Namecheap SSL and Nginx

07/29/2014, Tue
Categories: #Server

Namecheap PositiveSSL

This post will explain the process of setting up your nginx-powered site to used Namecheap's Comodo Positivessl certificate.

Navigate to a safe location where your nginx.conf file is able to reference the to-be-generated SSL key.

Generate your site's key in the safe location

# SSL Certificates

openssl req -nodes -newkey rsa:2048 -keyout mydomain_com.key -out mydomain_com.csr

You will be prompted to enter some information. Do make sure to fill out this important information.

Country:       mycountry
State:         mystate
Email:         myemail@myemailprovider.com
Common Name:   mydomain_com
Organisation:  mycompanyname

Skip entering a 'challenge password', as it does not add to security.

Login to your Namecheap Account

Navigate to 'Manage Domains' and select your domain that will require the SSL certificate.

Ensure that the Namecheap DNS servers are used or else your choice of forwarding email address can not be used to verify the confirmation email. You can tell if you are using another DNS if you can see 'Transfer DNS back' on the left sidebar (do select that option if you see it).

Now for the SSL configuration

For the server, choose 'apache2' and then enter the contents of your 'mydomain_com.csr' into the textarea.

On the second page, the confirmation email is required to confirm a SSL issuance.

Do this by setting up the forwarding email that you can access

Navigate to 'Email Forwarding Setup' and change 'USER NAME' to 'admin'

UserName:        admin
ForwardedTo:     myemail@myemailprovider.com

As for the forward email, try to not use a gmail account as I found out that there were some problems receiving emails.

Fill in the 'administrator' account information if not complete.

Receiving Confirmation Email

A Comodo security services email will be delivered shortly to your 'ForwardedTo' email account. Once you receive that, confirm with the link by the validation code that was sent in that email.

The zip file containing your certificates will go to your 'administrator' account, the account that you sign up with namecheap. Note that the 'ForwardedTo' may not be the same as your 'administrator' account email, if you configured it that way.

Unzip Certificates

Unzip the file to a temp directory and combine the three files into one. The order is important.

# Combine Certificates

cat MyDomain_com.crt COMODORSADomainValidationSecureServerCA.crt \
    COMODORSAAddTrustCA.crt > comdo-certs.combined

Setup Nginx

Copy or move the 'comodo-certs.combined' file to the same folder as your 'mydomain_com.key' file.

Add or modify the following in your nginx.conf file

server {
  listen 80;
  server_name .my_domain.com;
  rewrite ^ https://$host$request_uri permanent;
}

server {
  listen 443;

  ssl on;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';

  ssl_prefer_server_ciphers on;

  ssl_certificate /path/where/nginx/references/comodo-certs.combined;
  ssl_certificate_key /path/where/nginx/references/mydomain_com.key;
}

The first server block will redirect all variants of non-secured versions of your site to the secured version.

All the following

www.my_domain.com
my_domain.com
http://my_domain.com
http://www.my_domain.com

will be redirected to

https://www.my_domain.com

Now to test the changes made to nginx by

# Test First

sudo service nginx configtest

Finally, start or restart your nginx server to apply the changes.

Now for Liftoff
sudo service nginx reload