How to add a GeoTrust SSL certificate to Nginx on Ubuntu

I had a bit of trouble finding the information I needed to get a certificate I purchased from GeoTrust installed on an Nginx server. The reseller I used – cheapsslsecurity.com – sent me a set of certificate files that didn’t match any of the instructions in GeoTrust’s support pages. Nginx configuration information is available on Digital Ocean’s support site. If you are running WordPress, there’s some useful information here.

I received two CA certificate files, CACertificate-1.cer and CACertificate-2.cer, as well as ServerCertificate.cer, from CheapSSL.

For Nginx, you need to concatenate the three certificate files into a single file, with the server certificate first and the CA certificates after it. From the command line, you can do that with

# cat ServerCertificate.cer CACertificate-1.cer CACertificate-2.cer > combined.cer

This is the information that was missing from the GeoTrust documentation. You do not need to download any additional CA certificate files.

I renamed this file to the domain name for which I wanted SSL. You can name this file anything you want. I copied this file to /etc/ssl, and I copied the key file I used to generate the certificate to /etc/ssl/private.
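As an added example (not part of the original post), the following script assembles the bundle in the order nginx reads it, leaf certificate first, and checks the result before it is copied into /etc/ssl. It also shows how to confirm that the private key in /etc/ssl/private belongs to the certificate. The file names are the ones from the reseller; the sample input is constructed placeholder text, not real certificates, and openssl is only needed for the key check.

```shell
#!/bin/sh
# Assemble the certificate bundle nginx expects: the server (leaf) certificate
# first, then the intermediate CA certificates in chain order. Added example,
# not from the post; file names and paths are assumptions.

# build_chain OUT SERVER_CERT INTERMEDIATE... : write OUT with the leaf first.
# One explicit ">" avoids the trap of "cat a >> b >> c", where only the last
# redirection takes effect and a is appended to c alone.
build_chain() {
    out=$1
    shift
    cat "$@" > "$out"
}

# count_certs BUNDLE: number of PEM certificate blocks in the bundle
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# leaf_first BUNDLE SERVER_CERT: succeed if the bundle begins with the server
# certificate, which is what ssl_certificate requires
leaf_first() {
    n=$(wc -l < "$2" | tr -d ' ')
    head -n "$n" "$1" | cmp -s - "$2"
}

# key_matches BUNDLE KEY: succeed if the public key inside the first certificate
# equals the one derived from the private key (needs openssl; not run below)
key_matches() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    key_pub=$(openssl pkey -pubout -in "$2" | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample input: PEM-shaped placeholders standing in for the three
# files the reseller sent. They are not real certificates.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF' '-----END CERTIFICATE-----' > "$demo/ServerCertificate.cer"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-1' '-----END CERTIFICATE-----' > "$demo/CACertificate-1.cer"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-2' '-----END CERTIFICATE-----' > "$demo/CACertificate-2.cer"

build_chain "$demo/combined.cer" "$demo/ServerCertificate.cer" \
    "$demo/CACertificate-1.cer" "$demo/CACertificate-2.cer"

echo "certificates in bundle: $(count_certs "$demo/combined.cer")"
if leaf_first "$demo/combined.cer" "$demo/ServerCertificate.cer"; then
    echo "order ok: server certificate comes first"
else
    echo "order wrong: server certificate must be first"
fi
rm -rf "$demo"
```

On a real server, run key_matches against the bundle and the key you generated the CSR with; a mismatch is the usual reason nginx refuses to start with a "key values mismatch" error.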

I then added a new file to /etc/nginx/sites-available, based on my current server setup, called it mydomain.ssl, and modified it so that it looked like this:

server {
    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/DOMAINNAME.com.cer;
    ssl_certificate_key /etc/ssl/private/DOMAINNAME.com.key;
    server_name DOMAINNAME.com www.DOMAINNAME.com;
    root /var/www/;
    index index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}

Make sure that the configuration points to your .cer and .key files, and that you are using your own domain names for server_name.

Note the first four lines after “server {”.

Create a symlink to this new Nginx configuration file in /etc/nginx/sites-enabled:

ln -s /etc/nginx/sites-available/yourconfigfile.ssl /etc/nginx/sites-enabled/yourconfigfile.ssl

Restart Nginx with # service nginx restart, and you should be good to go.
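The enable-and-restart step, as an added example that is not from the original post: it creates the symlink with an absolute target, checks that the private key is not readable by other users, and only restarts nginx after nginx -t has parsed the configuration (including opening the .cer and .key files). Directory names and the site name are assumptions; the demonstration at the end works on a throwaway directory and does not touch a real nginx.

```shell
#!/bin/sh
# Enable the ssl site and restart nginx only after the configuration parses.
# Added example, not from the post; directory names and the site name are
# assumptions.

# enable_site AVAILABLE_DIR ENABLED_DIR NAME: link with an absolute target, so
# the command does not depend on the current working directory
enable_site() {
    ln -sfn "$1/$3" "$2/$3"
}

# key_is_private KEYFILE: succeed only if group and others have no access to the
# private key (mode 600 or 400); nginx reads it as root at startup
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case $mode in
        *00) return 0 ;;
    esac
    return 1
}

# restart_if_valid: "nginx -t" parses the config first; a typo in the config or
# a wrong certificate path would otherwise leave nginx down after the restart
restart_if_valid() {
    nginx -t && service nginx restart
}

# Demonstration on a throwaway directory tree (no real nginx involved)
demo=$(mktemp -d)
mkdir "$demo/sites-available" "$demo/sites-enabled"
: > "$demo/sites-available/mydomain.ssl"
enable_site "$demo/sites-available" "$demo/sites-enabled" mydomain.ssl
ls -l "$demo/sites-enabled"

: > "$demo/DOMAINNAME.com.key"
chmod 600 "$demo/DOMAINNAME.com.key"
key_is_private "$demo/DOMAINNAME.com.key" && echo "key permissions ok"
rm -rf "$demo"
```

On the server itself, call enable_site /etc/nginx/sites-available /etc/nginx/sites-enabled mydomain.ssl, then key_is_private /etc/ssl/private/DOMAINNAME.com.key, and finish with restart_if_valid.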
