[Memo] Install SSL certificate on Nginx server

You can install an SSL certificate on the Nginx or Tengine server to securely access the web server through HTTPS. This article describes how to install an SSL certificate for Nginx or Tengine server.

Important

This article uses CentOS 8.0 64-bit and Nginx 1.14.2 as examples. The deployment steps may differ for other operating system or web server versions. If you have any questions, contact the product technical experts for consultation. For details, see expert one-on-one service.

If you are using Alibaba Cloud Elastic Compute Service (ECS), you must allow inbound traffic on port 80 and port 443 on the Security Group page of the ECS management console; otherwise website access may fail. For information on how to configure a security group, see Adding Security Group Rules.

Wherever the name of the certificate file appears in this article, the placeholder cert-file-name is used. For example, the certificate file used in this article is cert-file-name.pem, and the certificate private key file is cert-file-name.key. In practice, replace cert-file-name in the sample code with the actual name of your certificate file.

Prerequisite

  • The certificate has been issued through the Digital Certificate Management Service console. For specific operations, see Purchasing an SSL Certificate and Submitting a Certificate Application.

  • The domain name bound to the SSL certificate has completed DNS resolution, that is, the domain name resolves to the IP address of the host on which Nginx runs. You can use the DNS verification certificate tool to check whether the DNS resolution of the domain name has taken effect. For specific operations, see DNS verification.

Step 1: Download SSL certificate

  1. Log in to the digital certificate management service console.

  2. In the left navigation bar, click SSL Certificates.

  3. On the SSL Certificate page, navigate to the target certificate, and in the Action column, click Download.

  4. In the row whose Server type is Nginx, in the Operation column, click Download.


  5. Unzip the downloaded SSL certificate compressed package.

    Depending on the CSR generation method you chose when submitting the certificate application, the files obtained by decompression differ, as follows.

    CSR generation method: System generated, or Select an existing CSR

    • Certificate file (PEM format): by default named Certificate ID_Bound domain name. A PEM certificate file is a Base64-encoded text file.

    • Private key file (KEY format): by default named after the domain name bound to the certificate.

    CSR generation method: Manual filling

    • If you filled in a CSR that was created through the Digital Certificate Management Service console, the downloaded package contains the same files as in the system-generated case.

    • If you filled in a CSR that was not created through the Digital Certificate Management Service console, the downloaded package contains only the certificate file (PEM format). No certificate password or private key file is included, because the service never held your private key. Use the certificate tool to convert the certificate file together with the certificate password or private key file you hold into the format Nginx requires. For specific operations on converting the certificate format, see Certificate Format Conversion.

Step 2: Install the certificate on the Nginx server

The operations for installing certificates on Nginx independent servers and Nginx virtual hosts are different. Please select the corresponding installation steps according to your actual environment.

Install certificate on Nginx independent server

  1. Execute the following command to create a directory for storing certificates in the Nginx conf directory.

    cd /usr/local/nginx/conf #Enter the Nginx default configuration file directory. This directory is the default directory when manually compiling and installing Nginx. If you have modified the default installation directory or installed it in other ways, please adjust it according to the actual configuration.
    mkdir cert #Create a certificate directory and name it cert. 
  3. Upload the certificate file and private key file to the certificate directory of the Nginx server (/usr/local/nginx/conf/cert). Keep the private key readable only by root (for example, mode 600): the Nginx master process, which normally runs as root, reads it at startup, and no other account needs access to it.

    Description

    You can use the file upload function provided by your remote login tool, for example PuTTY, Xshell or WinSCP. If you are using Alibaba Cloud ECS, for specific operations on uploading files, see Using MSTSC to Upload Files to a Windows Cloud Server from a Local Windows Host or Upload Files to a Linux Cloud Server.

  3. Edit the Nginx configuration file nginx.conf and modify the certificate-related configuration.

    1. Execute the following command to open the configuration file.

      vim /usr/local/nginx/conf/nginx.conf

      Important

      nginx.conf is stored in the /usr/local/nginx/conf directory by default. If your installation uses a different location, run nginx -t to print the path of the configuration file actually in use, and substitute that path for /usr/local/nginx/conf/nginx.conf in the commands below.

