
Content with Style


Setting up SSL for Nginx

by Pascal Opitz on September 30 2010, 19:56

Quite a kerfuffle trying to set up SSL encryption for www.tagbento.com, which runs on Nginx. Here is how it was done.

The files came via the client from StartSSL. The following were present:


ssl.crt (the server certificate)
ssl.key (its private key, protected by a passphrase)
ca.pem (the CA's root certificate)
sub.class2.server.ca.pem (the Class 2 intermediate certificate that issued the server certificate)

I was used to having a certificate and a key file from generating self-signed certificates, but the rest? Unfortunately, Nginx wasn't mentioned in StartSSL's how-to pages at all.

Remove the passphrase from the key file

If you don't, Nginx will ask for the PEM passphrase on every configtest and on every reload or restart, which rules out unattended restarts. The flip side is that the key then sits unencrypted on disk: make it readable only by root (mode 0600; the Nginx master process runs as root and reads the key before it drops privileges), and keep bak.key somewhere safer than the web server's configuration directory, or delete it.


mv ssl.key bak.key
openssl rsa -in bak.key -out ssl.key

Creating a combined certificate chain

Probably the most confusing point. The Nginx manual explains why you'll have to do this:

if you have a chain of certificates — by having intermediate certificates between the server certificate and the CA root certificate — they're not specified separately like you would do for Apache. Instead you'll need to concatenate all the certificates, starting with the server certificate, and going deeper in the chain running through all the intermediate certificates.

So the order is: server certificate first, then the intermediate that signed it, then anything further up the chain. After the mv the server certificate lives in bak.crt, so that is the file that goes first. The root (ca.pem) could be appended last, but it does no good: browsers already carry the root in their own trust store, and sending it only adds bytes to every handshake, so it is left out here.


mv ssl.crt bak.crt
cat bak.crt sub.class2.server.ca.pem > ssl.crt

Tribulations

At this point I was quite confused, because the instructions for Class 1 certificates were slightly different. The main problem, as it turned out, was that the ssl.crt I had been given had Windows line breaks (CRLF) in it. So if things don't work, open the concatenated file in vim: stray carriage returns show up as ^M at the end of each line (or vim reports the whole file as [dos] when loading it), and dos2unix strips them.

Enable SSL in the Nginx Vhost


server {
        listen 443;

        ssl on;
        ssl_certificate /path/to/ssl.crt;
        ssl_certificate_key /path/to/ssl.key;

        server_name www.tagbento.com;

        ... 
}
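Copied verbatim onto a current Nginx, the block above has two problems: ssl on; has been deprecated since 1.15.0 in favour of the ssl parameter of listen and current releases reject it, and the vhost inherits whatever protocol defaults the build has (in 2010 that included SSLv3). Below is the same vhost as it would be written today. It is an added example, not the post's or tagbento.com's real configuration: the host name and the two certificate paths are the post's, the protocol and session settings are ordinary current defaults, and /path/to/ca-chain.pem is an assumed file.

```nginx
server {
    # 'ssl' as a listen parameter replaces the old 'ssl on;' directive
    listen 443 ssl;
    server_name www.tagbento.com;

    # server certificate followed by the intermediate(s), in that order;
    # the root certificate (ca.pem) does not belong in this file
    ssl_certificate     /path/to/ssl.crt;

    # passphrase-free key: mode 0600, owned by root; the master process
    # reads it as root before dropping privileges to the worker user
    ssl_certificate_key /path/to/ssl.key;

    # the 2010-era default allowed SSLv3; restrict to current TLS versions
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # OCSP stapling is the one place the root *is* needed: nginx verifies the
    # stapled response against ssl_trusted_certificate, which must contain
    # the intermediate and the root. The path is an assumption; build the
    # file from sub.class2.server.ca.pem and ca.pem. Stapling also needs a
    # 'resolver' directive if the OCSP responder's host name must be looked up.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /path/to/ca-chain.pem;

    # ...
}
```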

Test and Reload Nginx configuration


/etc/init.d/nginx configtest
/etc/init.d/nginx reload

The init script's configtest runs nginx -t, and reload sends the master process a HUP, the same as nginx -s reload; on a systemd host use nginx -t followed by systemctl reload nginx. Once it is reloaded, confirm from the outside that the server sends the whole chain: openssl s_client -connect www.tagbento.com:443 -servername www.tagbento.com prints the certificates it received and, given a trust store, ends with "Verify return code: 0 (ok)". A missing intermediate shows up there as "unable to get local issuer certificate".
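The three steps above, plus the checks a practitioner would run before reloading the live site, as one POSIX shell script. This is an added example and not part of the original post: the function names are the example's own, the file names are the post's, and it assumes openssl(1) is installed. The optional third argument to strip_passphrase reads the passphrase from a file (openssl's -passin file:) for unattended use; leave it out to be prompted as in the post.

```shell
#!/bin/sh
# Added example, not from the original post: prepare and verify an Nginx
# certificate bundle built from the StartSSL files. Assumes openssl(1) is
# on PATH; the function names are this example's own, the file names
# (ssl.key, bak.crt, sub.class2.server.ca.pem, ca.pem) are the post's.
set -eu

# strip_passphrase ENCRYPTED_KEY OUT [PASSFILE]
# Rewrites the key without its PEM passphrase so nginx can start unattended.
# Without PASSFILE openssl prompts on the terminal, exactly as in the post.
# The output is a plaintext private key, so it is created under umask 077
# (mode 0600) rather than chmod-ed afterwards, which would leave a window
# in which the file is readable by everyone.
strip_passphrase() {
    if [ "$#" -ge 3 ]; then
        ( umask 077; openssl rsa -in "$1" -passin "file:$3" -out "$2" )
    else
        ( umask 077; openssl rsa -in "$1" -out "$2" )
    fi
}

# build_bundle OUT SERVER_CRT INTERMEDIATE...
# Concatenates in the order nginx expects: the server certificate first, then
# each intermediate, walking towards the root. Every line goes through awk,
# which drops a trailing CR (the Windows line ending that bit the author) and
# always emits a final newline, so one file's END line can never run into
# the next file's BEGIN line.
build_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        awk '{ sub(/\r$/, ""); print }' "$f" >> "$out"
    done
}

# check_bundle BUNDLE KEY ROOT_CA SERVER_CRT
# Returns 0 if the bundle is what nginx needs, otherwise prints why and
# returns 1. ROOT_CA (ca.pem in the post) only anchors the verification here;
# it does not have to be inside the bundle itself.
check_bundle() {
    bundle=$1 key=$2 root=$3 server=$4

    # 1. No carriage returns may survive in the file.
    if grep -q "$(printf '\r')" "$bundle"; then
        echo "$bundle: contains CRLF line endings" >&2; return 1
    fi

    # 2. The first PEM block must be the server certificate. openssl x509
    #    reads only the first block of a file, which is what makes this work.
    if [ "$(openssl x509 -in "$bundle" -noout -fingerprint -sha256)" != \
         "$(openssl x509 -in "$server" -noout -fingerprint -sha256)" ]; then
        echo "$bundle: first certificate is not the server certificate" >&2; return 1
    fi

    # 3. The private key must belong to that certificate: compare public keys.
    if [ "$(openssl x509 -in "$bundle" -noout -pubkey)" != \
         "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "$key: does not match the server certificate" >&2; return 1
    fi

    # 4. The chain must build from the server certificate through the bundled
    #    intermediates (-untrusted) up to the root we trust (-CAfile).
    if ! openssl verify -CAfile "$root" -untrusted "$bundle" "$bundle" >/dev/null 2>&1; then
        echo "$bundle: chain does not verify against $root" >&2; return 1
    fi
    return 0
}
```

From the directory holding the StartSSL files, after the mv of the post: strip_passphrase bak.key ssl.key, then build_bundle ssl.crt bak.crt sub.class2.server.ca.pem, then check_bundle ssl.crt ssl.key ca.pem bak.crt. A stray CRLF fails check 1, the intermediate listed before the server certificate fails check 2, a key left over from a previous certificate fails check 3, and a forgotten intermediate fails check 4, each before nginx is touched.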

That's it, enjoy!

Comments

  • Sorry about the tribulations!

    So that others don't cause the same problem, if you're also using Notepad++ on Windows, change this... Settings : Preferences : New Document/Default Directory : Format : Unix.

    Then make your new document, and you're set to copy&paste the SSL cert from your Certificate Authority.

    To confirm, turn on View : Show symbol : Show all characters

    The end of lines should show [LF]. If it shows [CR][LF], it's got Windows formatting - bad!

    by Stephen Hau on October 1 2010, 07:11 - #

  • Is it necessary to include ca.pem? Shouldn’t the browser know the CA? And does the order of the CA certificates (ca.pem, sub.….pem) matter?

    by Martin on October 7 2010, 04:01 - #
