@bradmontgomery
Last active March 7, 2024 05:32
Steps to install a Comodo PositiveSSL certificate with Nginx.

Setting up a SSL Cert from Comodo

I use Namecheap.com as a registrar, and they resell SSL certs from a number of other companies, including Comodo.

These are the steps I went through to set up an SSL cert.

Purchase the cert

Prior to purchasing a cert, you need to generate a private key, and a CSR file (Certificate Signing Request). You'll be asked for the content of the CSR file when ordering the certificate.

openssl req -new -newkey rsa:2048 -nodes -keyout example_com.key -out example_com.csr

This gives you two files:

  • example_com.key -- your private key. You'll need this later to configure nginx.
  • example_com.csr -- Your CSR file.

Now, purchase the certificate [1], follow the steps on their site, and you should soon get an email with your PositiveSSL Certificate. It contains a zip file with the following:

  • Root CA Certificate - AddTrustExternalCARoot.crt
  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  • Your PositiveSSL Certificate - www_example_com.crt (or the subdomain you gave them)

Install the Comodo SSL cert

Combine everything for nginx [2]:

  1. Combine the above crt files into a bundle (the order matters here: your certificate first, then the intermediates, then the root):

    cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
    
  2. Store the bundle wherever nginx expects to find it:

    mkdir -p /etc/nginx/ssl/example_com/
    mv ssl-bundle.crt /etc/nginx/ssl/example_com/
    
  3. Ensure your private key is somewhere nginx can read it as well:

    mv example_com.key /etc/nginx/ssl/example_com/
    
  4. Make sure your nginx config points to the right cert file and to the private key you generated earlier:

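    server {
        # "ssl on;" is deprecated; enable TLS on the listening socket instead
        listen 443 ssl;
    
        ssl_certificate /etc/nginx/ssl/example_com/ssl-bundle.crt;
        ssl_certificate_key /etc/nginx/ssl/example_com/example_com.key;
    
        # side note: only use TLS, since SSLv2 and SSLv3 are vulnerable;
        # TLSv1 and TLSv1.1 are deprecated as well (RFC 8996).
        # TLSv1.3 needs nginx 1.13.0+ built with OpenSSL 1.1.1+.
        ssl_protocols TLSv1.2 TLSv1.3;
    
        # ...
    
    }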
    
  5. Restart nginx.

[1] I purchased mine through Namecheap.com.
[2] Based on these instructions: http://goo.gl/4zJc8

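A pre-flight check to run before restarting nginx, as an added example that is not part of the original gist: it verifies that the bundle from step 1 is ordered leaf-first, that no two certificates were joined without a newline by `cat` (which happens when a .crt file lacks a trailing newline), and that the private key belongs to the leaf certificate. It assumes the `openssl` CLI is installed; the script name and function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks for the bundle and key from the steps above.
# Function names are assumptions of this example, not part of the gist.

# Number of lines where two PEM blocks were joined without a newline.
fused_boundaries() {
    awk '/-----END CERTIFICATE-----.*-----BEGIN CERTIFICATE-----/ { n++ }
         END { print n + 0 }' "$1"
}

# Print the bundle with a newline restored between fused PEM blocks.
split_fused() {
    sed 's/-----END CERTIFICATE----------BEGIN CERTIFICATE-----/-----END CERTIFICATE-----\
-----BEGIN CERTIFICATE-----/g' "$1"
}

# Succeed only if the first (leaf) cert in bundle $1 carries the public key of $2.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if every cert in bundle $1 is issued by the cert that follows it.
chain_in_order() {
    tmp=$(mktemp -d) || return 2
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$1"
    i=1; rc=0
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer | sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject | sed 's/^subject= *//')
        if [ -z "$issuer" ] || [ "$issuer" != "$subject" ]; then
            echo "certificate $i is not issued by certificate $((i + 1))" >&2; rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sh check-bundle.sh ssl-bundle.crt example_com.key
if [ "$#" -eq 2 ]; then
    [ "$(fused_boundaries "$1")" -eq 0 ] || { echo "fused PEM blocks in $1" >&2; exit 1; }
    chain_in_order "$1" || exit 1
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; exit 1; }
    echo "bundle and key look consistent"
fi
```

After the checks pass, `nginx -t` validates the configuration itself before the restart in step 5.
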
@JefferyHus

This works perfectly, thanks.

@frostmark

thx

@jhemarcos

Thanks!

@Stormix

Stormix commented Jun 26, 2017

Thanks !!

@pilgrim2go

Many thanks

@JaphethC

JaphethC commented Jul 1, 2017

Thank you. This was the exact information I needed for my set up.

@nitin7dc

nitin7dc commented Aug 3, 2017

thanks :)

@getaclue00

thnx!

@jmalone68

Thanks for the write-up.
Helped with setting up a Postfix mail server.
I greatly appreciate it.

@Aukhan

Aukhan commented Oct 5, 2017

Much Appreciated !
Thanks !

@jsabanal

Hi @bradmontgomery,

Great Tutorial. Thanks for this. :)

I have a question: what if I use only 2 files, www_example_com.crt and COMODORSADomainValidationSecureServerCA.crt? Any issue with that?

I'm not very familiar with certificates, but I have a weird issue.

Thanks in advance. Appreciate your response. :)

@lomholdt

Thanks! Exactly what I was looking for.

@floydback

Thanks!

@CrashedBboy

Thanks a lot!

@superjose

Shame that Github doesn't have the thumbs up.... @b-a-t! Thanks a bunch your solution worked! And thanks to @bradmontgomery as well for the original post 💃

@hshahdoost

Thanks a lot. Just for the record, if you happen to face the following error
nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/ssl...
make sure that the certificates are not stuck together like this
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
nginx can't read this. They should be separated with \r\n (enter).

@MichaelBrenden

Possibly the best toot online. Helped me solve a problem with SSL, a Comodo cert, and Stripe -- specifically this error: "SSL Library Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (SSL alert number 48)" -- odd how Comodo and Stripe either do not have this info or bury it such that it is useless.

@bobo101

bobo101 commented Sep 4, 2018

Thanks a lot!


ghost commented Sep 5, 2018

I am getting ERR_CONNECTION_CLOSED on Comodo free ssl certificate. Any solution ?

@Open-Asset

> I am getting ERR_CONNECTION_CLOSED on Comodo free ssl certificate. Any solution ?

Same issues here on one fresh server......

@learnbybit

you're awesome man !

@atish-abhang-zz

Thanks man..!

@czaryas

czaryas commented Nov 27, 2018

thanks a lot, man ....!!

@VireshDoshi

Very clear

@hemanth-sp

thank you working fine for django nginx

@pranayIntrigue

Thanks works well !!

@ksunkara

Thank you good description

@warkirasep

Thanks

@akhiljalagam

cat yourdomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> ssl-bundle.crt

thank you...

@Tebo555

Tebo555 commented Jun 27, 2023

Thank you
