Move your site from http to https: get and install free ssl certificates with nginx

Last Updated on 15th September 2020 by peppe8o

In this guide I’m going to help you (and my memory) to get and install free SSL certificates with nginx. This is necessary to move your website from http to secure https. This was also my first need after creating my self-hosted website (see here to learn how to host your WordPress website).

This guide is recommended for people with intermediate experience, because a failure in this procedure could require a clear idea of how to roll back your settings.

What is SSL and why the internet needs it

As internet business has grown in the past years, security needs have increased to prevent malicious people from causing damage to both customers and companies. One of the key concepts in securing internet connections has been to assure end users that they are browsing (and passing data to) the website they intend to visit.

SSL certificates work to establish trusted and secure connections. With modern browsers, website visitors can verify that the connection is secure just by looking for a padlock in the URL bar near the website address.

To work correctly, an SSL certificate must be digitally signed by a trusted Certification Authority (CA). Anyone can create a certificate, but browsers only trust certificates that come from an organization on their list of trusted CAs.

How to request a free SSL certificate for your website

If you want to install free SSL certificates you need first, of course, to obtain them. Luckily, there are many online services offering free certificates. One of these is SSL For Free. It is a good idea, in my opinion, to register a free account (not strictly required, but useful for renewal). Go back to the home page and request a certificate by typing your website address:

[Screenshot: SSL For Free certificate request]

In case of multiple domains or subdomains, these addresses should be separated by spaces (e.g. “subdomain.domain.com domain.com otherdomain.org *.wildcarddomain.com”) in order to obtain a single certificate working for multiple websites.

At this point, you must verify your identity and that you own the domain for which you are requesting certificates. There are many ways (manual or automatic) offered to accomplish verification. One of the easiest ways is to modify your DNS records (with the registrar used to acquire the domain), adding a specific TXT record. A second alternative is downloading a file from their website and placing it at a specific path reachable from the internet and mapped in your webserver. A third way is configuring an FTP connection and giving them access.

Once your verification process is completed, you will receive 3 files:

  • certificate.crt (server certificate)
  • ca_bundle.crt (authority certificate)
  • private.key (your private key)

Install free SSL certificates with nginx

At this point the installation procedure depends on your web server. If you have Nginx, proceed with the following steps.

Merge the following downloaded files into a single “.pem” file (in this exact order):

  1. certificate.crt
  2. ca_bundle.crt

Your new file must look similar to the following:

-----BEGIN CERTIFICATE-----
................................
................................
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
................................
................................
-----END CERTIFICATE-----

Please be aware that the start of the second certificate must be on a different line from the end of the first certificate.

Now move the .pem file (let’s call it “certificate.pem”) and your “private.key” file into a path on your webserver and edit your nginx site configuration file, adding the new parameters: listen, ssl_certificate, ssl_certificate_key, ssl_protocols and ssl_ciphers. Your configuration file will look similar to the following:

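server {
  listen 80;
  listen 443 ssl;
  server_name yourdomain.com;
  # Merged file: server certificate first, then the CA bundle
  ssl_certificate /your/path/to/certificate.pem;
  # Private key: keep it unreadable for other users on the server
  ssl_certificate_key /your/path/to/private.key;
  # TLSv1 and TLSv1.1 are deprecated (RFC 8996), so only newer versions are enabled.
  # TLSv1.3 requires nginx 1.13.0+ built with OpenSSL 1.1.1+.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers HIGH:!aNULL:!MD5;
  # ....... (the rest of your existing server configuration)
  # .......
}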

Now test your configuration; it should be working.
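
The merge, key check and file placement described above, as an added shell example that is not part of the original guide. File names follow the guide; the function names are assumptions of this example, and key_matches_cert assumes the openssl command is installed.

```sh
#!/bin/sh
# Added example, not from the original guide. File names follow the guide;
# the function names are assumptions made for this example.

# Count lines that consist of exactly the given PEM marker.
count_lines() { grep -c -x -- "$1" "$2" || true; }

# build_chain LEAF CA_BUNDLE OUT
# Writes the server certificate first, then the CA bundle, with every
# certificate marker on its own line.
build_chain() {
    bc_leaf=$1; bc_bundle=$2; bc_out=$3
    for bc_f in "$bc_leaf" "$bc_bundle"; do
        grep -q -- '-----BEGIN CERTIFICATE-----' "$bc_f" 2>/dev/null || {
            echo "not a PEM certificate: $bc_f" >&2; return 1; }
    done
    # awk ends every line it prints with a newline, so a file without a
    # trailing newline cannot glue its END marker to the next BEGIN marker.
    # Windows line endings (CR) are dropped at the same time.
    awk '{ sub(/\r$/, ""); print }' "$bc_leaf" "$bc_bundle" > "$bc_out" || return 1
    bc_begin=$(count_lines '-----BEGIN CERTIFICATE-----' "$bc_out")
    bc_end=$(count_lines '-----END CERTIFICATE-----' "$bc_out")
    [ "$bc_begin" -ge 2 ] && [ "$bc_begin" -eq "$bc_end" ] || {
        echo "unexpected chain layout in $bc_out" >&2; return 1; }
}

# key_matches_cert CHAIN KEY
# Succeeds only if the private key belongs to the first certificate in the
# chain file. It fails when the files were merged in the wrong order or the
# key is from another request.
key_matches_cert() {
    kc_cert=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    kc_key=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$kc_cert" ] && [ "$kc_cert" = "$kc_key" ]
}

# install_files CHAIN KEY DIR
# Copies both files into DIR; the private key becomes readable by its owner only.
install_files() {
    cp "$1" "$3/certificate.pem" && cp "$2" "$3/private.key" &&
    chmod 644 "$3/certificate.pem" && chmod 600 "$3/private.key"
}
```

Once build_chain and key_matches_cert succeed and the files are in place, `nginx -t` checks the edited configuration before you reload the server.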

Enjoy!
