Students tutorial – Installing SSL/TLS Certificates on Nginx

When running Nginx on Ubuntu 16.10, one question that keeps popping up is how to install SSL/TLS certificates for Nginx webservers. This brief tutorial is going to show students and new users how to easily install SSL certificates for Nginx web servers on Ubuntu 16.10.

To learn how to do this, continue below

Nginx is a powerful webserver. I am now hosting all my WordPress blogs and websites on Nginx webservers. Apache2 served me well, but I’ve found a new friend in Nginx.

When you want to run Nginx over SSL/TLS HTTPS protocol, continue below to learn how it’s done.

Step 1: Get Nginx Working on Ubuntu

Before you can install and use SSL/TLS on Nginx, you should get Nginx installed and functioning. The webserver should be able to serve web pages over HTTP from its root directory. If you can’t pass that test, I’m afraid you won’t get far with this post.

To install Nginx on Ubuntu, run the commands below.

sudo apt-get update

sudo apt-get install nginx

The commands above install the Nginx packages from Ubuntu’s default repositories. If you want the latest and greatest Nginx, you’ll have to install it from Nginx’s own repository. To add that repository to your Ubuntu machine, run the command below:

sudo sh -c 'echo "deb http://nginx.org/packages/ubuntu/ `lsb_release -cs` nginx" >> /etc/apt/sources.list.d/Nginx.list'

After adding the repository, run the commands below to add the repository’s signing key to your system. The key lets apt verify that the packages it downloads from that repository were signed by Nginx.

cd /tmp/ && wget http://nginx.org/keys/nginx_signing.key

sudo apt-key add nginx_signing.key

After that, run the commands below to upgrade Nginx (and the rest of the system) to the latest version available for your Ubuntu machine.

sudo apt-get update && sudo apt-get dist-upgrade && sudo apt-get autoremove

When Nginx is installed, you should be able to access its default test page over HTTP at the server’s root URL, as shown below:

[Screenshot: Nginx default home page test]

Step 2: Create an SSL/TLS Self-Signed Certificate

Now that Nginx is installed and functioning, go and create a self-signed certificate. To do that, run the command below to create a certificate folder.

sudo mkdir /etc/nginx/ssl/

Then change into that folder:

cd /etc/nginx/ssl/

Run the command below to generate the server’s private key. You will be prompted to type and confirm a passphrase for the private key.

sudo openssl genrsa -des3 -out server.key 2048

Next, run the command below to generate a certificate signing request (CSR) using the server’s private key. You’ll be prompted for the private key’s passphrase.

sudo openssl req -new -key server.key -out server.csr

When you run the command above to create the CSR file, you’ll be prompted to answer the following questions. Complete them and you should be good.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Minnesota
Locality Name (eg, city) []:Brooklyn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Blog Page
Organizational Unit Name (eg, section) []:SSL Unit
Common Name (e.g. server FQDN or YOUR name) []:myblogexample.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  DO NOT TYPE PASSWORD HERE, LEAVE BLANK
An optional company name []:

Next, run the command below to generate a certificate that will be valid for 1 year, or 365 days. You can lengthen the validity period as you wish.

sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Finally, run the last two commands below to strip the passphrase from the key, so that you’re not prompted for it each time you restart the webserver. You’ll be prompted for the private key’s passphrase one last time; type it.

sudo cp server.key server.key.orig
sudo openssl rsa -in server.key.orig -out server.key
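The same result as Step 2 in one non-interactive script, as an added example that is not part of the original tutorial. It goes a little beyond the steps above: the hostname is also written into a subjectAltName (browsers match hostnames against the SAN list, not the Common Name), the key is written without a passphrase in the first place, and the script checks that the certificate and key really belong together before you point Nginx at them. It assumes a POSIX shell and the openssl command-line tool; the function names and the small openssl.cnf it writes are this example’s own, and the DN values are the constructed ones from the prompt above.

```shell
#!/bin/sh
# Added example (not from the original tutorial): create the server key and a
# self-signed certificate non-interactively, then verify the pair before Nginx
# uses it. Assumes a POSIX shell and the openssl command-line tool; the function
# names and the openssl.cnf written below are this example's own.

# gen_selfsigned DIR CN DAYS
# Writes DIR/server.key (no passphrase, mode 0600) and DIR/server.crt.
# The hostname goes into a subjectAltName as well as the CN, because browsers
# match hostnames against the SAN list, not the CN.
gen_selfsigned() {
	dir=$1; cn=$2; days=$3
	mkdir -p "$dir"
	# a minimal request config so that no interactive prompts appear;
	# the DN values are the constructed ones used in the tutorial's prompt
	cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
C  = US
ST = Minnesota
L  = Brooklyn
O  = My Blog Page
CN = $cn
[v3_server]
subjectAltName = DNS:$cn
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
	# -nodes: write the key unencrypted, which is what the tutorial's final
	# "openssl rsa -in server.key.orig -out server.key" step achieves afterwards
	openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
		-config "$dir/openssl.cnf" \
		-keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
	chmod 600 "$dir/server.key"
}

# cert_matches_key CRT KEY: succeeds only if the certificate's public key is
# the one derived from the private key (a mismatch makes "nginx -t" fail).
cert_matches_key() {
	crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
	key_pub=$(openssl pkey -in "$2" -pubout)
	[ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_has_san CRT HOSTNAME: succeeds if HOSTNAME is listed as a DNS SAN.
cert_has_san() {
	openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_valid_for_days CRT N: succeeds if the certificate will not expire
# within the next N days (handy as a renewal reminder from cron).
cert_valid_for_days() {
	openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage: sudo sh make-selfsigned.sh /etc/nginx/ssl myblogexample.com 365
if [ $# -eq 3 ]; then
	gen_selfsigned "$1" "$2" "$3"
	cert_matches_key "$1/server.crt" "$1/server.key" && cert_has_san "$1/server.crt" "$2" \
		&& echo "ok: $1/server.crt and $1/server.key match, SAN $2 present"
fi
```

Run it with sudo when the target directory is /etc/nginx/ssl. The key stays readable only by root (mode 0600), which is all Nginx needs since it reads the key as root before dropping privileges.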

Step 3: Install the Certificate

The last step in the process is to add the certificate to Nginx’s configuration so that it serves pages over HTTPS. Find the example configurations below to implement on your own servers. There are two important files we’ll be using from the /etc/nginx/ssl directory. They’re the server.key and the server.crt.

Open your Nginx configuration file for the default site and make the following changes. The commented-out port 80 listen lines and the listen 443 / ssl_* lines are the edits; the rest of the file stays as it shipped:

server {
	#listen 80 default_server;
	#listen [::]:80 default_server;

	# SSL configuration
	#
	listen 443 ssl default_server;
	listen [::]:443 ssl default_server;

	ssl_certificate /etc/nginx/ssl/server.crt;
	ssl_certificate_key /etc/nginx/ssl/server.key;
	# SSLv3 is broken (POODLE) and is not offered
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	# exactly one OpenSSL cipher list; drop ":!3DES" only if old clients still need 3DES
	ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
	ssl_prefer_server_ciphers on;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php7.0-cgi alone:
	#	fastcgi_pass 127.0.0.1:9000;
	#	# With php7.0-fpm:
	#	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}

These are the basic settings that will get you started. After making the above changes, run the command below to test whether the configuration is valid.

sudo nginx -t

If everything is good, restart Nginx so the new configuration takes effect.
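A pre-flight check for the server block above, as an added example that is not part of the original tutorial. It scans the ssl_* directives for the two mistakes that are easy to carry over from older guides (SSLv2/SSLv3 in ssl_protocols, and an ssl_ciphers value that is not a single cipher list), flags a missing certificate or key, and then runs nginx -t and reloads the server only when the syntax check passes. It assumes a POSIX shell; it is a plain text scan with comments stripped, not a full Nginx configuration parser, and the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a pre-flight check of the
# ssl_* directives in a server block, followed by the test-then-reload step.
# Assumes a POSIX shell; it is a plain text scan (comments stripped), not a
# full Nginx configuration parser. Function names are this example's own.

# check_ssl_conf FILE
# Prints one line per finding; returns 0 when there are none.
check_ssl_conf() {
	conf=$1; problems=0
	# drop comments so commented-out lines such as "# include snippets/snakeoil.conf;"
	# do not produce findings (this also strips a literal '#' inside a value, a known limitation)
	stripped=$(sed 's/#.*$//' "$conf")

	if ! printf '%s\n' "$stripped" | grep -Eq 'listen[[:space:]].*[[:space:]]ssl'; then
		echo "missing: no 'listen ... ssl' directive"; problems=$((problems + 1))
	fi
	if ! printf '%s\n' "$stripped" | grep -q 'ssl_certificate[[:space:]]'; then
		echo "missing: ssl_certificate"; problems=$((problems + 1))
	fi
	if ! printf '%s\n' "$stripped" | grep -q 'ssl_certificate_key[[:space:]]'; then
		echo "missing: ssl_certificate_key"; problems=$((problems + 1))
	fi
	# SSLv2/SSLv3 are broken (SSLv3: POODLE) and must not be offered
	if printf '%s\n' "$stripped" | grep 'ssl_protocols' | grep -Eq 'SSLv[23]'; then
		echo "weak: ssl_protocols offers SSLv2/SSLv3"; problems=$((problems + 1))
	fi
	# ssl_ciphers takes exactly one OpenSSL cipher list; the word "or" between
	# two lists is a copy/paste error, not a choice OpenSSL understands
	if printf '%s\n' "$stripped" | grep 'ssl_ciphers' | grep -Eq '[[:space:]]or[[:space:]]'; then
		echo "invalid: ssl_ciphers contains the word 'or' (not cipher-list syntax)"; problems=$((problems + 1))
	fi
	# when a cipher list is given, it should at least exclude anonymous suites
	# (Nginx's built-in default already does, so an absent directive is not flagged)
	ciphers=$(printf '%s\n' "$stripped" | sed -n 's/.*ssl_ciphers[[:space:]]*"\{0,1\}\([^";]*\).*/\1/p')
	if [ -n "$ciphers" ]; then
		case "$ciphers" in
			*'!aNULL'*) ;;
			*) echo "weak: ssl_ciphers does not exclude aNULL"; problems=$((problems + 1)) ;;
		esac
	fi
	[ "$problems" -eq 0 ]
}

# count_ssl_problems FILE: the number of findings, for scripting around the check
count_ssl_problems() {
	check_ssl_conf "$1" | wc -l | tr -d ' '
}

# safe_reload: syntax-check first, so a typo never takes the running site down.
# reload keeps existing connections open; "systemctl restart nginx" also works.
safe_reload() {
	sudo nginx -t && sudo systemctl reload nginx
}

# Usage: sh check-tls.sh /etc/nginx/sites-available/default
if [ $# -eq 1 ]; then
	check_ssl_conf "$1" && safe_reload
fi
```

Run it against the site file you just edited; it prints nothing and reloads Nginx when the block is clean, and otherwise lists what to fix and leaves the running server untouched.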

Next, browse to the server hostname or IP address via HTTPS (for example https://localhost). Because the certificate is self-signed, the browser will warn that it cannot verify the issuer; that is expected with a self-signed certificate and goes away once you install one from a CA the browser trusts.

You can redirect all HTTP traffic to HTTPS with a 301 by adding the block below at the bottom of the config file.

server {
	listen 80;
	server_name localhost;
	return 301 https://localhost$request_uri;
}

This is how you configure Nginx with an SSL/TLS certificate. Although we’re using a self-signed certificate here, the same configuration works with a certificate issued by a trusted CA.

Enjoy!