Now we need to actually configure Nginx for the certificates. Open up your Nginx configuration file and copy the configuration of the domain you wish to secure, resulting in something like this (I’ve removed some extra stuff to concentrate mainly on the SSL options here).
```nginx
server {
    listen 80;
    server_name subdomain-if-used.your-domain.com;
    # ... rest of your stuff here
}

server {
    # to ensure you do not cause issues with certificates,
    # explicitly bind the domain to its intended IP.
    listen 1.1.1.1:443;
    server_name subdomain-if-used.your-domain.com;
    # the next three lines enable the SSL certificate to be served
    # (note: "ssl on;" is the legacy form; current nginx releases use
    # "listen ... ssl;" instead)
    ssl on;
    ssl_certificate certs/domain.pem;
    ssl_certificate_key certs/domain.key;
    # ... rest of your stuff here
}
```
With the exception of the listening IP/port and the SSL options, the two configurations can remain identical.
Once saved you’ll need to restart Nginx. You’ll notice when you restart it’ll ask for your PEM passphrase, the same one that was used when creating the private key.
If you are using a subdomain such as billing.your-domain.com and you want to redirect ALL traffic to the secure domain, you can use a configuration like this:
```nginx
server {
    listen 1.1.1.1:80;
    server_name billing.domain.com;
    # send every plain-HTTP request to the same path on https
    rewrite ^(.*) https://$server_name$1 permanent;
}

server {
    listen 1.1.1.1:443;
    server_name billing.domain.com;
    ssl on;
    ssl_certificate certs/domain.pem;
    ssl_certificate_key certs/domain.key;
    # ... rest of your stuff here
}
```
The above will redirect all requests at the unsecured location to the secure location.
If you would rather control the destination via links on your site, you can actually simplify your configuration by merging both the unsecured and secured configuration into a single server { } block.
```nginx
server {
    listen 1.1.1.1:80;
    listen 1.1.1.1:443 default ssl;
    server_name billing.domain.com;
    #ssl on;  this can be turned off since the "ssl" on the listen line above enables it
    ssl_certificate certs/domain.pem;
    ssl_certificate_key certs/domain.key;
    # ... rest of your stuff here
}
```
From there it’ll automatically serve up the certificate when someone comes in on port 443 (https).
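The configurations above use `ssl on;`, which nginx deprecated in 1.15.0 and no longer accepts in current releases. The following is an added example, not part of the original post, showing the same redirect-to-HTTPS layout written for a current nginx; the hostname, IP address and certificate paths are the post’s placeholders.

```nginx
# Added example: the two-server redirect layout for current nginx.
# Replace billing.domain.com, 1.1.1.1 and the certs/ paths with your own.
server {
    listen 1.1.1.1:80;
    server_name billing.domain.com;
    # "return 301" is the lightweight replacement for the regex rewrite;
    # $request_uri carries the original path and query string across.
    return 301 https://$host$request_uri;
}

server {
    # "ssl" on the listen line replaces the removed "ssl on;" directive.
    listen 1.1.1.1:443 ssl;
    server_name billing.domain.com;
    ssl_certificate     certs/domain.pem;
    ssl_certificate_key certs/domain.key;
    # ... rest of your stuff here
}
```

Run `nginx -t` after editing; on an older nginx that still accepts `ssl on;` this form works as well, so it is safe to adopt either way.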
To remove the passphrase from your server key, so that you don’t have to re-enter it every time you restart Nginx, run:
```shell
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
$ chmod 400 server.key
```
The last line makes it so that only root can read the new unencrypted server key (it is very important that nobody else gets hold of this file, or they can impersonate your site). If you are not running Nginx as root, adjust the owner and permissions accordingly.
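Because an unencrypted key that another local user can read is exactly the exposure the previous paragraph warns about, it is worth verifying the result rather than trusting that the three commands ran as intended. The script below is an added example, not from the original post: it checks whether a PEM file still carries a passphrase (by its `Proc-Type: 4,ENCRYPTED` or `BEGIN ENCRYPTED PRIVATE KEY` header) and whether its mode bits leave it readable only by the owner. It assumes a POSIX `sh` with `ls`, `cut`, `grep` and `mktemp`; the sample files it creates are constructed stand-ins that contain only PEM header lines, not real keys.

```shell
#!/bin/sh
# Added example (not from the original post): post-checks for a server key
# after removing its passphrase. Sample PEM files below are constructed.

# Returns 0 if the PEM file still carries a passphrase: a traditional
# encrypted key has a "Proc-Type: 4,ENCRYPTED" header, a PKCS#8 one uses
# the "ENCRYPTED PRIVATE KEY" BEGIN line. Returns 1 if unencrypted.
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Returns 0 if the file is readable by its owner only (mode 400 or 600),
# i.e. every group and other permission bit is cleared.
key_perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        -r--------|-rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Combined verdict. Exit status: 0 = unencrypted and locked down,
# 1 = unencrypted but readable by others, 2 = still passphrase-protected.
check_key() {
    f=$1
    if key_is_encrypted "$f"; then
        echo "$f: still passphrase-protected; nginx will prompt on restart"
        return 2
    fi
    if ! key_perms_ok "$f"; then
        echo "$f: unencrypted key is readable by others ($(ls -ld "$f" | cut -c1-10))"
        return 1
    fi
    echo "$f: ok (unencrypted, owner-read only)"
    return 0
}

# --- constructed sample files for a stand-alone run ---
tmp=$(mktemp -d)
# stand-in for the original passphrase-protected key
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' '...' \
    '-----END RSA PRIVATE KEY-----' > "$tmp/server.key.org"
# stand-in for the decrypted key, deliberately left world-readable
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '...' \
    '-----END RSA PRIVATE KEY-----' > "$tmp/server.key"
chmod 644 "$tmp/server.key"
# the same key after "chmod 400"
cp "$tmp/server.key" "$tmp/server.locked.key"
chmod 400 "$tmp/server.locked.key"

check_key "$tmp/server.key.org" || true   # reports: still passphrase-protected
check_key "$tmp/server.key" || true       # reports: readable by others
check_key "$tmp/server.locked.key"        # reports: ok
rm -rf "$tmp"
```

Point `check_key` at the real key path (for example `check_key /etc/nginx/certs/domain.key`) after the `openssl rsa` step; a non-zero status tells you which of the two problems remains.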
Thanks for the great write up – this really helped. Brilliant work.
I’m not sure why – but nginx didn’t actually ask me for the passphrase. Do you know whether removing the passphrase is a security issue worth worrying about?
If other users besides yourself have access to the file, it can be a huge security risk. If Nginx doesn’t ask and you set a passphrase on the key, double check to see if you’re actually getting a padlock on your site and that it is correct information.
Actually, thinking about this – the prompt might be being suppressed due to the upstart script that I’m using to start nginx. I’ll investigate and post any result here, in case it helps anyone else.
I followed your tutorial but when I restart nginx, it still asks me for the PEM password… am I supposed to change server.key to domain.key for this part:
```shell
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
$ chmod 400 server.key
```
Basically if your key is called MyKey.key, then you’d change out the file name [server] to whatever it is that you’re using. The purpose of the second command in your paste there is to output a decrypted key which doesn’t require a passcode (thus also why you lock down the file permission as well).
Hello. Just found this tutorial via Google. Excellent, I have to say! It helped me install my namecheap’s free SSL cert on my nginx box instantly. Thank you.