Fancy Green Locks – NGINX and Certificates

Being a new blog in the realm of tech, I figure it would make sense to write some articles about what it took to set up this site. While certainly not necessary for your average blog, I found myself with a GoDaddy coupon and an opportunity to get a cert on the cheap, so I figured why not add that “fancy green lock” to this site.


The process of acquiring an SSL certificate from GoDaddy was pretty straightforward. I don’t generally use their services, but combined with the coupon code they sent me, it was by far the cheapest option at just over $40 out the door. Like other CAs, GoDaddy/McAfee does require an annual renewal.

Checkout was as simple as buying a pair of fancy socks from Amazon. Once you’ve paid your dues, there are some hoops you need to jump through to verify you are who you claim to be. Wouldn’t want you impersonating FruitLoops.com after all. But first I had to create my certificate request and upload it.

To create a certificate request you will need to log in to your server. From the shell, you will create your request and key files.

[code language=”bash”]
# Generates a new 2048-bit RSA key (getninjad.key) and a CSR (getninjad.csr).
# -nodes writes the key unencrypted so NGINX can load it without a passphrase;
# keep the key file readable by root only.
openssl req -new -newkey rsa:2048 -nodes -keyout getninjad.key -out getninjad.csr
[/code]

Use the cat command to print the contents of the CSR file to the screen.

[code language=”bash”]
cat getninjad.csr
[/code]

You will need to copy the contents of this file into the interface on GoDaddy.com to submit your request. Once you have completed this you will be prompted to perform one of a number of possible actions to verify your identity.

Again this process is pretty straightforward, and after about 10 minutes or so I was ready to download my brand spanking new certificate. So now on to the fun stuff.

First off, I extracted the zip archive on my local machine and just FTP’d the contents on over to the server.

NGINX will require the SSL cert and the intermediate certs to be concatenated into a single file, with the server certificate first.

[code language=”bash”]
# Server certificate first, then the intermediate bundle.
# Use > rather than >> so re-running the command does not append a second copy of the chain.
cat CertFile.pem IntermediateBundle.pem > CombinedCerts.pem
[/code]

Simple enough, right? And yes, those aren’t the actual names of the files I received from GoDaddy.

Now we are finally ready to configure the web server. The default port for HTTPS is 443, so this is the port we will want NGINX to listen on.

We will need to edit the NGINX config file located in the /etc/nginx directory. In my case, I have my configs broken out by site, and the individual configs are located in conf.d.

[code language=”bash”]
vim /etc/nginx/conf.d/getninjad.conf
[/code]

We’ll need to set up a new server block for port 443 (https) and redirect the existing port 80 (http) to the new secure site. This should look as follows…

[code language=”bash”]
# HTTP to HTTPS redirect
server {
    listen 80;
    server_name emmaw18.sg-host.com;
    return 301 https://$server_name$request_uri;
}

# Secure site config
server {
    listen 443 ssl;
    server_name emmaw18.sg-host.com;

    # the concatenated certificate + intermediate bundle created earlier
    ssl_certificate /path/to/ssl/getninjad.crt;
    # the private key generated alongside the certificate request
    ssl_certificate_key /path/to/ssl/getninjad.key;

    …
}
[/code]

I am not showing my complete configuration above, thus the “…” at the end, but as you can see the configuration is pretty simple as well. On port 80 we are doing a basic redirect, and on the port 443 listener, we are adding two new lines.

ssl_certificate is the path to the concatenated certificate file we created earlier.

ssl_certificate_key is the path to the key file we generated at the beginning of this article alongside our certificate request.
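Before restarting NGINX it is worth checking that the three files actually line up: that the chain file has the server certificate first with intact PEM blocks, that the key really belongs to that certificate, and that the certificate covers the server_name in the config. The script below is an added example, not from the original post; it assumes openssl is installed and reuses the placeholder file names from above.

```shell
#!/usr/bin/env bash
# Added example: sanity checks for the certificate, intermediate bundle and key
# before pointing NGINX at them. Assumes openssl is on the PATH.
set -euo pipefail

# Write the chain file NGINX expects: server certificate first, then the
# intermediate bundle. The echo calls guard against a bundle that lacks a
# trailing newline (which would fuse END/BEGIN lines); blank lines are dropped.
# Returns 0 when every BEGIN has a matching END.
build_chain() {
    local leaf="$1" intermediates="$2" out="$3"
    { cat "$leaf"; echo; cat "$intermediates"; echo; } | grep -v '^$' > "$out"
    local begins ends
    begins=$(grep -c 'BEGIN CERTIFICATE' "$out")
    ends=$(grep -c 'END CERTIFICATE' "$out")
    [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ]
}

# Return 0 when the private key and the first certificate in the chain file
# carry the same public key; a mismatch is why NGINX refuses to start with
# a "key values mismatch" error.
key_matches_cert() {
    local chain="$1" key="$2" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the first certificate in the chain file names the host,
# either as the subject CN or as a DNS entry in subjectAltName.
# (openssl x509 only reads the first PEM block, so this also confirms the
# server certificate, not an intermediate, is at the top of the file.)
chain_leaf_covers_host() {
    local chain="$1" host="$2"
    openssl x509 -in "$chain" -noout -text \
        | grep -qF -e "DNS:$host" -e "CN = $host" -e "CN=$host"
}

# Usage: bash check_tls_files.sh CertFile.pem IntermediateBundle.pem getninjad.key emmaw18.sg-host.com
if [ "$#" -eq 4 ]; then
    build_chain "$1" "$2" CombinedCerts.pem || { echo "chain file is malformed" >&2; exit 1; }
    key_matches_cert CombinedCerts.pem "$3" || { echo "key does not match certificate" >&2; exit 1; }
    chain_leaf_covers_host CombinedCerts.pem "$4" || { echo "certificate does not cover $4" >&2; exit 1; }
    echo "CombinedCerts.pem written and checks passed; next run: nginx -t"
fi
```

After the checks pass, `nginx -t` validates the config file itself before you restart the service.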

Once this has been completed all we need to do is restart the NGINX service and we are off to the races.

There are more directives/settings we can add to our config file to further secure our site, but these aren’t within the scope of this article. I do recommend having a closer look at the NGINX documentation for a complete list of these directives.

http://nginx.org/en/docs/http/configuring_https_servers.html
