Run the following over SSH to generate the private key. Change into the directory where you want the key, CSR and certificates to live before running the commands, so that everything stays in one easy-to-remember place that you can reference from the NGINX config file later.
sudo openssl genrsa -des3 -out www.mydomain.com.key 2048
Please note: if you do not wish to use a pass phrase, leave out the -des3 option. Without it the private key is stored unencrypted on disk, so keep it readable by root only (chmod 600). With it, NGINX will prompt for the pass phrase every time it starts or reloads unless you point the ssl_password_file directive at a file containing it.
Next, generate the CSR (certificate signing request) from that key:
sudo openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr
You will be asked for the following fields; the answers are embedded in the certificate, so they are visible to anyone who inspects it.
Please note: the following characters are not accepted: < > ~ ! @ # $ % ^ / ( ) ? . , &
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:London
Locality Name (eg, city) []:London
Organization Name (eg, company) [GX Networks Ltd]:Dream Sites Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:www.domain.net (must be the FQDN, the fully qualified domain name, exactly as visitors will type it)
Use the exact hostname the site is reached on, www included if that is how visitors arrive: the browser compares the hostname in the address bar against the name in the certificate, and if you get it wrong here the certificate is issued for the wrong name and you may need to buy another one.
Important: leave the following blank by pressing Enter. The challenge password does not protect the key or the CSR; it is a legacy attribute and some providers will not accept a CSR that contains it.
Email Address []:
A challenge password []:
An optional company name []:
Now copy and paste the contents of the .csr file (the whole block, including the BEGIN and END CERTIFICATE REQUEST lines) into the certificate provider's website to begin the verification process. Only the CSR is sent; the .key file stays on the server and is never shared.
Once the certificate provider has completed verification of the domain, they will supply you with two files: a .crt (your server certificate) and a .ca-bundle (the intermediate chain).
You will need to concatenate the two files into a single bundle.crt file as below. The order matters: the server certificate goes first and the chain after it, because NGINX presents the first certificate in the file as the server certificate. (sudo is not needed here; the redirection is performed by your own shell, so run the command as the user who owns the directory.)
cat website_co_uk.crt website_co_uk.ca-bundle > website_co_uk-ssl-bundle.crt
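The whole procedure so far, from key generation through to the concatenated bundle, as an added example that is not part of the original post. It generates the key and CSR without the interactive prompts and then runs the checks you would want before pointing NGINX at the files: that the CSR carries the right Common Name, that the private key belongs to the certificate, that the bundle starts with the server certificate, and that the chain validates it. Because no certificate provider can be contacted offline, a throwaway "stand-in CA" signs the CSR in place of the provider; with a real provider you skip that function and use the .crt and .ca-bundle it sends back. The hostname, the DN fields and the temporary working directory are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the original post): generate the key and CSR
# without the interactive prompts, then check the CSR and the concatenated
# bundle the way you would before pointing NGINX at them. The "stand-in CA"
# below replaces what the certificate provider does, so that the bundle
# checks can run offline; hostname and directory are assumptions.
set -eu

FQDN=www.mydomain.com
WORK=$(mktemp -d)          # stand-in for your real certificate directory

make_key_and_csr() {       # $1 = hostname, $2 = directory
    # No -des3: an encrypted key makes NGINX prompt for the pass phrase on
    # every start and reload unless ssl_password_file is configured.
    openssl genrsa -out "$2/$1.key" 2048 2>/dev/null
    chmod 600 "$2/$1.key"
    # prompt = no takes the DN fields from this file instead of asking;
    # the subjectAltName is what browsers actually check, not the CN.
    cat > "$2/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C  = GB
ST = London
L  = London
O  = Dream Sites Ltd
OU = IT
CN = $1
[ext]
subjectAltName = DNS:$1
EOF
    openssl req -new -key "$2/$1.key" -out "$2/$1.csr" -config "$2/$1.cnf"
}

# Common Name of a CSR, read back the way the provider will see it.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Stand-in for the certificate provider: a throwaway CA signs the CSR and
# copies the SAN from the request. With a real provider you skip this and
# use the .crt and .ca-bundle it sends back.
sign_with_test_ca() {      # $1 = hostname, $2 = directory
    cat > "$2/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Stand-in Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 -config "$2/ca.cnf" \
        -keyout "$2/ca.key" -out "$2/ca.crt" 2>/dev/null
    openssl x509 -req -in "$2/$1.csr" -CA "$2/ca.crt" -CAkey "$2/ca.key" \
        -CAcreateserial -days 30 -extfile "$2/$1.cnf" -extensions ext \
        -out "$2/$1.crt" 2>/dev/null
}

# Order matters: server certificate first, then the chain (.ca-bundle).
build_bundle() {           # $1 = hostname, $2 = directory
    cat "$2/$1.crt" "$2/ca.crt" > "$2/$1-ssl-bundle.crt"
}

# Does the private key belong to the certificate? Compare the RSA moduli.
key_matches_cert() {       # $1 = key file, $2 = certificate or bundle
    [ "$(openssl rsa -in "$1" -noout -modulus)" = \
      "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# openssl x509 reads only the first PEM block, so this is the certificate
# NGINX will present as the server certificate.
bundle_first_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Does the chain validate the server certificate?
chain_ok() {               # $1 = server certificate, $2 = CA chain file
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_key_and_csr "$FQDN" "$WORK"
echo "CSR Common Name: $(csr_cn "$WORK/$FQDN.csr")"
sign_with_test_ca "$FQDN" "$WORK"
build_bundle "$FQDN" "$WORK"
echo "first certificate in bundle: $(bundle_first_cn "$WORK/$FQDN-ssl-bundle.crt")"
key_matches_cert "$WORK/$FQDN.key" "$WORK/$FQDN-ssl-bundle.crt" && echo "key matches certificate"
chain_ok "$WORK/$FQDN.crt" "$WORK/ca.crt" && echo "chain verifies"
echo "files are in $WORK"
```

If the provider's bundle is concatenated in the wrong order, bundle_first_cn prints the intermediate's name instead of your hostname, which is exactly the mistake browsers report as an untrusted or mismatched certificate; key_matches_cert catches the other common slip, pairing the certificate with a key regenerated after the CSR was submitted.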
Then tell the NGINX server block where the bundle and key are and enable TLS on the 443 listeners. Here is a sample file (please note we are using port 8080 for plain HTTP because Varnish sits in front on port 80; use port 80 otherwise). The original ssl on; line has been dropped: it is deprecated, and because it applies to every listen in the block it would turn the 8080 listeners into TLS listeners too, breaking the Varnish backend. The ssl parameter on the 443 listen lines is all that is needed.
server {
    # plain HTTP from Varnish; use 80 if you have no Varnish
    listen 8080;
    listen [::]:8080;
    # TLS; the ssl parameter here replaces the obsolete "ssl on;" directive
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name website.co.uk;

    ssl_certificate /home/ssl-certs/website/website_co_uk-ssl-bundle.crt;
    ssl_certificate_key /home/ssl-certs/website/website_co_uk.key;
    # TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1; drop it on older builds
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    error_log /home/errorlogs/website/errors.log;
    root /var/www/html/website.co.uk/;
    index index.php;
    # nginx listens on 8080, but visitors must never be redirected to :8080
    port_in_redirect off;

    location / {
        try_files $uri $uri/ =404;
        # requests that arrived as plain HTTP (via Varnish) are sent to HTTPS;
        # "return" is the one directive that is safe inside an "if" in a location
        if ($scheme = http) {
            return 301 https://$host$request_uri;
        }
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.1-fpm.sock;
    }
}
Now test that the NGINX configuration is valid (this also confirms NGINX can read the bundle and key at the paths given):
sudo nginx -t
If this is a new server block, enable it by linking it into sites-enabled:
sudo ln -s /etc/nginx/sites-available/website.conf /etc/nginx/sites-enabled/
Finally, reload NGINX to make the changes take effect:
sudo service nginx reload
If you refresh your browser, you should see the page load over https.
If the certificate provider validates the domain over HTTP, it will ask you to serve a file it names under /.well-known/pki-validation/ on the plain http:// site. Add a location for that directory to the same server block (before the reload above) and place the provider's file in it. Aliasing the directory rather than a single file is what nginx expects (alias in a regular-expression location needs captures) and keeps the block valid when the certificate is re-issued with a new file name; because the HTTPS redirect lives inside location /, requests for this path are not redirected and the provider can fetch the file before the certificate exists.
    location ^~ /.well-known/ {
        alias /var/www/.well-known/;
    }
With the example file saved as /var/www/.well-known/pki-validation/2C91A832698C9BD543534fdg43E2BFFC4706E80.txt, a request for http://website.co.uk/.well-known/pki-validation/2C91A832698C9BD543534fdg43E2BFFC4706E80.txt returns it.