@sharathchandramg
Last active August 17, 2023 13:17
Steps to install a Comodo Wildcard certificate with Nginx.

The steps below show how to install a Comodo certificate on CentOS 7.

I have used bigrock.in for the domain registration and for procuring the certificates.

Create a certificate request

  1. Create a folder to hold all our SSL certificates

     mkdir /etc/nginx/ssl/c2r_com
     cd /etc/nginx/ssl/c2r_com

  2. Run the command to generate the private key and CSR

     openssl req -newkey rsa:2048 -nodes -keyout c2r.com.key -out c2r.com.csr


At this point, you will be prompted for several lines of information that will be included in your certificate request. The most important part is the Common Name field which should match the name that you want to use your certificate with — for example, c2r.com, *.c2r.com (wildcard).

  3. This generates two files: c2r.com.key, the private key (you will need it later to configure NGINX), and c2r.com.csr, the certificate signing request.

  4. Now you can purchase your certificate. You will need to copy and paste the contents of c2r.com.csr into the vendor's request form to apply for an SSL certificate. Use this command to print your file:
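The two steps above can be scripted so that the CSR is produced without prompts, carries the wildcard both as the Common Name and as a Subject Alternative Name, and is checked before it is pasted into the vendor's form. The script below is an added example and is not part of the gist; it assumes openssl is on PATH, and the organisation fields (IN, Karnataka, Bangalore, Example Org) are placeholders to replace with your own. It uses a small request config instead of `-addext` so the SAN works on the OpenSSL 1.0.2 shipped with CentOS 7 as well as on newer releases.

```shell
#!/bin/sh
# Added example, not from the gist. Generates DOMAIN.key and DOMAIN.csr in DIR
# without prompts and verifies the result. Assumes openssl is on PATH; the
# organisation fields below are placeholders.

# make_csr DIR DOMAIN
make_csr() {
  dir="$1"; domain="$2"
  mkdir -p "$dir"
  cfg="$dir/$domain.cnf"
  # Request config: 'prompt = no' takes the subject from [dn]; [v3_req]
  # asks for a SAN listing both the wildcard and the bare domain.
  cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[dn]
C = IN
ST = Karnataka
L = Bangalore
O = Example Org
CN = *.$domain

[v3_req]
subjectAltName = DNS:*.$domain, DNS:$domain
EOF
  # umask 077 so the key is created mode 600 and is never world-readable.
  (umask 077; openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null)
  openssl req -new -sha256 -key "$dir/$domain.key" -config "$cfg" \
    -out "$dir/$domain.csr"
}

# Print the subject so it can be checked before purchase.
csr_subject() {
  openssl req -noout -subject -in "$1"
}

# Print the requested SAN line, e.g. "DNS:*.c2r.com, DNS:c2r.com".
csr_sans() {
  openssl req -noout -text -in "$1" \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Succeeds only if the CSR's self-signature verifies, i.e. the file was not
# truncated or mangled (the same check the CA runs on what you paste).
csr_ok() {
  openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# Usage with the gist's paths (assumed):
#   make_csr /etc/nginx/ssl/c2r_com c2r.com
#   csr_ok /etc/nginx/ssl/c2r_com/c2r.com.csr && csr_sans /etc/nginx/ssl/c2r_com/c2r.com.csr
```

The `-nodes` option in the gist's one-liner leaves the key unencrypted, which nginx needs in order to start unattended; the script keeps that behaviour but relies on file permissions (mode 600 in a root-owned directory) to protect the key instead.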

Purchase certificate

Choose any vendor and purchase the certificate. Once the certificate is approved, download the certificate artifacts.

Comodo Certificate

Comodo provides all the required root and intermediate certificates at

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/979/108/domain-validation-sha-2

The downloaded artifacts include:

  1. Root CA Certificate - addtrustexternalcaroot.crt
  2. Intermediate CA Certificate - comodorsaaddtrustca.crt
  3. Intermediate CA Certificate - comodorsadomainvalidationsecureserverca.crt
  4. Root CA Bundle - comodo-rsa-domain-validation-sha-2-w-root.ca-bundle
  5. Intermediate CA Bundle - comodo-rsa-domain-validation-sha-2-intermediates.ca-bundle

The application certificate is provided in the email or on the web site:

  1. Application Certificate - c2r.crt

Install SSL Certificate

  1. Copy all the certificate artifacts to the server under the designated folder

     /etc/nginx/ssl/c2r_com

  2. Combine the certificates to create a bundle (the application certificate first, then the intermediate)

     cat c2r.crt comodorsadomainvalidationsecureserverca.crt > ssl-bundle.crt

  3. Update the nginx configuration

     server {
         listen 443 ssl;
         server_name beta.c2r.com;

         # 'ssl on' is redundant with 'listen 443 ssl' and deprecated in newer nginx
         ssl on;
         # the bundle (application certificate + intermediate) is the certificate;
         # the key is the private key generated together with the CSR
         ssl_certificate /etc/nginx/ssl/c2r_com/ssl-bundle.crt;
         ssl_certificate_key /etc/nginx/ssl/c2r_com/c2r.com.key;
         # TLSv1 and TLSv1.1 are deprecated; drop them unless legacy clients need them
         ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
         ssl_prefer_server_ciphers on;
         ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
     }

  4. Check if the configuration is correct by running

     nginx -t

  5. Restart nginx

     sudo systemctl restart nginx


References:

Common Troubleshooting

  1. Installing the certificate gave the following error on restarting the server

     nginx SSL PEM_read_bio:bad end line

    • Open ssl-bundle.crt

    • The concatenation had run the two certificates together (c2r.crt has no trailing newline, so cat joins its last line to the first line of the next file):

        -----END CERTIFICATE----------BEGIN CERTIFICATE-----

    • Just add a line break between the two markers:

        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----

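The bundling step (step 2 of the install) and this troubleshooting item are two sides of one problem: cat only yields a valid bundle if every input file ends with a newline. The script below is an added example, not from the gist, that builds the bundle safely, repairs one that was already fused, and then runs the two openssl checks worth doing before `nginx -t`: that the private key matches the application certificate and that the certificate chains to the Comodo root through the intermediates. It assumes openssl is installed and uses the gist's file names; the working directory is passed as an argument.

```shell
#!/bin/sh
# Added example, not from the gist: safe certificate bundling plus the checks
# to run before 'nginx -t'. Assumes openssl is installed and the gist's file
# names; paths are passed as arguments.

END_MARK='-----END CERTIFICATE-----'
BEGIN_MARK='-----BEGIN CERTIFICATE-----'

# make_bundle OUT FILE...: concatenate PEM files, adding a newline after any
# file that does not end with one. This prevents the fused
# "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" line behind nginx's
# "PEM_read_bio:bad end line".
make_bundle() {
  out="$1"; shift
  : > "$out"
  for f in "$@"; do
    cat "$f" >> "$out"
    # tail -c1 prints the last byte; $(...) strips a newline, so a non-empty
    # result means the file lacked one.
    if [ -n "$(tail -c1 "$f")" ]; then
      echo >> "$out"
    fi
  done
}

# fix_bundle FILE: repair, in place, a bundle already produced by plain cat by
# splitting any fused END/BEGIN markers onto separate lines.
fix_bundle() {
  awk -v e="$END_MARK" -v b="$BEGIN_MARK" '
    { line = $0
      while ((n = index(line, e b)) > 0) {
        print substr(line, 1, n + length(e) - 1)   # up to and including END
        line = substr(line, n + length(e))         # from BEGIN onwards
      }
      print line }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# count_certs FILE: number of lines carrying a BEGIN marker (0 if none).
count_certs() {
  grep -c -- "$BEGIN_MARK" "$1" || true
}

# key_matches_cert CERT KEY: the certificate and the private key must carry
# the same RSA modulus, otherwise nginx refuses the pair at startup.
key_matches_cert() {
  c=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
  k=$(openssl rsa  -noout -modulus -in "$2" | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# verify_chain ROOT INTERMEDIATES CERT: the certificate must chain to the root
# through the intermediate bundle the vendor supplied.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null
}

# Usage with the gist's file names (assumed paths):
#   cd /etc/nginx/ssl/c2r_com
#   make_bundle ssl-bundle.crt c2r.crt comodorsadomainvalidationsecureserverca.crt
#   key_matches_cert c2r.crt c2r.com.key || echo "key does not match certificate"
#   verify_chain addtrustexternalcaroot.crt \
#     comodo-rsa-domain-validation-sha-2-intermediates.ca-bundle c2r.crt
```

Run the two openssl checks on the real files; `key_matches_cert` fails on exactly the mix-up the comment below describes (bundle and key swapped in the nginx config), and `verify_chain` fails if the intermediate in the bundle is not the one that issued the certificate.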
      
@pvz81

pvz81 commented Jan 23, 2019

Hey, thanks for the tutorial, but you are missing the key completely.

This is wrong (wrong order and missing key):
ssl_certificate /etc/nginx/ssl/c2r/c2r.crt;
ssl_certificate_key /etc/nginx/ssl/c2r/ssl-bundle.crt;

It should be:
ssl_certificate /etc/nginx/ssl/c2r/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/c2r/c2r.key;

The key must be uploaded to the folder also :)

@MarouaneSH

@pv81 Thanks it works for me
