3/26/12

Using Namecheap SSL with Nginx

I used to use GoDaddy and StartCom SSL. Now I just use Namecheap's Comodo PositiveSSL. It is inexpensive, $9 per year, and the installation is pretty straightforward.
Here are the steps:

1, Buy Comodo PositiveSSL from Namecheap.

2, Create the private key and the certificate signing request (CSR).
Suppose your domain name is example.com.
# Do this as root, in a directory nobody else can read: the unencrypted key created below is the secret that protects the whole site.
openssl genrsa -des3 -out example.com.key 2048
# You will be prompted to choose a passphrase for the key.
openssl rsa -in example.com.key -out example.com.key.nopass
# You will be prompted for the passphrase you chose in the previous step; the output is the same key without it.
openssl req -new -key example.com.key.nopass -out example.com.csr
# You will be prompted for a country code (US), state, city, organization name, etc. The one that matters is "Common Name": it must be exactly your domain name. For the optional fields (the ones whose prompt ends in "[]"), just press Enter. Leave "A challenge password" empty.

The CSR is generated from example.com.key.nopass rather than example.com.key so that nginx can read the key without someone typing the passphrase every time it starts or restarts. The price is that the key now sits on disk in plaintext: keep it owned by root with mode 0600, outside the web root, and keep the passphrase-protected example.com.key (or the nopass file) backed up somewhere equally restricted, because losing it means reissuing the certificate.

3, Log in to Namecheap, open your SSL certificate and click "Activate". You will be asked to select the server type. Select the first one, Apache/OpenSSL (even though we are using Nginx; the choice is not important for Nginx, and one commenter below picked "Other" and it worked too). You are then asked to paste the certificate signing request (CSR). On your server, run "cat example.com.csr" and copy everything, including the "-----BEGIN..." and "-----END..." lines, into the text area on the Namecheap page. Click submit. You will then be asked for some additional information; enter it.

4, You will receive an email from Comodo asking you to open a link and paste a validation code provided in the mail. Do that.

5, After some time (30 minutes to a few hours) you will get your certificate by email. Download the zip file. It contains three files: example_com.crt (your server certificate), PositiveSSLCA2.crt (the intermediate CA certificate) and AddTrustExternalCARoot.crt (the root). Nginx wants them in a single file, and the order matters: your own certificate first, then the intermediate, then the root. If another certificate comes first, nginx will refuse to start because the first certificate in the file does not match the key:
cat example_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > example.com.crt


6, Configure Nginx.
Copy the files example.com.key.nopass and example.com.crt to a certain place, for example /usr/local/etc/nginx/ssl/ (the key with mode 0600, owned by root). In the Nginx server block, point to them:

ssl on;
ssl_certificate /usr/local/etc/nginx/ssl/example.com.crt;
ssl_certificate_key /usr/local/etc/nginx/ssl/example.com.key.nopass;

After that, reload nginx and you're done. Two things that are easy to forget: the server block must listen on port 443, and port 443 must be open in the firewall. As the comments below show, both a missing listen on 443 and a closed port look like "SSL is not working".
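Steps 2 through 6, rehearsed end to end. This script is an added example and is not part of the original post; it needs only a POSIX shell and the openssl command line tool. Because the real Comodo intermediate and root are not available offline, the script constructs a throw-away root and intermediate under the same file names the zip uses, signs a CSR for example.com with them, builds the bundle in the order the post uses, and then runs the checks worth doing before pointing nginx at the files: that the bundle is in leaf, intermediate, root order, that the chain verifies, that the key really belongs to the certificate, and that the unencrypted key is not readable by anyone else. The domain, the file names and the fake CA are all assumptions of the example, not something the page provides.

```sh
#!/bin/sh
# Added example, not from the original post. A throw-away CA (root -> intermediate)
# stands in for Comodo so that the bundling and the pre-flight checks can be run
# offline. The domain and file names follow the post; the CA is fake.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DOMAIN=example.com

# Step 2 in one command: 2048-bit key with no passphrase (-nodes) and the CSR,
# non-interactive via -subj. CN must be the domain; no challenge password is set.
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$DOMAIN.key" -out "$WORK/$DOMAIN.csr" \
        -subj "/C=US/ST=State/L=City/O=Example Inc/CN=$DOMAIN" 2>/dev/null
    chmod 600 "$WORK/$DOMAIN.key"   # an unencrypted key must not be readable by others
}

# Stand-in for the CA (constructed here so the script runs offline): a self-signed
# root and an intermediate that signs our CSR, named like the files in the zip.
make_fake_ca_and_sign() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$WORK/root.key" -out "$WORK/AddTrustExternalCARoot.crt" \
        -subj "/CN=Fake Root CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
        -subj "/CN=Fake Intermediate CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl x509 -req -sha256 -days 1825 -in "$WORK/inter.csr" \
        -CA "$WORK/AddTrustExternalCARoot.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ca.ext" -out "$WORK/PositiveSSLCA2.crt" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$DOMAIN" > "$WORK/leaf.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORK/$DOMAIN.csr" \
        -CA "$WORK/PositiveSSLCA2.crt" -CAkey "$WORK/inter.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/example_com.crt" 2>/dev/null
}

# Step 5: leaf first, then intermediate, then root. nginx sends this file as-is,
# and TLS clients expect the server certificate to come first.
make_bundle() {
    cat "$WORK/example_com.crt" "$WORK/PositiveSSLCA2.crt" \
        "$WORK/AddTrustExternalCARoot.crt" > "$WORK/$DOMAIN.crt"
}

# Returns 0 when every certificate in the bundle is issued by the one after it.
# Splits the PEM file at each BEGIN line, then compares issuer hash to next subject hash.
check_bundle_order() {
    bundle=$1
    rm -f "$WORK"/part.*
    awk -v out="$WORK/part" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (out "." n)}' "$bundle"
    n=$(ls "$WORK"/part.* | wc -l | tr -d ' ')
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -noout -issuer_hash -in "$WORK/part.$i")
        subject=$(openssl x509 -noout -subject_hash -in "$WORK/part.$((i + 1))")
        [ "$issuer" = "$subject" ] || return 1
        i=$((i + 1))
    done
    return 0
}

# Returns 0 when the leaf (first certificate in the file) chains up to the root.
verify_chain() {
    openssl verify -CAfile "$WORK/AddTrustExternalCARoot.crt" \
        -untrusted "$WORK/PositiveSSLCA2.crt" "$1" >/dev/null 2>&1
}

# Returns 0 when the private key belongs to the certificate (same RSA modulus).
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# Returns 0 when neither group nor others can read the key file.
key_perms_ok() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

make_key_and_csr
make_fake_ca_and_sign
make_bundle
# A bundle in the wrong order (root first), to show the check catching it.
cat "$WORK/AddTrustExternalCARoot.crt" "$WORK/PositiveSSLCA2.crt" \
    "$WORK/example_com.crt" > "$WORK/wrong-order.crt"

check_bundle_order "$WORK/$DOMAIN.crt" && echo "bundle order: OK"
check_bundle_order "$WORK/wrong-order.crt" || echo "wrong-order.crt: rejected"
verify_chain "$WORK/$DOMAIN.crt" && echo "chain verifies: OK"
key_matches_cert "$WORK/$DOMAIN.crt" "$WORK/$DOMAIN.key" && echo "key matches cert: OK"
key_perms_ok "$WORK/$DOMAIN.key" && echo "key permissions: OK"
```

With real certificates, skip make_fake_ca_and_sign, drop the three files from the zip into the work directory and run the same four checks against them before copying anything into the nginx directory. The intermediate and root file names are the ones the post received in 2012; they change when the CA rotates its chain, so adjust verify_chain accordingly.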

12 comments:

Satish said...

I used "Other" because NGINX was not in the list; your blog suggests picking Apache/OpenSSL. Do you think this is important? I copied the files and pointed my nginx.conf to the certificates but am unable to see SSL getting activated. I'd appreciate your comments.

Satish said...

My bad ... I did not open the port on 443, it works all fine. Thanks for the blog.

mrhassell said...

Another way to handle password requests is to strip it from the private key with OpenSSL:

openssl rsa -in example.com.key -out example.com-stripped.key

Wensheng Wang said...

mrhassell, that's exactly what I had in the post:
openssl rsa -in example.com.key -out example.com.key.nopass

mrhassell said...

Hi,

Yes! Issuing that command over any existing key will remove the password. I think that was causing some confusion, and I wanted to clarify that it works, as I used this with my Nginx config and got exactly the results expected. Thank you!

# Nginx HTTPS
server {
    listen 443;
    server_name localhost;

    root html;
    index index.html index.htm;

    ssl on;
    #ssl_certificate cert.pem;
    ssl_certificate ssl/example.com.pem;        # bundle: server cert first, then CA chain
    ssl_certificate_key ssl/example.com.key;    # key without passphrase

    ssl_session_timeout 5m;

    # TLS only, no SSLv3, and no low-grade or export ciphers
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        try_files $uri $uri/ /index.html;
    }
}

Mark Thien said...

Hi guys,

I followed this guide but it doesn't really work for me.

my nginx conf is like below:

user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;

    include /etc/nginx/conf.d/*.conf;

    server {
        listen 443;
        server_name binceipt.com;   # semicolon required; without it nginx reads the next line as more server names
        ssl on;
        ssl_certificate /etc/ssl/namecheap/ssl-bundle.crt;
        ssl_certificate_key /etc/ssl/namecheap/binceipt.com.key.nopass;
        keepalive_timeout 70;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # SSLv3 is not safe to offer
        ssl_ciphers HIGH:!aNULL:!MD5;
    }
}


When I open http://binceipt.com/index.html there is no problem. When I open https://binceipt.com/index.html it just hangs there and then says page not found.

Appreciate anyone help please. thanks !

Note: I am using namecheap PositiveSSL, AWS EC2 AMI

Cheers,
Mark

mrhassell said...

Mark,

Nginx must be built with the option --with-http_ssl_module. To verify, you can run nginx -V from the terminal to see all the options your current release was built with. Building from source is recommended, but if you installed from a package (yum / apt), you might need to hunt for a different build.

Mark Thien said...

hi mrhassell,

yes ssl module is installed:

nginx version: nginx/1.2.3
built by gcc 4.4.4 20100726 (Red Hat 4.4.4-13) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx/ --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g'



Wensheng Wang said...

Do you have a firewall? Port 443 might be blocked.

Try "iptables -nvL" to see if there are firewall rules in place.

Shut down the firewall temporarily and see if it works.

Mark Thien said...

holy cow .... i love you man ! i was so fucking stupid that i forgot to turn on port 443. Thanks a lot man !

Cheers,
Mark

Aronwp said...

Thanks, this was just what i was looking for. Worked perfectly after I restarted nginx.

Lars Holgerson said...

Thanks for this great article. However, I have bought my wildcard SSL certificate from SSLPOINT.

Pretty good price and excellent support...