@Dev-Dipesh
Last active March 21, 2023 19:14
Setting SSL/TLS in Nginx Using Godaddy as CA Provider

CA PROVIDER - GODADDY

Certificates

Once you have generated, downloaded and extracted the certificate zip, you will find two files in it:

  • gd_bundle-g2-g1.crt Intermediate Certificate
  • RANDOM_NUM.crt Your SSL Certificate

Creating single chained certificate

Create a single "chained" certificate file that contains your certificate followed by the CA's intermediate certificates. Order matters: Nginx serves the first certificate in the file as the server certificate and sends the rest as the chain, so your own certificate must come first.

  cat RANDOM_NUM.crt gd_bundle-g2-g1.crt > domain.com.chained.crt

OPTIONAL

You can inspect the certificate, the private key and the CSR, and confirm that the certificate and key belong together (substitute your own file names for server.crt, server.key and server.csr).

  • Check a certificate and print information about it (issuing authority, expiration date, subject names, etc.):

    openssl x509 -in server.crt -text -noout

  • Check the private key and verify its consistency:

    openssl rsa -in server.key -check

  • Verify the CSR's signature and print the data filled in when it was generated:

    openssl req -text -noout -verify -in server.csr

  • The following two commands print MD5 sums of the RSA modulus of the certificate and of the key. If the two sums match, the certificate and key belong together. This works only for RSA keys; for an EC key, compare the public key extracted from the certificate with the one derived from the private key instead.

    openssl x509 -noout -modulus -in server.crt | openssl md5

    openssl rsa -noout -modulus -in server.key | openssl md5
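To run these checks on the chained file before it goes anywhere near Nginx, here is an added example script that is not part of the gist. It builds a throwaway root, intermediate and leaf certificate with openssl so it runs offline; the file names (root.crt standing in for GoDaddy's root, gd_bundle-g2-g1.crt, RANDOM_NUM.crt, domain.com.key) and the domain are assumptions for the demo. It goes beyond the page by verifying the whole chain for the sslserver purpose and the hostname, and by checking that your certificate is the first one in the file, rather than only comparing moduli.

```shell
#!/bin/sh
# Added example, not from the gist: checks to run on domain.com.chained.crt
# before deploying it. A throwaway root -> intermediate -> leaf PKI is built
# first so the script runs offline; in real use root.crt is GoDaddy's root,
# gd_bundle-g2-g1.crt the intermediate and RANDOM_NUM.crt your certificate.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_test_pki: constructed test material standing in for the GoDaddy files.
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:domain.com,DNS:www.domain.com\n' \
    > "$WORK/leaf.ext"
  # self-signed root CA
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  # intermediate CA signed by the root (plays the role of gd_bundle-g2-g1.crt)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" \
    -out "$WORK/gd_bundle-g2-g1.crt" 2>/dev/null
  # server certificate for domain.com signed by the intermediate (plays RANDOM_NUM.crt)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=domain.com" \
    -keyout "$WORK/domain.com.key" -out "$WORK/domain.com.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/domain.com.csr" -CA "$WORK/gd_bundle-g2-g1.crt" \
    -CAkey "$WORK/int.key" -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" \
    -out "$WORK/RANDOM_NUM.crt" 2>/dev/null
}

# leaf_first CHAIN DOMAIN: Nginx serves the first PEM block of ssl_certificate
# as the server certificate, so the leaf must precede the intermediates.
# (openssl x509 reads only the first certificate in a file.)
leaf_first() {
  openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2"
}

# cert_key_match CERT KEY: compare the public key embedded in the certificate
# with the one derived from the private key. Unlike the -modulus comparison
# this works for EC keys as well as RSA.
cert_key_match() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# chain_ok CHAIN ROOT DOMAIN: verify the first certificate in CHAIN as a TLS
# server certificate for DOMAIN, using the rest of CHAIN as untrusted
# intermediates and ROOT as the trust anchor. A missing or misordered
# intermediate, a CA cert in the leaf slot or a name mismatch all fail here.
chain_ok() {
  openssl verify -purpose sslserver -verify_hostname "$3" \
    -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# cert_valid_for_days CERT DAYS: fail if CERT expires within DAYS.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

make_test_pki
CHAIN="$WORK/domain.com.chained.crt"
# Same concatenation order as the gist: your certificate, then the bundle.
cat "$WORK/RANDOM_NUM.crt" "$WORK/gd_bundle-g2-g1.crt" > "$CHAIN"

leaf_first "$CHAIN" domain.com                 && echo "server certificate is first in the chain"
cert_key_match "$CHAIN" "$WORK/domain.com.key" && echo "certificate matches the private key"
chain_ok "$CHAIN" "$WORK/root.crt" domain.com  && echo "chain verifies for domain.com"
cert_valid_for_days "$CHAIN" 7                 && echo "not expiring within 7 days"
```

For the real files, point the functions at /etc/godaddy/domain.com.chained.crt, the key, and GoDaddy's root certificate (available from the repository linked in the comment at the end of this page); the expiry check is the one worth putting in cron.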

Configuring Nginx

First, move your certificate files to a directory that only root can access. Here, I'm creating a directory under /etc named godaddy. The private key (domain.com.key, referenced in the Nginx configuration below) belongs there too, readable only by root.

(Assuming your current directory is where your generated chained cert resides.)

  sudo mkdir /etc/godaddy
  sudo mv domain.com.chained.crt /etc/godaddy/    # mv removes the file from the current directory
  rm gd_bundle-g2-g1.crt RANDOM_NUM.crt           # the unbundled files are no longer needed

Now go to your Nginx server block configuration directory and edit the default file. Assuming it is located at /etc/nginx/sites-enabled, use these commands:

  cd /etc/nginx/sites-enabled
  sudo vim default   # any editor of choice

Delete the following lines from your Nginx server block:

  listen 80 default_server;
  listen [::]:80 default_server ipv6only=on;

and add these lines, making sure to replace every instance of domain.com (keep *.domain.com in server_name only if your certificate is a wildcard certificate; a certificate issued for domain.com and www.domain.com does not cover other subdomains):

        listen 443 ssl;

        server_name domain.com www.domain.com *.domain.com;

        ssl_certificate /etc/godaddy/domain.com.chained.crt;
        ssl_certificate_key /etc/godaddy/domain.com.key;

To restrict the SSL/TLS protocols and ciphers the server will negotiate, add the following lines to the same server block. Note that TLSv1 and TLSv1.1 have since been deprecated (RFC 8996); on a current Nginx built against OpenSSL 1.1.1 or later, list only TLSv1.2 and TLSv1.3 in ssl_protocols:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

Now, if you want HTTP traffic to redirect to HTTPS, you can add this additional server block at the top of the file. As written it catches only requests for domain.com (add www.domain.com to server_name if that name should redirect too) and sends every redirected request to the bare domain:

server {
    listen 80;
    server_name domain.com;
    rewrite ^/(.*) https://domain.com/$1 permanent;
}

Save and close the configuration file. Test the configuration file for syntax errors by typing:

  sudo nginx -t

Now restart Nginx to load the new configuration and start serving HTTPS (a reload would also pick up the change without dropping existing connections):

  sudo service nginx restart

Voila! Test it out by accessing your site via HTTPS, e.g. https://domain.com
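A complete pair of server blocks for /etc/nginx/sites-enabled/default, together with a small check that flags legacy protocol versions, as an added example that is not from the gist. The certificate paths are the gist's; the protocol list, cipher list, session settings and HSTS header are this example's choices (the ECDHE suites of Mozilla's "intermediate" profile) and assume Nginx 1.13 or later with OpenSSL 1.1.1 or later. The files are written to a temporary directory only so the check can run offline; copy the server blocks into your real configuration and run sudo nginx -t.

```shell
#!/bin/sh
# Added example, not from the gist: the hardened server blocks for
# /etc/nginx/sites-enabled/default, plus an offline check that flags the
# deprecated protocol versions a legacy ssl_protocols line still enables.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# The gist's TLS lines as given: TLSv1 and TLSv1.1 are deprecated by RFC 8996.
cat > "$WORK/gist.conf" <<'EOF'
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
EOF

# Hardened replacement for both server blocks. Certificate paths follow the
# gist; protocol, cipher, session and HSTS settings are this example's choice
# (ECDHE subset of Mozilla's intermediate profile, so no ssl_dhparam needed)
# and assume Nginx 1.13+ with OpenSSL 1.1.1+.
cat > "$WORK/hardened.conf" <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name domain.com www.domain.com;
    # Keep the requested host and URI; a rewrite to a fixed host would fold
    # www.domain.com into domain.com and catch only the names listed above.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    # Only the names the certificate actually covers; a certificate for
    # domain.com and www.domain.com does not cover *.domain.com.
    server_name domain.com www.domain.com;

    ssl_certificate     /etc/godaddy/domain.com.chained.crt;
    ssl_certificate_key /etc/godaddy/domain.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;   # TLS 1.2+ clients order AEAD suites sensibly
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # HSTS: browsers will refuse plain HTTP to this host for two years.
    add_header Strict-Transport-Security "max-age=63072000" always;
}
EOF

# legacy_protocols FILE: print every token of each ssl_protocols directive
# that is older than TLSv1.2, one per line; exit non-zero if any were found.
# Commented-out directives are ignored because the line must start with the
# directive name.
legacy_protocols() {
  found=0
  for p in $(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$1"); do
    case "$p" in
      SSLv2|SSLv3|TLSv1|TLSv1.1) echo "$p"; found=1 ;;
    esac
  done
  [ "$found" -eq 0 ]
}

legacy_protocols "$WORK/gist.conf"     || echo "gist.conf still enables legacy TLS versions"
legacy_protocols "$WORK/hardened.conf" && echo "hardened.conf negotiates only TLS 1.2 and 1.3"
```

Run legacy_protocols over every file in /etc/nginx/sites-enabled to find any vhost that still offers TLS 1.0 or 1.1; the output lists exactly which tokens to remove.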


Taaqif commented Jul 18, 2022

Anyone looking for GoDaddy's root certs, they are stored and available here https://certs.godaddy.com/repository
