Steps to install a Comodo PositiveSSL certificate with Nginx.

Setting up a SSL Cert from Comodo

I use Namecheap.com as a registrar, and they resell SSL certs from a number of other companies, including Comodo.

These are the steps I went through to set up an SSL cert.

Purchase the cert

Prior to purchasing a cert, you need to generate a private key, and a CSR file (Certificate Signing Request). You'll be asked for the content of the CSR file when ordering the certificate.

openssl req -new -newkey rsa:2048 -nodes -keyout example_com.key -out example_com.csr

This gives you two files:

  • example_com.key -- your private key. You'll need this later to configure nginx.
  • example_com.csr -- your CSR file.

Now, purchase the certificate [1], follow the steps on their site, and you should soon get an email with your PositiveSSL Certificate. It contains a zip file with the following:

  • Root CA Certificate - AddTrustExternalCARoot.crt
  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  • Your PositiveSSL Certificate - www_example_com.crt (or the subdomain you gave them)

Install the Comodo SSL cert

Combine everything for nginx [2]:

  1. Combine the above crt files into a bundle (the order matters, here):

    cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
    
  2. Store the bundle wherever nginx expects to find it:

    mkdir -p /etc/nginx/ssl/example_com/
    mv ssl-bundle.crt /etc/nginx/ssl/example_com/
    
  3. Ensure your private key is somewhere nginx can read it, as well:

    mv example_com.key /etc/nginx/ssl/example_com/
    
  4. Make sure your nginx config points to the right cert file and to the private key you generated earlier:

    server {
        # "listen 443 ssl;" replaces the older "ssl on;" directive, which nginx deprecated in 1.15.0
        listen 443 ssl;

        ssl_certificate /etc/nginx/ssl/example_com/ssl-bundle.crt;
        ssl_certificate_key /etc/nginx/ssl/example_com/example_com.key;

        # side note: only use TLS since SSLv2 and SSLv3 have had recent vulnerabilities
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        # ...

    }
    
  5. Restart nginx.

[1] I purchased mine through Namecheap.com.
[2] Based on these instructions: http://goo.gl/4zJc8

allaire commented Jan 24, 2014

Thanks!

Great tutorial, thank you!

Helpful! 👍

bscutt commented Mar 16, 2014

Thanks - that was a great help!

Great tutorial, it helped me a lot on getting started with the main steps. Thanks! Anyway, sorry for the newbie question, but how am I supposed to execute the commands which will combine the crt files into a bundle? I mean, do I have to upload the crt files first to the root directory of my server and then execute the command in a terminal app? I use Mac OSX and I use the Terminal.app to ssh into my server.

rmdort commented Jul 21, 2014

To fix Firefox showing This connection is untrusted you need to create the bundle with all these files

cat yourdomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> ssl-bundle.crt

Additionally, you can disable SSL 2, in the server{ } block

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;

Test your site here https://www.ssllabs.com/ssltest/index.html

I also used namecheap to purchase my PositiveSSL cert last night. Read what rmdort posted above, that is what finally got this working for me. Thanks rmdort and bradmontgomery!

minhhahl commented Aug 5, 2014

I am using COMODO certification. I have done as @rmdort said.

I've run ssltest on web application and it found "Chain issues - Contains anchor" (section "Additional Certificates (if supplied)")

In this link http://security.stackexchange.com/questions/24561/ssltest-chain-issues-contains-anchor
They said that the root certificate (AddTrustExternalCARoot.crt) should not be included in ssl-bundle.crt because it is included in the client. That may be the reason for "Chain issues - Contains anchor".

Does anyone have any idea about this point? Should we include the root certificate or not?

dltj commented Sep 16, 2014

@minhhahl -- For what it's worth, that StackExchange post was right on. I combined the domain's cert, COMODORSADomainValidationSecureServerCA.crt and COMODORSAAddTrustCA.crt into one file (leaving off AddTrustExternalCARoot.crt) and my site passed the SSL labs test.

cat yourdomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > ssl-bundle.crt

Do you add BOTH intermediate certs to the bundle???
which first? 1 and then 2?

COMODO RSA Certification Authority
COMODO RSA Domain Validation Secure Server CA

?

My certificate zip included 4 files. I used cat to chain all 4 files together and it worked correctly - a pretty green lock in the browser address bar.
cat domain.crt intermediate1.crt intermediate2.crt authority.crt > domain.chained.crt

Suggested addition to the Gist in response to @dillchuk's comment about verifying:

6. Restart nginx.

Test to see if your new configuration is valid (if the test fails, go to step 7)
sudo service nginx configtest

If configtest passes without errors then reload
sudo service nginx reload

7. Testing your .key, .csr and chained .crt files with openssl CLI

The output of these three commands should be an identical hash. If one is different, you will see an error when running nginx configtest.

Sample output
Modulus=CC9DE72...99C4564AA985E28877D

Test key
openssl rsa -noout -modulus -in example.com.key

Test CSR
openssl req -noout -modulus -in example.com.csr

Test original crt and bundled crt separately. I find that 50% of the time I've uploaded the wrong .crt (old from same domain) and didn't realize it. The rest of the time it has either bundled the wrong files or the wrong order.
openssl x509 -noout -modulus -in example_com.crt
openssl x509 -noout -modulus -in ssl-bundled.crt
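Added here as a worked example (not the gist's own code): a POSIX shell script that builds the bundle in the order the gist's step 1 gives, leaves AddTrustExternalCARoot.crt out as @dltj suggests, reports a self-signed root left at the end of a bundle, and runs the key/CSR/certificate modulus comparison from the comment above. It assumes the openssl CLI and awk are on the box; all file names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the gist. File names are placeholders.
# Assumes the openssl CLI and awk are installed.
set -e

# build_bundle OUT LEAF [INTERMEDIATE...]: leaf certificate first, then the
# intermediates in issuing order (the CA that signed the leaf comes first).
# The root (AddTrustExternalCARoot.crt) is deliberately not part of the bundle:
# clients already hold it, and sending it is what ssllabs reports as
# "Chain issues: Contains anchor". Each file is copied via awk so it always
# ends with a newline; a BEGIN line glued onto the previous END line is the
# usual cause of nginx's "PEM routines ... bad end line" error.
build_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        awk 1 "$f" >> "$out"
    done
}

# modulus_fp KIND FILE: SHA-256 of the RSA modulus; KIND is rsa, req or x509.
modulus_fp() {
    openssl "$1" -noout -modulus -in "$2" | openssl dgst -sha256 | awk '{print $NF}'
}

# check_match KEY CSR CRT: succeed only when all three carry the same modulus.
# A mismatch means the wrong key, or an old certificate for the same domain.
check_match() {
    k=$(modulus_fp rsa "$1"); c=$(modulus_fp req "$2"); x=$(modulus_fp x509 "$3")
    [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

# bundle_has_anchor BUNDLE: succeed when the last certificate in the bundle is
# self-signed (subject equals issuer), i.e. a root that should be left out.
bundle_has_anchor() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
        awk '/^subject=/ { s = substr($0, 9) } /^issuer=/ { i = substr($0, 8) }
             END { if (i == "") exit 2; exit (s == i) ? 0 : 1 }'
}

# Usage with the gist's file names:
#   build_bundle ssl-bundle.crt www_example_com.crt \
#       COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt
#   check_match example_com.key example_com.csr www_example_com.crt && echo "modulus OK"
#   bundle_has_anchor ssl-bundle.crt && echo "root found at end of bundle; remove it"
```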

thanks helpful ! (y)

reustle commented Mar 13, 2015

Thanks @dltj, that works perfectly for fixing the untrusted ssl error on chrome mobile.

Owner

bradmontgomery commented Mar 14, 2015

Thanks to everyone who's left updated comments, here: @rmdort, @minhhahl, @dltj, @dylanvalade. You've all been a huge help!

I've recently chained all 4 files together, and things seem to be ok, but I do also get the Chain issues Contains anchor warning at the SSL labs test.

cat www_bradmontgomery_net.crt COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

I've also disabled both SSLv2 and SSLv3, using only TLS in nginx:

# NO SSLv3, it's vulnerable to POODLE, see: http://goo.gl/zS3QXH
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

I should probably update the original document.

dbosen commented Mar 26, 2015

Implement Strict Transport Security to get an A+

cboettig commented Apr 1, 2015

Great help and great thread. I had to add Forward Security:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

and also add Strict Transport Security:

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

to get this to an A+

Just great, that finally got it. Just wondering, is there a way to test on the CLI? Something like:

openssl verify bundle.crt my.key

eadz commented May 7, 2015

@bradmontgomery I believe that warning is due to adding the 'AddTrustExternalCARoot' which is already included in your browser. Removing that cert removes the warning for me.

Handy reference but be aware of the sneaky affiliate link 😄

dovy commented May 25, 2015

So useful. They should just ship us one precompiled like GoDaddy. Bah.

Very useful, thanks!

I have like 5 SSL tutorials open right now, and this is the best. Thanks!

Hates commented Jul 28, 2015

Brilliant. Thanks a lot! 👍

Thanks a lot! Worked with Websockets (NodeJS) too 👍

b-a-t commented Aug 25, 2015

Somehow I keep ending up on this page all the time, so it seems it's a popular answer to the problem with Comodo certificates and nginx. Unfortunately, with a recent enough (2015) Qualys.com SSL test the given instructions lead either to "Chain issues: Contains anchor" or "Extra download". After a bit more digging I came down to the recipe that makes the SSL test happy.

To avoid the anchor error you should omit the Root CA certificate from the bundle. So, the bundle should contain:

 cat example.com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > ssl-bundle.crt

If you omit COMODORSAAddTrustCA.crt from the bundle you'll get rid of the anchor error, but will get the "extra download" warning.

If you want (and you do!) to get OCSP stapling enabled on your server, then you'd need the full certificate chain to be available to the server. To work around the problem described above, nginx has another directive that makes a certificate known to the server, but not sent to the client: ssl_trusted_certificate.

cat AddTrustExternalCARoot.crt > trusted.crt

And final config should contain those lines:

ssl_protocols                           TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                             ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers               on;
ssl_stapling                            on;
ssl_stapling_verify                     on;

ssl_dhparam                             "/etc/nginx/certs/dhparam.pem";
ssl_certificate                         "/etc/nginx/certs/ssl-bundle.crt";
ssl_trusted_certificate                 "/etc/nginx/certs/trusted.crt";
ssl_certificate_key                     "/etc/ssl/private/example.com.key";

ssl_session_cache                       shared:SSL:10m;
ssl_session_timeout                     10m;

  1. How to fix "Chain issues: contains anchor"
  2. ssltest: Chain issues - Contains anchor
  3. How to fix "Extra download"
  4. Multiple certificate paths
  5. What is wrong with my SSL trust chain?
  6. SSL Certificate Chain Resolver - handy tool to build a correct certificate chain

ghost commented Sep 12, 2015

Thanks a lot!
It wasn't that easy to come by the correct procedure (by that, I mean, in which order to concatenate the cert files).

is "ssl on" deprecated? and it might be a good idea to have "listen 443 ssl";

Thanks a lot! 👍

Thanks Bro !

Hi guys!

I just got an SSL cert from Comodo, but for some reason the chain doesn't work, I've tried every method.
I'm running nginx 1.9.5 with hhvm.

I've made a bundle like this:

cat alexhera_me.crt comodorsadomainvalidationsecureserverca.crt comodorsaaddtrustca.crt > ssl-bundle.crt

and the other one
cat addtrustexternalcaroot.crt > trusted.crt

So, the first one I've added to ssl_certificate in the nginx config.
The second is the ssl_trusted_certificate.

But when I save the config file and restart the server I get this error.

  • Restarting nginx nginx nginx: [emerg] PEM_read_bio_X509("/etc/nginx/ssl/ssl-bundle.crt") failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line)
    nginx: configuration file /etc/nginx/nginx.conf test failed

@alexandruhera make sure that your lines end with semicolon ; and that /etc/nginx/ssl/ssl-bundle.crt exists.

You can test config with nginx -t

This is where you can get the root & intermediate certs (they're no longer included in the emailed zip file)

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/979/108/domain-validation-sha-2

rlfrahm commented Oct 20, 2015

Thanks!

thanks!

Thanks so much ... works with haproxy too

Thanks!!!!

This helped solve my Android / Chrome woes. Thanks a bunch. Also, thanks @b-a-t for the OCSP stapling guide, it worked straight away.

lubosdz commented Nov 26, 2015

Yes, do not add AddTrustExternalCARoot.crt, it's not needed.
For Windows users - the bundle certificate can simply be created by manually copying into a file ssl-bundle.crt with this content:


-----BEGIN CERTIFICATE-----
MIIFOTCCBCGgAwIBAgIQT5ZKyUQaERXKiNTtx3ZaITANBgkqhkiG9w0BAQsFADCB
..... your own certificate (www_example_com.crt), never the private key .....
pn5dLjAsP86UWi5J7wD2hvuLbzmUmmnbCs5k4pleb37FU18E6Q1qiexjWYlx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
..... COMODORSADomainValidationSecureServerCA.crt .....
+AZxAeKCINT+b72x
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv
..... COMODORSAAddTrustCA.crt ..........
pu/xO28QOG8=
-----END CERTIFICATE-----


If you receive the message "invalid number of arguments in ssl_ciphers" then you probably missed the semicolon ; at the end of the line (applies to the nginx config above by b-a-t, which otherwise works OK).

And preferably use more ciphers for better support on mobile devices:

ssl_ciphers  'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';

When I downloaded my certificate the zip file had 3 files, but they were :

my_site.ca-bundle
my_site.crt
my_site.p7b

I am not sure what to do with those files. the crt makes sense to me, but what is the ca-bundle and p7b?

b-a-t commented Dec 18, 2015

The ca-bundle file contains concatenated intermediate certificates in x509 PEM format. The p7b seems to contain the same information in the PKCS#7 format, but I couldn't read it with openssl pkcs7 -in command, so it seems to be supported by Windows only and in general is necessary for IIS/Tomcat.

As it was said above, you can get separate intermediate certificates from:

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/979/108/domain-validation-sha-2

Thanks! I come back to this every year the day before the certs expire

This is awesome. Thanks so much for posting this!

It looks like this guide is to install a new cert; I am looking for a guide to renew an existing cert which is going to expire. My stack is a Rails application with nginx + passenger, a PostgreSQL db and sidekiq job handlers, if they matter.

w33zy commented Apr 18, 2016

@ammislan these are the steps you would follow. To 'renew' a cert is to remove the old one and install the new one.

chozabu commented Apr 18, 2016

Hmm, I've got similar results to @SpencerCooley but my provided files are

STAR_example_com.ca-bundle 
STAR_example_com.crt

This runs fine on my test server just using the crt file - but I wonder if I need to combine them first? (and why?)

chozabu commented Apr 18, 2016

@SpencerCooley looks like the info we need is here: https://support.comodo.com/index.php?/Default/Knowledgebase/List/Index/37

PREREQUISITES: Concatenate the CAbundle and the certificate file which we sent you using the following command.
cat STAR_example_com.crt STAR_example_com.ca-bundle > ssl-bundle.crt

(formatted to be a more exact match for what I actually typed, with domain name checked)

And for more info - using just the original crt file works, but https://www.sslshopper.com/ssl-checker.html mentioned it is missing some trust chain, and some browsers will be unhappy.

After combining the certs as above, everything seems groovy.

pmuens commented Apr 21, 2016

Great guide! Thanks man!

tks !

Rigoni commented Jun 14, 2016

Great tutorial!

But if you don't concatenate the AddTrustExternalCARoot.crt file, the site www.ssllabs.com doesn't show the Chain Issues -> Contains Anchor.

I have not concatenated it and it shows me Chain Issues -> None.

Awesome... Thanks!

THANK YOU!! The wild world of SSL.

Scit commented Jul 22, 2016

Nice! Very clear instructions! Thank you!

Dude you rock, I'm going to fork this just so I have a copy. This is what should be displayed on Comodo's site as their instructions were terrible.

Thanks for this @bradmontgomery!

taniadaniela commented Sep 9, 2016

These instructions work perfectly for SSL CA generated with register.com, the same order of files to generate the bundle file (just replace Comodo word for the word in your files). Thanks a lot!

Thanks for the detailed writeup, I was looking for exactly this!

Thanks!

Thanks!

eugenbg commented Nov 28, 2016

thank you!

Thank you! You made my day!

Great!

Saved my ass today. example_com.crt was working for desktop but not for mobile. Followed your steps and now it's working perfectly fine.

Very useful, thanks!

This is amazing. Thank you!!!

p-thurner commented Mar 12, 2017

Good howto! There is a "generator" for good SSL configs for nginx and apache. You can specify the version of the webserver and your openssl version:

https://mozilla.github.io/server-side-tls/ssl-config-generator/

Mashpy commented Mar 30, 2017

Thank you for the solution. I have written a tutorial on how to install PositiveSSL on your website using the nginx webserver. Hope it will be helpful.

This works perfectly, thanks.

thx

Thanks!

Thanks !!

Many thanks

JaphethC commented Jul 1, 2017

Thank you. This was the exact information I needed for my set up.

nitin7dc commented Aug 3, 2017

thanks :)

thnx!

Thanks for the write-up.
Helped with setting up a Postfix mail server.
I greatly appreciate it.

Aukhan commented Oct 5, 2017

Much Appreciated !
Thanks !

Hi @bradmontgomery,

Great Tutorial. Thanks for this. :)

I got question, when I use www_example_com.crt COMODORSADomainValidationSecureServerCA.crt 2 files only. Any issue with that?

Not familiar much on certificate but I have a weird issue.

Thanks in advance. Appreciate your response. :)

Thanks! Exactly what I was looking for.

Thanks!

Thanks a lot!
