@lin
Last active March 6, 2017 17:47
SSL

nginx ssl

1, buy a certificate from a certificate provider (e.g. ssl.com)

2, generate a csr file using openssl or this tool http://tools.ssl.com/

The openssl command is something like:

openssl req -new -newkey rsa:2048 -nodes -out www_example_com.csr -keyout www_example_com.key -subj "/C=us/ST=Pennsylvania/L=Philadelphia/O=SSL Inc./CN=www.example.com"

3, ssh to your server

ssh -i ~/.ssh/app.pem ubuntu@1.1.1.1

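4, run the command from step 2 on the server. It generates two files in ~/: www_example_com.csr (the signing request you submit) and www_example_com.key (the private key, which stays on the server)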

5, vi www_example_com.csr

6, copy the csr: the whole block from the -----BEGIN CERTIFICATE REQUEST----- line to the -----END CERTIFICATE REQUEST----- line

7, finish the process at the ssl provider's site and verify your domain name

8, download the crt file www_example_com.crt

9, upload the crt file to the server

scp -i ~/.ssh/app.pem ~/Downloads/www_example_com.crt ubuntu@1.1.1.1:~/

10, create a new directory

sudo mkdir /etc/nginx/ssl

11, move files to /etc/nginx/ssl

sudo mv ~/www_example_com.crt /etc/nginx/ssl/www_example_com.crt
sudo mv ~/www_example_com.key /etc/nginx/ssl/www_example_com.key
sudo mv ~/www_example_com.csr /etc/nginx/ssl/www_example_com.csr

12, open the nginx config file

sudo vi /etc/nginx/sites-available/default

13, add these lines to the config file

server {
  listen 443 ssl;

  ssl_certificate /etc/nginx/ssl/www_example_com.crt;
  ssl_certificate_key /etc/nginx/ssl/www_example_com.key;
  
  location @appname {
     proxy_set_header X-Forwarded-Proto https;
  }
}

14, restart nginx

sudo service nginx restart

15, update rails config

# /config/environments/production.rb
config.force_ssl = true

16, optionally, enable the ssl session cache: sudo vi /etc/nginx/nginx.conf and add these lines

http {
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  keepalive_timeout 70;
}
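
A check worth running between steps 11 and 14, as an added example that is not part of the original gist: it confirms that the key, csr and crt carry the same public key and that the key file is not readable by group or others. The function names are hypothetical, and the demo uses a constructed self-signed certificate in place of the CA-issued one.

```bash
#!/usr/bin/env bash
# Added example (not from the gist): sanity-check the files from steps 2-11.

# Print the SHA-256 of the public key inside a private key, CSR or certificate.
pubkey_digest() {  # usage: pubkey_digest key|csr|crt FILE
  local pem
  case "$1" in
    key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
    csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
    crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
    *) return 2 ;;
  esac
  printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit codes: 0 ok, 2 unreadable file, 3 public keys differ, 4 key mode too open.
check_tls_files() {  # usage: check_tls_files KEY CSR CRT
  local k c r
  k=$(pubkey_digest key "$1") || { echo "cannot read key $1" >&2; return 2; }
  c=$(pubkey_digest csr "$2") || { echo "cannot read csr $2" >&2; return 2; }
  r=$(pubkey_digest crt "$3") || { echo "cannot read crt $3" >&2; return 2; }
  if [ "$k" != "$c" ] || [ "$k" != "$r" ]; then
    echo "public key mismatch: key=$k csr=$c crt=$r" >&2; return 3
  fi
  case "$(ls -ldL "$1")" in
    -???------*) ;;   # no permission bits set for group or others
    *) echo "key permissions too open, run: chmod 600 $1" >&2; return 4 ;;
  esac
  echo "ok: key, csr and crt share public key $k"
}

# Constructed sample: key and CSR as in step 2, plus a self-signed certificate
# standing in for the CA-issued www_example_com.crt (assumption for the demo).
make_sample() {  # usage: make_sample DIR
  openssl req -new -newkey rsa:2048 -nodes -subj "/C=US/CN=www.example.com" \
    -out "$1/www_example_com.csr" -keyout "$1/www_example_com.key" 2>/dev/null &&
  openssl x509 -req -days 1 -in "$1/www_example_com.csr" \
    -signkey "$1/www_example_com.key" -out "$1/www_example_com.crt" 2>/dev/null &&
  chmod 600 "$1/www_example_com.key"
}

# Demo on constructed files in a temporary directory.
d=$(mktemp -d) && make_sample "$d" &&
  check_tls_files "$d/www_example_com.key" "$d/www_example_com.csr" "$d/www_example_com.crt"
rm -rf "$d"
```

On the server, call check_tls_files with the three paths under /etc/nginx/ssl (with sudo, since the key is root-owned), then run sudo nginx -t to validate the configuration before the restart in step 14.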