Earlier this week Namecheap sent me a reminder that it was time to renew the SSL certificate for my website. Honestly I’m not sure why they use the term “renew” when essentially you have to go through the entire process over again, which can be a huge pain.
Namecheap offers PositiveSSL certificates from Comodo for $9/year, which is incredibly cheap, but the Comodo certificates can be a bit difficult to work with.
Recently they stopped sending the intermediate and root certificates via email, making things a lot harder than they needed to be.
I decided to document the process of installing the Comodo PositiveSSL certificate for Nginx web servers to save you the hassle I had to go through.
Step 1: Upload the certificates to your server
After purchasing the certificate and completing the verification process you will receive a copy of the PositiveSSL certificate via email. In my case the file was called www_samkear_com.crt.
In addition to this file you will also need two more files: the intermediate certificate bundle (comodo-rsa-domain-validation-sha-2-intermediates.ca-bundle.crt) and the AddTrust External CA root (addtrustexternalcaroot.crt). Both can be downloaded directly from comodo.com.
At this point you should have 3 certificate files, the domain certificate, the intermediate certificate bundle, and the root certificate. Upload all three of these certificates to your web server. Personally I like to store them in /srv/ssl.
Step 2: Combine the domain certificate with the intermediate certificates
Next you’ll need to concatenate the domain certificate with the intermediate certificates in the chain. Make sure to insert the name of your domain certificate in the commands below.
The order these certificates are joined together makes a difference: Nginx sends the file to clients as-is, and the first certificate must be your domain certificate, followed by the intermediates, each issued by the one after it. Use a single > rather than >> so that running the command a second time overwrites the file instead of appending a duplicate chain to it.
cd /srv/ssl/
cat www_samkear_com.crt comodo-rsa-domain-validation-sha-2-intermediates.ca-bundle.crt > www.samkear.com.certchain.crt
Step 3: Combine the intermediate certificate bundle with the root certificate
If you’re planning to use OCSP stapling (which I strongly recommend) then you’ll also want to concatenate the intermediate cert bundle with the root certificate. This file is never sent to clients; Nginx uses it only to verify the OCSP response it staples, which is why the root belongs here and not in the chain from step 2. Again, don’t forget to change the name of the output file here.
cat comodo-rsa-domain-validation-sha-2-intermediates.ca-bundle.crt addtrustexternalcaroot.crt > www.samkear.com.trustchain.pem
Step 4: Update the Nginx configuration file
The Nginx configuration file for your site needs to be updated to point to the combined domain certificate and the private key.
Assuming you generated the certificate request on your web server, you should already have the private key in the same directory as the certificate request file.
Place the key in the same directory as your certificates (/srv/ssl). Unlike the certificates, the key is secret: make it owned by root and readable only by root (mode 600), since Nginx reads it as root before dropping privileges.
ssl_certificate /srv/ssl/www.samkear.com.certchain.crt;
ssl_certificate_key /srv/ssl/www.samkear.com.key;
Then point ssl_trusted_certificate to the combined intermediate and root certificate from step 3.
ssl_trusted_certificate /srv/ssl/www.samkear.com.trustchain.pem;
Step 5: Restart Nginx
In order for Nginx to start using the new certificate you must restart the process. Nginx parses the certificate and key files while loading the configuration, so a broken file shows up as an error at this point rather than at the first client connection.
service nginx restart
If you don’t see any error messages then you can move on to the testing process. If you do see errors or warnings you’ll need to address them before continuing. See the section below on common problems.
Testing SSL
Initially you can browse to your site in Chrome to confirm that the certificate is being presented to the browser. If Chrome is happy with the certificate details then you should also see the green lock icon in the address bar.
For a much more in-depth analysis I recommend using the Qualys SSL Labs server test. Their tool will connect to your site and perform many different tests to verify the status of the SSL certificate on your site, including whether the full chain is sent and whether OCSP stapling is working.
They will assign an overall rating based on their assessment of the server. This utility can be very helpful for diagnosing and solving common SSL problems.
Further SSL Tweaks for Nginx
Here are some additional SSL optimizations for Nginx you can apply in order to get an A+ score from Qualys SSL Labs. These should be applied in the server {} section of your Nginx config file for your domain (same area as the certificate settings above).
Use only Transport Layer Security
Listing the protocols explicitly disables SSLv2 and SSLv3. TLS 1.0 and 1.1 have since been deprecated as well (RFC 8996), so on a current Nginx drop them from the list and keep only TLS 1.2 and later.
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Optimize the cipher suites
The DHE suites in this list only give you strong key exchange if you also generate your own Diffie-Hellman parameters (2048-bit or larger) and point ssl_dhparam at them; without that Nginx either falls back to weak built-in 1024-bit parameters or, in newer versions, leaves the DHE suites out entirely.
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK;
Enable OCSP Stapling
ssl_stapling_verify checks the OCSP response against the intermediate-plus-root file from step 3, so ssl_trusted_certificate must point at that file. The resolver is used to look up the OCSP responder named in the certificate; Google’s public resolvers work, but a local caching resolver keeps that lookup off the public network.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /srv/ssl/www.yourdomain.com.trustchain.pem;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
Enable session caching
A shared session cache lets returning clients resume a session instead of doing a full handshake. ssl_buffer_size is unrelated to caching; a smaller buffer than the 16k default reduces time to first byte.
ssl_session_cache shared:SSL:32m;
ssl_buffer_size 8k;
ssl_session_timeout 180m;
Common Problems
If Nginx encounters any issues with your certificate files you may see some errors when it restarts. One of the most common errors is a complaint about “bad end line”. This usually happens when there is a missing line break between two certificates in a concatenated file.
nginx: [emerg] PEM_read_bio_X509("/srv/ssl/www.samkear.com.certchain.crt") failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line)
To fix this error open the certificate file in the error message using a text editor like vi and look for a missing line break.
Usually you’ll see something like this, where the END line of one certificate runs straight into the BEGIN line of the next:
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
To fix this add a line break so it looks like this:
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
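The following script is an added example for this post, not the original author’s or Comodo’s code. It does the work of steps 2 and 3 (domain certificate followed by intermediates for ssl_certificate; intermediates followed by root for ssl_trusted_certificate), rejects files whose bodies are not base64 DER, and repairs the fused END/BEGIN lines described above by re-wrapping every certificate cleanly. The function names are my own, and the certificate bodies used for the offline demo are constructed placeholders (a five-byte DER SEQUENCE, not real certificates); with real files, call write_chain_files() with the paths from the steps above.

```python
"""Build the two chain files from a PositiveSSL delivery (Steps 2 and 3) and
repair the fused END/BEGIN markers that make Nginx fail with "bad end line".

Added example for this post, not the original author's or Comodo's code.
The certificate bodies used for the offline demo are constructed
placeholders (a five-byte DER SEQUENCE, not real certificates).
"""
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# One PEM certificate block. DOTALL plus a lazy body means the match still
# works when the END of one certificate runs straight into the next BEGIN.
_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)
_FUSED = re.compile(r"-----END CERTIFICATE-----[ \t]*-----BEGIN CERTIFICATE-----")


def has_fused_markers(text):
    """True if an END line runs into a BEGIN line with no newline between."""
    return _FUSED.search(text) is not None


def split_pem(text):
    """Return every certificate in text as a cleanly wrapped PEM string.

    Raises ValueError if a body is not valid base64 or does not decode to a
    DER SEQUENCE (tag 0x30), which every X.509 certificate starts with.
    """
    certs = []
    for body in _BLOCK.findall(text):
        b64 = "".join(body.split())                  # strip all whitespace
        der = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
        if not der or der[0] != 0x30:
            raise ValueError("PEM block does not decode to a DER certificate")
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        certs.append(f"{BEGIN}\n{wrapped}\n{END}\n")
    return certs


def build_chains(leaf_pem, intermediates_pem, root_pem):
    """Return (certchain, trustchain) in the order Nginx expects.

    certchain:  domain certificate first, then the intermediates
                (ssl_certificate, sent to every client).
    trustchain: intermediates, then the root (ssl_trusted_certificate,
                used only to verify the stapled OCSP response).
    """
    leaf = split_pem(leaf_pem)
    intermediates = split_pem(intermediates_pem)
    root = split_pem(root_pem)
    if len(leaf) != 1:
        raise ValueError(f"expected one domain certificate, found {len(leaf)}")
    if not intermediates or len(root) != 1:
        raise ValueError("need at least one intermediate and exactly one root")
    return "".join(leaf + intermediates), "".join(intermediates + root)


def write_chain_files(leaf_path, bundle_path, root_path, certchain_path, trustchain_path):
    """Read the three downloaded files and (over)write the two combined files."""
    with open(leaf_path) as f, open(bundle_path) as g, open(root_path) as h:
        certchain, trustchain = build_chains(f.read(), g.read(), h.read())
    # "w", not append: re-running the script must not stack duplicate chains.
    for path, data in ((certchain_path, certchain), (trustchain_path, trustchain)):
        with open(path, "w") as out:
            out.write(data)


def _placeholder_cert(n):
    """Constructed stand-in body: SEQUENCE { INTEGER n }, base64-encoded."""
    return base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, n])).decode()


# Constructed sample input. The intermediate bundle deliberately carries the
# fused "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" defect.
LEAF = f"{BEGIN}\n{_placeholder_cert(1)}\n{END}\n"
INTERMEDIATES_FUSED = f"{BEGIN}\n{_placeholder_cert(2)}\n{END}{BEGIN}\n{_placeholder_cert(3)}\n{END}\n"
ROOT = f"{BEGIN}\n{_placeholder_cert(4)}\n{END}\n"

if __name__ == "__main__":
    print("bundle fused:", has_fused_markers(INTERMEDIATES_FUSED))
    certchain, trustchain = build_chains(LEAF, INTERMEDIATES_FUSED, ROOT)
    print("certchain fused:", has_fused_markers(certchain))
    print(certchain, trustchain, sep="---\n")
```

The script checks structure and order only; it does not verify signatures, so a chain it accepts can still be wrong if you downloaded the intermediates for a different Comodo product. Run openssl verify against the root and intermediates, or the Qualys test above, to confirm the chain cryptographically.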
Closing Thoughts
The SSL certificate I purchased this time is good for 3 years. Since the process of renewing certificates is such a pain I’d recommend buying a certificate that won’t expire for a while just so you don’t have to go through this process again. (The CA/Browser Forum has since capped the lifetime of publicly trusted certificates at just over a year, so multi-year certificates are no longer sold; plan on repeating these steps, or automating them, every year.)
Browsers are also starting to display warnings when sites have a certificate that is about to expire, so there is really little advantage to buying a certificate which is only good for 1 year.
For more information on configuring Nginx with SSL I recommend checking out Bjørn Johansen’s website. He has some great guides on securing Nginx with SSL, and also some excellent tips for how to optimize SSL performance.
Thank you. Got A+, just needed to add that dhparam.pem to get the A+. Rest all are as per your details.
Thanks for sharing the guide. I was reading a forum where people are discussing installation. I am going to share your guide with them.