Namecheap SSL and Nginx
07/29/2014, Tue
Namecheap PositiveSSL
This post explains how to set up your nginx-powered site to use Namecheap's Comodo PositiveSSL certificate.
Navigate to a safe location where your nginx.conf file is able to reference the to-be-generated SSL key.
Generate your site's key in the safe location:
# SSL Certificates
openssl req -nodes -newkey rsa:2048 -keyout mydomain_com.key -out mydomain_com.csr
You will be prompted to enter some information. Do make sure to fill out this important information.
Country: mycountry
State: mystate
Email: myemail@myemailprovider.com
Common Name: mydomain_com
Organisation: mycompanyname
Skip entering a 'challenge password', as it does not add to security.
Log in to your Namecheap account.
Navigate to 'Manage Domains' and select your domain that will require the SSL certificate.
Ensure that the Namecheap DNS servers are used; otherwise your choice of forwarding email address cannot be used to verify the confirmation email. You can tell that you are using another DNS if you see 'Transfer DNS back' on the left sidebar (select that option if you see it).
Now for the SSL configuration
For the server, choose 'apache2' and then enter the contents of your 'mydomain_com.csr' into the textarea.
On the second page, a confirmation email is required to confirm an SSL issuance.
Do this by setting up a forwarding email address that you can access.
Navigate to 'Email Forwarding Setup' and change 'USER NAME' to 'admin'
UserName: admin
ForwardedTo: myemail@myemailprovider.com
As for the forward email, try not to use a Gmail account, as I found out that there were some problems receiving emails.
Fill in the 'administrator' account information if not complete.
Receiving Confirmation Email
A Comodo security services email will be delivered shortly to your 'ForwardedTo' email account. Once you receive it, confirm via the link using the validation code that was sent in that email.
The zip file containing your certificates will go to your 'administrator' account, the account that you signed up to Namecheap with. Note that the 'ForwardedTo' address may not be the same as your 'administrator' account email, if you configured it that way.
Unzip Certificates
Unzip the file to a temp directory and combine the three files into one. The order is important.
# Combine Certificates
cat MyDomain_com.crt COMODORSADomainValidationSecureServerCA.crt \
    COMODORSAAddTrustCA.crt > comodo-certs.combined
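A pre-flight check for the two files nginx will load, as an added example that is not part of the original post: it confirms that the first certificate in the combined file belongs to the private key and that each certificate names the one after it as its issuer. The helper name check_bundle is hypothetical; it compares public keys and names only and does not verify signatures.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage: sh check_bundle.sh mydomain_com.key comodo-certs.combined
# check_bundle is a hypothetical helper; it needs only openssl and awk.

check_bundle() {
    key=$1
    bundle=$2
    tmp=$(mktemp -d) || return 2

    # Split the combined file into one PEM file per certificate, in file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (dir "/" n ".pem") }
    ' "$bundle"
    count=$(ls "$tmp" | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $bundle" >&2
        rm -rf "$tmp"; return 1
    fi

    status=0
    # 1. The first certificate must carry the public key of the private key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$tmp/1.pem" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "first certificate does not match $key" >&2
        status=1
    fi

    # 2. Each certificate must name the certificate after it as its issuer.
    i=1
    while [ "$i" -lt "$count" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer_hash)
        subject=$(openssl x509 -in "$tmp/$next.pem" -noout -subject_hash)
        if [ "$issuer" != "$subject" ]; then
            echo "certificate $i is not issued by certificate $next" >&2
            status=1
        fi
        i=$next
    done

    rm -rf "$tmp"
    return "$status"
}

if [ "$#" -eq 2 ]; then check_bundle "$1" "$2"; fi
```

A non-zero exit status means nginx would either refuse the key or serve a chain that clients cannot follow.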
Setup Nginx
Copy or move the 'comodo-certs.combined' file to the same folder as your 'mydomain_com.key' file.
Add or modify the following in your nginx.conf file:
server {
    # Redirect all plain-HTTP requests to HTTPS
    listen 80;
    server_name .my_domain.com;
    rewrite ^ https://$host$request_uri permanent;
}
server {
    # 'listen ... ssl' replaces the deprecated 'ssl on;' directive
    listen 443 ssl;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 is enabled
    ssl_protocols TLSv1.2;
    # RC4 suites are left out (prohibited by RFC 7465)
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4';
    ssl_prefer_server_ciphers on;
    # Combined file: site certificate first, then the CA certificates
    ssl_certificate /path/where/nginx/references/comodo-certs.combined;
    ssl_certificate_key /path/where/nginx/references/mydomain_com.key;
}
The first server block will redirect all variants of non-secured versions of your site to the secured version.
All the following
www.my_domain.com
my_domain.com
http://my_domain.com
http://www.my_domain.com
will be redirected to
https://www.my_domain.com
Now test the changes made to nginx:
# Test First
sudo service nginx configtest
Finally, start or restart your nginx server to apply the changes.
# Now for Liftoff
sudo service nginx reload