
Setting up a SSL Cert from Comodo

I use `Namecheap.com <https://namecheap.com>`_ as a registrar, and they resell SSL certs from a number of other companies, including `Comodo <http://www.comodo.com/>`_.

These are the steps I went through to set up an SSL cert.

Purchase the cert

Prior to purchasing a cert, you need to generate a private key and a CSR (Certificate Signing Request). You'll be asked to paste the contents of the CSR when ordering the certificate; the private key never leaves your server.

::

    cd /srv/ssl/  # or another directory, but not one nginx serves files from
    # -nodes: no passphrase on the key (nginx cannot prompt for one at startup), so keep
    #         the file readable only by root (chmod 600).
    # -sha256: sign the CSR with SHA-256; old openssl versions default to SHA-1, which CAs reject.
    # Note that -days only applies to self-signed certs (-x509): a CSR has no lifetime,
    # the CA decides how long the issued certificate is valid.
    sudo openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout example_com.key -out example_com.csr

This gives you two files:

* ``example_com.key`` -- your private key. You'll need this later to configure nginx.
* ``example_com.csr`` -- your CSR file.

Now, purchase the certificate [1]_, wait forever for them to review your purchase. You'll eventually get an email with your PositiveSSL Certificate. It has a zip file attached containing:

* Root CA Certificate - `AddTrustExternalCARoot.crt`
* Intermediate CA Certificate - `PositiveSSLCA2.crt`
* Your PositiveSSL Certificate - `example_com.crt`

Install the Comodo SSL cert

Combine everything for nginx [2]_:

  1. Combine the crt files into a bundle: your own certificate first, then the intermediate(s), then the root (the order matters here). Write the bundle with ``>`` rather than ``>>``; otherwise rerunning the command appends a second copy of the chain::

    cat example_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

    or, if your zip contains the newer COMODO RSA chain instead:

    cat example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

     Comodo's files often lack a trailing newline. Open the bundle and check that every ``-----BEGIN CERTIFICATE-----`` starts on a line of its own; if an ``-----END CERTIFICATE-----`` runs straight into the next ``-----BEGIN CERTIFICATE-----``, nginx refuses to load the file with a ``PEM routines ... bad end line`` error.

  2. Store the bundle and the private key wherever nginx expects to find them::

    mkdir -p /etc/nginx/ssl/example_com/
    mv ssl-bundle.crt /etc/nginx/ssl/example_com/
    mv example_com.key /etc/nginx/ssl/example_com/
    chmod 600 /etc/nginx/ssl/example_com/example_com.key  # nginx reads the key as root before dropping privileges

  3. Make sure your nginx config points to the bundle (not the bare ``example_com.crt``) and to the private key you generated earlier. ``ssl on;`` is deprecated since nginx 1.15.0; put the ``ssl`` parameter on the ``listen`` directive instead::

    server {
        listen 443 ssl;

        ssl_certificate     /etc/nginx/ssl/example_com/ssl-bundle.crt;
        ssl_certificate_key /etc/nginx/ssl/example_com/example_com.key;

        # ...
    }

  4. Check the configuration with ``nginx -t``, then restart nginx.

My Settings

Test the site with https://www.ssllabs.com/ssltest/index.html. To check the chain yourself, run ``openssl x509 -noout -text -in mydomain.crt``: the Issuer field names the certificate that must come next in the bundle, so run the same command on that file and follow the links until you reach the self-signed root. Typically the order is Mydomain -> Domain (intermediate) -> AddTrust -> external CA root. Also add the nginx config that the SSL Labs website recommends.
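The bundle step from the install section and the issuer-to-subject walk just described, as one script. This is an added example and not code from the gist: it generates a constructed root -> intermediate -> leaf chain in a temporary directory (the file names only mimic the Comodo zip, the certificates are throwaway), so it runs offline; it assumes a POSIX sh and the ``openssl`` CLI (1.1 or newer). ``make_bundle`` replaces the plain ``cat`` with one that never glues an END line to the next BEGIN line, ``check_chain`` automates the Issuer/Subject walk and finishes with ``openssl verify``, and ``key_matches`` confirms the private key belongs to the certificate before nginx is restarted.

```shell
#!/bin/sh
# Added example, not part of the gist. Constructed chain; file names only
# mimic the Comodo zip. Requires the openssl CLI (1.1 or newer).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_chain: constructed stand-ins for AddTrustExternalCARoot.crt (root),
# PositiveSSLCA2.crt (intermediate) and example_com.crt (your certificate).
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com\n' > leaf.ext
    # Root CA: self-signed, CA:TRUE.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Constructed Root CA" \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in root.csr -signkey root.key -extfile ca.ext \
        -out AddTrustExternalCARoot.crt 2>/dev/null
    # Intermediate CA: also CA:TRUE, or `openssl verify` rejects it as an issuer.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Constructed Intermediate CA" \
        -keyout intermediate.key -out intermediate.csr 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in intermediate.csr -CA AddTrustExternalCARoot.crt \
        -CAkey root.key -CAcreateserial -extfile ca.ext -out PositiveSSLCA2.crt 2>/dev/null
    # Leaf: the gist's `openssl req` line, minus -days (a CSR carries no lifetime).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=example.com" \
        -keyout example_com.key -out example_com.csr 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in example_com.csr -CA PositiveSSLCA2.crt \
        -CAkey intermediate.key -CAcreateserial -extfile leaf.ext -out example_com.crt 2>/dev/null
    # Comodo's .crt files often lack a trailing newline; reproduce that on the leaf.
    printf '%s' "$(cat example_com.crt)" > example_com.crt
}

# make_bundle OUT CERT...: leaf first, then intermediates, then root. Unlike
# `cat a b c >> bundle` this truncates instead of appending (rerunning does not
# duplicate the chain) and always puts a newline between files, so an END line
# never runs into the next BEGIN line.
make_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        # $(tail -c 1) is empty when the last byte is a newline
        if [ -n "$(tail -c 1 "$f")" ]; then printf '\n' >> "$out"; fi
    done
}

# count_certs FILE: certificates whose BEGIN line starts a line of its own.
count_certs() { grep -c '^-----BEGIN CERTIFICATE-----$' "$1"; }

# split_bundle FILE PREFIX: write the N-th certificate to PREFIX.N.
split_bundle() {
    awk -v p="$2" '/^-----BEGIN CERTIFICATE-----$/ { n++ } { print > (p "." n) }' "$1"
}

# check_chain BUNDLE: the walk from "My Settings": each certificate's issuer
# must equal the subject of the next one, then the leaf must verify against
# the last certificate (the root) with the rest supplied as untrusted issuers.
check_chain() {
    split_bundle "$1" part
    n=$(count_certs "$1")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -noout -issuer -in "part.$i")
        subject=$(openssl x509 -noout -subject -in "part.$((i + 1))")
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "chain broken between cert $i and $((i + 1)): $issuer vs $subject" >&2
            return 1
        fi
        i=$((i + 1))
    done
    openssl verify -CAfile "part.$n" -untrusted "$1" part.1 >/dev/null
}

# key_matches CERT KEY: nginx refuses to start unless the private key matches
# the public key inside the certificate; compare the DER-encoded public keys.
key_matches() {
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

make_chain
# The gist's plain `cat`: the leaf's missing newline glues its END line to the
# intermediate's BEGIN line, so only 2 of the 3 certificates start cleanly.
cat example_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > naive-bundle.crt
echo "naive cat: $(count_certs naive-bundle.crt) of 3 certificates start on their own line"
make_bundle ssl-bundle.crt example_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt
check_chain ssl-bundle.crt && echo "ssl-bundle.crt: order and signatures OK"
key_matches example_com.crt example_com.key && echo "example_com.key matches example_com.crt"
# Negative check: the same files in the wrong order (root first) must be rejected.
make_bundle wrong-order.crt AddTrustExternalCARoot.crt PositiveSSLCA2.crt example_com.crt
check_chain wrong-order.crt 2>/dev/null || echo "wrong-order.crt rejected, as expected"
```

Run it on the real Comodo files by replacing ``make_chain`` with the directory holding your zip contents; ``check_chain`` prints which two certificates do not link up, which is the usual cause of an "incomplete chain" warning from SSL Labs.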

Add something similar to the following::

    # /etc/nginx/ssl_strong.conf
    ssl_ciphers "AES128+EECDH:AES128+EDH";
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless you must support legacy clients.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    ssl_stapling on;        # requires nginx >= 1.3.7
    ssl_stapling_verify on; # requires nginx >= 1.3.7
    # ssl_stapling_verify needs the issuer chain to check the OCSP response against:
    # point ssl_trusted_certificate at a file holding the intermediate and root certs,
    # otherwise nginx logs a verification error and serves no stapled response.
    # nginx resolves the OCSP responder's hostname itself, hence the resolver.
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 5s;

Then enabling SSL for a site is only::

    server {
        listen       443 ssl;
        server_name  www.bertab.us;

        include /etc/nginx/ssl_strong.conf;
        # the bundle built above (your cert + intermediates + root), not the bare leaf
        ssl_certificate      /srv/ssl/www.bertab.us.crt;
        ssl_certificate_key  /srv/ssl/www.bertab.us.key;

        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
    }

    # Redirect plain HTTP to HTTPS.
    server {
        listen      80;
        server_name www.bertab.us;
        return 301 https://$host$request_uri;
    }

.. [1] I purchased mine through the Namecheap.com website.
.. [2] Based on these instructions: http://goo.gl/4zJc8
