
How to Setup HTTPS Connection for NginX

I just bought a new SSL certificate from an SSL provider, and now I'm trying to install it on my nginx webserver. I'm sharing the steps needed to install my SSL certificate, in case someone needs it.

But first, I need to generate a .key and a .csr file with the openssl command; the .key file will be my “secret key”, that is, my private key.

sudo openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

Next, I send my .csr file to the SSL provider to generate the .crt files. In my case, the SSL provider gave me 2 .crt files: the “Intermediate Certificate” (my_intermediate_ca.crt) and the “SSL Certificate” (domain.crt).

First, I need to join those 2 .crt files,

cat domain.crt my_intermediate_ca.crt > bundle.crt

It will look like this,

..... my domain.crt .......
..... my intermediate.crt .......

Next is registering my SSL certificate in nginx. I just edit ssl.conf here,

sudo vi /etc/nginx/conf.d/ssl.conf

and add these lines,

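server {
    # HTTPS listener; default_server is the current spelling of the older "default" parameter
    listen       443 default_server ssl;
    server_name  mydomain;

    # do not advertise the nginx version
    server_tokens off;

    # bundle.crt = domain.crt followed by the intermediate certificate
    ssl_certificate      /crtlocation/bundle.crt;
    ssl_certificate_key  /crtlocation/domain.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}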

Restart nginx and check your SSL setup using the openssl command,

openssl s_client -debug -connect localhost:443

A good SSL configuration will give this result,

Verify return code: 0 (ok)

While a bad one will produce a result like this,

Hope this helps others, have fun 😀

I had one weird condition on my previous SSL installation: somehow my website showed valid SSL on desktop browsers, but showed broken SSL when accessed from mobile devices and Android browsers. I found out it was because I provided the wrong .crt file in nginx’s ssl.conf: I provided domain.crt instead of bundle.crt. 🙁
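
The domain.crt versus bundle.crt mistake described above can be caught before nginx is restarted. The script below is an added example, not part of the original post: it builds a constructed root → intermediate → leaf chain with openssl and checks both the key/certificate match and chain completeness. The helper names and the "Demo" CA names are assumptions made for the illustration.

```shell
# Added example: pre-deployment checks for the bundle.crt / domain.key pair.
# All certificates are constructed test data (root -> intermediate -> leaf).
newcsr() {  # newcsr PATH_PREFIX COMMON_NAME: throwaway key + CSR
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_demo_chain() {  # make_demo_chain DIR: build the constructed PKI in DIR
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    newcsr "$d/root" "Demo Root"
    newcsr "$d/int" "Demo Intermediate"
    newcsr "$d/domain" "mydomain"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 2 -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 \
        -out "$d/my_intermediate_ca.crt" 2>/dev/null
    openssl x509 -req -in "$d/domain.csr" -CA "$d/my_intermediate_ca.crt" \
        -CAkey "$d/int.key" -CAcreateserial -days 2 \
        -out "$d/domain.crt" 2>/dev/null
}

# key_matches_cert KEY CERTFILE: true if KEY belongs to the FIRST certificate
# in CERTFILE (nginx expects the server certificate first in the bundle).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_is_complete ROOT SERVED: true if the first certificate in SERVED
# verifies up to ROOT using only the other certificates in SERVED, i.e. what
# a client sees when it has no cached copy of the intermediate.
chain_is_complete() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

tmp=$(mktemp -d) && make_demo_chain "$tmp"
cat "$tmp/domain.crt" "$tmp/my_intermediate_ca.crt" > "$tmp/bundle.crt"
for f in domain.crt bundle.crt; do
    if chain_is_complete "$tmp/root.crt" "$tmp/$f"; then
        echo "$f: chain complete"
    else
        echo "$f: intermediate missing from served file"
    fi
done
key_matches_cert "$tmp/domain.key" "$tmp/bundle.crt" && echo "key matches bundle"
rm -rf "$tmp"
```

With a real certificate, pass the provider's root certificate as ROOT and the file named in ssl_certificate as SERVED.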