heihachi88
7/3/2015 - 9:31 AM

SSL certificate nginx

Prior to purchasing a cert, you need to generate a private key, and a CSR file (Certificate Signing Request). You'll be asked for the content of the CSR file when ordering the certificate.

openssl req -new -newkey rsa:2048 -nodes -keyout example_com.key -out example_com.csr

This gives you two files:

example_com.key -- your private key. You'll need this later to configure nginx.
example_com.csr -- your CSR file.

Now, purchase the certificate [1], follow the steps on their site, and you should soon get an email with your PositiveSSL Certificate. The email contains a zip file with the following:

  Root CA Certificate - AddTrustExternalCARoot.crt
  Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  Your PositiveSSL Certificate - www_example_com.crt (or the subdomain you gave them)

Install the Comodo SSL cert

Combine everything for nginx [2]:

    Combine the above crt files into a bundle (the order matters here: your own certificate first, then the intermediates, then the root):

    cat example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
    
    Note! If you have downloaded a complete CABundle file for your certificate, replace the chain file names with the name of your downloaded file. It will look like:

    $ cat yourdomainname.crt yourdomainname.ca-bundle > ssl-bundle-yourdomainname.crt

    Store the bundle wherever nginx expects to find it:

    mkdir -p /etc/nginx/ssl/example_com/
    mv ssl-bundle.crt /etc/nginx/ssl/example_com/

    Ensure your private key is somewhere nginx can read it, as well:

    mv example_com.key /etc/nginx/ssl/example_com/
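As an added check (not part of the original post; it assumes the openssl CLI is installed and that the bundle is plain PEM), these shell functions catch the two classic nginx startup failures: a private key that does not match the first certificate in the bundle, and a chain concatenated in the wrong order.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a private key and a
# certificate bundle before pointing nginx at them. Assumes the openssl CLI.
set -eu

# Number of PEM certificates in a file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Split a bundle into $2/cert-01.pem, cert-02.pem, ... in bundle order.
split_bundle() {
    mkdir -p "$2"
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", d, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
}

# Returns 0 if the public key of the FIRST certificate in the bundle (which
# nginx treats as the server certificate) matches the private key in $1.
key_matches_bundle() {
    tmp=$(mktemp -d); split_bundle "$2" "$tmp"
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$tmp/cert-01.pem" -noout -pubkey 2>/dev/null)
    rm -rf "$tmp"
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Returns 0 if every certificate is directly issued by the one that follows
# it, i.e. the order nginx needs: server cert, intermediate(s), root.
bundle_order_ok() {
    tmp=$(mktemp -d); split_bundle "$1" "$tmp"
    n=$(count_certs "$1"); i=1; bad=0
    while [ "$i" -lt "$n" ]; do
        this=$(printf '%s/cert-%02d.pem' "$tmp" "$i")
        next=$(printf '%s/cert-%02d.pem' "$tmp" $((i + 1)))
        iss=$(openssl x509 -in "$this" -noout -issuer | sed 's/^issuer=//')
        sub=$(openssl x509 -in "$next" -noout -subject | sed 's/^subject=//')
        [ "$iss" = "$sub" ] || bad=1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$bad"
}
```

Run `key_matches_bundle example_com.key ssl-bundle.crt && bundle_order_ok ssl-bundle.crt` before the mv above; `nginx -t` still has the final say.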

# http to https redirect

server {
    listen 80;
    server_name sportusbet.com www.sportusbet.com;
    return 301 https://sportusbet.com$request_uri;
}

# ssl www to non www redirect

server {
    listen 443 ssl;
    server_name www.sportusbet.com;

    # This block terminates TLS before it redirects, so the certificate it
    # serves must also be valid for www.sportusbet.com.
    ssl_certificate      /etc/nginx/ssl/sportus/ssl-bundle-sportusbet.crt;
    ssl_certificate_key  /etc/nginx/ssl/sportus/sportusbet_com.key;

    return 301 https://sportusbet.com$request_uri;
}

# main ssl config

server {
    listen 443 ssl;
    # Give this block the hostname the redirects above point to, e.g.
    # server_name sportusbet.com; without one, nginx sends requests for that
    # name to the default server for port 443, which may be another block.

    ssl_certificate /etc/nginx/ssl/example_com/ssl-bundle-yourdomainname.crt;
    ssl_certificate_key /etc/nginx/ssl/example_com/yourdomainname.key;

    # TLSv1 and TLSv1.1 were still common in 2015 but are deprecated today
    # (RFC 8996); on a current server keep only TLSv1.2 (and TLSv1.3 where
    # the nginx/OpenSSL build supports it).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 24h;
    ssl_session_cache shared:SSL:10m;
    # DH parameters for the EDH ciphers above; generated at the end of this page.
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
    # HSTS: max-age is in seconds (15638400 = 181 days).
    add_header Strict-Transport-Security 'max-age=15638400';

    # ...

}

# generate dhparam (you can reuse it for any ssl server block)

openssl dhparam -out /etc/nginx/ssl/dhparams.pem 2048