How to add SSL to Nginx

SSL keeps your users’ information secure and helps your website rank on search engines. Here’s how to set it up on Nginx.

If you’ve followed our getting started guides, set up LEMP, and added your DNS records, you may have noticed one major issue. Anyone who visits your site will do so over HTTP and will therefore see a security warning in their browser.

You mustn’t ignore this security warning and add SSL to your Nginx server. SSL helps to keep your customers’ sensitive information safe via encryption, and it’s also a ranking factor – good luck getting to the first page of Google when your server isn’t considered secure.

Thankfully, setting up Nginx SSL isn’t very complex. It only takes a minute or so. Before we begin, however, please note that there are three routes to set up SSL on Nginx.

The first is through the SSL certificate bundle provided by a certificate authority (CA). These typically come from your domain registrar, and in many cases, you’ll have to pay an additional fee for the privilege. You’ll have either been sent it via email or you’ll be able to download it from your account dashboard.

The second route is through Let’s Encrypt’s free SSL/TLS certificate offering. Let’s Encrypt is a free, non-profit Certificate Authority. The relevant part to us, however, is the Electronic Frontier Foundation’s Let’s Encrypt tool, which provides a quick and convenient way to generate and install an SSL certificate on your Nginx server.

Last but not least, you can use the new SSL tool bundled with EasyGlobal’s one-click LEMP stack install for an even easier install.

We’ll, of course, show you all three routes today.

Pre-requisites

Before we start, at a minimum, you’ll need:

1. A VPS server with LEMP installed (you can use EasyGlobal’s one-click app for a fast setup)
2. A domain with an A record pointing to your server IP
3. An nginx server block/virtual host for your domain

You will need these things regardless of whether you’ll be using certbot or a certificate bundle to configure your SSL on Nginx

How to install an SSL certificate on Nginx via a CA Bundle

Your SSL certificate was probably provided to you as a .zip file. Typically, this file comprises a server certificate, a root certificate, and an intermediate certificate. We won’t go into the details of each here, but suffice it to say that you’ll want to combine them all into a single .crt file.

Step 1 – Combine your certificates into a single file

If you haven’t yet uploaded the certificates to your server, one way to combine your certificates is to manually copy and paste all their contents into a single file in a text editor, such as Notepad. You can then save the new file as combined-ssl.crt something along those lines.

The other option is to use cat to combine them in Linux. The command will vary slightly depending on whether each of your certificates is a separate file or if your intermediate certificates are already in a single ca-bundle file.

If they’re all separate, your command should look something like this:

cat your_domain_name.crt intermediate_certificate.crt root_certificate.crt >> bundle.crt

You should replace the names of the .crt files with the names of your actual certificates.

If your intermediate certificates are bundled, it’s even easier:

cat your_domain_name.crt your_domain.ca-bundle >> bundle.crt

That’s all there is to it. Your certificate bundle is ready to use. You can upload it to /etc/ssl/ your server with SFTP or another tool. You’ll want to add your private key to this folder, too.

Step 2 – Perform your Nginx SSL configuration

You will have already edited the .conf file for your server block, so you should know where it is. If you don’t, check your  /etc/nginx/sites-available folder. Once you find it, edit it with:

sudo nano your_config_file_name.conf

There are a few changes you’ll now want to make in the server { Section:

• Find the listen line and make sure it says listen 443;
• Add or uncomment ssl on; If it’s not there already.
• Add the path to your certificate with ssl_certificate /etc/ssl/bundle.crt;
• Add the path to your SSL key: ssl_certificate_key /etc/ssl/your_domain_name.key;

Once these are done, your config should look something like this:

server {
listen 443;
ssl on;
ssl_certificate /etc/ssl/bundle.crt;
ssl_certificate_key /etc/ssl/your_domain_name.key;
root /var/www/your_domain_bame;
server_name your_domain_name.com;
}

Save the file with Ctrl+O and press Ctrl+X to exit.

You should then check that your config has no errors with nginx -t. If no errors come back, restart Nginx using:

sudo systemctl restart nginx

This will apply the Nginx SSL config changes.

Step 3 – Check that SSL is working

SSL should now be enabled for your domain. You can verify this by going to https://yourdomainname.com in your local browser and checking for the padlock symbol in the address bar.

How to install a free SSL certificate on nginx with Certbot

If you don’t have an SSL certificate as part of your domain name package, you can use Certbot to install one on your Nginx server quickly.

Step 1 – Install snap

The first step is to install snapd, which will enable us to use it to install Certbot. On Ubuntu, you can do so with:

sudo apt install snapd

If you’re on another distribution, you should be able to use your relevant package manager (yum for CentOS, etc.).

Make sure you have the latest snapd version:

sudo snap install core; sudo snap refresh core

Step 2 – Install Certbot

We can install Certbot now with the following command:

sudo snap install --classic certbot

For the final step of the installation process, create a symlink to ensure Certbot runs when we type its command:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Step 3 – Create and install your SSL certificate

From here, we can run a single command to create our certificate and edit the nginx config to serve it automatically:

sudo certbot --nginx -d yourdomainname.info -d www.yourdomainname.info

That’s it. Visit your domain in your local browser to check whether SSL is enabled. You can optionally do a test run of certbot’s automatic certificate renewal to make sure that it works:

sudo certbot renew --dry-run

How to Install SSL via easyglobal’s LEMP with SSL app

If you’re a EasyGlobal user, the most streamlined way to set up nginx with SSL is to use our one-click LEMP install tool when you create your server. It should look something like this:

After your server has been created, point an A record to your server’s IP address is your domain’s DNS settings and run the following command after the change has propagated:

install-ssl

Type your domain name when prompted and press the Enter key.

The SSL tool will take a few seconds to verify that your domain’s DNS records are pointing to your server before performing all the configuration for you. You’ll see the following success message:

 Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yourdomainname.info/fullchain.pem

As you can see, EasyGlobal’s SSL tool still uses the widely praised Let’s Encrypt certificates and its certbot tool, but simplifies the process even further.

You can visit your domain in your browser to verify that everything is functioning as expected.