How to add SSL to Nginx

If you've followed our getting started guides, set up LEMP, and added your DNS records, you may have noticed one major issue. Anybody who visits your site will be doing so over plain HTTP, and will therefore see a security warning in their browser.

It's important that you don't ignore this security warning and that you add SSL to your Nginx server. SSL helps to keep your customers' sensitive information safe via encryption, and it's also a ranking factor – good luck getting to the first page of Google when your server isn't considered safe.

Thankfully, Nginx SSL setup isn't very complex. In fact, it only takes a minute or so. Before we start, however, you should know that there are three routes to set up SSL on Nginx.

The first is through the SSL certificate bundle provided by a certificate authority (CA). These usually come from your domain registrar, and in many cases you'll have to pay extra for the privilege. You'll either have been sent it by email or be able to download it from your account dashboard.

The second route is through Let's Encrypt's free SSL/TLS certificate offering. Let's Encrypt is a free, non-profit certificate authority. The relevant part for us, however, is the Electronic Frontier Foundation's Certbot tool, which provides a quick and convenient way to generate and install an SSL certificate on your Nginx server.

Last but not least, you can use the new SSL tool bundled with BitLaunch's one-click LEMP stack install for an even easier setup.

We'll of course show you all three routes today.

Prerequisites

Before we start, at a minimum you'll need:

  1. A VPS server with LEMP installed (you can use BitLaunch's one-click app for a fast setup)
  2. A domain with an A record pointing to your server IP
  3. An nginx server block/virtual host for your domain

You will need these things regardless of whether you'll be using Certbot or a certificate bundle to configure SSL on Nginx.

How to install an SSL certificate on Nginx via a CA Bundle

Your SSL certificate was probably provided to you as a .zip file. Usually, this file contains a server certificate, a root certificate, and an intermediate certificate. We won't go into what each does here, but suffice it to say that you'll want to combine them all into a single .crt file.

Step 1 – Combine your certificates into a single file

If you haven't yet uploaded the certificates to your server, one way to combine them is to manually copy and paste all of their contents into a single file in a text editor such as Notepad. The order matters: paste your server certificate first, then the intermediate certificate, then the root certificate. You can then save the new file as combined-ssl.crt or something along those lines.

The other option is to use cat to combine them in Linux. The command will vary slightly depending on whether each of your certificates is a separate file or if your intermediate certificates are already in a single ca-bundle file.

If they're all separate, your command should look something like this:

cat your_domain_name.crt intermediate_certificate.crt root_certificate.crt > bundle.crt

Obviously, you should replace the names of the .crt files with those of your actual certificates. Note that > writes a fresh bundle.crt each time, so re-running the command won't leave you with duplicated certificates in the file.

If your intermediate certificates are bundled, it's even easier:

cat your_domain_name.crt your_domain.ca-bundle > bundle.crt

That's all there is to it. Your certificate bundle is ready to use. You can upload it to /etc/ssl/ on your server with SFTP or another tool. You'll want to add your private key to this folder, too. Since the private key must stay secret, make sure it is readable only by root (for example with chmod 600) and is never copied into the bundle file or anywhere under your web root.

Step 2 – Perform your Nginx SSL configuration

You will already have edited the .conf file for your server block, so you should know where it is. If you don't, check your /etc/nginx/sites-available folder. Once you find it, edit it with:

sudo nano your_config_file_name.conf

There are a few changes you'll now want to make in the server { ... } section:

  • Find the listen line and make sure it says listen 443;
  • Add or uncomment ssl on; if it's not there already. Note that ssl on; has been deprecated since Nginx 1.15.0 in favour of listen 443 ssl;, and newer releases reject it, so on a current Nginx use listen 443 ssl; and leave the ssl on; line out.
  • Add the path to your certificate with ssl_certificate /etc/ssl/bundle.crt;
  • Add the path to your SSL key: ssl_certificate_key /etc/ssl/your_domain_name.key;

Once these are done, your config should look something like this:

server {
    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/bundle.crt;
    ssl_certificate_key /etc/ssl/your_domain_name.key;
    root /var/www/your_domain_name;
    server_name your_domain_name.com;
}

Save the file with Ctrl + O and press Ctrl + X to exit.

You should then check that your config has no errors with sudo nginx -t. If no errors come back, restart Nginx using:

sudo systemctl restart nginx

This will apply the Nginx SSL config changes.
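As an added check that is not part of the original tutorial, the following Python script parses a flat server block like the one above and flags the settings most likely to fail nginx -t on a current Nginx: a listen 443 line without the ssl parameter, the deprecated ssl on; directive, and a missing ssl_certificate or ssl_certificate_key path. The embedded sample is the tutorial's own config, included as a constructed string.

```python
import re

# Constructed sample: the server block from the tutorial above, using the
# older `ssl on;` form rather than `listen 443 ssl;`.
SAMPLE_CONF = """
server {
    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/bundle.crt;
    ssl_certificate_key /etc/ssl/your_domain_name.key;
    root /var/www/your_domain_name;
    server_name your_domain_name.com;
}
"""


def parse_directives(conf):
    """Return [(name, args)] for the simple directives in a flat server block."""
    body = re.search(r"server\s*\{(.*)\}", conf, re.S)
    directives = []
    for stmt in body.group(1).split(";"):
        parts = stmt.split()
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives


def check_ssl_block(conf):
    """Return a list of findings; an empty list means the block looks right."""
    directives = parse_directives(conf)
    names = {name for name, _ in directives}
    findings = []
    # listen 443 must exist and, on current Nginx, carry the ssl parameter.
    https = [args for name, args in directives
             if name == "listen" and args and args[0].rsplit(":", 1)[-1] == "443"]
    if not https:
        findings.append("no listen directive for port 443")
    elif not all("ssl" in args for args in https):
        findings.append("listen 443 without the ssl parameter")
    # `ssl on;` was deprecated in Nginx 1.15.0 and newer releases reject it.
    if "ssl" in names:
        findings.append("'ssl on;' is deprecated; use 'listen 443 ssl;' instead")
    for required in ("ssl_certificate", "ssl_certificate_key"):
        if required not in names:
            findings.append(f"missing {required}")
    return findings


if __name__ == "__main__":
    print("\n".join(check_ssl_block(SAMPLE_CONF)) or "OK")
```

Run against the tutorial's block it reports the two modernisation points; with listen 443 ssl; and no ssl on; line it reports nothing.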

Step 3 – Check that SSL is working

SSL should now be enabled for your domain. You can verify this by going to https://yourdomainname.com in your local browser and checking for the padlock symbol in the address bar.

How to install a free SSL certificate on nginx with Certbot

If you don't have an SSL certificate as part of your domain name package, you can use Certbot to quickly install one on your Nginx server.

Step 1 – Install snap

The first step is to install snapd so we can use that to install Certbot. On Ubuntu, you can do so with:

sudo apt install snapd

If you're on another distribution, you should be able to use its package manager instead (yum on CentOS, etc.).

Make sure you have the latest snapd version:

sudo snap install core; sudo snap refresh core

Step 2 – Install Certbot

We can install Certbot now with the following command:

sudo snap install --classic certbot

For the final step of the installation, create a symlink so that the certbot command can be run from anywhere:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Step 3 – Create and install your SSL certificate

From here, we can run a single command to create our certificate and edit the Nginx config to serve it automatically:

sudo certbot --nginx -d yourdomainname.info -d www.yourdomainname.info

That's it. Visit your domain in your local browser to check whether SSL is enabled. You can optionally do a dry run of Certbot's automatic certificate renewal to make sure it works:

sudo certbot renew --dry-run

How to Install SSL via BitLaunch's LEMP with SSL app

If you're a BitLaunch user, the most streamlined way to set up nginx with SSL is to use our one-click LEMP install tool when you create your server. It should look something like this:

After your server has been created, point an A record at your server's IP address in your domain's DNS settings and, once the change has propagated, run the following command:

install-ssl

Type your domain name when prompted and press Enter.

The SSL tool will take a few seconds to verify that your domain's DNS records are pointing to your server before performing all the configuration for you. You'll then see the following success message:

 Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yourdomainname.info/fullchain.pem

As you can see, BitLaunch's SSL tool still uses the widely praised Let's Encrypt certificates and the Certbot tool, but simplifies the process even further.

You can visit your domain in your browser to verify that everything is working as it should.