10ninox/_posts/2014-02-12-ssl-nginx.markdown

---
layout: post
status: publish
published: true
title: SSL with Nginx
author:
  display_name: sipp11
  login: sipp11
  email: sipp11@gmail.com
  url: ''
author_login: sipp11
author_email: sipp11@gmail.com
wordpress_id: 908
wordpress_url: http://blog.10ninox.com/?p=908
date: '2014-02-12 07:08:24 +0700'
date_gmt: '2014-02-12 00:08:24 +0700'
categories:
- linux
- server
tags:
- ssl
---
`https` is pretty much preferred protocol over bare <code>http</code> nowadays and it gets very affordable for basic one sub-domain which you can get as low as $9 a year. However, how to get and use one sometimes pretty much overkill although it is rather simple. Yeah, I keep forgetting since I don't really have to do that frequent.

Depending on where you purchase SSL certificate, I pick namecheap. I don't have any reason for it, but they are as reliable as it could be. GoDaddy, to me, is okay--they tend to have lower renewal cost for domain too. Back to SSL certificate, you need to generate a CSR (Certificate Signing Request) to ask for SSL. I'm using openSSL.

  # openssl req -nodes -newkey rsa:2048 -keyout mywhatever.key -out whatever.csr

A series of question will be asked:

  Country Name (2 letter code) [AU]: US
  State or Province Name (full name) [Some-State]: NH
  Locality Name (eg, city) []: Atkinson
  Organization Name (eg, company) [Internet Widgits Pty Ltd]: 10ninox Ltd
  Organizational Unit Name (eg, section) []: 
  Common Name (eg, YOUR name) []: 10ninox.com
  Email Address []:

  A challenge password []: 
  An optional company name []:


Some fields can be left blank, but you pretty much like to answer all for your own credential. The thing is you <strong>should leave challenge password empty</strong>, otherwise, you will have to type that every time your Nginx reload or restart. Then you get 2 file <code>mywhatever.key</code> and <code>whatever.csr</code>

Back to namecheap, issue your SSL, then paste content of <code>whatever.csr</code> to the form. Wait for a verification step via email. Then you would get <code>your_site.zip</code> with following mails. The whole process should take less than 10-15 minutes as far as my experience goes.

Now you have to extract <code>your_site.zip</code> which contains several files something like 

* 10ninox_com.crt
* PositiveSSLCA2.crt
* AddTrustExternalCARoot.crt

Merge those files into one, <code>10ninox-ssl-bundle.csr</code> or whatever name you want.

  $ cat 10ninox_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > 10ninox-ssl-bundle.csr

Then copy the bundle file and <code>mywhatever.key</code> we got earlier to a directory in your server; location is up to you. There is no restricted whatsoever. The last process is to setup Nginx to know where SSL certificate is in Nginx virtualhost file (likely to be <code>/etc/nginx/sites-available/10ninox.com</code> for Debian)

This is an example how to configure one:

  server {
      listen 443;

      ssl on;
      ssl_certificate /opt/projects/10ninox/ssl/10ninox-ssl-bundle.csr;
      ssl_certificate_key /opt/projects/10ninox/ssl/mywhatever.key;
      ssl_protocols SSLv3 TLSv1;
      ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;

      server_name 10ninox.com;
  }

optional lines:

* <code>ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;</code> _means disables all weak ciphers_
* <code>ssl_protocols SSLv3 TLSv1;</code> _means enables SSLv3/TLSv1, but not SSLv2 which is weak and should no longer be used._

It's better to test it first with

  # service nginx configtest

If pass,

  # service nginx restart

=)
init migration 10 years ago			`---`
			`layout: post`
			`status: publish`
			`published: true`
			`title: SSL with Nginx`
			`author:`
			`display_name: sipp11`
			`login: sipp11`
			`email: sipp11@gmail.com`
			`url: ''`
			`author_login: sipp11`
			`author_email: sipp11@gmail.com`
			`wordpress_id: 908`
			`wordpress_url: http://blog.10ninox.com/?p=908`
			`date: '2014-02-12 07:08:24 +0700'`
			`date_gmt: '2014-02-12 00:08:24 +0700'`
			`categories:`
			`- linux`
			`- server`
			`tags:`
			`- ssl`
			`---`
style edit 10 years ago			`https` is pretty much preferred protocol over bare <code>http</code> nowadays and it gets very affordable for basic one sub-domain which you can get as low as $9 a year. However, how to get and use one sometimes pretty much overkill although it is rather simple. Yeah, I keep forgetting since I don't really have to do that frequent.

			`Depending on where you purchase SSL certificate, I pick namecheap. I don't have any reason for it, but they are as reliable as it could be. GoDaddy, to me, is okay--they tend to have lower renewal cost for domain too. Back to SSL certificate, you need to generate a CSR (Certificate Signing Request) to ask for SSL. I'm using openSSL.`

			`# openssl req -nodes -newkey rsa:2048 -keyout mywhatever.key -out whatever.csr`

			`A series of question will be asked:`

			`Country Name (2 letter code) [AU]: US`
			`State or Province Name (full name) [Some-State]: NH`
			`Locality Name (eg, city) []: Atkinson`
			`Organization Name (eg, company) [Internet Widgits Pty Ltd]: 10ninox Ltd`
			`Organizational Unit Name (eg, section) []:`
			`Common Name (eg, YOUR name) []: 10ninox.com`
			`Email Address []:`

			`A challenge password []:`
			`An optional company name []:`


			`Some fields can be left blank, but you pretty much like to answer all for your own credential. The thing is you <strong>should leave challenge password empty</strong>, otherwise, you will have to type that every time your Nginx reload or restart. Then you get 2 file <code>mywhatever.key</code> and <code>whatever.csr</code>`

			`Back to namecheap, issue your SSL, then paste content of <code>whatever.csr</code> to the form. Wait for a verification step via email. Then you would get <code>your_site.zip</code> with following mails. The whole process should take less than 10-15 minutes as far as my experience goes.`

			`Now you have to extract <code>your_site.zip</code> which contains several files something like`

			`* 10ninox_com.crt`
			`* PositiveSSLCA2.crt`
			`* AddTrustExternalCARoot.crt`

			`Merge those files into one, <code>10ninox-ssl-bundle.csr</code> or whatever name you want.`

			`$ cat 10ninox_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > 10ninox-ssl-bundle.csr`

			`Then copy the bundle file and <code>mywhatever.key</code> we got earlier to a directory in your server; location is up to you. There is no restricted whatsoever. The last process is to setup Nginx to know where SSL certificate is in Nginx virtualhost file (likely to be <code>/etc/nginx/sites-available/10ninox.com</code> for Debian)`

			`This is an example how to configure one:`

			`server {`
			`listen 443;`

			`ssl on;`
			`ssl_certificate /opt/projects/10ninox/ssl/10ninox-ssl-bundle.csr;`
			`ssl_certificate_key /opt/projects/10ninox/ssl/mywhatever.key;`
			`ssl_protocols SSLv3 TLSv1;`
			`ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;`

			`server_name 10ninox.com;`
			`}`

			`optional lines:`

			`* <code>ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;</code> _means disables all weak ciphers_`
			`* <code>ssl_protocols SSLv3 TLSv1;</code> _means enables SSLv3/TLSv1, but not SSLv2 which is weak and should no longer be used._`

			`It's better to test it first with`

			`# service nginx configtest`

			`If pass,`

			`# service nginx restart`

			`=)`