Install https certificate on nginx

Recently i got my vps corrupted and restored it from a snap shot. Unfortunately, the snap shot doesn't contain my previous https certificate and ssl certificate key. So i have to reissue all the stuff. Below is the steps about installing https certificate bought from namecheap on nginx machine.

  • To activate an SSL certificate you need to submit a CSR (Certificate Signing Request) to namecheap. use the following command to generate it:
    openssl req -new -newkey rsa:2048 -nodes -keyout *your-domain*.key -out *your-domain*.csr

    change your-domain to your own domain name.
    During generation, you will be asked for some infomation, fill them as you like. But in the Common Name field you need to enter the domain name the certificate should be issued for.

    See more details here: Generating CSR on Apache + OpenSSL/ModSSL/Nginx + Heroku

  • Use the csr code generated in above step to issue a new ssl certificate.
    This page describes the process about it.
    Normally, you would choose http-based method to complete the DCV(Domain Control Validation).
    When completing reissue process, you can download a file from namecheap dashboard. Download the file and upload it to your vps. Typically, you need to put the file to *your wordpress home directory*/.well-known/pki-validation directory. Two things you must notice:

    • The owner of the .well-known directory must conform to wordpress home owner, usually www-data, don't create these directories with root permission.
    • Check your nginx configuration file(usually in /etc/nginx/nginx.conf or /etc/nginx/sites-available/your-domain.conf), look up something like this:

      location ~ /\. {
               deny all;
               access_log off;
               log_not_found off;
      }
      

      this instruction will block any request like http://your-domain/.well-known/..., so in order to access the file you need to comment out the instruction temporally.

  • If DCV completed, you will get an email containing a .crt file and a .ca-bundle file. Upload the two files to your server. then combine the two files into a single file:

    cat *yourdomainname*.crt *yourdomainname*.ca-bundle >> cert_chain.crt
    

    then put the cert_chain.crt file and *your-domain*.key file to /etc/ssl directory or other directories as you like.

  • Update your nginx configuration file:

    server {
          listen         80;
          server_name    ax1951.com;
          return         301 https://$server_name$request_uri;
    }
    server {
           listen 443 ssl;
           index index.php index.html index.htm;
           root /wordpress;
           server_name ax1951.com;
           ssl on;
           ssl_certificate_key /etc/ssl/www_ax1951_com.key;
           ssl_certificate /etc/ssl/cert_chain.crt;
           ...
    }
    

    These configurations will enable https connection on your server and redirect http connection to https connection. Also don't forget to restart your nginx service.

  • If there are http contents in your websites, you may get a warning from chrome browser complaining that the connection has mixed content and is not secure. One way to solve this problem is to install a plugin called SSL Insecure Content Fixer in wordpress, and setFix level to content.

  • Also, if you like, you can install a comodo ssl secure icon to your websites. Like this:
    comodo_secure_seal_100x85_transp
    Upload the icon to your server and put these javascripts to your wordpress footer.php:

    <script type="text/javascript"> //<![CDATA[ 
    var tlJsHost = ((window.location.protocol == "https:") ? "https://secure.comodo.com/" : "http://www.trustlogo.com/");
    document.write(unescape("%3Cscript src='" + tlJsHost + "trustlogo/javascript/trustlogo.js' type='text/javascript'%3E%3C/script%3E"));
    //]]>
    </script>
    <script language="JavaScript" type="text/javascript">
    TrustLogo("https://ax1951.com/comodo_secure_seal_100x85_transp.png", "CL1", "none");
    </script>
    <a href="https://ssl.comodo.com" id="comodoTL">SSL Certificates</a>
    

References:
https://www.namecheap.com/support/knowledgebase/article.aspx/9637/68/how-can-i-complete-the-domain-control-validation-dcv-for-my-ssl-certificate
https://www.namecheap.com/support/knowledgebase/article.aspx/9446/0/apache-opensslmodsslnginx
https://www.namecheap.com/support/knowledgebase/article.aspx/9419/0/nginx
https://www.namecheap.com/support/knowledgebase/article.aspx/811/70/how-do-i-reissue-my-ssl-certificate
https://ssl.comodo.com/site-seal.php

发表评论

电子邮件地址不会被公开。 必填项已用*标注