English
Frequently Asked Questions

Install the certificate on the Nginx server

Updated Time:2022-03-09  Views:32010

You can install an issued SSL certificate onto the Nginx server. This article describes how to download an SSL certificate and install it on the Nginx server.
Preconditions
The certificate issuance has been completed through the SSL certificate service. For more information, see Submitting Certificate Requests.
Remote login tools (eg PuTTY, Xshell) are ready to log in to your web server.
Imprint
This article takes CentOS 8 operating system and Nginx 1.14.1 server system as examples to illustrate. Depending on the server system version, the commands you use during the operation may be slightly different.
Step 1: Download the certificate to the local
1. Log in to the management center of this site;
2. Select "SSL Certificate > Certificate Management > Enter the SSL Certificate Management page
3. In the certificate download panel, locate the Nginx server, and click Download under the Action column.
This operation will download the compressed package of the Nginx server certificate to the local and save it in the default download location of the browser.
4. Open the default download location of the browser and unzip the downloaded Nginx certificate zip file.
After unzipping you will get the following files:

Notice:
Where the certificate file name appears in this document, cert-file-name is used as an example for description. For example, the certificate file used in this article is cert-file-name.pem, and the certificate private key file is cert-file-name.key. In practice, you must replace the cert-file-name in the sample code with the real certificate file name.
* Certificate file in PEM format.
The certificate file in PEM format is a text file encoded in Base64. You can modify the certificate file to other formats as required.
* The certificate private key file in KEY format.
Notice:
If you set the CSR generation method to be filled in manually when applying for a certificate, the downloaded certificate file will not contain a KEY file, and you need to manually create a certificate private key file.

Step 2: Install the certificate on the Nginx server
The specific operations for installing certificates on Nginx independent servers and Nginx virtual hosts are different. Please select the corresponding installation steps according to your actual environment.
Follow the steps below to install the certificate on the Nginx standalone server:
1. Log in to the Nginx server.
For example, you can use remote login tools (eg PuTTY, Xshell) to log in to the server.
2. Execute the following command to create a directory for storing certificates in the Nginx installation directory (default is /usr/local/nginx/conf) and name it cert.
cd /usr/local/nginx/conf #Enter the default installation directory of Nginx. If you have modified the default installation directory, please adjust it according to the actual configuration. mkdir cert #Create a certificate directory named cert.
3. Use the local file upload function attached to the remote login tool (for example, PuTTY, Xshell) to upload the local certificate file and private key file to the certificate directory of the Nginx server (/usr/local/nginx/conf/cert in the example) .
Notice 
If you set the CSR generation method to be filled in manually when applying for a certificate, upload the manually created certificate private key file to the /usr/local/nginx/conf/cert directory.
4. Edit the Nginx configuration file (nginx.conf) and modify the configuration content related to the certificate.
* Execute the following command to open the configuration file.
Notice
nginx.conf is saved in the /usr/local/nginx/conf directory by default. If you have modified the location of nginx.conf, please replace /usr/local/nginx/conf/nginx.conf with the modified location.
vim /usr/local/nginx/conf/nginx.conf
* Press i key to enter edit mode.
* Locate the HTTP protocol code fragment (http{}) in the configuration file, and add the following server configuration in the HTTP protocol code (if the server configuration already exists, modify the corresponding configuration according to the following comments).
Before using the sample code, please replace the following:
①. yourdomain.com: Replace with the domain name bound to the certificate.
If you purchased a single domain name certificate, you need to change it to a single domain name (such as www.domain.com); if you purchased a wildcard domain name certificate, you need to change it to a wildcard domain name (such as *.domain.com).
②. cert-file-name.pem: Replace with the name of the certificate file you uploaded in step 3.
③. cert-file-name.key: Replace with the name of the certificate private key file you uploaded in step 3.
#In the following properties, the properties starting with ssl are related to certificate configuration. server { listen 443 ssl; #Configure the default access port of HTTPS to 443. #If the default access port of HTTPS is not configured here, it may cause Nginx to fail to start. #If you use Nginx 1.15.0 and above, please use listen 443 ssl instead of listen 443 and ssl on. server_name yourdomain.com; #You need to replace yourdomain.com with the domain name bound to the certificate. root html; index index.html index.htm; ssl_certificate cert/cert-file-name.pem; #You need to replace cert-file-name.pem with the name of the uploaded certificate file. ssl_certificate_key cert/cert-file-name.key; #You need to replace cert-file-name.key with the name of the uploaded certificate private key file. ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #Indicates the type of cipher suite used. ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; #Indicates the type of TLS protocol used. ssl_prefer_server_ciphers on; location / { root html; #site directory. index index.html index.htm; } }
④. Optional: Set HTTP requests to automatically jump to HTTPS.
If you want all HTTP access to be automatically redirected to HTTPS pages, you can add the following rewrite statement under the HTTP site to be redirected.
Before using the sample code, please replace yourdomain.com with the domain name bound to the certificate.
server { listen 80; server_name yourdomain.com; #You need to replace yourdomain.com with the domain name bound to the certificate. rewrite ^(.*)$ https://$host$1; #Redirect all HTTP requests to HTTPS through the rewrite directive. location / { index index.html index.htm; } }
⑤. After the modification is completed, press the Esc key and enter: wq! and press Enter, and exit edit mode.

