Installing an SSL certificate on Nginx
-
-
Upload the certificates on the server where your website is hosted
Having completed the CSR code generation and SSL activation steps, you will receive a zip file with the Sectigo (previously known as Comodo) Certificates via email. Alternatively,
Note: If you choose NGINX server when activating the certificate, you’ll receive a zip file containing a Certificate file, with the ‘.crt’ extension, and a Certificate Authority (CA) bundle file, with the ‘.ca-bundle’ extension.
Upload both files to your server whatever way you prefer. By using an FTP client, for example.
You can also download the Bundle file for each Certificate by following the instructions here.
-
-
Combine all the certificates into a single file
You need to have all the Certificates (your_domain.crt and your_domain.ca-bundle) combined in a single ‘.crt’ file.
The Certificate for your domain should come first in the file, followed by the chain of Certificates (CA Bundle).
Enter the directory where you uploaded the certificate files. Run the following command to combine the files:
$ cat your_domain.crt your_domain.ca-bundle >> your_domain_chain.crt
-
Creating a separate Nginx VirtualHost file or Modifying the existing configuration file
To install the SSL certificate on Nginx, you need to show the server which files to use, either by a) creating a new configuration file, or b) editing the existing one.
a) By adding a new configuration file for the website you can make sure that there are no issues with the separate configuration file. Furthermore, the whole server will not go down if there are any issues with the configuration file.
We suggest creating a new configuration file in this folder:
/etc/nginx/conf.d
That can be done via this command:
sudo nano /etc/nginx/conf.d/Your_domain*-ssl.conf
Where Your_domain*-ssl.conf is the name of the newly created file.
Next, copy and paste one of the below server blocks for the 443 port and edit the directories. Ensure the server name and path to webroot match in both the server block for port 80 and the one for port 443. If you have any other important values that need to be saved, move them to the newly created server block too. b) Edit the default configuration file of the web-server, which is named nginx.conf. It should be in one of these folders:
/usr/local/nginx/conf
/etc/nginx
/usr/local/etc/nginx
You can also use this command to find it:
sudo find / -type f -iname “nginx.conf”
Once you find it, open the file with:
sudo nano nginx.conf
Then copy and paste one of the server blocks for the 443 port given below and edit the directories according to your server block for the 80 port (with matching server name, path to webroot, and any important values you need).
Choose the server block:
Below you can find a server block for your Nginx version.
Note: To check your Nginx version, run this command:
sudo nginx -v
Note: Replace the file names values, like your_domain_chain.crt, in the server block with your details, and modify the routes to them using /path/to/.
- Server block for Nginx version 1.14 and below:
server {
listen 443;
ssl on;
ssl_certificate /path/to/certificate/your_domain_chain.crt;
ssl_certificate_key /path/to/your_private.key;
root /path/to/webroot;
server_name your_domain.com;
}
Note: You can specify multiple hostnames in such configuration, if needed, e.g.:
server {
listen 443;
ssl on;
ssl_certificate /path/to/certificate/your_domain_chain.crt;
ssl_certificate_key /path/to/your_private.key;
root /path/to/webroot;
server_name your_domain.com www.your_domain.com;
}
- Server block for Nginx version 1.15 and above:
server {
listen 443 ssl;
ssl_certificate /path/to/certificate/your_domain_chain.crt;
ssl_certificate_key /path/to/your_private.key;
root /path/to/webroot;
server_name your_domain.com;
}
- ssl_certificate should be pointed to the file with combined certificates you’ve created earlier.
- ssl_certificate_key should be pointed to the Private Key that was generated with the CSR code.
Here are a few tips on how to find the Private key on Nginx.
Important: For either a Multi-Domain or a Wildcard Certificate, you’ll need to have a separate server block added for each of the domain/subdomain included in the Certificate. Ensure you specify the domain/subdomain in question along with the paths to the same Certificate files in the VirtualHost record, as described above.Once the corresponding server block is added to the file, ensure you save the edits. Then, you can double-check the changes made with the following steps.
Run this command to verify that the configuration file syntax is ok:
sudo nginx -t
If you receive errors, double check that you followed the guide properly. Feel free to contact our Support Team if you have any questions.
If the server displays the test successfully, restart Nginx with this command to apply the changes:
sudo nginx -s reload
Now your SSL Certificate is installed. You can check the installation here.
-
Configure HTTPS redirect
We suggest that you install the redirect from HTTP to HTTPS. That way, your website visitors will only be able to access the secure version of your site.
To do this, you’ll need to add one line to the configuration file with the server block for port 80.
Tips:
- You can use one of the following commands to look up the configuration files which are enabled now:
sudo nginx -T | grep -iw “configuration file”
sudo nginx -T | grep -iw “include”
- The default paths to the conf file are:
on RHEL-based Linux OS: /etc/nginx/conf.d/default.conf
on Debian-based Linux OS: /etc/nginx/sites-enabled/default
- You can open the files to check which one contains the needed server block. For this, run:
sudo nano name_of_the_file
Once you find the file that contains the server block for port 80 (the default HTTP port), add in the following line:
return 301 https://$server_name$request_uri;
Note: The above redirect rule should be entered as the last line in the server block.
- return is the main directive to use.
- 301 is permanent redirect (302 is the temporary one).
- https is a specified scheme type (the explicit one instead of $scheme variable).
- $server_name variable will use the domain specified in the server_name directive.
- $request_uri variable is used to match the paths to the requested pages/parts of the website (everything after the domain name).
Here are examples of server blocks with the HTTPS redirect:
Permanent redirect to HTTPS
server {
listen 80;
server_name your_domain.com www.your_domain.com;
return 301 https://$server_name$request_uri;
}
Permanent redirect to HTTPS non-www
server {
listen 80;
server_name your_domain.com www.your_domain.com;
return 301 https://your_domain.com$request_uri;
}
Permanent redirect to HTTPS www
server {
listen 80;
server_name your_domain.com www.your_domain.com;
return 301 https://www.your_domain.com$request_uri;
}
Temporary redirect to HTTPS non-www
server {
listen 80;
server_name your_domain.com www.your_domain.com;
return 302 https://your_domain.com$request_uri;
}
You can find more details about redirect options on Nginx here.