Matt Howlett

Software Development and Mathematics Blog

Setting up https - Nginx / Ubuntu 14.04 / Comodo

2014-11-10

A quick recipe for serving a site over https with a Comodo certificate on nginx.

Create a directory to hold the key and certificate. The private key will live here, so the directory should be readable by root only:

mkdir /etc/nginx/ssl

Create the private key and the certificate signing request:

openssl req -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr

This writes the key to mydomain.key in the current directory, unencrypted (-nodes) so that nginx can start without a passphrase prompt. Move it to /etc/nginx/ssl/nginx.key, the name used in the nginx configuration further down, and make it readable only by root: anyone who can read the key can impersonate the site.

Many examples also pass -new. The Comodo support page omits it, and "man req" confirms that it is redundant when -newkey is given:

-new - this option generates a new certificate request.

-newkey - this option creates a new certificate request and a new private key.

The Comodo support page also states that the last three prompts can be left blank:

The fields email address, optional company name and challenge password can be left blank for a webserver certificate.

The Common Name must be the bare host name, without https://, and must be the exact name clients will connect to: www.mydomain.com if the site is served under www, since a certificate for mydomain.com alone will produce a name-mismatch warning there.

With this done, submit the CSR to Comodo (in my case via Namecheap).

Wait for the Domain Control Validation email and follow the instructions to confirm.

Wait for the email containing the SSL Certificate (not immediate, but close) and copy the attached .zip file to the server.

Concatenate the site certificate and the intermediate certificates from the zip, leaf first, into the single file nginx will serve:

cat www_mydomain_ext.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > /etc/nginx/ssl/nginx.crt

Note: if you serve only www_mydomain_ext.crt it may appear to work, because a browser that has already cached the Comodo intermediates from another site can complete the chain itself, but clients that have not seen them fail with an untrusted-issuer error. The intermediates must be included, and the order matters: nginx takes the server certificate from the front of the file and sends the rest as the chain. The root certificate is not required, since a client can only trust the chain if it already holds the root in its own trust store, but including it is harmless beyond a few extra bytes per handshake.
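As an added example, not code from the original post, the following script runs the key/CSR step and the bundling step above against a throwaway test CA and then checks the bundle the way nginx will use it: the first certificate must match the private key, each certificate must be issued by the one after it, and the leaf must validate to the root using only the intermediates in the file. The test root and intermediate are constructed stand-ins for AddTrustExternalCARoot and COMODORSADomainValidationSecureServerCA; the function check_bundle and every file name not in the post are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the nginx certificate
# bundle and checks it before nginx ever serves it:
#   1. the bundle starts with the certificate that matches the private key
#      (nginx takes the server certificate from the front of ssl_certificate);
#   2. each certificate is issued by the one that follows it (chain order);
#   3. the leaf validates up to the root using only the intermediates present.
# The three-tier test CA below is constructed so the script runs offline; in
# real use www_mydomain_ext.crt and the intermediates come from the CA's zip.
set -eu

# check_bundle BUNDLE KEY ROOT  -> 0 if the bundle is usable, 1 otherwise
check_bundle() {
  bundle=$1; key=$2; root=$3
  tmp=$(mktemp -d)
  # split the PEM bundle into cert1.pem, cert2.pem, ... in file order
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++} {print > (d "/cert" n ".pem")}' "$bundle"
  n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")

  # 1. the public key of the first certificate must equal the public key of KEY
  if [ "$(openssl x509 -in "$tmp/cert1.pem" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "$bundle: first certificate does not match $key (wrong order?)" >&2
    rm -rf "$tmp"; return 1
  fi

  # 2. the issuer of certificate i must be the subject of certificate i+1
  i=1
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    issuer=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$tmp/cert$j.pem" -noout -subject)
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "$bundle: certificate $i is not issued by certificate $j" >&2
      rm -rf "$tmp"; return 1
    fi
    i=$j
  done

  # 3. path validation: trust only ROOT, take intermediates only from the bundle
  if ! openssl verify -CAfile "$root" -untrusted "$bundle" "$tmp/cert1.pem" >/dev/null 2>&1; then
    echo "$bundle: chain does not validate to $root (missing intermediate?)" >&2
    rm -rf "$tmp"; return 1
  fi
  rm -rf "$tmp"
  return 0
}

# make_test_pki DIR: constructed root -> intermediate -> www.mydomain.com chain
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.mydomain.com\n' > "$dir/leaf.ext"

  # root CA (stand-in for AddTrustExternalCARoot)
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Root CA' \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null

  # intermediate (stand-in for COMODORSADomainValidationSecureServerCA)
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null

  # the site key and CSR: the same command as in the post, subject given inline
  openssl req -newkey rsa:2048 -nodes -subj '/CN=www.mydomain.com' \
    -keyout "$dir/mydomain.key" -out "$dir/mydomain.csr" 2>/dev/null
  # what the CA sends back
  openssl x509 -req -in "$dir/mydomain.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -days 30 -extfile "$dir/leaf.ext" -out "$dir/www_mydomain_ext.crt" 2>/dev/null
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_pki "$WORK"

# correct: leaf first, then the intermediate; the root at the end is optional
cat "$WORK/www_mydomain_ext.crt" "$WORK/int.crt" "$WORK/root.crt" > "$WORK/nginx.crt"
# two common mistakes: intermediate first, and the leaf on its own
cat "$WORK/int.crt" "$WORK/www_mydomain_ext.crt" > "$WORK/wrong_order.crt"
cp "$WORK/www_mydomain_ext.crt" "$WORK/leaf_only.crt"

for b in nginx.crt wrong_order.crt leaf_only.crt; do
  if check_bundle "$WORK/$b" "$WORK/mydomain.key" "$WORK/root.crt"; then
    echo "$b: OK"
  else
    echo "$b: rejected"
  fi
done
```

Run it against the real files by calling check_bundle with /etc/nginx/ssl/nginx.crt, /etc/nginx/ssl/nginx.key and the AddTrustExternalCARoot.crt from the zip; the leaf-only case is the one that "appears to work" in a browser that has cached the intermediates and fails everywhere else.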

Here is a minimal nginx configuration for a static site (it leaves ssl_protocols and ssl_ciphers at nginx's defaults):

server {
  server_name www.mydomain.com;
  # leaf certificate followed by the intermediates, built above
  ssl_certificate /etc/nginx/ssl/nginx.crt;
  # the private key from the openssl req step, readable by root only
  ssl_certificate_key /etc/nginx/ssl/nginx.key;

  listen 443 ssl;

  location / {
    root /var/www/mydomain.com;
  }
}

Plain http requests can be redirected (301) to their https counterparts with a second server block:

server {
  listen 80;
  server_name www.mydomain.com;
  # permanent redirect to the same path and query string over https
  return 301 https://www.mydomain.com$request_uri;
}
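The two blocks above take nginx's TLS defaults, and on Ubuntu 14.04 (nginx 1.4.6) the default ssl_protocols still include SSLv3, which POODLE broke in October 2014, a month before this post. As an added example, not from the original post, here is the same configuration with the protocol, cipher, session-cache and HSTS settings a practitioner would set. The cipher string, the bare-domain server_name and the one-year HSTS lifetime are assumptions; check the cipher list against current guidance (for example the Mozilla SSL Configuration Generator) and the directives against your nginx version.

```nginx
# Added example, not from the original post. Same two server blocks with the
# TLS settings that nginx 1.4.x leaves open by default.

server {
  listen 80;
  # bare domain assumed to point at the same host; drop it if it does not
  server_name www.mydomain.com mydomain.com;
  return 301 https://www.mydomain.com$request_uri;
}

server {
  listen 443 ssl;
  server_name www.mydomain.com;

  ssl_certificate     /etc/nginx/ssl/nginx.crt;   # leaf + intermediates, leaf first
  ssl_certificate_key /etc/nginx/ssl/nginx.key;   # mode 0600, owned by root

  # nginx before 1.9.1 defaults to "SSLv3 TLSv1 TLSv1.1 TLSv1.2"; SSLv3 must go.
  # Add TLSv1.3 here on nginx >= 1.13.0 built against OpenSSL 1.1.1 or later.
  ssl_protocols TLSv1.2;
  # forward-secret AEAD suites only (assumed list; verify against current guidance)
  ssl_ciphers 'ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5';
  ssl_prefer_server_ciphers on;

  # session resumption so repeat visitors skip the full handshake
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;

  # HSTS: a browser that has seen this header refuses plain http for the
  # site for max-age seconds, so only enable it once https is known to work
  add_header Strict-Transport-Security "max-age=31536000";

  location / {
    root /var/www/mydomain.com;
  }
}
```

Check the result with nginx -t before reloading, and from another machine with openssl s_client -connect www.mydomain.com:443 -servername www.mydomain.com, which prints the chain the server actually sends and the negotiated protocol and cipher.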