5. Execute the following command to restart the Nginx service.
cd /usr/local/nginx/sbin #Enter the executable directory of the Nginx service. ./nginx -s reload #Reload the configuration file.
If you receive an error when restarting the Nginx service, you can use the following methods to troubleshoot:
* Receive the "ssl" parameter requires ngx_http_ssl_module error: you need to recompile Nginx and add the --with-http_ssl_module configuration when compiling and installing.
* Received "/cert/3970497_pic.certificatestests.com.pem":BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/cert/3970497_pic.certificatestests.com. pem','r') error:2006D080:BIO routines:BIO_new_file:no such file) error: You need to remove the / at the front of the certificate relative path. For example, you need to remove the leading / from /cert/cert-file-name.pem and use the correct relative path cert/cert-file-name.pem.

Follow the steps below to install the certificate on the Nginx virtual host:
1. Log in to your virtual machine.
2. Create a cert directory in the Web directory, and copy the downloaded certificate file and private key file to the cert directory.
3. Open the virtual host configuration file and copy and paste the following content to the end of the file.
illustrate 
The virtual host configuration files of different server systems are different. For example, the Nginx server defaults to *.conf, and the Apache server defaults to vhosts.conf. For the specific path of the virtual host configuration file, please refer to the introduction on the method of enabling virtual host in the server manual. ,
server { listen 80; server_name localhost; location / { index index.html index.htm; } } server { listen 443 ssl; server_name localhost; root html; index index.html index.htm; ssl_certificate cert/cert-file-name. pem; #You need to replace cert-file-name.pem with the name of the uploaded certificate file. ssl_certificate_key cert/cert-file-name.key; #You need to replace cert-file-name.key with the name of the uploaded certificate private key file. ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on ; location / { index index.html index.htm; } }
4. Save the vhost.conf or *.conf file and exit.
5. Optional: Set HTTP requests to automatically jump to HTTPS.
If you want all HTTP accesses to automatically redirect to HTTPS pages, you can open the .htaccess file in the Web directory (if not, create a new file) and add the following rewrite statement.
RewriteEngine On RewriteCond %{HTTP:From-Https}!^on$ [NC] RewriteCond %{HTTP_HOST} ^(www.)?yourdomain.com$ [NC] #You need to replace yourdomain.com with the domain name bound to the certificate. RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R=301,L] #You need to replace yourdomain.com with the domain name bound to the certificate.
6. Restart the virtual host.
Notice 
After the certificate is successfully installed, you need to configure pseudo-static rules on the virtual host, so that your website can support HTTPS all over the site. Otherwise, only the homepage of the website supports HTTPS, and the subdirectories of the website will not support HTTPS.