
How to Configure SSL Certificate on Nginx

09 December 2021, Thursday By Priyanka Boruah

The reputation of a web resource depends to a large extent on how well it protects the data of its users in transit. For websites this means enabling the HTTPS protocol, which requires installing an SSL certificate on the server.

Today we will take a look at setting up SSL using the example of the most popular web server Nginx. Most hosting providers support this.

On this page

Setting up SSL in Nginx with Let's Encrypt

Renewing the certificate

Setting up SSL in Nginx

Setting up SSL in Nginx with Let's Encrypt

We will be installing a free certificate from Let's Encrypt, a non-profit CA. A working web server is a prerequisite for installing SSL: before starting the procedure, you need to register a domain and point it at the hosting account in question, because the certificate is issued for a specific site name.


Step 1: Configuring a Virtual Host

If a virtual host has not yet been configured on the web server, this must be done manually, otherwise you will not be able to install SSL on Nginx. For the site test.com, the configuration will look like the example below. Open the configuration file:

$ sudo vi /etc/nginx/conf.d/test.conf

The simplest content looks like this:

server {
    listen 80;
    server_name test.com www.test.com;
    access_log /var/log/nginx/test.access.log main;
    root /var/www/test.com/public_html/;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}

After creating the file, it is recommended to check the web server configuration with the command:

$ nginx -t

If no errors are thrown, the next step is to restart Nginx:

$ sudo systemctl restart nginx

Now make sure that the /var/www/test.com/public_html/ directory really exists. If it does not, create it manually before the next steps. Place a file in it to check that the site is reachable, for example index.html with the content "Hi user". The following commands do this:

$ sudo mkdir -p /var/www/test.com/public_html/

$ sudo vi /var/www/test.com/public_html/index.html

Check the result in a browser or with the curl utility:

$ curl test.com

Step 2: Installing Certbot

It is recommended to obtain SSL certificates through the Certbot client, which automates part of the HTTPS setup. Install it only from the official repository, so as not to risk pulling malicious software onto the server. Install command (the Nginx plugin package is python3-certbot-nginx on Debian and Ubuntu):

$ sudo apt install certbot python3-certbot-nginx

The first package contains the utility itself, and the second is the plugin that lets it work with the Nginx web server. After installation the program is ready for use, so you can continue with the configuration.

Step 3: Getting a certificate

The Certbot application is capable of installing the certificate automatically. In these instructions, however, it is used only to obtain the certificate and key, and the installation in Nginx is done manually. To request and sign the certificate for both names from the virtual host, enter the command:

$ sudo certbot certonly --nginx -d test.com -d www.test.com

On the first run you are asked for the administrator's email address. Notices about the certificate's upcoming expiry will be sent there (along with project news). After entering the address, you must accept the license agreement and answer whether your contact details may be shared with partner organizations. Once these details are provided, the SSL certificate is created.

Note that the generated certificate files are saved in the /etc/letsencrypt/live/test.com/ directory. It contains the following files:

  • cert.pem - the certificate itself;
  • chain.pem - the chain of intermediate certificates;
  • privkey.pem - the private key, referenced by the ssl_certificate_key directive;
  • fullchain.pem - the combined content of the first two files.

The last of these is referenced by the ssl_certificate directive. It remains to install the certificate into the web server configuration and check that the new protocol works.

Step 4: Configuring a Virtual Host for SSL

For this purpose, a second virtual host configuration file is created. It makes Nginx listen on port 443 and contains the directives that configure SSL. Command to create it:

$ sudo vi /etc/nginx/conf.d/test-ssl.conf

Sample file content:

server {
    # The ssl parameter on listen enables TLS for this host; the old
    # "ssl on;" directive is deprecated and has been removed from recent
    # Nginx versions, so it is not used here.
    listen 443 ssl;
    server_name test.com www.test.com;
    access_log /var/log/nginx/test.com.access.log main;
    root /var/www/test.com/public_html/;
    index index.html index.htm;

    ssl_certificate /etc/letsencrypt/live/test.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test.com/privkey.pem;

    location / {
        try_files $uri $uri/ =404;
    }
}

After saving the newly created file, restart the web server with the command:

$ sudo systemctl restart nginx

That's it, the certificate is installed. You can continue with building and publishing the site; its traffic will now be encrypted according to current standards.

You can check the installation with the SSL Labs test. Open the following link in a browser, replacing the domain name with your own: https://www.ssllabs.com/ssltest/analyze.html?d=test.com&latest.

Step 5: Additional security

By default, Nginx leaves several TLS protocol versions enabled, including outdated ones. To raise the security level, it is recommended to disable the old versions explicitly and allow only the current ones. The ssl_protocols directive, placed inside the server block, is used for this:

$ sudo vi /etc/nginx/conf.d/test-ssl.conf

ssl_protocols TLSv1.2 TLSv1.3;

This example enables support for TLS versions 1.2 and 1.3 only. Where security requirements are high, it is also recommended to review the enabled cipher suites and list manually the ciphers you want to use.

Finally, tell the server to apply its own cipher preference order rather than the one offered by the client:

ssl_prefer_server_ciphers on;

Before further use, it is worth restarting the web server and once again making sure that all the changes made are accepted and the SSL certificate is detected without errors.
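As an added example (not a file from the article), the two virtual hosts from Steps 1, 4 and 5 combined into one hardened configuration: the port 80 host now only redirects to HTTPS instead of serving content, and the ssl_protocols and ssl_prefer_server_ciphers settings from Step 5 are applied. The file paths are the article's test.com layout; the ssl_ciphers list is an assumption (a common set of forward-secret AEAD suites), not something the article specifies.

```nginx
# Added example: test.com virtual hosts with the Step 5 TLS settings applied.
# Paths follow the article; the cipher list below is an assumed modern set.

# Plain HTTP: redirect every request to HTTPS instead of serving content.
server {
    listen 80;
    server_name test.com www.test.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name test.com www.test.com;
    access_log /var/log/nginx/test.com.access.log main;
    root /var/www/test.com/public_html/;
    index index.html index.htm;

    # Certificate chain and private key obtained with certbot in Step 3.
    ssl_certificate     /etc/letsencrypt/live/test.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test.com/privkey.pem;

    # Only TLS 1.2 and 1.3; SSLv3, TLS 1.0 and TLS 1.1 are refused.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 cipher suites: AEAD suites with forward secrecy only
    # (assumed list). TLS 1.3 suites are fixed by OpenSSL and are not
    # affected by this directive.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # Apply the server's order above rather than the client's preference.
    ssl_prefer_server_ciphers on;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Save this in place of test.conf and test-ssl.conf, run nginx -t as in Step 1, and restart Nginx only if the syntax check passes; a typo in the cipher list or a wrong certificate path is reported there rather than at the first client connection.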

Renewing the certificate

If you plan to use a Let's Encrypt SSL certificate for more than 90 days, you will have to renew it regularly. It is recommended to do this in advance, at least 30 days before the expiry date. Otherwise there is a risk that the site temporarily stops opening over HTTPS, with browsers warning about a certificate error.

The renewal is performed with the command:

$ sudo certbot renew

It checks all certificates previously issued and installed on the system and reissues those that are approaching expiry. To set up automatic renewal, add an entry to the root crontab:

$ sudo crontab -e

30 2 * * 1 /usr/bin/certbot renew >> /var/log/renew-ssl.log

In this form, it will check the relevance of all SSL every Monday at 2:30 and write the result to a file with the specified name.
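The renew command only acts on certificates that are close to expiry, so it is useful to see independently which ones are inside the 30-day window the article recommends. The script below is an added example, not part of the article: it walks a directory laid out like /etc/letsencrypt/live/<site>/cert.pem and reports every site whose certificate expires within a given number of days, using openssl x509 -checkend. The demo data (self-signed certificates generated on the fly) and the file name check-expiry.sh are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the article): report certificates under a
# letsencrypt-style live/ directory that expire within N days.
set -eu

# Return 0 (true) if the certificate in $1 expires within $2 days, 1 otherwise.
# "openssl x509 -checkend SECONDS" exits 0 if the certificate is still valid
# SECONDS from now and 1 if it will have expired, so no date parsing is needed.
cert_expires_within() {
    cert="$1"; days="$2"
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null; then
        return 1    # still valid after the window
    fi
    return 0        # expires inside the window
}

# Print the name of every site under $1 (layout: $1/<site>/cert.pem)
# whose certificate expires within $2 days, one name per line.
list_expiring_sites() {
    live_dir="$1"; days="$2"
    for cert in "$live_dir"/*/cert.pem; do
        [ -f "$cert" ] || continue      # no match: the glob stays literal
        site=$(basename "$(dirname "$cert")")
        if cert_expires_within "$cert" "$days"; then
            echo "$site"
        fi
    done
}

# Constructed test data: a self-signed certificate for $2 valid for $3 days,
# standing in for certbot output. Never use such a certificate on a real site.
make_test_cert() {
    dir="$1"; site="$2"; days="$3"
    mkdir -p "$dir/$site"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=$site" -keyout "$dir/$site/privkey.pem" \
        -out "$dir/$site/cert.pem" >/dev/null 2>&1
}

# Run "sh check-expiry.sh demo" to see the check on constructed data;
# for a real server call: list_expiring_sites /etc/letsencrypt/live 30
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_test_cert "$tmp" soon.example 10
    make_test_cert "$tmp" fine.example 60
    echo "Sites to renew within 30 days:"
    list_expiring_sites "$tmp" 30       # prints soon.example only
    rm -rf "$tmp"
fi
```

Pointing list_expiring_sites at /etc/letsencrypt/live (readable by root only, so run it with sudo) is a cheap check to schedule alongside the cron job above: if a site appears in the output on the Monday after a renewal run, the renewal did not happen and certbot's log needs a look.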
