pages over HTTP.
- You have console and root access to your web server.
- You have also completed the process of obtaining an SSL certificate and are ready to install it.
For the purpose of the discussion below, we assume that you have the following files related to your SSL certificate.
2.1. The SSL Certificate
The actual SSL Certificate is issued by a Certificate Authority such as Thawte, Comodo CA, etc. Name this file something like example.com.cer. The file looks like this:
-----BEGIN CERTIFICATE-----
MIIFDTCCA/WgAwIBAgISA9Nv6Uw1MoDf0Jl9Mbc7LfxHMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODAyMjMwODA4MTZaFw0x
ODA1MjQwODA4MTZaMBcxFTATBgNVBAMTDHRlcmFtaW5lLmNvbTCCASIwDQYJKoZI
...
-----END CERTIFICATE-----
2.2. The RSA Private Key
Next you need the RSA private key with which you signed the CSR. We assume this file is named example.com.key. It looks like this:
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDRN+NeIUjwTxkE
nxKPkH8AXKGVSPTmYjAsW4j0fWeYEFjFgyfpQIhVEYc0OC2eYhNyCtasfzGjrIHN
AhvOZo0/Jxc30yoYDAIgcyfFaHCM/r5fCIC67DxzC74E727w19FXhHax3gi0i9Pf
yXNk5TKmI73x6jztPBCMYSnghHjo9ZHH5a+/2aQznSV0m9/blRBaigMz//9gKMq/
...
-----END PRIVATE KEY-----
This file must be safeguarded well. If it is compromised (or you even suspect it might be), generate a new key and have the certificate re-issued as well.
2.3. Remove Password From Private Key
If the key is protected with a password, it is essential to remove it: otherwise Nginx will prompt for the password every time the server starts.
Remove the password with this command. This assumes that your Linux system has openssl installed.
openssl rsa -in example.com.key -out example.com.keynopass
In the server configuration below, we use the pathname of this file, example.com.keynopass.
2.4. Intermediate CA Certificate
This is an optional file that may be required if the Certificate Authority issuing the certificate is not very well known. If the issuer makes this file available along with the certificate, it may need to be installed too. Let us assume this file is named ca-certs.cer. It looks like the SSL certificate, but may contain multiple entries:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
2.5. Bundle SSL Certificates
You should now bundle your SSL certificate with your CA certificates (if you have them) so the server can send your certificate and the CA certificates to the browser in one trip. This reduces round-trip time and results in a faster experience for your users.
Create the bundle, with your own certificate first, using this command:
cat example.com.cer ca-certs.cer > example.com.bundle.cer
We will use this file (example.com.bundle.cer) below in the server configuration.
2.6. Installation
Install these files into the paths shown below. Create the directory /etc/nginx/ssl if it does not exist.
/etc/nginx/ssl/example.com.bundle.cer
/etc/nginx/ssl/example.com.keynopass
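Before pointing Nginx at these two files, it is worth confirming they are what the configuration expects. The script below is an added example (not part of the original article); it assumes a POSIX shell, the openssl command-line tool and the file names used above, and checks that the key has no passphrase and is not readable by other users, that no key material ended up in the bundle, and that the first certificate in the bundle matches the key and has not expired.

```shell
#!/bin/sh
# Pre-flight checks for the bundle and passphrase-free key from sections
# 2.1 to 2.6 (added example, not from the article; needs the openssl CLI).
# Usage: sh check_ssl_files.sh BUNDLE.cer KEY.keynopass

# 0 if the key is unencrypted, so nginx starts without a passphrase prompt.
key_has_no_passphrase() {
    ! grep -q 'ENCRYPTED' "$1" &&
        openssl pkey -in "$1" -noout -passin pass: >/dev/null 2>&1
}
# 0 if the (now plaintext) key is unreadable by group and others.
key_is_private() {
    [ -z "$(find "$1" \( -perm -004 -o -perm -040 \) -print)" ]
}
# 0 if no private key was concatenated into the bundle by mistake; nginx
# would otherwise send it to every client during the handshake.
bundle_has_no_key() {
    ! grep -q 'PRIVATE KEY' "$1"
}
# Number of certificates in the bundle: the leaf plus any intermediates.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}
# 0 if the first certificate in the bundle (the one nginx presents as the
# server certificate) carries the same public key as the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
# 0 if the server certificate has not expired.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}
# Run all checks on BUNDLE KEY; one PASS/FAIL line each, return 1 on failure.
check_ssl_files() {
    rc=0
    run() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; rc=1; fi; }
    run key_has_no_passphrase "$2"
    run key_is_private "$2"
    run bundle_has_no_key "$1"
    run cert_matches_key "$1" "$2"
    run cert_not_expired "$1"
    echo "certificates in bundle: $(cert_count "$1")"
    return $rc
}

if [ "$#" -eq 2 ]; then check_ssl_files "$1" "$2"; fi
```

A FAIL on cert_matches_key usually means the bundle was built with the intermediate certificate first, or the key belongs to an older CSR.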
Let us now move on to server configuration.
3. Server Configuration
In this section, we assume that you already have configured nginx for HTTP and it is running normally. This is so we can concentrate on adding SSL support to your web server.
3.1. Default Site File
This is a file located at /etc/nginx/sites-available/default and normally holds the configuration for your default site, running on port 80. Whatever it is named in your configuration, it is the file containing the following block.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    ...
}
3.2. Enable SSL
The first step is to turn on SSL and have Nginx listen on port 443, the port for the HTTPS protocol. The lines may already be present in the config file but may be commented out. Uncomment them or add them as necessary.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ...
}
3.3. Load SSL Configuration
We store the SSL configuration in a separate file located at /etc/nginx/snippets/ssl.conf and include it in the server block.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    include /etc/nginx/snippets/ssl.conf;
    ...
}
4. SSL Configuration
The actual SSL configuration file (/etc/nginx/snippets/ssl.conf) begins like this:
ssl_certificate /etc/nginx/ssl/example.com.bundle.cer;
ssl_certificate_key /etc/nginx/ssl/example.com.keynopass;
And that is all the configuration required to get SSL running on your nginx web server. You can now go ahead and test your web site using HTTPS.
5. Restart Server and Check
Let us now restart the server and check that SSL is working.
Restart the server on Ubuntu 14.04 as follows:
service nginx restart
Restart the server on Ubuntu 16.04 with this command:
systemctl restart nginx
If the restart produces no error messages, check which ports are being listened on. The presence of both 80 and 443 shows that Nginx is accepting connections on them.
netstat -an -t tcp | grep LISTEN
# prints
tcp        0      0 0.0.0.0:80        0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:22        0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:443       0.0.0.0:*        LISTEN
tcp6       0      0 :::80             :::*             LISTEN
tcp6       0      0 :::22             :::*             LISTEN
tcp6       0      0 :::443            :::*             LISTEN
Just to be sure, check your nginx logs for errors. If you see any errors or suspicious messages, you will need to investigate further.
tail -f /var/log/nginx/error.log
6. Very Important! Harden Your Server
The above SSL configuration is very basic and serves to get HTTPS running on your server. It is very important to harden the server against various vulnerabilities discovered in recent years.
We cover this in the next article.
Please do not skip this step as this is important for the health of your web server.
7. Verifying SSL Using Online Tools
There are several very good online tools which verify your HTTPS configuration and point out various problems. You should check against these tools anytime you make a change to the server configuration.
- A basic checker is located at SSL Checker. It goes through common problems and suggests workarounds.
- The gold standard in online SSL check is the Qualys SSL Labs checker. It provides a thorough overview of your SSL configuration.
Don’t be alarmed if the Qualys SSL checker reports many problems. See the next article on hardening Nginx SSL for solutions.
Conclusion
In this article, we covered the basic aspects of configuring SSL on your nginx web server. We have also set up the files that the next article builds on to improve the configuration.