Steps to install a Comodo PositiveSSL certificate with Nginx.

Setting up a SSL Cert from Comodo

I use Namecheap.com as a registrar, and they resell SSL certs from a number of other companies, including Comodo.

These are the steps I went through to set up an SSL cert.

Purchase the cert

Prior to purchasing a cert, you need to generate a private key and a CSR file (Certificate Signing Request). You'll be asked for the content of the CSR file when ordering the certificate.

openssl req -new -newkey rsa:2048 -nodes -keyout example_com.key -out example_com.csr

This gives you two files:

  • example_com.key -- your private key. You'll need this later to configure nginx.
  • example_com.csr -- your CSR file.

Now, purchase the certificate [1], follow the steps on their site, and you should soon get an email with your PositiveSSL Certificate. It contains a zip file with the following:

  • Root CA Certificate - AddTrustExternalCARoot.crt
  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  • Your PositiveSSL Certificate - www_example_com.crt (or the subdomain you gave them)

Install the Comodo SSL cert

Combine everything for nginx [2]:

  1. Combine the above crt files into a bundle (the order matters here):

    cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > ssl-bundle.crt

  2. Store the bundle wherever nginx expects to find it:

    mkdir -p /etc/nginx/ssl/example_com/
    mv ssl-bundle.crt /etc/nginx/ssl/example_com/
    
  3. Ensure your private key is somewhere nginx can read it, as well:

    mv example_com.key /etc/nginx/ssl/example_com/
    
  4. If you omit COMODORSAAddTrustCA.crt from the bundle you'll get rid of the anchor error, but will get an "extra download" warning.

If you want OCSP stapling enabled on your server (and you do!), the full certificate chain needs to be available to the server. To work around the problem described above, nginx has another directive that makes a certificate known to the server but not sent to the client: ssl_trusted_certificate.

cat AddTrustExternalCARoot.crt > trusted.crt

The final config should contain these lines:

ssl_protocols                           TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                             ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers               on;
ssl_stapling                            on;
ssl_stapling_verify                     on;

ssl_dhparam                             "/etc/nginx/certs/dhparam.pem";
ssl_certificate                         "/etc/nginx/certs/ssl-bundle.crt";
ssl_trusted_certificate                 "/etc/nginx/certs/trusted.crt";
ssl_certificate_key                     "/etc/ssl/private/example.com.key";

ssl_session_cache                       shared:SSL:10m;
ssl_session_timeout                     10m;

  1. Reload nginx.

[1] I purchased mine through Namecheap.com.
[2] Based on these instructions: http://goo.gl/4zJc8

  1. Alternatively, you can use https://github.com/spatie/ssl-certificate-chain-resolver to build the chain.
  2. Check the result with https://github.com/ssllabs/ssllabs-scan
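Because the bundle order in step 1 matters, here is an added check, not part of the gist, that verifies a PEM bundle is ordered server certificate first with each following certificate being the issuer of the one before it. It generates a constructed throwaway root/intermediate/leaf chain with openssl so it runs offline; the cert_name, check_bundle_order and make_toy_chain names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the gist: verify that a PEM bundle meant for
# ssl_certificate is ordered the way nginx needs it (server cert first, then
# each certificate that issued the one before it), using a toy chain.
set -eu

# Subject or issuer of a certificate in RFC 2253 form, with the
# "subject="/"issuer=" prefix removed so the two compare as plain strings.
cert_name() {  # cert_name subject|issuer FILE
  openssl x509 -noout -"$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# check_bundle_order BUNDLE: succeed if certificate i was issued by
# certificate i+1 for every i; report the first mismatch and fail otherwise.
check_bundle_order() {
  cb_dir=$(mktemp -d)
  # Split the bundle into part1.pem, part2.pem, ... in file order.
  awk -v out="$cb_dir/part" '/BEGIN CERTIFICATE/{n++} {print > (out n ".pem")}' "$1"
  cb_n=$(grep -c 'BEGIN CERTIFICATE' "$1")
  cb_i=1
  while [ "$cb_i" -lt "$cb_n" ]; do
    cb_iss=$(cert_name issuer "$cb_dir/part$cb_i.pem")
    cb_sub=$(cert_name subject "$cb_dir/part$((cb_i + 1)).pem")
    if [ "$cb_iss" != "$cb_sub" ]; then
      echo "order error: cert $cb_i is issued by '$cb_iss' but cert $((cb_i + 1)) is '$cb_sub'" >&2
      rm -rf "$cb_dir"; return 1
    fi
    cb_i=$((cb_i + 1))
  done
  rm -rf "$cb_dir"
}

# make_toy_chain DIR: constructed stand-ins for www_example_com.crt and the
# Comodo intermediate/root (prime256v1 keys, valid for one day).
make_toy_chain() {
  mt_gen="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
  openssl req -x509 -new $mt_gen -subj "/CN=Toy Root CA" -days 1 \
    -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
  openssl req -new $mt_gen -subj "/CN=Toy Intermediate CA" \
    -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/int.csr" -CA "$1/root.crt" \
    -CAkey "$1/root.key" -CAcreateserial -out "$1/int.crt" 2>/dev/null
  openssl req -new $mt_gen -subj "/CN=www.example.com" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/leaf.csr" -CA "$1/int.crt" \
    -CAkey "$1/int.key" -CAcreateserial -out "$1/leaf.crt" 2>/dev/null
}
# Usage: sh check_bundle.sh /etc/nginx/ssl/example_com/ssl-bundle.crt
if [ "$#" -eq 1 ]; then check_bundle_order "$1" && echo "bundle order OK: $1"; fi
```

Against a running server, `openssl s_client -connect www.example.com:443 -servername www.example.com -status` shows whether a stapled OCSP response is returned, which is how to confirm that ssl_stapling took effect after the reload.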