    2. Press the i key to enter edit mode.

    3. Locate the server attribute configuration in nginx.conf.


    4. Delete the comment symbol # at the beginning of each line of the HTTPS server block and modify it as follows.

      server {
           #HTTPS uses port 443 by default. The ssl parameter makes Nginx
           #terminate TLS on this listener; without it, port 443 serves plain HTTP.
           listen 443 ssl;

           #Fill in the domain name bound to the certificate
           server_name <yourdomain>;

           #Certificate file (server certificate followed by the intermediate chain).
           #The path is relative to the conf directory, so it must not start with /.
           ssl_certificate cert/<cert-file-name>.pem;
           #Certificate private key file
           ssl_certificate_key cert/<cert-file-name>.key;

           ssl_session_cache shared:SSL:1m;
           ssl_session_timeout 5m;

           #TLS protocol versions and cipher suites (example values; review them against the clients you must support).
           #TLS 1.0 and 1.1 are deprecated (RFC 8996) and should not be enabled; TLS 1.2 and 1.3 are supported by all current browsers.
           ssl_protocols TLSv1.2 TLSv1.3;
           #ssl_ciphers applies to TLS 1.2 and earlier; TLS 1.3 cipher suites are fixed by the TLS library.
           #Prefer forward-secret ECDHE suites and exclude NULL, anonymous, MD5 and RC4 ciphers.
           ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;

           #Use the server's cipher order rather than the client's (off by default)
           ssl_prefer_server_ciphers on;

          location / {
                 root html;
                 index index.html index.htm;
          }
      }
    5. Optional: Set HTTP requests to automatically redirect to HTTPS.

      If you want all HTTP access to be redirected to the HTTPS site, add a rewrite statement to the server block that listens on port 80.

      Important

      Place the following server {} block next to (for example, after) the HTTPS server {} block in nginx.conf. After this step nginx.conf contains two server {} blocks: one listening on port 443 that serves the site over HTTPS, and one listening on port 80 that only redirects.

      server {
          listen 80;
          #Fill in the domain name bound to the certificate
          server_name <yourdomain>;
          #Redirect every HTTP request to HTTPS with the rewrite directive.
          #permanent sends a 301; without it Nginx sends a 302, which browsers do not cache.
          #Nginx appends the original query string automatically.
          rewrite ^(.*)$ https://$host$1 permanent;
      }

      [Figure: nginx.conf with the HTTPS server block followed by the HTTP redirect block]

    6. After the modification is complete, press the Esc key, type :wq and press Enter to save the configuration file and exit the editor.

  4. Execute the following commands to check the configuration and reload the Nginx service.

    cd /usr/local/nginx/sbin #Enter the directory containing the Nginx executable.
    ./nginx -t               #Test the configuration; fix any reported error before reloading.
    ./nginx -s reload        #Reload the configuration file without dropping existing connections.

    Description

    • Error the "ssl" parameter requires ngx_http_ssl_module: your Nginx binary was built without TLS support. Recompile Nginx with the --with-http_ssl_module configure option.

    • Error "/cert/3970497_demo.aliyundoc.com.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/cert/3970497_demo.aliyundoc.com.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file): the certificate path starts with /, so Nginx treats it as an absolute path from the filesystem root instead of relative to the conf directory. Remove the leading /: change /cert/cert-file-name.pem to the relative path cert/cert-file-name.pem.

Install the certificate on the Nginx virtual host

The steps for installing a certificate depend on the virtual hosting product. If you are using Alibaba Cloud's web hosting service, see Enabling HTTPS encrypted access for specific operations. If you are using another provider's virtual host, refer to that provider's guide for installing certificates.

Step 3: Verify whether the SSL certificate is installed successfully

After the certificate is installed, you can verify whether the certificate was installed successfully by accessing the domain name bound to the certificate.

https://yourdomain #You need to replace yourdomain with the domain name bound to the certificate. 

If a padlock icon appears in the browser's address bar, the browser trusts the certificate chain and the certificate matches the domain name, so the certificate has been installed successfully. The padlock does not tell you which protocol versions and cipher suites the server offers; check those separately, for example with a TLS scanner or openssl s_client, and confirm that the intermediate certificates are served along with the server certificate.

END

Original text: How to install an SSL certificate on an Nginx or Tengine server_Digital Certificate Management Service-Alibaba Cloud Help Center