Configuring HTTPS from HTTP with SSL certificate in Nginx on Ubuntu

14/05/19   7 minutes read     501 Naren Allam


HTTPS is an extension of HTTP in which the S stands for secure; it is also referred to as HTTP over TLS or HTTP over SSL. The main purpose of using HTTPS is to secure the communication between web servers and clients by encrypting the data, which protects against tampering of data and man-in-the-middle attacks.
In this post, we will go through the complete procedure for migrating an existing server running over HTTP to HTTPS by installing SSL certificates on an Ubuntu Linux system.


A domain name registered and pointing to your server's static IP address.
An HTTPS certificate for the subject domain, bought from a commercial CA like GoDaddy.
A web server like Apache or Nginx.


Generation of CSR and Private Key

Change directory to home.
Generate the .csr and .key files using openssl and RSA as below:

cd ~

openssl req -newkey rsa:2048 -nodes -keyout -out

Generating a 2048 bit RSA private key
writing new private key to ''
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Telangana       
Locality Name (eg, city) []:Hyderabad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Rossum Computing Pvt Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Check the directory for the files with the .csr and .key extensions.
The .csr file is the certificate signing request; it contains the public key and can be viewed by others, whereas the .key file is the private key, which must be kept secret.
The .csr looks as below.


Go to the commercial CA's website, for example GoDaddy.
Go to the SSL Certificates page.

Press the Manage button for the specific domain.

Select the 'Rekey & Manage' option -> select 'Re-Key certificate', paste the text from the .csr file, and press the 'Save' and 'Submit All Saved Changes' buttons.

After the .csr is submitted, the CA issues the certificate within 24 to 48 hours, and a confirmation mail is sent to the mail address registered for the subject domain.
Most of the time, however, the certificate is issued within an hour.
If no mail address is available for the domain, you can confirm the issuance of the certificate with customer care.
After confirming the issuance of the certificate, either by mail or through customer care, you can download the certificate.
Download the SSL certificates from Download -> select -> server type -> Apache (for Apache as well as for Nginx) -> select -> Download Zip File.

After downloading, extract the .zip file; you will find two files with similar names.
Create a single chained .crt file with the following command:

cat 8c7e6ba0d8a30b9d.crt  gd_bundle-g2-g1.crt  >>


Copy the chained .crt file and the .key file to a secure path.
For example, create a directory /etc/nginx/certificates and copy the above files to this path.

sudo mkdir /etc/nginx/certificates
sudo cp /etc/nginx/certificates/
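
The checks below cover both the CSR generation step and the copy step above, as an added example that is not part of the original post: they confirm that the CSR's self-signature verifies, that the key, CSR and certificate carry the same public key, and that the private key ends up readable only by its owner. The file names, the temporary directory, the CN `www.example.test` and the self-signed stand-in for the CA-issued certificate are assumptions made so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). File names, the temp directory
# and the CN are constructed placeholders.
set -eu

# Print the SHA-256 of the public key inside a private key, CSR or certificate.
pubkey_hash() {                       # $1 = key|csr|crt, $2 = file
  case "$1" in
    key) openssl pkey -in "$2" -pubout ;;
    csr) openssl req  -in "$2" -noout -pubkey ;;
    crt) openssl x509 -in "$2" -noout -pubkey ;;
  esac | openssl sha256 | awk '{print $NF}'
}

# Succeed only if the CSR's self-signature verifies and the key, CSR and
# certificate all carry the same public key.
check_material() {                    # $1 = key, $2 = csr, $3 = crt
  local out k
  out=$(openssl req -in "$2" -noout -verify 2>&1) || return 1
  case "$out" in *"verify OK"*) ;; *) return 1 ;; esac
  k=$(pubkey_hash key "$1")
  [ "$k" = "$(pubkey_hash csr "$2")" ] && [ "$k" = "$(pubkey_hash crt "$3")" ]
}

# Copy the private key into an owner-only directory and print its final mode.
install_key() {                       # $1 = key, $2 = destination directory
  install -d -m 700 "$2"
  install -m 600 "$1" "$2/"
  stat -c '%a' "$2/$(basename "$1")"
}

work=$(mktemp -d)
# Same key type as in the post; -subj answers the DN prompts non-interactively.
openssl req -newkey rsa:2048 -nodes -keyout "$work/site.key" -out "$work/site.csr" \
  -subj "/C=IN/ST=Telangana/L=Hyderabad/OU=IT/CN=www.example.test" 2>/dev/null
# Stand-in for the CA-issued certificate: self-sign the CSR for one day.
openssl x509 -req -in "$work/site.csr" -signkey "$work/site.key" -days 1 \
  -out "$work/site.crt" 2>/dev/null

check_material "$work/site.key" "$work/site.csr" "$work/site.crt" && echo "key, CSR and certificate match"
echo "installed key mode: $(install_key "$work/site.key" "$work/certificates")"
```

With real files, pass the CA-issued server certificate (not the bundle) as the third argument to `check_material`.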

Preview of Nginx Config File ‘’ Before Installing SSL

Configure the nginx file for the service from the location /etc/nginx/sites-available/.

cd /etc/nginx/sites-available/
sudo nano

server {
  listen 80;

  location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    root /var/www/html/dist/;
    index index.html index.htm index.nginx-debian.html;
    try_files $uri $uri/ =404;
  }
}

Change the config file as below in order to redirect
HTTP traffic (port 80) to HTTPS (port 443).

Preview of the nginx conf file '' with SSL certificates installed.
Check the comments to understand the code.

server {
  listen 80;
  server_name www.;

  # Redirect all traffic to SSL
  rewrite ^(.*)$1 permanent;
}

server {
  listen 443 ssl default_server;

  # enables TLSv1.2 only; SSLv2 and SSLv3 are weak and should no longer be used.
  ssl_protocols TLSv1.2;

  # disables all weak ciphers

  server_name www.;

  ## Access and error logs.
  access_log /var/log/nginx/access.log;
  error_log  /var/log/nginx/error.log info;

  ## Keep alive timeout set to a greater value for SSL/TLS.
  keepalive_timeout 75 75;

  ## See the keepalive_timeout directive in nginx.conf.
  ## Server certificate and key. "listen 443 ssl" above already enables TLS,
  ## so the obsolete "ssl on;" directive is omitted.
  ssl_certificate     /etc/nginx/certificates/;
  ssl_certificate_key /etc/nginx/certificates/;
  ## Strict Transport Security header for enhanced security. See
  ## I've set it to 2 hours; set it to
  ## whichever age you want.
  add_header Strict-Transport-Security "max-age=7200";

  location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    root /var/www/html/dist/;
    index index.html index.htm index.nginx-debian.html;
    try_files $uri $uri/ =404;
  }
}

Check the nginx syntax:

sudo nginx -t

If successful, restart nginx:

sudo service nginx restart

Now type the URL in the browser; you should be able to see the website served over HTTPS.
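
`nginx -t` checks that the configuration parses and that the referenced files can be opened; it does not judge TLS policy, so a server block that still enables a legacy protocol passes it. The following added example (not from the original post) lints a config for the TLS directives discussed here; both sample configs and the one-year default for the minimum HSTS age are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post); sample configs are constructed.
set -eu

# lint_tls_config FILE [MIN_HSTS_AGE]: print one finding per line and
# return non-zero if there is any finding. MIN_HSTS_AGE is an assumed policy.
lint_tls_config() {
  awk -v min_age="${2:-31536000}" '
    $1 ~ /^#/ { next }                               # ignore comment lines
    $1 == "ssl_protocols" {
      seen_proto = 1
      for (i = 2; i <= NF; i++) {
        p = $i; sub(/;$/, "", p)
        if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) { print "legacy protocol enabled: " p; n++ }
      }
    }
    $1 == "ssl" && $2 == "on;" { print "obsolete directive: ssl on"; n++ }
    $1 == "add_header" && $2 == "Strict-Transport-Security" {
      seen_hsts = 1
      if (match($0, /max-age=[0-9]+/)) {
        age = substr($0, RSTART + 8, RLENGTH - 8) + 0
        if (age < min_age) { print "HSTS max-age below policy: " age; n++ }
      }
    }
    END {
      if (!seen_proto) { print "ssl_protocols not set"; n++ }
      if (!seen_hsts)  { print "no Strict-Transport-Security header"; n++ }
      exit (n > 0)
    }' "$1"
}

conf_dir=$(mktemp -d)
cat > "$conf_dir/weak.conf" <<'EOF'
server {
  listen 443 ssl default_server;
  ssl_protocols SSLv3 TLSv1.2;
  ssl on;
  add_header Strict-Transport-Security "max-age=7200";
}
EOF
cat > "$conf_dir/hardened.conf" <<'EOF'
server {
  listen 443 ssl default_server;
  ssl_protocols TLSv1.2 TLSv1.3;
  add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
lint_tls_config "$conf_dir/weak.conf" || true
lint_tls_config "$conf_dir/hardened.conf" && echo "hardened.conf: no findings"
```

Run it against the file in /etc/nginx/sites-available/ before `sudo nginx -t`, passing a second argument to set a different minimum HSTS age in seconds.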