---
layout: post
status: publish
published: true
title: SSL with Nginx
author:
display_name: sipp11
login: sipp11
email: sipp11@gmail.com
url: ''
author_login: sipp11
author_email: sipp11@gmail.com
wordpress_id: 908
wordpress_url: http://blog.10ninox.com/?p=908
date: '2014-02-12 07:08:24 +0700'
date_gmt: '2014-02-12 00:08:24 +0700'
categories:
- linux
- server
tags:
- ssl
---
<p><code>https</code> is pretty much the preferred protocol over bare <code>http</code> nowadays, and it has become very affordable: a basic certificate for one sub-domain can be had for as low as $9 a year. However, getting and installing one sometimes feels like overkill, although it is rather simple. Yeah, I keep forgetting how, since I don't have to do it that often.</p>
<p>It depends on where you purchase the SSL certificate; I pick namecheap. I don't have any particular reason for it, but they are as reliable as it gets. GoDaddy, to me, is okay too; they tend to have a lower renewal cost for domains. Back to the SSL certificate: you need to generate a CSR (Certificate Signing Request) to request one. I'm using OpenSSL.</p>
<pre># openssl req -nodes -newkey rsa:2048 -keyout mywhatever.key -out whatever.csr</pre>
<p>A series of questions will be asked:</p>
<pre>Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: NH
Locality Name (eg, city) []: Atkinson
Organization Name (eg, company) [Internet Widgits Pty Ltd]: 10ninox Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: 10ninox.com
Email Address []:
A challenge password []:
An optional company name []:
</pre>
<p>Some fields can be left blank, but you will probably want to answer all of them for your own credentials. The thing is, you <strong>should leave the challenge password empty</strong>; otherwise you will have to type it every time Nginx reloads or restarts. You then have two files, <code>mywhatever.key</code> and <code>whatever.csr</code>.</p>
<p>Back at namecheap, issue your SSL certificate and paste the content of <code>whatever.csr</code> into the form. Wait for the verification step via email. You will then get <code>your_site.zip</code> in the following emails. The whole process should take less than 10-15 minutes, as far as my experience goes.</p>
<p>Now extract <code>your_site.zip</code>, which contains several files, something like:</p>
<ul>
<li>10ninox_com.crt</li>
<li>PositiveSSLCA2.crt</li>
<li>AddTrustExternalCARoot.crt</li>
</ul>
<p>Merge those files into one, in the order shown below, as <code>10ninox-ssl-bundle.csr</code> or whatever name you want:</p>
<pre>$ cat 10ninox_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > 10ninox-ssl-bundle.csr</pre>
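<p>Before copying anything to the server, it is worth sanity-checking the key and the bundle, since a mismatched key, a bundle in the wrong order, or two <code>.crt</code> files glued onto one line by a missing trailing newline are the usual reasons Nginx refuses to start. The script below is an added example, not code from the original post: it counts the certificates in the bundle, checks that every BEGIN/END marker sits on its own line, confirms the key was written unencrypted (the effect of <code>-nodes</code> in the <code>openssl req</code> command above, which is what spares Nginx a passphrase prompt), compares the key's public half with the first certificate, and verifies that each certificate in the bundle is issued by the one after it. The file names <code>mywhatever.key</code> and <code>10ninox-ssl-bundle.csr</code> are the ones from the post; the function names are my own, and <code>openssl</code> is assumed to be installed.</p>

```sh
#!/bin/sh
# Added example (not from the original post): pre-deployment checks for the private key and
# the concatenated certificate bundle before Nginx is pointed at them. Assumes openssl is on PATH.

# Number of PEM certificate blocks in the bundle (leaf + intermediate(s) [+ root]).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Concatenating .crt files that lack a trailing newline glues "-----END CERTIFICATE-----"
# and the next "-----BEGIN CERTIFICATE-----" onto one line, which Nginx rejects.
markers_on_own_lines() {
    ! grep -q -- '-----END CERTIFICATE-----.' "$1"
}

# A key written with "openssl req -nodes" carries no encryption header; an encrypted key
# would make Nginx prompt for the passphrase on every restart.
key_is_unencrypted() {
    ! grep -q -e 'ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# The private key must belong to the first certificate in the bundle ("openssl x509" reads
# only the first block): compare the public key inside the cert with the key's own public half.
key_matches_cert() {   # key_matches_cert KEY BUNDLE
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Nginx wants the server certificate first, followed by the certificate that issued it, and so
# on: split the bundle and check that each certificate's issuer equals the next one's subject.
chain_in_order() {     # chain_in_order BUNDLE
    n=$(count_certs "$1")
    [ "$n" -ge 1 ] || return 1
    dir=$(mktemp -d) || return 1
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (dir "/" n ".pem") }' dir="$dir" "$1"
    i=1
    rc=0
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
        subject=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject 2>/dev/null | sed 's/^subject=//')
        if [ -z "$issuer" ] || [ "$issuer" != "$subject" ]; then
            rc=1
            break
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# Run every check; exit status 0 means the pair is ready for ssl_certificate / ssl_certificate_key.
check_all() {          # check_all KEY BUNDLE
    key=$1
    bundle=$2
    echo "certificates in bundle: $(count_certs "$bundle")"
    markers_on_own_lines "$bundle"    || { echo "FAIL: BEGIN/END markers share a line (missing newline between files)"; return 1; }
    key_is_unencrypted "$key"         || { echo "FAIL: key is passphrase-protected; Nginx would prompt on every restart"; return 1; }
    key_matches_cert "$key" "$bundle" || { echo "FAIL: key does not match the first certificate in the bundle"; return 1; }
    chain_in_order "$bundle"          || { echo "FAIL: bundle is not in leaf, intermediate, root order"; return 1; }
    echo "OK: key and bundle are consistent"
}

# Usage: sh check_bundle.sh mywhatever.key 10ninox-ssl-bundle.csr
if [ "$#" -eq 2 ]; then
    check_all "$1" "$2"
fi
```

<p>A non-zero exit status names the first failing check, so the script can sit in a deployment pipeline ahead of <code>nginx -t</code>. The chain check deliberately compares issuer and subject text rather than running <code>openssl verify</code>, because what Nginx cares about is the order of the blocks in the file, not whether the root happens to be in the local trust store.</p>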
<p>Then copy the bundle file and the <code>mywhatever.key</code> we got earlier to a directory on your server; the location is up to you, there is no restriction whatsoever. The last step is to tell Nginx where the SSL certificate is, in the Nginx virtual host file (likely <code>/etc/nginx/sites-available/10ninox.com</code> on Debian).</p>
<p>This is an example of how to configure one:</p>
<pre>
server {
    listen 443;
    ssl on;   # older directive, deprecated in newer Nginx in favour of "listen 443 ssl;"
    ssl_certificate /opt/projects/10ninox/ssl/10ninox-ssl-bundle.csr;   # leaf + intermediate + root, in that order
    ssl_certificate_key /opt/projects/10ninox/ssl/mywhatever.key;       # unencrypted key from "openssl req -nodes"
    # Settings as of 2014: SSLv3 and RC4 have since been broken and deprecated; current
    # deployments allow only TLSv1.2/TLSv1.3 and leave RC4 out of the cipher list.
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
    server_name 10ninox.com;
}
</pre>
<p>Optional lines:</p>
<ul>
<li><code>ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;</code> <em>disables all weak ciphers</em></li>
<li><code>ssl_protocols SSLv3 TLSv1;</code> <em>enables SSLv3/TLSv1, but not SSLv2, which is weak and should no longer be used.</em></li>
</ul>
<p>It's better to test the configuration first with</p>
<pre># service nginx configtest</pre>
<p>If it passes,</p>
<pre># service nginx restart</pre>
<p>=)</p>