How to Install a Comodo Positive SSL Certificate on Nginx

Earlier this week Namecheap sent me a reminder that it was time to renew the SSL certificate for my website.  Honestly I’m not sure why they use the term “renew” when essentially you have to go through the entire process over again, which can be a huge pain.

Namecheap offers PositiveSSL certificates from Comodo for $9/year, which is incredibly cheap, but the Comodo certificates can be a bit difficult to work with.

Recently they stopped sending the intermediate and root certificates via email, making things a lot harder than they needed to be.

I decided to document the process of installing the Comodo PositiveSSL certificate for Nginx web servers to save you the hassle I had to go through.

Namecheap SSL Renewal


Step 1:  Upload the certificates to your server

After purchasing the certificate and completing the verification process, you will receive a copy of the PositiveSSL certificate via email.  In my case the file was called www_samkear_com.crt.

In addition to this file you will also need two additional files, the intermediate certificate bundle and the root certificate, both of which can be downloaded directly from comodo.com using the links below.

At this point you should have 3 certificate files, the domain certificate, the intermediate certificate bundle, and the root certificate.  Upload all three of these certificates to your web server.  Personally I like to store them in /srv/ssl.

Step 2:  Combine the domain certificate with the intermediate certificates

Next you’ll need to concatenate the domain certificate with the intermediate certificates in the chain.  Make sure to insert the name of your domain certificate in the commands below.

The order in which these certificates are joined matters, so make sure your domain certificate comes first.  The commands write a fresh output file rather than appending, so running them twice will not produce a duplicated chain.

cd /srv/ssl/
cat www_samkear_com.crt comodo-rsa-domain-validation-sha-2-intermediates.ca-bundle.crt > www.samkear.com.certchain.crt

Step 3:  Combine the intermediate certificate bundle with the root certificate

If you’re planning to use OCSP stapling (which I strongly recommend), then you’ll also want to concatenate the intermediate cert bundle with the root certificate.  Again, don’t forget to change the name of the output file here.

cat comodo-rsa-domain-validation-sha-2-intermediates.ca-bundle.crt addtrustexternalcaroot.crt > www.samkear.com.trustchain.pem

Step 4:  Update the Nginx configuration file

The Nginx configuration file for your site needs to be updated to point to the combined domain certificate and the private key.

Assuming you generated the certificate request on your web server, you should already have the private key in the same directory as the certificate request file.

Place the key in the same directory as your certificates (/srv/ssl) and reference both files in the server {} block for your site:

ssl_certificate /srv/ssl/www.samkear.com.certchain.crt;
ssl_certificate_key /srv/ssl/www.samkear.com.key;

Then point ssl_trusted_certificate to the combined intermediate and root certificate from step 3.

ssl_trusted_certificate /srv/ssl/www.samkear.com.trustchain.pem;

Step 5: Restart Nginx

In order for Nginx to start using the new certificate you must restart the process.

service nginx restart

If you don’t see any error messages then you can move on to the testing process.  If you do see some errors or warnings you’ll need to address them.  See the section below on common problems.

Testing SSL

Initially you can browse to your site in Chrome to confirm that the certificate is being presented to the browser.  If Chrome is happy with the certificate details, you should also see the green lock icon in the address bar.

Chrome SSL Lock Icon

For a much more in-depth analysis I recommend using the Qualys SSL Server Test.  Their tool will connect to your site and perform many different tests to verify the status of the SSL certificate on your site.

They will assign an overall rating based on their assessment of the server.  This utility can be very helpful for diagnosing and solving common SSL problems.

Qualys SSL Labs Report

Further SSL Tweaks for Nginx

Here are some additional SSL optimizations for Nginx you can apply in order to get an A+ score from Qualys SSL Labs.  These should be applied in the server {} section of the nginx config file for your domain (the same area as the certificate settings above).

Use only Transport Layer Security

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Optimize the cipher suites

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK;

Enable OCSP Stapling

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /srv/ssl/www.yourdomain.com.trustchain.pem;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;

Enable connection credential caching

ssl_session_cache shared:SSL:32m;
ssl_buffer_size 8k;
ssl_session_timeout 180m;

Common Problems

If Nginx encounters any issues with your certificate files, you will see errors when it restarts.  One of the most common errors is a complaint about “bad end line”.  This usually happens when a line break is missing between two certificates in a concatenated file.

nginx: [emerg] PEM_read_bio_X509("/srv/ssl/www.samkear.com.certchain.crt") failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line

To fix this error, open the certificate file named in the error message using a text editor like vi and look for the missing line break.

Usually you’ll see the end marker of one certificate and the begin marker of the next run together on a single line:

-----END CERTIFICATE----------BEGIN CERTIFICATE-----

To fix this, add a line break so the two markers sit on separate lines:

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
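The following script is an added example, not part of the original post: it performs Steps 2 and 3 in a way that avoids the “bad end line” problem described above, by adding a newline after any certificate file that lacks one, overwriting the output instead of appending, and sanity-checking the markers before handing the files to Nginx.  The file names are the ones used in this post; the SSL_DIR variable and the helper function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the Step 2 / Step 3 chain
# files so that every certificate ends with a newline, which is what prevents
# the "bad end line" error, and checks the result. Adjust names for your domain.
set -eu

SSL_DIR="${SSL_DIR:-/srv/ssl}"                      # assumed location
DOMAIN_CRT="www_samkear_com.crt"
INTERMEDIATES="comodo-rsa-domain-validation-sha-2-intermediates.ca-bundle.crt"
ROOT_CRT="addtrustexternalcaroot.crt"

# build_chain OUTPUT INPUT... : concatenate PEM files in the given order
# (domain certificate first), adding a newline after any file that lacks one.
build_chain() {
    out="$1"; shift
    : > "$out"                  # truncate, so re-running does not duplicate
    for f in "$@"; do
        cat "$f" >> "$out"
        # $(tail -c1) is empty when the last byte is a newline; otherwise add one
        if [ -n "$(tail -c1 "$f")" ]; then
            printf '\n' >> "$out"
        fi
    done
}

# check_chain FILE : every BEGIN/END marker must sit alone on its own line and
# the counts must match; a fused "END CERTIFICATE-----BEGIN" line fails here.
check_chain() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    markers=$(grep -c 'CERTIFICATE-----' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] \
        && [ "$markers" -eq $((begins + ends)) ]
}

# verify_chain LEAF TRUST_CHAIN : have openssl validate the domain certificate
# against the intermediates+root bundle, then test the nginx config.
verify_chain() {
    openssl verify -CAfile "$2" "$1"
    nginx -t
}

if [ -r "$SSL_DIR/$DOMAIN_CRT" ]; then               # only run on a real server
    cd "$SSL_DIR"
    build_chain www.samkear.com.certchain.crt "$DOMAIN_CRT" "$INTERMEDIATES"
    build_chain www.samkear.com.trustchain.pem "$INTERMEDIATES" "$ROOT_CRT"
    check_chain www.samkear.com.certchain.crt
    check_chain www.samkear.com.trustchain.pem
    verify_chain "$DOMAIN_CRT" www.samkear.com.trustchain.pem
fi
```

Run it before the restart in Step 5; if check_chain or openssl verify fails, inspect the named file for a fused marker line as shown above.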

Closing Thoughts

The SSL certificate I purchased this time is good for 3 years.  Since the process of renewing certificates is such a pain I’d recommend buying a certificate that won’t expire for a while just so you don’t have to go through this process again.

Browsers are also starting to display warnings when sites have a certificate that is about to expire so there is really little advantage to buying a certificate which is only good for 1 year.

For more information on configuring Nginx with SSL I recommend checking out Bjørn Johansen’s website.  He has some great guides on securing Nginx with SSL, and also some excellent tips for how to optimize SSL performance.

Sam Kear

Sam graduated from the University of Missouri - Kansas City with a bachelors degree in Information Technology. Currently he works as a network analyst for an algorithmic trading firm. Sam enjoys the challenge of troubleshooting complex problems and is constantly experimenting with new technologies.
