Skip to content

Instantly share code, notes, and snippets.

@drparham

drparham/install-comodo-ssl-cert-for-nginx.rst

Forked from bradmontgomery/install-comodo-ssl-cert-for-nginx.rst
Last active November 12, 2015 22:09
Show Gist options
  • Save drparham/9151ec86588496e287fa to your computer and use it in GitHub Desktop.
Save drparham/9151ec86588496e287fa to your computer and use it in GitHub Desktop.
Download ZIP
Raw
install-comodo-ssl-cert-for-nginx.rst

Setting up a SSL Cert from Comodo

I use Namecheap.com as a registrar, and they resale SSL Certs from a number of other companies, including Comodo.

These are the steps I went through to set up an SSL cert.

Purchase the cert

Prior to purchasing a cert, you need to generate a private key, and a CSR file (Certificate Signing Request). You'll be asked for the content of the CSR file when ordering the certificate.

openssl req -new -newkey rsa:2048 -nodes -keyout example_com.key -out example_com.csr

This gives you two files:

  • example_com.key -- your Private key. You'll need this later to configure ngxinx.
  • example_com.csr -- Your CSR file.

Now, purchase the certificate [1], follow the steps on their site, and you should soon get an email with your PositiveSSL Certificate. It contains a zip file with the following:

  • Root CA Certificate - AddTrustExternalCARoot.crt
  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  • Your PositiveSSL Certificate - www_example_com.crt (or the subdomain you gave them)

Install the Commodo SSL cert

Combine everything for nginx [2]:

  1. Combine the above crt files into a bundle (the order matters, here):

    cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

  2. Store the bundle wherever nginx expects to find it:

    mkdir -p /etc/nginx/ssl/example_com/
mv ssl-bundle.crt /etc/nginx/ssl/example_com/

  3. Ensure your private key is somewhere nginx can read it, as well.:

    mv example_com.key /etc/nginx/ssl/example_com/

  4. Make sure your nginx config points to the right cert file and to the private key you generated earlier:

    server {
    listen 443;

    ssl on;
    ssl_certificate /etc/nginx/ssl/example_com/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/example_com/example_com.key;

    # side note: only use TLS since SSLv2 and SSLv3 have had recent vulnerabilities
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # ...

}
  1. Restart nginx.
[1]I purchased mine through Namecheap.com.
[2]Based on these instructions: http://goo.gl/4zJc8
@drparham
Copy link
Author

https://gist.github.com/bradmontgomery/6487319#gistcomment-1559180

@drparham
Copy link
Author 

server {
  listen 80;
  server_name stage.westcottcourses.com;
  return 301 https://stage.westcottcourses.com$request_uri;
}

server {
   listen 443 ssl;
   server_name stage.westcottcourses.com;
   root /home/forge/stage.westcottcourses.com/current/public;

# FORGE SSL (DO NOT REMOVE!)
ssl_certificate         /etc/nginx/ssl/stage.westcottcourses.com/15548/bundle.crt;
ssl_certificate_key     /etc/nginx/ssl/stage.westcottcourses.com/15548/server.key;
ssl_trusted_certificate     /etc/nginx/ssl/stage.westcottcourses.com/15548/trusted.crt;
ssl_dhparam         /etc/nginx/ssl/certs/dhparam.pem;

ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                 "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers    on;
ssl_stapling                 on;
ssl_stapling_verify          on;

ssl_session_cache        shared:SSL:10m;
ssl_session_timeout          10m;

index index.html index.htm index.php;

charset utf-8;

location / {
    try_files $uri $uri/ /index.php?$query_string;
}

location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt  { access_log off; log_not_found off; }

access_log off;
error_log  /var/log/nginx/stage.westcottcourses.com-error.log error;

error_page 404 /index.php;

location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
}

location ~ /\.ht {
    deny all;
}
}

@drparham
Copy link
Author

https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment