
Configuring HTTPS from HTTP with SSL certificate in Nginx on Ubuntu


14/05/19   7 minutes read   Naren Allam

HTTPS is an extension of HTTP in which the S stands for secure; it is also referred to as HTTP over TLS or HTTP over SSL. The main purpose of HTTPS is to secure the communication between a web server and its clients: the data is encrypted in transit, which protects it against tampering and man-in-the-middle attacks.
In this post we go through the complete procedure for migrating an existing server from plain HTTP to HTTPS by installing an SSL certificate on an Ubuntu Linux system.

Pre-requisites

A registered domain name pointing to your server's static IP address.
An HTTPS certificate for the subject domain bought from a commercial CA such as GoDaddy.
A web server such as Apache or Nginx.

Steps

Generation of CSR and private key

Change directory to home.
Generate the .csr and .key files using openssl with a 2048-bit RSA key as below:

BASH

cd ~

openssl req -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr

Generating a 2048 bit RSA private key
....................................+++
......................................................+++
writing new private key to 'example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Telangana       
Locality Name (eg, city) []:Hyderabad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Rossum Computing Pvt Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Check for the files with extensions .csr and .key in the directory.
The .csr file is the certificate signing request: it carries the public key and the subject details entered above and can be handed to others, whereas the .key file is the private key and must be kept secret.
The .csr looks as below:

BASH

cat example.com.csr

-----BEGIN CERTIFICATE REQUEST-----
MIICwDCCAagCAQAwezELMAkGA1UEBhMCSU4xEjAQBgNVBAgMCVRlbGFuZ2FuYTES
MBAGA1UEBwwJSHlkZXJhYmFkMSEwHwYDVQQKDBhSb3NzdW0gQ29tcHV0aW5nIFB2
dCBMdGQxCzAJBgNVBAsMAklUMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ+IsckNO83iVcIz35uyW9rAtdrPlCL3
Acw2vUI44j186P/0Z9WQDt/mMmo5mDGPWBDXNBQZFnO7xngGLt6iYoDifqrWzUsj
T0B6zVDSvS6acnZOqwRJDJKyHZs9qFmdoSU70uCXFSTk2egOzkf93lKa/kF6G33B
IBVyeZJERf91NQ+b41H+FqJlH8Mg0SJTGdtExgKHK91/NHAh+YzA+NO1N/mpVOH3
NJDe1zh0xOGaLvUQAdjmCTget9fnKZBdRmQIKTDE36G+pb9WwZuFTNrGNA/3kuD3
Omo+OaQzVz6z+L2c5GBaWvZ9rkjOHzm7XanSifNi2EsDgb+Wf1R2WmUCAwEAAaAA
MA0GCSqGSIb3DQEBCwUAA4IBAQBZZzhRLDTKTFMoqjUIUBhw7gD0hChkzme3LKov
JGywaIiYeCqCi43EFNTiXeQgShrVcp73JFBIsyJhKNfhRiShB+OzJlfsvMSlGAhL
+V7HRo4GyjO20sujC5LYPcrDKzkHLlnjH1yOejyPFWvOHhVwVLKwLXTE2AW1ybVv
7gQ2uWHQDuB8QWJfbb+CEfCAufdjZXZMtGZOIC31/6kV/f1lxy7FVfRlYztB/PN4
ylA85NNsblEWUf5IQKC6aKg8FNZ0oKHOQ8R4WiQVoJKz733Wh2dxSEebEodKbISw
9ica0kPn7zeuK5vgkaLIsFVA1fbv9eSM1Bvs+kPlRGZhQt8X
-----END CERTIFICATE REQUEST-----

Go to the commercial CA's website; GoDaddy is used as the example here.
Go to the SSL Certificates page and press the Manage button for the specific domain.

Select the Rekey & Manage option, select Re-Key certificate, paste the text from the .csr file, press 'Save' and then 'Submit All Saved Changes'.

After submission of the .csr, the CA issues the certificate within 24 to 48 hours and sends a confirmation mail to the mail address registered for the subject domain.
In practice the certificate is usually issued within an hour.
If no mail address is available for the domain, you can confirm the issuance of the certificate with customer care.
After the issuance is confirmed, either by mail or by customer care, you can download the certificate.
Download the SSL certificates via Download -> Select server type -> Apache (this works for Apache as well as for Nginx) -> Download Zip File.

Extract the downloaded .zip file and find two files with names similar to these:
8c7e6ba0d8a30b9d.crt (the certificate issued for your domain)
gd_bundle-g2-g1.crt (the GoDaddy intermediate CA bundle)
Create a single chained .crt file with the following command; the server certificate must come first, followed by the bundle:

BASH

# server certificate first, then the CA bundle; '>' creates the file afresh
# (appending with '>>' would duplicate the chain if the command is re-run)
cat 8c7e6ba0d8a30b9d.crt gd_bundle-g2-g1.crt > example.com.chained.crt

Copy the example.com.chained.crt and example.com.key files to a secure path,
for example a new directory /etc/nginx/certificates:

BASH

sudo mkdir /etc/nginx/certificates
sudo cp example.com.chained.crt /etc/nginx/certificates/
sudo cp example.com.key /etc/nginx/certificates/
# the private key must not be readable by other users
sudo chmod 600 /etc/nginx/certificates/example.com.key
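Before pointing Nginx at these files it is worth checking, independently of Nginx, that the first certificate in the chained file really belongs to the private key and that the server certificate chains up to the bundle that follows it; a bundle pasted in the wrong order or a missing intermediate is found this way before the restart. The script below is an added example and not part of the original post; it assumes openssl is on PATH, and the file paths in the usage line are placeholders for your own files.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): sanity-check the chained
# certificate and private key before Nginx is pointed at them.
# Assumes openssl is on PATH; paths in the usage line are placeholders.
set -u

# Return 0 when the first certificate in CHAINED_CRT (the server cert)
# was issued for the private key in KEY_FILE, i.e. both carry the same
# RSA modulus; return 1 otherwise. 'openssl x509' reads only the first
# PEM block, which is the server certificate in a correctly ordered file.
cert_matches_key() {
  local chained_crt="$1" key_file="$2" cert_mod key_mod
  cert_mod=$(openssl x509 -noout -modulus -in "$chained_crt" 2>/dev/null) || return 1
  key_mod=$(openssl rsa -noout -modulus -in "$key_file" 2>/dev/null) || return 1
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Return 0 when the server certificate (first block) verifies against the
# issuer certificates that follow it in CHAINED_CRT, 1 otherwise.
# -partial_chain lets an intermediate from the CA bundle act as the trust
# anchor, so a bundle that does not include the root still verifies.
chain_verifies() {
  local chained_crt="$1" tmp rc
  tmp=$(mktemp -d) || return 1
  # split the file: first PEM block -> leaf.pem, remaining blocks -> issuers.pem
  awk -v leaf="$tmp/leaf.pem" -v rest="$tmp/issuers.pem" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    { if (n == 1) print > leaf; else if (n > 1) print > rest }
  ' "$chained_crt"
  [ -s "$tmp/issuers.pem" ] || { rm -rf "$tmp"; return 1; }
  openssl verify -partial_chain -CAfile "$tmp/issuers.pem" "$tmp/leaf.pem" >/dev/null 2>&1
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Usage: ./check_tls_files.sh example.com.chained.crt example.com.key
if [ "$#" -eq 2 ]; then
  cert_matches_key "$1" "$2" && echo "key matches server certificate" || echo "KEY MISMATCH"
  chain_verifies "$1" && echo "chain order verifies" || echo "CHAIN DOES NOT VERIFY"
fi
```

Run it against the files in /etc/nginx/certificates (with sudo, since the key is mode 600) and fix the order or the missing bundle before running nginx -t.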

Preview of the Nginx config file 'example.com' before installing SSL

Open the Nginx config file for the site from /etc/nginx/sites-available/:

BASH

cd /etc/nginx/sites-available/
sudo nano example.com

NGINX

# example.com
server {
  listen 80;
  server_name www.example.com example.com;

  location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    root /var/www/html/dist/;
    index index.html index.htm index.nginx-debian.html;
    try_files $uri $uri/ =404;
  }
}

Change the config file so that HTTP traffic (port 80) is redirected to HTTPS (port 443) as below.

Preview of the Nginx config file 'example.com' with the SSL certificates installed; check the comments for an explanation of each directive.

NGINX

# example.com
server {
  listen 80;
  server_name www.example.com example.com;

  # Redirect all traffic to SSL. A 301 keeps the original path and query
  # string; the target host is fixed so a client-supplied Host header
  # cannot steer the redirect elsewhere.
  return 301 https://example.com$request_uri;
}

server {
  listen 443 ssl default_server;

  # enable only TLSv1.2 and TLSv1.3; SSLv2, SSLv3 and TLSv1.0/1.1 are weak
  # and should no longer be used (drop TLSv1.3 if nginx -t rejects it on
  # an older nginx/OpenSSL)
  ssl_protocols TLSv1.2 TLSv1.3;

  # disable all weak ciphers (NULL, anonymous, export, single DES, 3DES,
  # RC4, MD5) and let the server choose the cipher
  ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5;
  ssl_prefer_server_ciphers on;

  server_name example.com www.example.com;

  ## Access and error logs.
  access_log /var/log/nginx/access.log;
  error_log  /var/log/nginx/error.log info;

  ## Keep-alive timeout set to a greater value for SSL/TLS
  ## (see the keepalive_timeout directive in nginx.conf).
  keepalive_timeout 75 75;

  ## Server certificate (chained) and private key.
  ## 'ssl on;' is deprecated and not needed: the 'ssl' parameter on the
  ## listen directive above already enables TLS for this server block.
  ssl_certificate     /etc/nginx/certificates/example.com.chained.crt;
  ssl_certificate_key /etc/nginx/certificates/example.com.key;

  ## Strict Transport Security header for enhanced security. See
  ## http://www.chromium.org/sts. It is set to 2 hours here; raise the
  ## age once you are sure HTTPS works for the whole site.
  add_header Strict-Transport-Security "max-age=7200" always;

  location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    root /var/www/html/dist/;
    index index.html index.htm index.nginx-debian.html;
    try_files $uri $uri/ =404;
  }
}

Check the Nginx syntax:

BASH

sudo nginx -t

If the syntax check succeeds, restart Nginx:

BASH

sudo service nginx restart

Now open the URL in the browser: you should see the website served over HTTPS, and a plain http:// request should be redirected to it.