Fancy Green Locks – NGINX and Certificates

Being a new blog in the realm of tech, I figure it would make sense to write some articles about what it took to set up this site. While certainly not necessary for your average blog, I found myself with a GoDaddy coupon and an opportunity to get a cert on the cheap, so I figured why not add that “fancy green lock” to this site.


The process of acquiring an SSL certificate from GoDaddy was pretty straightforward. I don’t generally use their services, but combined with the coupon code they sent me, it was by far the cheapest option at just over $40 out the door. Like other CAs, GoDaddy/McAfee requires an annual renewal.

Checkout was as simple as buying a pair of fancy socks from Amazon. Once you’ve paid your dues, there are some hoops you need to jump through to verify you are who you claim to be. Wouldn’t want you impersonating FruitLoops.com after all. But first I had to create my certificate request and upload it.

To create a certificate request you will need to log in to your server. From the shell, you will create your request and key files.

openssl req -new -newkey rsa:2048 -nodes -keyout getninjad.key -out getninjad.csr

Use the cat command to print the contents of the CSR file to the screen.

cat getninjad.csr

You will need to copy the contents of this file into the interface on GoDaddy.com to submit your request. Once you have completed this you will be prompted to perform one of a number of possible actions to verify your identity.

Again this process is pretty straightforward, and after about 10 minutes or so I was ready to download my brand spanking new certificate. So now on to the fun stuff.

First off, I extracted the zip archive on my local machine and just FTP’d the contents on over to the server.

NGINX requires the SSL cert and the intermediate certs to be concatenated into a single file, with the server certificate first and the intermediate bundle after it.

cat CertFile.pem IntermediateBundle.pem > CombinedCerts.pem

Simple enough, right? And yes, those aren’t the actual names of the files I received from GoDaddy.

Now we are finally ready to configure the web server. The default port for HTTPS is 443, so this is the port we will want NGINX to listen on.

We will need to edit the NGINX config file located in the /etc/nginx directory. In my case, I have my configs broken out by site, and the individual configs are located in conf.d.

vim /etc/nginx/conf.d/getninjad.conf

We’ll need to set up a new server block for port 443 (https) and redirect the existing port 80 (http) to the new secure site. This should look as follows…

# HTTP to HTTPS redirect
server {
    listen 80;
    server_name getninjad.com;
    return 301 https://$server_name$request_uri;
}

# Secure site config
server {
    listen 443 ssl;
    server_name getninjad.com;

    # the concatenated server cert + intermediate bundle created above
    ssl_certificate /path/to/ssl/getninjad.crt;
    # the private key generated alongside the CSR
    ssl_certificate_key /path/to/ssl/getninjad.key;

...

I am not showing my complete configuration above, thus the “…” at the end, but as you can see the configuration is pretty simple as well. On port 80 we are doing a basic redirect, and on the port 443 listener, we are adding two new lines.

ssl_certificate is the path to the concatenated certificate file we created earlier.

ssl_certificate_key is the path to the key file we generated at the beginning of this article alongside our certificate request.

Once this has been completed all we need to do is restart the NGINX service and we are off to the races.
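Before that restart, a few pre-flight checks catch the mistakes this procedure invites: a key that does not pair with the certificate, a bundle with the intermediate ahead of the server cert, or a chain that does not validate. The script below is an added example, not from the original post; the file names it takes are placeholders for your own key, server cert and intermediate file.

```shell
#!/bin/sh
# Added example: pre-flight checks for an NGINX certificate bundle.
# Usage: sh check_bundle.sh server.key server.crt intermediate.crt combined.pem
set -eu

# Print the Nth certificate (1-based) from a PEM bundle.
nth_cert() {
  awk -v want="$2" '/-----BEGIN CERTIFICATE-----/{n++} n==want' "$1"
}

# Strip the "subject=" / "issuer=" prefix openssl prints, leaving the name.
name_of() {
  openssl x509 -noout "-$1" | sed 's/^[a-z]*= *//'
}

# 1. Does the private key pair with the certificate? Compare public keys.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout | openssl sha256)
  crt_pub=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
  [ "$key_pub" = "$crt_pub" ]
}

# 2. Build the combined file in the order NGINX expects: server cert first,
#    then the intermediate(s). Overwrite (>) so a rerun cannot double up certs.
build_bundle() {
  cat "$1" "$2" > "$3"
}

# 3. Is the bundle ordered correctly? The first cert's issuer must equal the
#    second cert's subject, i.e. the intermediate really follows the leaf.
bundle_order_ok() {
  issuer=$(nth_cert "$1" 1 | name_of issuer)
  subject=$(nth_cert "$1" 2 | name_of subject)
  [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# 4. Does the server cert validate against the intermediate/CA file?
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

if [ "$#" -eq 4 ]; then
  key_matches_cert "$1" "$2" || { echo "key does NOT match cert" >&2; exit 1; }
  build_bundle "$2" "$3" "$4"
  bundle_order_ok "$4" || { echo "bundle order wrong (leaf must be first)" >&2; exit 1; }
  chain_verifies "$2" "$3" || { echo "chain does not verify" >&2; exit 1; }
  echo "all checks passed: $4 is ready for ssl_certificate"
fi
```

Once the checks pass, `nginx -t` confirms the config parses before you restart the service.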

There are more directives/settings we can add to our config file to further secure our site, but these aren’t within the scope of this article. I do recommend having a closer look at the NGINX documentation for a complete list of these directives.

http://nginx.org/en/docs/http/configuring_https_servers.html
