Install SSL certificate for Nginx

Recently I bought an SSL certificate for this blog from MegaSSLStore. My website is hosted on a FreeBSD machine and served by the Nginx web server. To install the certificate on this machine, I downloaded the certificate and the CSR + private key from MegaSSLStore and copied them to the server into /usr/local/etc/nginx/ssl

# scp -P22 *

root@RTU001 /usr/local/etc/nginx/ssl # ls -lh
total 32
-r-------- 1 root wheel 5.5K Dec 14 11:39
-r-------- 1 root wheel 1.9K Dec 14 11:39
-r-------- 1 root wheel 1.1K Dec 14 11:39
-r-------- 1 root wheel 1.7K Dec 14 11:39

Because I have a .crt certificate and also a ca-bundle, I need to combine these two files into one certificate:

cd /usr/local/etc/nginx/ssl
cat >

After this, I changed the nginx website configuration file in order to redirect all traffic arriving over http (port 80) to https (port 443).

In my website's .conf file, I added a new server section that redirects all traffic arriving on port 80 to https, using the HTTP response code 301 (Moved Permanently). In the old server section I removed the “listen 80” directive and added “listen 443 ssl”.

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    # ...
}

The next step is to add the certificates to the configuration file, again in the nginx configuration of the website:

server {
    listen 443 ssl;

    ssl_certificate /usr/local/etc/nginx/ssl/;
    ssl_certificate_key /usr/local/etc/nginx/ssl/;
    # ...
}

If you use the default nginx config file, you will probably have a line like:

ssl_protocols SSLv2 SSLv3 TLSv1;

I replaced this line with:

ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;  # don't use SSLv3 ref: POODLE

in order to avoid vulnerabilities in old versions of SSL. I also removed the old ‘ssl_ciphers’ line, which contained some weak ciphers, and replaced it with:


After this, I reloaded the nginx configuration with:

service nginx reload
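The two manual steps above, combining the .crt with the ca-bundle and reloading nginx, are where most installs go wrong: the bundle ends up in front of the server certificate, the key does not belong to the certificate, or a typo in the config takes the site down on reload. The script below is an added example, not code from the original post; all file names (site.crt, site.ca-bundle, site.key, site.chained.crt) are assumptions, since the post does not show them. It puts the site certificate first, checks that order, checks that the private key matches the certificate, and only reloads nginx after nginx -t passes.

```shell
#!/bin/sh
# Added example, not code from the original post: assemble the combined
# certificate nginx needs, check that the private key belongs to it, and
# reload nginx only after the configuration test passes.
# All file names are assumptions; the post does not show them.
set -eu

SSL_DIR=${SSL_DIR:-/usr/local/etc/nginx/ssl}
SITE_CRT=${SITE_CRT:-$SSL_DIR/site.crt}             # assumed name
CA_BUNDLE=${CA_BUNDLE:-$SSL_DIR/site.ca-bundle}     # assumed name
SITE_KEY=${SITE_KEY:-$SSL_DIR/site.key}             # assumed name
CHAINED=${CHAINED:-$SSL_DIR/site.chained.crt}       # assumed name

# nginx's ssl_certificate file must start with the server certificate and
# continue with the intermediates, so the site .crt goes first and the
# ca-bundle second. Swapping them is the classic cause of chain errors.
build_chain() {
    cat "$1" "$2" > "$3"
    chmod 0400 "$3"
}

# Number of PEM certificate blocks in a file (site cert + each CA cert).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print only the first PEM block of a file.
first_block() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print} /-----END CERTIFICATE-----/ {exit}' "$1"
}

# Succeeds when the first block of the combined file is the site certificate.
first_cert_matches() {
    [ "$(cat "$1")" = "$(first_block "$2")" ]
}

# Succeeds when the public key in the certificate equals the one derived
# from the private key (openssl reads the first certificate of the file).
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
    [ "$crt_pub" = "$key_pub" ]
}

main() {
    build_chain "$SITE_CRT" "$CA_BUNDLE" "$CHAINED"
    first_cert_matches "$SITE_CRT" "$CHAINED" || { echo "chain order wrong" >&2; exit 1; }
    key_matches_cert "$CHAINED" "$SITE_KEY" || { echo "key does not match certificate" >&2; exit 1; }
    echo "combined certificate has $(count_certs "$CHAINED") PEM blocks"
    # Test the configuration first, so a typo cannot take the site down.
    nginx -t && service nginx reload
}

# Run the full procedure only when invoked as: sh install-cert.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as root on the FreeBSD host with `sh install-cert.sh run`, overriding SSL_DIR or the file-name variables in the environment if your files are named differently. The chain-order and key checks are pure shell plus openssl, so they can also be run on a workstation before the files are copied to the server.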

In my case, I was using a CDN to deliver some assets (js, css files or images), but because it was served over http I disabled it, so as not to have mixed content on the same page, until I add the certificates to the CDN subdomain as well.
