Configuring Nginx with SSL for 3rd party SSL Certificate

Why Nginx with SSL?

Recently I migrated my website from HTTP to HTTPS. This website is powered by the Nginx web server, so I had to configure Nginx to use SSL. The change was made because Google has included HTTPS as one of its ranking factors. I have written a separate tutorial on that topic; it is a complete tutorial for migrating your HTTP website to HTTPS, and this post forms one step in it.

Apart from the Google ranking factor, you might want it if you are running an eCommerce website. SSL adds extra trust in the minds of your website visitors: the information exchange is secure, so visitors tend to share information more readily with a website that implements SSL than with one that does not.

Nginx with SSL steps

Getting a SSL certificate

You can opt for a self-signed certificate or for a certificate issued by a CA (certificate authority). If you use a self-signed certificate, visitors will see a message that this website is not trusted, and most of them will not proceed further. So it is always better to have a certificate signed by a certificate authority. The cheapest SSL plan I encountered is this link.

I have used this plan on this website. It works pretty well and is very cheap: you just have to pay $9 for one year. Most hosting companies also provide SSL certificates, so you can buy one as per your requirement. In this tutorial we will refer to the NameCheap plan mentioned above. You need to create an account with them and buy the plan, then follow the steps mentioned below.

Creating your CSR

The SSL provider needs a CSR (certificate signing request) generated on your server. The CSR carries your public key and domain details; the matching private key stays on the server and is never sent to anyone. To create the private key and the CSR, enter the commands below. You will be asked for the certificate subject; the Common Name must be your domain name.

sudo mkdir -p /etc/nginx/ssl
sudo openssl req -new -newkey rsa:2048 -nodes -keyout /etc/nginx/ssl/final.key -out /etc/nginx/ssl/your_domain.csr

We are creating a new directory ssl within the Nginx configuration directory /etc/nginx. This is the Nginx configuration directory on Debian and Ubuntu servers; pick the appropriate directory for your operating system. You will see two new files in the ssl directory: final.key, the private key, which should be readable by root only and must never leave the server, and your_domain.csr, the signing request. Open your_domain.csr in any text editor.

Getting SSL files from provider

You need to paste the contents of the CSR file (the .csr you created in the previous step, never the private key) into the CSR field of your SSL provider. NameCheap asks for this information. After pasting it you can proceed to the next steps. Other SSL certificate providers have a similar process; you can also ask them how to use the CSR to generate the files for your domain.

After completing the steps you will get the files by mail. Download all the files sent in the mail and upload them to the /etc/nginx/ssl directory. If you created your keys and other files in a separate directory you can use that instead; I like to keep all the files in the same directory, which is easier for maintenance and searching.

Creating SSL from Provider files

After uploading all the files you have to create one file from them. This is a simple task, but the order of the files in the command is important: the certificate for your domain comes first, then the intermediate certificates in reverse order (the one that signed your certificate first, working up towards the root), then the root certificate. I received 4 files from NameCheap, which recommends the command format below. If you are using a different SSL provider, check their documentation or ask their support about the ordering.

cat your_domain_certificate intermediate_certificates_in_reverse_order root_certificate > your-domain-name.pem

So the command will be

cat your_domain.crt COMODO*SecureServer.crt COMODO*TrustCA.crt Add*.crt > your-domain-name.pem

With other providers, check with them the order in which the files need to be concatenated; the command itself stays the same. Note that cat is available in all Linux distributions.
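Before pointing Nginx at the bundle, it is worth checking that the first certificate in it really matches final.key and that the rest of the file chains up to the provider's root certificate. The shell function below is an added example, not part of the original post or of NameCheap's instructions; it assumes the openssl command line tool is installed and that you pass your provider's root certificate as the third argument.

```shell
#!/bin/sh
# Added example: sanity-check a concatenated PEM bundle before Nginx uses it.
# Assumes the openssl command line tool is installed.
# verify_bundle BUNDLE.pem PRIVATE.key ROOT.pem
#   returns 0 - first cert in BUNDLE matches PRIVATE.key and the leaf
#               chains to ROOT.pem through the remaining certs in BUNDLE
#   returns 1 - wrong key, wrong order, or missing/incorrect intermediates
verify_bundle() {
  bundle=$1; key=$2; root=$3
  tmp=$(mktemp -d) || return 1
  # Split the bundle into c1.pem, c2.pem, ... (one certificate each);
  # c1.pem must be your own domain certificate (the leaf).
  awk -v d="$tmp" '/BEGIN CERT/ {n++} {print > (d "/c" n ".pem")}' "$bundle"
  leaf="$tmp/c1.pem"
  rc=1
  # 1. The leaf's public key must equal the public key derived from the private key.
  if [ -s "$leaf" ] && [ "$(openssl x509 -in "$leaf" -pubkey -noout 2>/dev/null)" = \
       "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
    # 2. Everything after the leaf is treated as untrusted intermediates;
    #    openssl verify must be able to build a path from the leaf to the root.
    cat "$tmp"/c[2-9]*.pem > "$tmp/inter.pem" 2>/dev/null || :
    if [ -s "$tmp/inter.pem" ]; then
      openssl verify -CAfile "$root" -untrusted "$tmp/inter.pem" "$leaf" >/dev/null 2>&1 && rc=0
    else
      openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 && rc=0
    fi
  fi
  rm -rf "$tmp"
  return $rc
}

# Usage on the server (file names from the tutorial; provider_root.crt is assumed):
#   verify_bundle /etc/nginx/ssl/your-domain-name.pem /etc/nginx/ssl/final.key provider_root.crt
```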

Configuring Nginx for SSL

Now it is time to tell Nginx about SSL support on your server. Assuming you already have a working port 80 configuration for Nginx, this task is pretty simple. If you do not yet have Nginx working on port 80, you can read this tutorial to install and set up Nginx.

After installing and setting up Nginx to work on port 80 we will now configure it to work on port 443. Port 443 is used by HTTPS and port 80 by HTTP. You need to add the changes below to your site's file under the /etc/nginx/sites-available directory.

server {
	listen 80;
	listen [::]:80 ipv6only=on;
	# replace with your domain name
	server_name your-domain-name;
	# send every HTTP request to the same path on HTTPS
	return 301 https://your-domain-name$request_uri;
}

The block above redirects http://your-domain-name requests to https://your-domain-name. If you are using the www version then you need to add www to the server_name and return lines. Everything else remains as it is.

This forces a 301 redirect for all requests made to your HTTP pages, which is good for SEO as well as for visitors. If it is not used, HTTP pages will return a 404 error. Search engines currently treat the HTTP and HTTPS versions of the same page as different URLs or locations.

Now make the changes below in your working port 80 configuration. I have added comments in the code for clarity.

server {
	# listen 80 is changed to listen 443 ssl
	listen 443 ssl;
	# replace with your domain name
	server_name your-domain-name;
	# the root line will differ if your operating system is not Debian or Ubuntu
	root /usr/share/nginx/html;
	index index.php index.html index.htm;
	# replace your-domain-name.pem with the bundle file you created above
	ssl_certificate /etc/nginx/ssl/your-domain-name.pem;
	# the private key created together with the CSR; keep it readable by root only
	ssl_certificate_key /etc/nginx/ssl/final.key;
	# keep the rest of your existing server block (location blocks etc.) as it is and add the lines below
	ssl_prefer_server_ciphers on;
	# SSLv3, TLS 1.0 and TLS 1.1 are broken or deprecated; enable only TLS 1.2 and 1.3
	# (drop TLSv1.3 if your Nginx is older than 1.13, otherwise nginx -t will reject the value)
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_session_cache shared:SSL:20m;
	ssl_session_timeout 10m;
	# OCSP stapling only works when the .pem bundle includes the intermediate certificates
	ssl_stapling on;
	ssl_stapling_verify on;
	add_header Strict-Transport-Security "max-age=31536000";
}

You can leave your existing port 80 configuration as it was earlier. For better readability you can copy the SSL part of the configuration into a separate file and include it in the Nginx configuration. Now reload the new configuration with the commands below. Before that, check that the configuration file is free of errors: run the first command, and if it reports no errors, run the second.

nginx -t
/etc/init.d/nginx reload

Check for port 443

This is one thing most people do not take care of. It is better to see whether this port is open; if not, you will get connection reset problems. You can use this tool for that purpose: enter your server's IP address and the port (443 in this case) and it will output a message saying whether the port is open or closed.

If the port is closed, the reason might be that your firewall is blocking it. In that case allow incoming connections to port 443 using the command below. Note that this rule only lasts until the next reboot unless you save it with your distribution's iptables persistence mechanism.

iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Test your configuration

You will now be able to browse your website over HTTPS. If you enter the HTTP version of the URL it should redirect to the HTTPS version. You can also use the SSL Server Test to check your SSL setup score; the score of this website is A+, and you can view the results using this link.

I have used NameCheap as the third-party SSL certificate provider in this tutorial, but this should work fine with other providers. The commands will work on most Linux distributions; only parts of them will differ. Check your operating system for the equivalent command or configuration file location.

Consider sharing the post in case you found this useful.
