UPDATE: MARCH 1 2021
I got confused reading my own tutorial. Everything here works but the explanation is not good enough. 5/10.
I will work on a much more comprehensive tutorial.
If I say this was easy, I’d be lying. I cannot find the right words to express my joy ’cause this whole process was indeed frustrating! I’ll take you through the steps I took, my mistakes and how I solved them.
So let’s get started!
NOTE: this is my first time setting up SSL on NGINX 🙂 and please read through before you proceed to purchase and set up SSL.
Prerequisites
- Ensure you’ve installed and set up nginx
- Lots of PATIENCE
PURCHASE COMODO POSITIVE SSL
You may decide to buy directly from Comodo or any reseller. In my case, I purchased via Hostinger.
SET UP COMODO POSITIVE SSL
Depending on the provider, you should see this on your dashboard. Click on set up and fill in the details.
NOTE: you should have this email: admin@yourdomain.com.
If you do not have ‘admin@domain.com’, purchase an email hosting plan from your provider. Luckily I had a free business email waiting to be set up… yay!
Once complete, log in to the custom email you’ve created. You should get an email containing a validation code. Copy it, then click the link provided in the email and paste the code there.
DOWNLOAD SSL CERTIFICATE
If all goes well, you should be able to download your SSL certificate. You’ll find it in two places:
- Inbox (email address used to register for hosting account)
- SSL certificates page on cpanel (in my case hpanel – hostinger)
I’d advise you to download number two. You’ll see why below.
SET UP SSL CERTIFICATE ON NGINX
I followed this tutorial from Comodo and things got messy from here. So let’s go through the process (mistakes + solution).
Based on this tutorial I should have generated the private key and CSR (certificate signing request) before purchasing SSL but I didn’t.
1 – Create a directory
Login to your server via the command line. Decide where you want to store your files and create a directory there.
sudo mkdir /your/desired/path/new_directory_name
Run this command in that directory
openssl req -new -newkey rsa:2048 -nodes -keyout domainname_com.key -out domainname_com.csr
You should get a prompt with a series of questions, fill in with the appropriate answers. Ensure you use your domain name or public ip for the ‘Common Name’ question.
Common Name (e.g. server FQDN or YOUR name) []: your_domain.com
You’ll get two files: domainname_com.key and domainname_com.csr
Based on another tutorial on YouTube, I ran this command instead:
sudo openssl req -new -newkey rsa:2048 -nodes -keyout domain_com.key -out domain.com
Once questions are completed, I got the csr output:
-----BEGIN CERTIFICATE REQUEST-----
…
-----END CERTIFICATE REQUEST-----
Copy and create a new file with this command:
sudo vim domain_com.csr
Enter insert mode by pressing ‘i’. Paste the csr. ‘Esc’ to exit insert mode then :wq to save and quit.
CREATE BUNDLE FILES
Combine the crt files extracted from the zip folder into a single file. You can do this by using a GUI text editor. Create a blank file then copy and paste each .crt file in this order:
- yourdomain_com.crt
- SectigoRSADomainValidationSecureServer.crt
- USERTrustRSAAddTrustCA.crt
- AddTrustExternalCARoot.crt
Copy everything.
Return to your command line, ‘cd’ into the directory where you stored your key and csr file. Create a new file with this command
sudo vim domain_com.crt
Copy and paste.
Save and quit
CONFIGURE NGINX
Find server config settings here:
/etc/nginx/sites-available/default OR /etc/nginx/sites-available/yoursite
If you’re using the default config file, then run this command:
sudo vim /etc/nginx/sites-available/default
Scroll through the config file and make these changes:
Uncomment this (remove #): listen 443 ssl default_server;
Modify: server_name _; to server_name yourwebsite.com;
<Add the location to your crt and key files>
ssl_certificate /etc/path/to/your/ssl/domain_com.crt;
ssl_certificate_key /etc/path/to/your/ssl/privatekey.key;
NOTE: terminate each line with a semicolon.
Config file should have these changes:
listen 443 ssl default_server;
…
…
…
server_name yourdomain.com;
ssl_certificate /etc/path/to/your/ssl/certificate.crt;
ssl_certificate_key /etc/path/to/your/ssl/privatekey.key;
Save and quit.
Restart nginx with this command:
sudo service nginx restart
Now this is where I got an error:
Job for nginx.service failed because the control process exited with error code.
See “systemctl status nginx.service” and “journalctl -xe” for details.
I ran this command to test nginx configuration:
nginx -t
First error had to do with permission on the key. So I changed ownership of the .key file to the user signed in.
Then restarted the server but another error:
… (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
This time private key value mismatch.
After reading numerous articles and watching several YouTube videos, I couldn’t find a solution. Mainly because some tutorials are outdated and the one on Comodo is helpful to a certain point.
THE FIX
Remember the zip file I downloaded from Hostinger dashboard? It contains the private key *facepalm*.
Open the key file in your favorite (gui) text editor. It should be like this:
-----BEGIN PRIVATE KEY-----
…
..
..
-----END PRIVATE KEY-----
Copy it.
Edit the domain_com.key file with this command
sudo vim domain_com.key
I deleted everything in the file with ‘:1, $d’ then pasted the new key.
Restarted nginx once more and no errors! YES!
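The "key values mismatch" error means the public key inside the certificate is not the one that belongs to the .key file nginx was given. The script below is an added example, not part of the original steps: it compares the public key of a certificate, a private key and optionally a CSR, so the pairing can be checked before restarting nginx. The file names and the self-signed certificate are constructed samples created in a temporary directory.

```shell
#!/bin/sh
# Added example: check that a certificate, private key and CSR share one public key.

# Print the SHA-256 of the public key inside a cert, key or CSR (PEM files).
pubkey_hash() {
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || pem="" ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || pem="" ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || pem="" ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 on match, 1 on mismatch, 2 if a file cannot be parsed.
check_tls_pair() {
    cert_h=$(pubkey_hash cert "$1") || { echo "cannot read certificate: $1"; return 2; }
    key_h=$(pubkey_hash key "$2") || { echo "cannot read private key: $2"; return 2; }
    if [ "$cert_h" != "$key_h" ]; then
        echo "MISMATCH: $2 is not the key that $1 was issued for"
        return 1
    fi
    if [ -n "${3:-}" ]; then
        csr_h=$(pubkey_hash csr "$3") || { echo "cannot read CSR: $3"; return 2; }
        [ "$cert_h" = "$csr_h" ] || { echo "MISMATCH: $3 was made from another key"; return 1; }
    fi
    echo "OK: $1 and $2 belong together"
}

# Constructed sample files: a self-signed certificate stands in for the issued one,
# and other.key plays the key generated by hand after the purchase.
make_demo_files() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/site.key" -out "$1/site.csr" 2>/dev/null
    openssl x509 -req -in "$1/site.csr" -signkey "$1/site.key" -days 1 \
        -out "$1/site.crt" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

tmp=$(mktemp -d) && make_demo_files "$tmp"
check_tls_pair "$tmp/site.crt" "$tmp/site.key" "$tmp/site.csr"
check_tls_pair "$tmp/site.crt" "$tmp/other.key" || true
rm -rf "$tmp"
```

When the certificate argument is the bundle file built earlier, openssl reads only the first certificate in it, which is the domain certificate if the files were pasted in the order listed above.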
BROWSER TEST
Type in: https://www.yourdomain.com on your browser’s address bar. If all goes well, you should see a green (closed) padlock.
BONUS: REDIRECT HTTP – HTTPS
To do this, you’ll need two server blocks in your configuration file. One for port 80 and the other for 443.
Modified Server Configuration
server {
    listen 80;
    listen [::]:80;
    server_name domain.com www.domain.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    root /path/to/your/site/folder/public;
    server_name domain.com www.domain.com;
    ssl_certificate /path/to/domain_com.crt;
    ssl_certificate_key /path/to/domain_com.key;
}
FINAL THOUGHTS
This is my first written guide (of some sort) so pardon any errors or mixup. If you have any issues/corrections, do not hesitate to reach out.
Based on one or two, all I had to do was download the zip file containing the private key. Bundle the 4 certificate files and move them to my server.
I’ll work on creating a detailed step by step tutorial as soon as I can (heaven forbid procrastination).
Thank you 🙂
QUICK COMMANDS
mkdir somename = make directory
vim hello.extension = create a file named hello. Example hello.txt
sudo chown -R yourusername foldernameORfilename = change ownership
sudo service nginx restart = restart nginx
sudo systemctl restart nginx = restart nginx
ll = get information about files and directories (present working directory)
cd = change directory
Vim
i = insert
:q = quit without saving
:wq = save and quit
:1,$d = delete everything
USEFUL LINKS
Coder’s Tape Laravel deployment guide
Digital Ocean – Create SSL certificate for nginx
Comodo Positive SSL on Nginx guide
Digital Ocean – Community Question force HTTP to redirect to HTTPs
Servers for hackers – Redirect HTTP to HTTPs