@Dev-Dipesh
Last active April 27, 2024 07:37
Setting SSL/TLS in Nginx Using Godaddy as CA Provider

CA PROVIDER - GODADDY

Certificates

Once you have generated, downloaded and extracted the certificate zip, you will find 2 files in it:

  • gd_bundle-g2-g1.crt (the intermediate certificate bundle)
  • RANDOM_NUM.crt (your SSL certificate)

Creating single chained certificate

Create a single "chained" certificate file that contains your certificate and the CA's intermediate certificates.

  cat RANDOM_NUM.crt gd_bundle-g2-g1.crt > domain.com.chained.crt
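As an added check that is not part of the gist, the following stdlib-only Python script verifies that a chained file produced by the cat above is in the order Nginx expects: the leaf certificate first, each certificate followed by the one that issued it. A minimal DER walker extracts issuer and subject from each PEM block; the sample certificates at the bottom are constructed fixtures (unsigned, with placeholder fields), not real GoDaddy certificates.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der):
    """Return (issuer, subject) as raw DER Name bytes of a Certificate (RFC 5280)."""
    _, cert, _ = der_tlv(der, 0)            # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = der_tlv(cert, 0)            # tbsCertificate ::= SEQUENCE
    tag, _, pos = der_tlv(tbs, 0)           # optional [0] EXPLICIT version
    pos = pos if tag == 0xA0 else 0
    _, _, pos = der_tlv(tbs, pos)           # skip serialNumber
    _, _, pos = der_tlv(tbs, pos)           # skip signature AlgorithmIdentifier
    _, issuer, pos = der_tlv(tbs, pos)
    _, _, pos = der_tlv(tbs, pos)           # skip validity
    _, subject, _ = der_tlv(tbs, pos)
    return issuer, subject

def chain_order_ok(pem_text):
    """True when each cert's issuer equals the next cert's subject (leaf first)."""
    certs = [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(pem_text)]
    names = [issuer_and_subject(c) for c in certs]
    return len(names) >= 2 and all(a[0] == b[1] for a, b in zip(names, names[1:]))

def der_encode(tag, body):
    """Encode one short-form DER TLV; only used to build the fixtures below."""
    assert len(body) < 0x80, "fixture helper handles short-form lengths only"
    return bytes([tag, len(body)]) + body

def fake_cert(issuer_cn, subject_cn):
    """Constructed fixture: unsigned, structurally valid Certificate with one CN per Name."""
    def name(cn):
        attr = der_encode(0x06, b"\x55\x04\x03") + der_encode(0x0C, cn.encode())
        return der_encode(0x30, der_encode(0x31, der_encode(0x30, attr)))   # SEQ{SET{SEQ{OID,UTF8}}}
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")  # version, serial
           + der_encode(0x30, b"") + name(issuer_cn) + der_encode(0x30, b"")       # alg, issuer, validity
           + name(subject_cn) + der_encode(0x30, b""))                             # subject, empty spki
    body = der_encode(0x30, tbs) + der_encode(0x30, b"") + der_encode(0x03, b"\x00")
    b64 = base64.encodebytes(der_encode(0x30, body)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

LEAF = fake_cert("Intermediate CA", "domain.com")         # constructed stand-in for RANDOM_NUM.crt
INTERMEDIATE = fake_cert("Root CA", "Intermediate CA")    # constructed stand-in for gd_bundle-g2-g1.crt
```

To check a real file, read it and pass its text to chain_order_ok; the concatenation order from the cat command (leaf, then bundle) is what makes it return True.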

OPTIONAL

You can validate your certificates using your key file.

  • Check a certificate and return information about it (signing authority, expiration date, etc.)

    openssl x509 -in server.crt -text -noout

  • Check the SSL key and verify the consistency.

    openssl rsa -in server.key -check

  • Verify the CSR and print CSR data filled in when generating the CSR.

    openssl req -text -noout -verify -in server.csr

  • The following two commands print the MD5 sums of the certificate's and the key's RSA modulus. If the sums match, the certificate and key belong together (this modulus check applies to RSA keys only).

    openssl x509 -noout -modulus -in server.crt | openssl md5

    openssl rsa -noout -modulus -in server.key | openssl md5

Configuring Nginx

First, move your certificate files into a directory that only root can access. Here, I'm creating a directory under /etc named godaddy

(Assuming your current directory is where your generated chained cert resides).

  sudo mkdir /etc/godaddy
  sudo mv domain.com.chained.crt /etc/godaddy/    # mv removes the file from the present directory
  rm gd_bundle-g2-g1.crt RANDOM_NUM.crt           # don't forget to remove your other certificate files

Now go to your Nginx server block configuration directory and edit the default file. Assuming that is located at /etc/nginx/sites-enabled, use these commands:

  cd /etc/nginx/sites-enabled
  sudo vim default   # any editor of choice will do

Delete the following lines from your Nginx server block:

  listen 80 default_server;
  listen [::]:80 default_server ipv6only=on;

and add these lines, making sure to replace every instance of domain.com:

    listen 443 ssl;

    server_name domain.com www.domain.com *.domain.com;

    ssl_certificate /etc/godaddy/domain.com.chained.crt;
    ssl_certificate_key /etc/godaddy/domain.com.key;

To restrict Nginx to the SSL/TLS protocols and ciphers listed here, add the following lines to the same server block (note that TLSv1 and TLSv1.1 have since been deprecated by RFC 8996; drop them unless you must support old clients):

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

Now, if you want HTTP traffic to redirect to HTTPS, you can add this additional server block at the top of the file:

    server {
        listen 80;
        server_name domain.com;
        rewrite ^/(.*) https://domain.com/$1 permanent;
    }

Save and close the configuration file. Test the configuration file for syntax errors by typing:

  sudo nginx -t

Now restart Nginx to load the new configuration and enable TLS/SSL over HTTPS!

  sudo service nginx restart

Voila! Test it out by accessing your site via HTTPS, e.g. https://domain.com

@Taaqif

Taaqif commented Jul 18, 2022

Anyone looking for GoDaddy's root certs, they are stored and available here https://certs.godaddy.com/repository

@ashishsarkar

I have used this as a reference and it worked seamlessly. Thank you so much for sharing this knowledge to all @Dev-Dipesh

One observation, as I faced a few issues when configuring this.

  1. One step has been missed where we need to copy the "domain.com.key" into the "/etc/godaddy/" directory.
  2. Even after configuring all the steps above and mapping the IP in GoDaddy, it was showing me HTTPS not secured, and it was working with https:// and not with https://. After trying to Google around the issue, I found that we need to add a parameter in the server block - ssl on; I reloaded Nginx and still had no luck. A few Stack Overflow posts recommended that I reboot the server, after which it worked flawlessly.
    Request you to please add the above.
    It was really a good learning for me. Thank you so much for sharing this. It helped me a lot.
