If I say this was easy, I’d be lying. I cannot find the right words to express my joy ’cause this whole process was indeed frustrating! I’ll take you through the steps I took, my mistakes and how I solved them.

So let’s get started!

NOTE: this is my first time setting up SSL on NGINX 🙂 and please read through before you proceed to purchase and set up SSL.

Prerequisites

  1. Ensure you’ve installed and set up nginx
  2. Lots of PATIENCE

PURCHASE COMODO POSITIVE SSL

You may decide to buy directly from Comodo or any reseller. In my case, I purchased via Hostinger.

SET UP COMODO POSITIVE SSL

Depending on the provider, you should see this on your dashboard. Click on set up and fill in the details. 

NOTE: you should have this email: admin@yourdomain.com. 

If you do not have ‘admin@domain.com’, purchase an email hosting plan from your provider. Luckily I had a free business email waiting to be set up….yay!

Once complete, log in to the custom email you’ve created. You should get an email containing a validation code. Copy, then click the link provided in the email and paste it there.

DOWNLOAD SSL CERTIFICATE

If all goes well, you should be able to download your SSL certificate. You’ll find it in two places:

  1. Inbox (email address used to register for hosting account)
  2. SSL certificates page on cpanel (in my case hpanel – hostinger)

I’d advise you to download number two. You’ll see why below

 

SET UP SSL CERTIFICATE ON NGINX

I followed this tutorial from Comodo and things got messy from here. So let’s go through the process (mistakes + solution).

Based on this tutorial I should have generated the private key and CSR (certificate signing request) before purchasing SSL but I didn’t.

1 – Create a directory

Log in to your server via the command line. Decide where you want to store your files and create a directory there.

 

sudo mkdir /your/desired/path/new_directory_name

Run this command in that directory

 

openssl req -new -newkey rsa:2048 -nodes -keyout domainname_com.key -out domainname_com.csr

You should get a prompt with a series of questions, fill in with the appropriate answers. Ensure you use your domain name or public ip for the ‘Common Name’ question.

 

Common Name (e.g. server FQDN or YOUR name) []: your_domain.com

 

You’ll get two files: domainname_com.key and domainname_com.csr

Based on another tutorial on YouTube, I ran this command instead:

sudo openssl req -new -newkey rsa:2048 -nodes -keyout domain_com.key -out domain.com

Once questions are completed, I got the csr output:

-----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----

Copy and create a new file with this command:

 

sudo vim domain_com.csr

 

Enter insert mode by pressing ‘i’. Paste the csr. ‘Esc’ to exit insert mode then :wq to save and quit.

 

CREATE BUNDLE FILES

Combine the crt files extracted from the zip folder into a single file. You can do this by using a GUI text editor. Create a blank file then copy and paste each .crt file in this order:

  1. yourdomain_com.crt
  2. SectigoRSADomainValidationSecureServer.crt
  3. USERTrustRSAAddTrustCA.crt
  4. AddTrustExternalCARoot.crt

Copy everything.

Return to your command line, ‘cd’ into the directory where you stored your key and csr file. Create a new file with this command

 

sudo vim domain_com.crt

Copy and paste.

Save and quit

 

CONFIGURE NGINX

Find server config settings here:

 

/etc/nginx/sites-available/default OR /etc/nginx/sites-available/yoursite

 

If you’re using the default config file, then run this command:


sudo vim /etc/nginx/sites-available/default

 

Scroll through the config file and make these changes:

 

Uncomment this (remove #): listen 443 ssl default_server;

Modify: server_name _; to server_name yourwebsite.com;

<Add the location to your crt and key files>

ssl_certificate /etc/path/to/your/ssl/certificate.crt;

ssl_certificate_key /etc/path/to/your/ssl/privatekey.key;

 

NOTE: terminate each line with a semicolon.

 

Config file should have these changes:

 

listen 443 ssl default_server;
server_name yourdomain.com;
ssl_certificate /etc/path/to/your/ssl/certificate.crt;
ssl_certificate_key /etc/path/to/your/ssl/privatekey.key;

 

Save and quit.

 

Restart nginx with this command:



sudo service nginx restart

 

Now this is where I got an error:

Job for nginx.service failed because the control process exited with error code.

See “systemctl status nginx.service” and “journalctl -xe” for details.

 

I ran this command to test nginx configuration:

 

nginx -t

 

First error had to do with permission on the key. So I changed ownership of the .key file to the user signed in.

 

Then restarted the server but another error:

 

… (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

 

This time private key value mismatch. 

 

After reading numerous articles and watching several YouTube videos, I couldn’t find a solution. Mainly because some tutorials are outdated and the one on Comodo is helpful to a certain point.

 

THE FIX

Remember the zip file I downloaded from Hostinger dashboard? It contains the private key *facepalm*.

Open the key file in your favorite (gui) text editor. It should be like this:

-----BEGIN PRIVATE KEY-----

..

..

-----END PRIVATE KEY-----

 

Copy it. 

Edit the domain_com.key file with this command

 

sudo vim domain_com.key

 

I deleted everything in the file with ‘:1, $d’ then pasted the new key.

 

Restarted nginx once more and no errors! YES!
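
The `key values mismatch` error means the public key inside the certificate is not the one that belongs to the .key file nginx was given. The following is an added example, not part of the original post, that compares those public keys with openssl and checks the key file's mode before a restart; the function names and the throwaway demo files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks before restarting nginx.

# Print the SHA-256 of the public key inside a private key, certificate or CSR.
# For a bundle, openssl x509 reads only the first certificate, which must be the
# site's own certificate (yourdomain_com.crt in the bundle order given above).
pub_hash() {
    case $1 in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only when the key file and the (first) certificate share one public key.
key_matches_cert() {
    k=$(pub_hash key "$1") || return 1
    c=$(pub_hash cert "$2") || return 1
    [ "$k" = "$c" ]
}

# Succeed only when group and others have no permissions on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed demo data: a throwaway self-signed certificate with its key, plus an
# unrelated second key that reproduces the mismatch. Prints the temp directory.
make_demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$d/good.key" -out "$d/site.crt" 2>/dev/null || return 1
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null || return 1
    chmod 600 "$d/good.key" "$d/other.key"
    echo "$d"
}

# When called with two arguments (key file, certificate or bundle), report on them.
if [ $# -eq 2 ]; then
    key_matches_cert "$1" "$2" && echo "key matches certificate" || echo "KEY MISMATCH"
    key_is_private "$1" || echo "warning: $1 is readable by group or others"
fi
```

Saved under a name of your choosing, the script takes the key file and the bundle as its two arguments; `nginx -t` remains the final check of the configuration itself.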

 

BROWSER TEST

Type in: https://www.yourdomain.com on your browser’s address bar. If all goes well, you should see a green (closed) padlock.

 

BONUS: REDIRECT HTTP – HTTPS

To do this, you’ll need two server blocks in your configuration file. One for port 80 and the other for 443.

Modified Server Configuration

server {
    listen 80;
    listen [::]:80;
    server_name domain.com www.domain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    root /path/to/your/site/folder/public;
    server_name domain.com www.domain.com;
    ssl_certificate /path/to/domain_com.crt;
    ssl_certificate_key /path/to/domain_com.key;
}





FINAL THOUGHTS

This is my first written guide (of some sort) so pardon any errors or mixup. If you have any issues/corrections, do not hesitate to reach out.

Based on one or two, all I had to do was download the zip file containing the private key. Bundle the 4 certificate files and move them to my server.

I’ll work on creating a detailed step by step tutorial as soon as I can (heaven forbid procrastination).

 

Thank you 🙂

QUICK COMMANDS

 

mkdir somename = make directory

vim hello.extension = create a file named hello. Example hello.txt

sudo chown -R  yourusername foldernameORfilename = change ownership

sudo service nginx restart = restart nginx

sudo systemctl restart nginx = restart nginx

ll = get information about files and directories  (present working directory)

cd  = change directory

Vim

i = insert

:q = quit without saving

:wq = save and quit

:1,$d = delete everything

 

USEFUL LINKS

Coder’s Tape Laravel deployment guide

Digital Ocean – Create SSL certificate for nginx

Comodo Positive SSL on Nginx guide

Digital Ocean – Community Question force HTTP to redirect to HTTPs

Servers for hackers – Redirect HTTP to HTTPs

 

Featured Image via Pexels. Created by Pixabay



