10ninox/_posts/2014-02-12-ssl-nginx.markdown

---
layout: post
status: publish
published: true
title: SSL with Nginx
author:
  display_name: sipp11
  login: sipp11
  email: sipp11@gmail.com
  url: ''
author_login: sipp11
author_email: sipp11@gmail.com
wordpress_id: 908
wordpress_url: http://blog.10ninox.com/?p=908
date: '2014-02-12 07:08:24 +0700'
date_gmt: '2014-02-12 00:08:24 +0700'
categories:
- linux
- server
tags:
- ssl
---
`https` is pretty much preferred protocol over bare <code>http</code> nowadays and it gets very affordable for basic one sub-domain which you can get as low as $9 a year. However, how to get and use one sometimes pretty much overkill although it is rather simple. Yeah, I keep forgetting since I don't really have to do that frequent.

Depending on where you purchase SSL certificate, I pick namecheap. I don't have any reason for it, but they are as reliable as it could be. GoDaddy, to me, is okay--they tend to have lower renewal cost for domain too. Back to SSL certificate, you need to generate a CSR (Certificate Signing Request) to ask for SSL. I'm using openSSL.

    # openssl req -nodes -newkey rsa:2048 -keyout mywhatever.key -out whatever.csr

A series of question will be asked:

    Country Name (2 letter code) [AU]: US
    State or Province Name (full name) [Some-State]: NH
    Locality Name (eg, city) []: Atkinson
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: 10ninox Ltd
    Organizational Unit Name (eg, section) []: 
    Common Name (eg, YOUR name) []: 10ninox.com
    Email Address []:

    A challenge password []: 
    An optional company name []:


Some fields can be left blank, but you pretty much like to answer all for your own credential. The thing is you <strong>should leave challenge password empty</strong>, otherwise, you will have to type that every time your Nginx reload or restart. Then you get 2 file <code>mywhatever.key</code> and <code>whatever.csr</code>

Back to namecheap, issue your SSL, then paste content of <code>whatever.csr</code> to the form. Wait for a verification step via email. Then you would get <code>your_site.zip</code> with following mails. The whole process should take less than 10-15 minutes as far as my experience goes.

Now you have to extract <code>your_site.zip</code> which contains several files something like 

* 10ninox_com.crt
* PositiveSSLCA2.crt
* AddTrustExternalCARoot.crt

Merge those files into one, <code>10ninox-ssl-bundle.csr</code> or whatever name you want.

    $ cat 10ninox_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > 10ninox-ssl-bundle.csr

Then copy the bundle file and <code>mywhatever.key</code> we got earlier to a directory in your server; location is up to you. There is no restricted whatsoever. The last process is to setup Nginx to know where SSL certificate is in Nginx virtualhost file (likely to be <code>/etc/nginx/sites-available/10ninox.com</code> for Debian)

This is an example how to configure one:

    server {
        listen 443;

        ssl on;
        ssl_certificate /opt/projects/10ninox/ssl/10ninox-ssl-bundle.csr;
        ssl_certificate_key /opt/projects/10ninox/ssl/mywhatever.key;
        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;

        server_name 10ninox.com;
    }

optional lines:

* <code>ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;</code> _means disables all weak ciphers_
* <code>ssl_protocols SSLv3 TLSv1;</code> _means enables SSLv3/TLSv1, but not SSLv2 which is weak and should no longer be used._

It's better to test it first with

    # service nginx configtest

If pass,

    # service nginx restart

=)