Installing an SSL certificate on Nginx


This article will guide you through the steps to install your SSL certificate on Nginx and to set up an automated redirect from HTTP:// to HTTPS://.
    1. Upload the certificates on the server where your website is hosted

      Having completed the CSR code generation and SSL activation steps, you will receive a zip file with the Sectigo (previously known as Comodo) Certificates via email. Alternatively, you can download them from your Namecheap Account panel.

      Note: If you choose NGINX server when activating the certificate, you'll receive a zip file containing a Certificate file, with the '.crt' extension, and a Certificate Authority (CA) bundle file, with the '.ca-bundle' extension.

      Upload both files to your server whatever way you prefer. By using an FTP client, for example.

      You can also download the Bundle file for each Certificate by following the instructions here.



    2. Combine all the certificates into a single file

      You need to have all the Certificates (your_domain.crt and your_domain.ca-bundle) combined in a single '.crt' file.

      The Certificate for your domain should come first in the file, followed by the chain of Certificates (CA Bundle).

      Enter the directory where you uploaded the certificate files. Run the following command to combine the files:

      $ cat your_domain.crt your_domain.ca-bundle >> your_domain_chain.crt


    3. Creating a separate Nginx VirtualHost file or Modifying the existing configuration file

      To install the SSL certificate on Nginx, you need to show the server which files to use, either by a) creating a new configuration file, or b) editing the existing one.

          a) By adding a new configuration file for the website you can make sure that there are no issues with the separate configuration file. Furthermore, the whole server will not go down if there are any issues with the configuration file.

      We suggest creating a new configuration file in this folder:

      /etc/nginx/conf.d

      That can be done via this command:

      sudo nano /etc/nginx/conf.d/Your_domain*-ssl.conf

      Where Your_domain*-ssl.conf is the name of the newly created file.

      Next, copy and paste one of the below server blocks for the 443 port and edit the directories. Ensure the server name and path to webroot match in both the server block for port 80 and the one for port 443. If you have any other important values that need to be saved, move them to the newly created server block too.

          b) Edit the default configuration file of the web-server, which is named nginx.conf. It should be in one of these folders:

      /usr/local/nginx/conf

      /etc/nginx

      /usr/local/etc/nginx

      You can also use this command to find it:

      sudo find / -type f -iname "nginx.conf"

      Once you find it, open the file with:

      sudo nano nginx.conf

      Then copy and paste one of the server blocks for the 443 port given below and edit the directories according to your server block for the 80 port (with matching server name, path to webroot, and any important values you need).

      Choose the server block:

      Below you can find a server block for your Nginx version.

      Note: To check your Nginx version, run this command:

      sudo nginx -v

      Note: Replace the file names values, like your_domain_chain.crt, in the server block with your details, and modify the routes to them using /path/to/.

      • Server block for Nginx version 1.14 and below:

      server {

      listen 443;

      ssl on;

      ssl_certificate /path/to/certificate/your_domain_chain.crt;

      ssl_certificate_key /path/to/your_private.key;

      root /path/to/webroot;

      server_name your_domain.com;

      }

      Note: You can specify multiple hostnames in such configuration, if needed, e.g.:

      server {

      listen 443;

      ssl on;

      ssl_certificate /path/to/certificate/your_domain_chain.crt;

      ssl_certificate_key /path/to/your_private.key;

      root /path/to/webroot;

      server_name your_domain.com www.your_domain.com;

      }

      • Server block for Nginx version 1.15 and above:

      server {

      listen 443 ssl;

      ssl_certificate /path/to/certificate/your_domain_chain.crt;

      ssl_certificate_key /path/to/your_private.key;

      root /path/to/webroot;

      server_name your_domain.com;

      }


      Important
      : For either a Multi-Domain or a Wildcard Certificate, you’ll need to have a separate server block added for each of the domain/subdomain included in the Certificate. Ensure you specify the domain/subdomain in question along with the paths to the same Certificate files in the VirtualHost record, as described above.

      Once the corresponding server block is added to the file, ensure you save the edits. Then, you can double-check the changes made with the following steps.

      Run this command to verify that the configuration file syntax is ok:

      sudo nginx -t

      If you receive errors, double check that you followed the guide properly. Feel free to contact our Support Team if you have any questions.

      If the server displays the test successfully, restart Nginx with this command to apply the changes:

      sudo nginx -s reload

      Now your SSL Certificate is installed. You can check the installation here.


    4. Configure HTTPS redirect

      We suggest that you install the redirect from HTTP to HTTPS. That way, your website visitors will only be able to access the secure version of your site.

      To do this, you’ll need to add one line to the configuration file with the server block for port 80.

      Tips:

      • You can use one of the following commands to look up the configuration files which are enabled now:

      sudo nginx -T | grep -iw "configuration file"

      sudo nginx -T | grep -iw "include"

      • The default paths to the conf file are:

      on RHEL-based Linux OS: /etc/nginx/conf.d/default.conf

      on Debian-based Linux OS: /etc/nginx/sites-enabled/default

      • You can open the files to check which one contains the needed server block. For this, run:

      sudo nano name_of_the_file

      Once you find the file that contains the server block for port 80 (the default HTTP port), add in the following line:

      return 301 https://$server_name$request_uri;

      Note: The above redirect rule should be entered as the last line in the server block.

      • return is the main directive to use.
      • 301 is permanent redirect (302 is the temporary one).
      • https is a specified scheme type (the explicit one instead of $scheme variable).
      • $server_name variable will use the domain specified in the server_name directive.
      • $request_uri variable is used to match the paths to the requested pages/parts of the website (everything after the domain name).

      Here are examples of server blocks with the HTTPS redirect:

      Permanent redirect to HTTPS

      server {

      listen 80;

      server_name your_domain.com www.your_domain.com;

      return 301 https://$server_name$request_uri;

      }

      Permanent redirect to HTTPS non-www

      server {

      listen 80;

      server_name your_domain.com www.your_domain.com;

      return 301 https://your_domain.com$request_uri;

      }

      Permanent redirect to HTTPS www

      server {

      listen 80;

      server_name your_domain.com www.your_domain.com;

      return 301 https://www.your_domain.com$request_uri;

      }

      Temporary redirect to HTTPS non-www

      server {

      listen 80;

      server_name your_domain.com www.your_domain.com;

      return 302 https://your_domain.com$request_uri;

      }

      You can find more details about redirect options on Nginx here.

    Updated
    3/13/2020

    Viewed
    80983 times

    Comments

    We welcome your comments, questions, corrections and additional information relating to this article. Your comments may take some time to appear. Please be aware that off-topic comments will be deleted.

    If you need specific help with your account, feel free to contact our Support Team. Thank you.

    Need help? We're always here for you.

    × Close