Thursday, April 23, 2015

Applying SSL Certificate to Nginx

I. Requirements


This procedure is written for Nginx on Ubuntu, but it applies to other Linux servers as well. For my own purpose, I had the following:
  • Ubuntu Server with Nginx installed
  • SSH Client to access the server
Also, to apply an SSL certificate to your server you must already own a domain and have access to its DNS records via your domain provider's control panel.

II. Procedure

1. Generate Server's Private Key and Certificate Signing Request (CSR)

To generate a private key and CSR, open an SSH session to your server and log in as a user with sudo rights (needed later to copy the files under /etc/nginx), then run the following command:


sudo openssl req -new -newkey rsa:2048 -nodes -keyout sudocode.key -out sudocode.crt


The above command creates two files: sudocode.key, the server's private key, and sudocode.crt, which despite the extension is the CSR, not a certificate. The -nodes option leaves the private key unencrypted so Nginx can read it on start-up without a passphrase; the file must therefore be protected by file permissions instead (readable by root only).

The command will ask you to provide the following information. Replace the values with your own. The Common Name must be the exact host name visitors will type: a certificate for sudocodesystems.com does not cover www.sudocodesystems.com unless the CA adds that name as well.

Country Name (2 letter code) [AU]:PH
State or Province Name (full name) [Some-State]:Rizal
Locality Name (eg, city) []:Antipolo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Happy Birthday Company
Organizational Unit Name (eg, section) []:R&D
Common Name (e.g. server FQDN or YOUR name) []:sudocodesystems.com
Email Address []:rmaranan@sudocodesystems.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

You may leave the challenge password and optional company name empty by pressing the Enter key; neither is needed for this procedure.

Create /etc/nginx/ssl if it does not exist, copy sudocode.crt and sudocode.key into it, and make sudocode.key readable by root only.

Warning: Keep a backup of your private key somewhere safe, and keep it secret: anyone who obtains it can impersonate your site. If the key is lost, the certificate the CA issued is useless, and you will have to generate a new key and CSR and go back to the CA for reissuance, which is at best inconvenient. The CSR, on the other hand, is only needed until the certificate is issued and can be regenerated from the key at any time.

2. Upload CSR to CA Provider

My CA Provider is Comodo. They provide a free trial SSL certificate valid for 90 days, not bad for a first timer with SSL certificates. Most CA providers offer only 30 to 60 days of free trial.

The CSR is the file generated in Step 1, /etc/nginx/ssl/sudocode.crt.
We need to paste its contents into the provider's request form.

On the terminal, display the contents of the CSR with the cat command:


cat /etc/nginx/ssl/sudocode.crt


The contents of the CSR should look like the following:


-----BEGIN CERTIFICATE REQUEST-----
MIIDUDCCArkCAQAwdTEWMBQGA1UEAxMNdGVzdC50ZXN0LmNvbTESMBAGA1UECxMJ
TWFya2V0aW5nMREwDwYDVQQKEwhUZXN0IE9yZzESMBAGA1UEBxMJVGVzdCBDaXR5
(more encoded data).......
Rq+blLr5X5iQdzyF1pLqP1Mck5Ve1eCz0R9/OekGSRno7ow4TVyxAF6J6ozDaw7e
GisfZw40VLT0/6IGvK2jX0i+t58RFQ8WYTOcTRlPnkG8B/uV
-----END CERTIFICATE REQUEST-----

Paste the CSR contents, including the BEGIN and END lines, into the Free SSL Certificate request form at Comodo.




3. Domain Validation


Domain Validation at Comodo can be done in several ways.


The easiest and most convenient for me is the CSR hash method, which is configured in the domain provider's control panel. My domain provider is EApps.

We add a CNAME record to the domain's DNS.

Comodo gives two hash values computed over the CSR: one MD5 and one SHA-1. The CNAME record should look like the following (copy both values exactly as Comodo shows them; the trailing dot after yourdomain.com is part of the record):

<Value of MD5 hash of CSR>.yourdomain.com. CNAME <value of SHA1 hash of CSR>.comodoca.com

DNS changes take time to propagate. Confirm the record resolves from outside your network before asking Comodo to validate, otherwise the check fails and has to be repeated.



4. Set-up SSL Certificate at Nginx

4.1. Create Certificate Bundle File

Comodo (or your own CA Provider) will send you the certificates you need to verify your server's identity. 

Here are the sample certificates sent by Comodo:

  • Root CA Certificate - AddTrustExternalCARoot.crt
  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  • Your Free SSL Certificate - sudocodesystems_com.crt
We need to create a certificate bundle by concatenating the given certs into one file, in the reverse of the order listed above: your own SSL certificate first, then the intermediate that signed it, then the next intermediate, and the Root CA certificate last. Nginx serves the first certificate in the file as the server certificate and sends the rest as the chain, so a wrong order breaks the site even though every file is valid. Including the root is harmless but not required, since clients must already trust it to validate the chain. We may use the cat command again for this.


cat sudocodesystems_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > /etc/nginx/ssl/sudocode.crt


Note that the redirection is performed by your own shell, not by sudo, so prefixing the command with sudo still fails with "permission denied" on /etc/nginx/ssl/sudocode.crt; run it from a root shell (sudo -i) or pipe the output to tee run under sudo. Also note that this overwrites the CSR saved there in Step 1, which is fine once the certificate has been issued.
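The following script is an added example and not code from the original post. It walks Step 1 (private key and CSR) and Step 4.1 (certificate bundle) end to end and adds the three checks worth running on the bundle before pointing Nginx at it. Because a real CA is not available offline, a throwaway root and intermediate CA are constructed inside the script as a stand-in for the AddTrust/COMODO chain; they are not needed on a real server. The FQDN, subject fields, file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Covers Step 1 (private key
# and CSR) and Step 4.1 (certificate bundle) end to end and adds the checks to
# run on the bundle before pointing nginx at it. A throwaway root and
# intermediate CA are constructed here so the whole flow runs offline; they
# stand in for the AddTrust/COMODO chain and are not needed on a real server.
# All paths, subjects and the FQDN are assumptions.
set -eu

FQDN=sudocodesystems.com
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: key and CSR in one non-interactive command; -subj replaces the
# prompts. The key must stay on this host; only the CSR goes to the CA.
# (The post names the CSR sudocode.crt; .csr is used here to tell it apart
# from the certificate that comes back.)
gen_csr() {  # gen_csr <dir> <fqdn>
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/server.key" -out "$1/server.csr" \
        -subj "/C=PH/ST=Rizal/L=Antipolo/O=Example Co/CN=$2" 2>/dev/null
    chmod 600 "$1/server.key"                   # -nodes left it unencrypted
    openssl req -in "$1/server.csr" -noout -verify >/dev/null 2>&1   # CSR self-signature ok?
}

# Constructed stand-in for the CA: a self-signed root that signs an
# intermediate, both marked CA:TRUE so openssl verify accepts them as issuers.
make_test_ca() {  # make_test_ca <dir>
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$1/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/root.key" \
        -out "$1/root.csr" -subj "/CN=Test Root CA" 2>/dev/null
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 3 \
        -extfile "$1/ca.ext" -out "$1/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/inter.key" \
        -out "$1/inter.csr" -subj "/CN=Test Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$1/inter.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -days 3 -extfile "$1/ca.ext" -out "$1/inter.crt" 2>/dev/null
}

# What the CA does with the uploaded CSR: sign it with the intermediate. The
# subjectAltName is what browsers match against the host name, not the CN.
issue_cert() {  # issue_cert <dir> <fqdn>
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" >"$1/leaf.ext"
    openssl x509 -req -in "$1/server.csr" -CA "$1/inter.crt" -CAkey "$1/inter.key" \
        -CAcreateserial -days 3 -extfile "$1/leaf.ext" -out "$1/server.crt" 2>/dev/null
}

# Step 4.1: server cert first, then intermediates (nearest the leaf first),
# root last. On the real box write it as
#   cat leaf.crt inter.crt root.crt | sudo tee /etc/nginx/ssl/sudocode.crt
# because the ">" in "sudo cat ... > file" is performed by your own shell.
make_bundle() {  # make_bundle <out> <cert>...
    out=$1; shift
    cat "$@" >"$out"
}

# Check 1: the first PEM block is the server certificate (nginx serves the
# first block as the leaf; a root-first bundle breaks every client).
leaf_first() {  # leaf_first <bundle> <fqdn>
    openssl x509 -in "$1" -noout -subject 2>/dev/null | grep -q -- "CN *= *$2"
}

# Check 2: the key named in ssl_certificate_key belongs to that leaf.
key_matches() {  # key_matches <key> <bundle>
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then return 0; else return 1; fi
}

# Check 3: a client holding only the root can build leaf -> intermediate -> root
# from what the bundle carries (-untrusted supplies the intermediates).
chain_ok() {  # chain_ok <bundle> <root>
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

gen_csr "$WORK" "$FQDN"
make_test_ca "$WORK"
issue_cert "$WORK" "$FQDN"
make_bundle "$WORK/bundle.crt" "$WORK/server.crt" "$WORK/inter.crt" "$WORK/root.crt"
make_bundle "$WORK/wrong.crt"  "$WORK/root.crt" "$WORK/inter.crt" "$WORK/server.crt"  # root first: wrong

for b in bundle wrong; do
    if leaf_first "$WORK/$b.crt" "$FQDN" && key_matches "$WORK/server.key" "$WORK/$b.crt" \
       && chain_ok "$WORK/$b.crt" "$WORK/root.crt"; then
        echo "$b.crt: OK"
    else
        echo "$b.crt: FAIL (check bundle order and key)"
    fi
done
```

On the real server, run only the three check functions against /etc/nginx/ssl/sudocode.crt and sudocode.key, with the CA's root file as the second argument of chain_ok. Note that the root-first bundle still passes chain_ok (OpenSSL happily verifies the root against itself), which is why the leaf-first and key-match checks are needed as well.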


4.2. Configure Nginx

Your Nginx server configuration may look like the following:

server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        root /usr/share/nginx/html;
        index index.html index.htm;

        server_name your_domain.com;

        location / {
                try_files $uri $uri/ =404;
        }
}
After applying SSL, it should look like the following:

server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        listen 443 ssl;

        root /usr/share/nginx/html;
        index index.html index.htm;

        server_name sudocodesystems.com;
        ssl_certificate /etc/nginx/ssl/sudocode.crt;
        ssl_certificate_key /etc/nginx/ssl/sudocode.key;

        location / {
                try_files $uri $uri/ =404;
        }
}
Notice the following: listen 443 ssl, ssl_certificate and ssl_certificate_key were added, and server_name was changed to the name in the certificate's Common Name (a mismatch makes browsers warn even with a valid certificate). The site is still served over plain HTTP on port 80 as well; nothing here redirects visitors to HTTPS.

listen 443 ssl;
server_name sudocodesystems.com;
ssl_certificate /etc/nginx/ssl/sudocode.crt;
ssl_certificate_key /etc/nginx/ssl/sudocode.key;


When the configuration is done, check it for syntax errors, restart Nginx, and open https://yourdomain in your favorite browser. The padlock should appear with no warnings; a warning about an unknown issuer usually means the intermediate certificates are missing from the bundle or the bundle is in the wrong order.
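The script below is an added example, not code from the original post. It generates a site configuration for the certificate installed above, checks and reloads Nginx, and verifies from the outside which chain the server actually sends. The bundle and key paths are the post's; the configuration file path, the port 80 redirect, the IPv6 443 listener, the protocol list, the HSTS header and the function names are my additions and assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates an Nginx site
# config for the certificate installed above, checks it, reloads Nginx, and
# verifies from outside what chain the server actually sends. The bundle and
# key paths are the post's; the config path, the redirect, the IPv6 443
# listener, the protocol list and the HSTS header are my additions.
set -eu

# Print the site config for <fqdn> on stdout. Unlike the post's config, port
# 80 only redirects to HTTPS (otherwise visitors keep using plain HTTP), 443 is
# bound on IPv6 too, and SSLv3/TLS 1.0/1.1 are disabled. Remove TLSv1.3 on
# Nginx older than 1.13 or OpenSSL older than 1.1.1, where nginx -t rejects it.
site_config() {  # site_config <fqdn> <cert-bundle> <key>
    cat <<EOF
server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;
        server_name $1;
        return 301 https://\$host\$request_uri;
}

server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name $1;

        ssl_certificate $2;
        ssl_certificate_key $3;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        add_header Strict-Transport-Security "max-age=31536000";

        root /usr/share/nginx/html;
        index index.html index.htm;

        location / {
                try_files \$uri \$uri/ =404;
        }
}
EOF
}

# Write the config as root and refuse to reload if nginx -t rejects it.
install_site() {  # install_site <fqdn> <conf-path>
    site_config "$1" /etc/nginx/ssl/sudocode.crt /etc/nginx/ssl/sudocode.key \
        | sudo tee "$2" >/dev/null
    sudo nginx -t && sudo service nginx reload
}

# From any machine: show the chain the server sends and OpenSSL's verdict.
# -servername sends SNI, so the right certificate comes back when several
# sites share one IP address.
show_served_chain() {  # show_served_chain <fqdn>
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -E '^( [0-9]+ s:|   i:|Verify return code)'
}

# Run stand-alone: print the config for the host name given as $1.
site_config "${1:-sudocodesystems.com}" /etc/nginx/ssl/sudocode.crt /etc/nginx/ssl/sudocode.key
```

In the output of show_served_chain, entry 0 must be your own host name and each "i:" line must name the next certificate in the bundle; a "Verify return code: 21 (unable to verify the first certificate)" means the intermediate is missing or the bundle is in the wrong order.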