See how to purchase and install a production SSL certificate. Don't miss the followup video where we debug and fix some installation issues.We'll cover purchasing and install an SSL certificate.
Warning
I make a mistake here fixed in the next video "Testing and Debugging SSL Certificates"!
Log into your server. I'm using Ubuntu 12.04.4 in this video.
Let's make sure we have openssl installed:
# See that openssl is available to use
which openssl
I choose to add SSL certificates in the /etc/ssl
directory.
sudo mkdir /etc/ssl/sfh
cd /etc/ssl/sfh
Generate a private key and a CSR (certificate signing request).
# Generate a New Private Key
sudo openssl genrsa -out "/etc/ssl/sfh/sfh.key" 2048
sudo openssl req -new -key "/etc/ssl/sfh/sfh.key" -out "/etc/ssl/sfh/sfh.csr"
The CSR will ask you a number of questions, including the "common name", the domain name used in your browser. I use serversforhackers.com
without www
. I did not add a challenge password. If you use one, you'll need to enter it when restarting Apache or Nginx when all is said and done.
After we submit the CSR, we'll get confirmed and then we can (finally!) get our certificate files from wherever we purchased our SSL certificate. Upload that files to your server.
# From my local computer
scp ~/Downloads/serversforhackers_com.zip fideloper:~/
# Then from the remote server, after logged in via ssh
unzip ~/serversforhackers_com.zip
cd ~/serversforhackers_com
# List out the certificate files
ll
# Copy the certificate file into our SSL location
sudo cp serversforhackers_com.crt /etc/ssl/sfh/
The mistake made in this video, talked about in the next video about debugging SSL certificates, is to not concatenate all the SSL certificate files together. See the next video on rectifying that.
We'll next configure Nginx to use this SSL certificate:
# My config file for nginx is just named "sfh"
sudo vim /etc/nginx/sites-available/sfh
Important portions of the Nginx configuration are:
server {
server_name *.serversforhackers.com;
return 301 http://serversforhackers.com$request_uri;
}
server {
listen 80;
listen 443;
server_name serversforhackers.com;
ssl on;
ssl_certificate /etc/ssl/sfh/serversforhackers_com.crt;
ssl_certificate_key /etc/ssl/sfh/sfh.key;
# other items omitted
}
Save and quit, and run a config test:
# Test config
sudo service nginx configtest
# If ok:
sudo service nginx reload
Then we'll check out the firewall settings. I had to open the "https" port 443 for inbound connections.
# Inspect iptables
sudo iptables -L -v
# Add "https" inbound rule,
# I added it as the 6th rule in the chain
sudo iptables -I INPUT 6 -p tpc --dport 443 -j ACCEPT
Then try your https
url in the browser and see that you can reach your site over SSL!