Install SSL certificate for Nginx

Recently I bought an SSL certificate for this blog from MegaSSLStore. My website is hosted on a FreeBSD machine and served by the Nginx web server. To install the certificate on this machine, I downloaded the certificate, the CSR and the private key from MegaSSLStore and copied them to the server into /usr/local/etc/nginx/ssl. (A private key that was generated by, and downloaded from, a third party has existed outside your control; the safer workflow is to generate the key and CSR on the server with openssl and upload only the CSR.)

# scp -P22 * root@razvantudorica.com:/usr/local/etc/nginx/ssl

root@RTU001 /usr/local/etc/nginx/ssl # ls -lh
total 32
-r-------- 1 root wheel 5.5K Dec 14 11:39 razvantudorica.com.ca-bundle
-r-------- 1 root wheel 1.9K Dec 14 11:39 razvantudorica.com.crt
-r-------- 1 root wheel 1.1K Dec 14 11:39 razvantudorica.com.csr
-r-------- 1 root wheel 1.7K Dec 14 11:39 razvantudorica.com.key

Because I have both a .crt certificate and a ca-bundle (the intermediate CA certificates), I need to combine the two files into one certificate. The order matters: nginx expects the server certificate first, followed by the CA chain:

cd /usr/local/etc/nginx/ssl
cat razvantudorica.com.crt razvantudorica.com.ca-bundle > razvantudorica.com-bundle.crt
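Before pointing nginx at the combined file it is worth checking three things: that the first certificate in the bundle is the site certificate (not the CA), that the private key actually belongs to that certificate, and that the certificate verifies against the ca-bundle you are about to ship. The script below is an added example, not part of the original post: it generates a throwaway CA, server key and certificate under a temporary directory so it runs offline, then applies the same checks that would be run on razvantudorica.com.crt, razvantudorica.com.ca-bundle and razvantudorica.com.key in /usr/local/etc/nginx/ssl (those paths, and the "Toy Root CA" / "example.test" names, are assumptions made for the example).

```shell
#!/bin/sh
# Added example, not part of the original post: build the combined certificate
# in the order nginx expects (server certificate first, then the CA chain) and
# check that the private key belongs to that certificate and that the chain
# validates, before touching nginx. A throwaway CA, server key and certificate
# are generated under $WORK so the script runs offline; the real inputs would
# be razvantudorica.com.crt, razvantudorica.com.ca-bundle and
# razvantudorica.com.key in /usr/local/etc/nginx/ssl (assumed paths).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed fixtures: a toy root CA, a server key + CSR, a leaf certificate
# signed by the CA, and an unrelated key to show the mismatch check firing.
make_fixtures() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = overridden-by-subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
        -config "$WORK/openssl.cnf" -subj "/CN=Toy Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca-bundle" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/openssl.cnf" -subj "/CN=example.test" \
        -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/site.csr" -sha256 -days 1 \
        -CA "$WORK/ca-bundle" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/site.crt" 2>/dev/null
    openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
}

# bundle_cert LEAF CHAIN OUT: nginx's ssl_certificate wants the server
# certificate first, followed by the intermediates/root in issuing order.
bundle_cert() {
    cat "$1" "$2" > "$3"
}

# first_subject FILE: subject of the first certificate in FILE; for the
# bundle this must be the site, not the CA, or nginx serves the wrong cert.
first_subject() {
    openssl x509 -in "$1" -noout -subject
}

# pubkey_fingerprint FILE: SHA-256 of the DER public key, whether FILE is a
# certificate or a private key, so the two can be compared directly.
pubkey_fingerprint() {
    pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
          || openssl pkey -in "$1" -pubout)
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert KEY CERT: succeeds only if both carry the same public key.
key_matches_cert() {
    [ "$(pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

# chain_ok CHAIN LEAF: verify LEAF against the CA chain we are about to ship,
# and only against it (-no-CApath), so the system trust store cannot mask a
# broken or incomplete bundle.
chain_ok() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

make_fixtures
bundle_cert "$WORK/site.crt" "$WORK/ca-bundle" "$WORK/site-bundle.crt"
echo "bundle starts with: $(first_subject "$WORK/site-bundle.crt")"
key_matches_cert "$WORK/site.key" "$WORK/site-bundle.crt" && echo "key matches certificate"
key_matches_cert "$WORK/other.key" "$WORK/site-bundle.crt" || echo "unrelated key rejected"
chain_ok "$WORK/ca-bundle" "$WORK/site.crt" && echo "chain verifies against ca-bundle"
```

The key check compares public-key fingerprints rather than RSA moduli, so it works the same for ECDSA keys. `-no-CApath` is deliberate: without it, openssl would also consult the system trust store, and a bundle that is missing an intermediate can look fine on the server while failing in browsers that do not have that intermediate cached.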

After this, I changed the nginx website configuration file to redirect all traffic arriving on http (port 80) to https (port 443).

In my website .conf file, I added a new server section that redirects all traffic arriving on port 80 to https with the HTTP response code 301 (Moved Permanently). In the old server section I removed the "listen 80" directive and added "listen 443 ssl".

server {
    server_name razvantudorica.com www.razvantudorica.com;
    listen         80;
    return 301 https://$host$request_uri;
}

server {
    server_name razvantudorica.com www.razvantudorica.com;
    listen 443 ssl;
# ...

The next step is to add the certificates into the configuration file. So, again in the nginx configuration of the website:

server {
 server_name razvantudorica.com www.razvantudorica.com;
 listen 443 ssl;

 ssl_certificate /usr/local/etc/nginx/ssl/razvantudorica.com-bundle.crt;
 ssl_certificate_key /usr/local/etc/nginx/ssl/razvantudorica.com.key;
# ...

If you use the default nginx config file, you will probably have a line like:

ssl_protocols SSLv2 SSLv3 TLSv1;

I replaced this line with:

ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;  # don't use SSLv3 ref: POODLE

to avoid the known weaknesses of the old SSL versions. I also removed the old 'ssl_ciphers' line, which contained weak ciphers, and replaced it with:

ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
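The difference between the stock line and the hardened one is easy to get wrong by eye (a "!RC4" exclusion contains the string RC4, and a comment may mention SSLv3), so a small lint that parses the two directives is useful before every reload. The script below is an added example, not from the original post: the two config fragments are constructed here to mirror the "before" and "after" settings above, and the list of weak tokens is an assumption limited to what the post itself rules out (SSLv2/SSLv3, RC4, MD5, EXPORT and NULL ciphers).

```shell
#!/bin/sh
# Added example, not from the original post: a pre-reload lint for the
# ssl_protocols / ssl_ciphers directives. The two fragments below are
# constructed inputs; the weak-token patterns are an assumption covering only
# what the post rules out (SSLv2/SSLv3, RC4, MD5, EXPORT, NULL ciphers).
set -eu

# Constructed input: the stock settings the post starts from ...
WEAK_CONF='server {
    listen 443 ssl;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
}'

# ... and the hardened settings from the post (cipher list abbreviated).
GOOD_CONF='server {
    listen 443 ssl;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;  # do not use SSLv3 ref: POODLE
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
}'

# directive_value DIRECTIVE: print the directive's arguments from stdin with
# any '#' comment, the trailing ';' and surrounding quotes stripped.
directive_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" \
      | sed 's/#.*//; s/;[[:space:]]*$//; s/"//g'
}

# weak_protocols CONF_TEXT: print any SSLv2/SSLv3 token in ssl_protocols.
weak_protocols() {
    printf '%s\n' "$1" | directive_value ssl_protocols \
      | tr -s '[:space:]' '\n' | grep -E '^SSLv[23]$' || true
}

# weak_ciphers CONF_TEXT: print positively enabled cipher tokens matching a
# weak pattern; '!'-prefixed exclusions such as !RC4 are skipped on purpose.
weak_ciphers() {
    printf '%s\n' "$1" | directive_value ssl_ciphers | tr ':' '\n' \
      | grep -v '^!' | grep -E 'RC4|MD5|EXP|NULL|^LOW$' || true
}

# lint_ssl_conf CONF_TEXT: return 0 if clean, 1 if anything weak is enabled.
lint_ssl_conf() {
    p=$(weak_protocols "$1")
    c=$(weak_ciphers "$1")
    if [ -n "$p" ] || [ -n "$c" ]; then
        echo "weak protocols: ${p:-none}; weak ciphers: ${c:-none}" | tr '\n' ' '
        echo
        return 1
    fi
    echo "ssl_protocols/ssl_ciphers look clean"
}

lint_ssl_conf "$WEAK_CONF" || echo "stock config rejected"
lint_ssl_conf "$GOOD_CONF"
```

The lint only inspects directives that are present; if ssl_protocols or ssl_ciphers is omitted, nginx falls back to its compiled-in defaults, which this check does not see. Run `nginx -t` as well before `service nginx reload`, since a syntax error in the edited file would otherwise leave the old configuration running.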

After this I reloaded the nginx config file with:

service nginx reload

In my case, I was using a CDN to deliver some assets (js, css files and images), but because it was served over http I disabled it, to avoid mixed content on the page, until I add certificates to the CDN subdomain as well.
