Open port 443 for SSL/HTTPS traffic
First of all, make sure port 443 is open on your server. HTTPS runs over port 443, not over port 80 as HTTP does, and on many servers that port is closed by default. Open a terminal and run the following commands to allow traffic on port 443 (these use the classic iptables init script of RHEL/CentOS; on other distributions the equivalent is ufw, firewalld or iptables-save):
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
/etc/init.d/iptables save
/etc/init.d/iptables restart
Note that -A appends the rule at the end of the INPUT chain. If an earlier rule already drops or rejects the traffic, the new rule never gets a chance; in that case use -I INPUT instead, which inserts the rule at the top of the chain.
Generate the certificate chain
To enable HTTPS on your Nginx server you need a valid certificate. The web server serves a 'certificate chain': your own certificate followed by the intermediate certificate of the CA that signed it. You can download this intermediate certificate for free from the site of the CA that issued your certificate. In the case of StartSSL (which has since stopped issuing certificates; the steps are the same for any CA):
wget https://www.startssl.com/certs/sub.class1.server.ca.pem
If you use Comodo, for example, search for "Comodo Intermediate Certificate" and download the relevant file, but check that the file really comes from Comodo's own site and not from a look-alike, and that its subject matches the issuer named in your certificate. You now have two files: a .crt file (your certificate) and a .pem file (the intermediate certificate from your SSL provider). Merge them into one .crt file, with your own certificate first and the intermediate after it; Nginx reads the file in that order, and a reversed chain fails validation in browsers. Replace the file names with your own.
cat vanhoutte.be.crt sub.class1.server.ca.pem > samengevoegd.crt
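As an added check (this is not part of the original tutorial), the Python script below builds the merged file the way the cat command does and then inspects the result for the three mistakes that most often make the handshake fail: the blocks in the wrong order, a missing intermediate, and a private key pasted into the chain file. It only looks at PEM structure, not at signatures (use openssl verify for that); the file names follow the tutorial and the PEM bodies in the demo are constructed placeholders, not real certificates.

```python
import re

# One PEM block: header, body, matching footer (re.S lets '.' span lines).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, full_block_text), ...] in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def build_chain(leaf_pem, intermediate_pem):
    """Equivalent of 'cat vanhoutte.be.crt sub.class1.server.ca.pem > samengevoegd.crt',
    but every block is written with its own trailing newline.  A .crt file without a
    final newline glues '-----END CERTIFICATE-----' and the next '-----BEGIN ...' onto
    one line, which OpenSSL then rejects as a bad end line."""
    blocks = pem_blocks(leaf_pem) + pem_blocks(intermediate_pem)
    return "".join(block + "\n" for _, block in blocks)


def check_chain(chain_pem, leaf_pem):
    """Return a list of problems with the merged file; an empty list means it looks right."""
    problems = []
    blocks = pem_blocks(chain_pem)
    if not blocks:
        return ["no PEM blocks found in the chain file"]
    if any("PRIVATE KEY" in label for label, _ in blocks):
        problems.append("private key found in the chain file; it belongs only in the ssl_certificate_key file")
    own = pem_blocks(leaf_pem)
    if not own or blocks[0][1] != own[0][1]:
        problems.append("first block is not your own certificate: Nginx wants the leaf first, then the intermediate")
    certs = [block for label, block in blocks if label == "CERTIFICATE"]
    if len(certs) < 2:
        problems.append("only one certificate in the file: the intermediate is missing")
    if len(set(certs)) != len(certs):
        problems.append("the same certificate appears twice")
    return problems


# Constructed placeholder PEM blocks (not real certificates) so the demo runs offline.
# The leaf deliberately has no trailing newline, like many downloaded .crt files.
LEAF_PEM = "-----BEGIN CERTIFICATE-----\nTEVBRi1QTEFDRUhPTERFUg==\n-----END CERTIFICATE-----"
INTERMEDIATE_PEM = "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRFLVBMQUNFSE9MREVS\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nS0VZLVBMQUNFSE9MREVS\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    good = build_chain(LEAF_PEM, INTERMEDIATE_PEM)
    print("correct order:", check_chain(good, LEAF_PEM) or "OK")
    print("reversed order:", check_chain(build_chain(INTERMEDIATE_PEM, LEAF_PEM), LEAF_PEM))
    print("key pasted in:", check_chain(good + KEY_PEM, LEAF_PEM))
```

Run it against your real files by reading vanhoutte.be.crt and sub.class1.server.ca.pem into the two strings; the check with the key appended is there because a chain file that also contains the private key is world-readable on many setups, which hands the key to anyone who can read the web server's files.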
Adjust the Nginx configuration
The firewall now lets port 443 through, but Nginx itself still has to be told to listen on it and where your merged certificate and your private key are. The key has to be stored without a passphrase (a 'decrypted' key), otherwise Nginx cannot start unattended; for that reason keep it readable by root only (mode 0600), preferably under /etc/ssl/private rather than in a home directory. The nginx.conf configuration file is usually located at /etc/nginx/nginx.conf or under /opt/nginx/conf/.
server {
# all HTTP traffic on port 80
listen 80;
# server name
server_name vanhoutte.be;
# redirect HTTP to HTTPS with a 301 redirect
return 301 https://$host$request_uri;
}
server {
# all traffic on port 443, with TLS enabled on the listening socket
listen 443 ssl;
# server name
server_name vanhoutte.be;
# 'ssl on;' is not needed: 'listen 443 ssl' already enables it, and the
# ssl directive was removed in nginx 1.25 (nginx -t fails on it)
# where the certificates are: the merged chain and the passphrase-less private key
ssl_certificate /home/gebruiker/samengevoegd.crt;
ssl_certificate_key /home/gebruiker/mijn-private-decrypted.key;
}
There is a lot more you can add to this configuration, but this much already gets HTTPS working. Save the file and check that the configuration is valid by running:
sudo nginx -t
If there are no errors, restart Nginx so that the new configuration is loaded (a reload would also do and keeps existing connections open):
sudo service nginx restart
After this restart of Nginx you should see the padlock icon in the browser's address bar. If something went wrong, the browser will tell you with a warning or a crossed-out icon. Then go back through the steps above and look for the mistake; sudo nginx -t and the Nginx error log are the first places to look.
Avoiding BEAST attacks
Once you have a working HTTPS connection with your server, it is time for a few small adjustments to the configuration file. To reduce exposure to BEAST (a chosen-plaintext attack on the CBC cipher suites of TLS 1.0), add the following three lines to the server block. They let the server, rather than the client, pick the cipher suite, and they put AES-GCM (available from TLS 1.2 on) first, so that modern clients never negotiate a CBC suite at all:
ssl_prefer_server_ciphers On;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
Two caveats for anyone applying this today. SSLv3 must not appear in ssl_protocols at all: the POODLE attack (2014) breaks every CBC suite under SSLv3, and RFC 7568 prohibits the protocol. The 3DES suites should go as well, because of their 64-bit block size (Sweet32). A current equivalent is ssl_protocols TLSv1.2 TLSv1.3; combined with an AEAD-only cipher list, which removes the CBC suites BEAST targets altogether. Modern browsers also mitigate BEAST on their side with 1/n-1 record splitting, so the server-side ordering mainly matters for old clients.
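To see what such a configuration actually allows, here is an added audit script in Python (not from the tutorial or from the Nginx project). It pulls the TLS directives out of an Nginx server block, reports the settings that are obsolete or weak by today's standards, and carries a hardened server block for comparison. The sample configuration embedded in it is the tutorial's own server block plus the three lines above, as constructed input; which protocols and cipher tokens count as weak is this example's judgement, and the hardened cipher list is the example's suggestion, not something the page prescribes.

```python
import re

# name value;  (a value may not contain ; { or }, which keeps 'server {' from matching)
DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+([^;{}]*);", re.M)

# SSLv2/SSLv3 are broken (DROWN, POODLE); TLS 1.0 and 1.1 are deprecated by RFC 8996.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Cipher-string tokens that select suites with known weaknesses (example's own list).
WEAK_CIPHER_TOKENS = {"3DES", "DES", "RC4", "MD5", "NULL", "EXPORT"}


def parse_directives(conf):
    """Return {directive: value} for a config fragment; a later directive overrides an earlier one."""
    no_comments = re.sub(r"#.*", "", conf)
    return {m.group(1): m.group(2).strip() for m in DIRECTIVE.finditer(no_comments)}


def cipher_tokens(suite):
    """'ECDH+3DES' -> {'ECDH', '3DES'}; 'DES-CBC3-SHA' -> {'DES', 'CBC3', 'SHA'}."""
    return set(re.split(r"[+\-]", suite))


def audit(conf):
    """Return a list of findings for the TLS directives in conf; [] means nothing was flagged."""
    d = parse_directives(conf)
    findings = []
    if "ssl" in d:
        findings.append("'ssl on' is redundant with 'listen 443 ssl' and was removed in nginx 1.25")
    protocols = set(d.get("ssl_protocols", "").split())
    if not protocols:
        findings.append("ssl_protocols not set; the build default decides")
    weak = sorted(protocols & WEAK_PROTOCOLS)
    if weak:
        findings.append("weak protocols enabled: " + " ".join(weak))
    # '!...' entries exclude suites, so only the positive entries are checked
    enabled = [s for s in d.get("ssl_ciphers", "").split(":") if s and not s.startswith("!")]
    weak_suites = [s for s in enabled if cipher_tokens(s) & WEAK_CIPHER_TOKENS]
    if weak_suites:
        findings.append("weak cipher suites enabled: " + " ".join(weak_suites))
    if d.get("ssl_prefer_server_ciphers", "off").lower() != "on":
        findings.append("ssl_prefer_server_ciphers is off: the client chooses, so a TLS 1.0 client can pick a CBC suite")
    if d.get("ssl_certificate_key", "").startswith("/home/"):
        findings.append("private key lives in a home directory; keep it in /etc/ssl/private, mode 0600, owned by root")
    return findings


# Constructed sample input: the tutorial's server block with the BEAST lines added.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name vanhoutte.be;
    ssl on;
    ssl_certificate /home/gebruiker/samengevoegd.crt;
    ssl_certificate_key /home/gebruiker/mijn-private-decrypted.key;
    ssl_prefer_server_ciphers On;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # SSLv3 is still on
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
}
"""

# The same block as this example would write it today: TLS 1.2/1.3 only, AEAD suites only.
HARDENED_CONF = """
server {
    listen 443 ssl;
    server_name vanhoutte.be;
    ssl_certificate /etc/ssl/certs/samengevoegd.crt;
    ssl_certificate_key /etc/ssl/private/mijn-private-decrypted.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
}
"""

if __name__ == "__main__":
    for name, conf in (("tutorial", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}:")
        for finding in audit(conf) or ["nothing flagged"]:
            print("  -", finding)
```

The parser is deliberately simple (one directive per line, no nested blocks), which is enough for a server block like the one above; point it at your own file by reading it into a string. TLSv1.3 in the hardened block needs nginx 1.13 or newer built against OpenSSL 1.1.1 or newer; on an older build drop that token and keep TLSv1.2.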