I recently discovered a pretty amazing SSL service called SSLMate that is designed for developers and built around simplicity. Because of how simple they make things, this post will be extremely short. In fact, you could just head over to their page and easily get going by yourself. Nevertheless, I will outline it here.
If you prefer "free" instead and don't mind doing extra work and navigating a confusing website, you can refer to my previous article, Setting up SSL with Nginx and Startssl.
Preparations
The only prerequisite is that you have the package “ca-certificates” installed on your server.
sudo apt-get install ca-certificates
Now we need to install SSLMate itself. Note that the repository paths differ by OS, so browse over to https://sslmate.com/help/getting_started to get the appropriate lines (the ones below are for Ubuntu 14.04).
sudo wget -P /etc/apt/sources.list.d https://sslmate.com/apt/ubuntu1404/sslmate.list
sudo wget -P /etc/apt/trusted.gpg.d https://sslmate.com/apt/ubuntu1404/sslmate.gpg
sudo apt-get update
sudo apt-get install sslmate
Obviously you need to sign up at SSLMate's website and fill in your credit card info (it is not charged until you issue the buy command).
Now, on the command line, navigate to the folder in which you wish to store the certs (I made a folder at ~/certs) and issue the buy command. Note that certs issued for hostname.com will also work for www.hostname.com.
mkdir ~/certs
cd ~/certs
sslmate buy HOSTNAME
Now we need to configure nginx to use the certificates. Typically I symlink the certs into the /etc/nginx/ssl folder (you may need to create it). The link names below are given as full paths so the links land in /etc/nginx/ssl regardless of your current directory; ~ is expanded by your shell before sudo runs, so it still points at your own home directory.
sudo mkdir /etc/nginx/ssl
sudo ln -s ~/certs/HOSTNAME.key /etc/nginx/ssl/HOSTNAME.key
sudo ln -s ~/certs/HOSTNAME.chained.crt /etc/nginx/ssl/HOSTNAME.chained.crt
You need to modify your domain's virtual host file to change the port and add the certificate information. The top lines inside the main "server" block for that domain should read like this:
listen 443 ssl;
ssl_certificate_key /etc/nginx/ssl/HOSTNAME.key;
ssl_certificate /etc/nginx/ssl/HOSTNAME.chained.crt;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
If you run an HTTPS-only site, you should consider using HTTP Strict Transport Security (HSTS). HSTS tells a browser that the website should only be accessed through a secure connection. Just add this below the certificate lines:
add_header Strict-Transport-Security max-age=31536000;
If you serve a page over HTTPS, you usually never want your content to be framed by other sites. This is controlled by the X-Frame-Options header; add this line below the previous ones:
add_header X-Frame-Options DENY;
Now, if you want to use SSLMate's recommended security settings in their entirety, make the SSL section of your server block look like this (the listen line from above stays in place):
ssl_certificate_key /etc/nginx/ssl/HOSTNAME.key;
ssl_certificate /etc/nginx/ssl/HOSTNAME.chained.crt;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/share/sslmate/dhparams/dh2048-group14.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
add_header Strict-Transport-Security max-age=15768000;
add_header X-Frame-Options DENY;
After you have saved the virtual host file (/etc/nginx/sites-available/domain) you need to restart nginx for the changes to take effect.
sudo service nginx restart
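Once nginx is back up, it is worth confirming that the key really belongs to the chained certificate, that the certificate is not about to expire, and that the HSTS and X-Frame-Options headers are actually being sent. The following shell functions are an added example (not from SSLMate or the original post); they assume openssl and curl are installed and use HOSTNAME as a placeholder.

```shell
# Post-deployment checks for the nginx/SSLMate setup above (added example).
# Assumes openssl and curl are installed; HOSTNAME is a placeholder.

# Confirm the private key nginx loads belongs to the chained certificate.
# Compares the public key derived from each; works for RSA and ECDSA keys.
verify_key_matches_cert() {
    key="$1"; crt="$2"
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Fail if the leaf certificate expires within the next 30 days (2592000 s),
# so a forgotten renewal is caught before browsers start showing errors.
cert_not_expiring_soon() {
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null 2>&1
}

# Read HTTP response headers on stdin (e.g. from "curl -sI") and require an
# HSTS max-age of at least $2 seconds (default 15768000, the value in the
# recommended config above) plus X-Frame-Options DENY. Matching is
# case-insensitive because header names and values may vary in case.
check_security_headers() {
    min_age="${1:-15768000}"
    headers=$(tr -d '\r' | tr 'A-Z' 'a-z')
    max_age=$(printf '%s\n' "$headers" \
        | sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    [ -n "$max_age" ] || return 1
    [ "$max_age" -ge "$min_age" ] || return 1
    printf '%s\n' "$headers" | grep -q '^x-frame-options: *deny' || return 1
    return 0
}

# Usage after "sudo service nginx restart" (sudo nginx -t first catches typos):
#   verify_key_matches_cert /etc/nginx/ssl/HOSTNAME.key /etc/nginx/ssl/HOSTNAME.chained.crt
#   cert_not_expiring_soon /etc/nginx/ssl/HOSTNAME.chained.crt
#   curl -sI https://HOSTNAME/ | check_security_headers
```

Each function returns 0 on success, so they can be chained with && in a cron job or deployment script.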
That should be it!