How To Create a SSL Certificate on nginx

ABout Self-Signed Certificates


A SSL certificate is a way to encrypt a site’s information and create a more secure connection. Additionally, the certificate can show the virtual private erver’s identification information to site visitors. Certificate Authorities can issue SSL certificates that verify the server’s details while a self-signed certificate has no 3rd party corroboration.

Set Up

You need to have nginx already installed and running on your VPS.
If this is not the case, you can download it with this command:

sudo apt-get install nginx

Step One—Create a Directory for the Certificate


The SSL certificate has 2 parts main parts: the certificate itself and the public key. To make all of the relevant files easy to access, we should create a directory to store them in:

 sudo mkdir /etc/nginx/ssl

We will perform the next few steps within the directory:

 cd /etc/nginx/ssl

Step Two—Create the Server Key and Certificate Signing Request


Start by creating the private server key. During this process, you will be asked to enter a specific passphrase. Be sure to note this phrase carefully, if you forget it or lose it, you will not be able to access the certificate.

sudo openssl genrsa -des3 -out server.key 1024

Follow up by creating a certificate signing request:

sudo openssl req -new -key server.key -out server.csr

This command will prompt terminal to display a lists of fields that need to be filled in.

The most important line is “Common Name”. Enter your official domain name here or, if you don’t have one yet, your site’s IP address. Leave the challenge password and optional company name blank.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Dallas
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Awesome Inc
Organizational Unit Name (eg, section) []:Dept of Merriment
Common Name (e.g. server FQDN or YOUR name) []:example.com                  
Email Address []:webmaster@maanas.co

Step Three—Remove the Passphrase


We are almost finished creating the certificate. However, it would serve us to remove the passphrase. Although having the passphrase in place does provide heightened security, the issue starts when one tries to reload nginx. In the event that nginx crashes or needs to reboot, you will always have to re-enter your passphrase to get your entire web server back online.

Use this command to remove the password:

sudo cp server.key server.key.org
sudo openssl rsa -in server.key.org -out server.key

Step Four— Sign your SSL Certificate


Your certificate is all but done, and you just have to sign it.

Keep in mind that you can specify how long the certificate should remain valid by changing the 365 to the number of days you prefer. As it stands this certificate will expire after one year.

 sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

You are now done making your certificate.

Step Five—Set Up the Certificate


Now we have all of the required components of the finished certificate.The next thing to do is to set up the virtual hosts to display the new certificate.

Let’s create new file with the same default text and layout as the standard virtual host file. You can replace “example” in the command with whatever name you prefer:

sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/example

Then go ahead and open up that new file:

 sudo nano /etc/nginx/sites-available/example

Scroll down to the bottom of the file and find the section that begins with this:

# HTTPS server

server {
        listen 443;
        server_name example.com;

        root /usr/share/nginx/www;
        index index.html index.htm;

        ssl on;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key; 
}

Uncomment within the section under the line HTTPS Server. Match your config to the information above, replacing the example.com in the “server_name” line with your domain name or IP address. Subsequently, add in the correct directory for your site (the above configuration includes the default nginx page).

Additionally, make sure that both of these lines are commented out in the line toward the beginning of the file that says:

# Make site accessible from http://localhost/
# server_name localhost;

Step Six—Activate the Virtual Host


The last step is to activate the host by creating a symbolic link between the sites-available directory and the sites-enabled directory.

 sudo ln -s /etc/nginx/sites-available/example /etc/nginx/sites-enabled/example

Then restart nginx:

 sudo service nginx restart

Visit https://youraddress You will see your self-signed certificate on that page!

Split your Nginx config files up, in order to host multiple WordPress domains

If you are hosting multiple domain on your VPS, then you don’t want to have to copy and paste all the configuration lines every time. Instead keep each domain’s config file small and compact. This makes it easy to see what is going on, makes it easier to change a setting across the board (e.g. increasing the cache period), and in my opinion makes it easier to build a script to do the job for you.

To this end, I thought I’d share an example Nginx WordPress configuration, split into 4 parts that allows you to easily add another domain.

1. The main Nginx server config file (nginx.conf)

user www-data;
worker_processes 4;

error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;

events {
  worker_connections  1024;
}

http {
  server_names_hash_max_size 512;
  server_names_hash_bucket_size 128;

  index index.php index.html index.htm;

  include       mime.types;
  default_type  application/octet-stream;

  # Configure FastCGI cache
  fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=WORDPRESS:15m inactive=15m;

  access_log /var/log/nginx/access.log main;
  sendfile   on;

  keepalive_timeout  65;

  gzip  on;
  gzip_disable "MSIE [1-6]\.(?!.*SV1)";

  client_max_body_size       25m;
  client_body_buffer_size    256k;

  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/sites-enabled/*;
}

2. Handling static resources (css, js, images and so on)

rewrite /wp-admin$ $scheme://$host$uri/ permanent;

location ~ /favicon.ico {
  log_not_found off;
  access_log    off;
}

location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
  expires       30m;
  access_log    off;
  log_not_found on;
}

location ~ /\.ht {
  deny  all;
}

3. FastCGI handling (and caching)

try_files $uri =404;

set $nocache "";
if ($http_cookie ~ (comment_author_.*|wordpress_logged_in.*|wp-postpass_.*)) {
  set $nocache "Y";
}

fastcgi_pass  unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param CONTENT-LENGTH  $content_length;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO       $fastcgi_script_name;
include fastcgi_params;

fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_cache_key       $request_method$host$request_uri;
fastcgi_cache           WORDPRESS;
fastcgi_cache_valid     200 301 302 10m;
fastcgi_cache_valid     404 30m;
fastcgi_ignore_headers  Expires Cache-Control;
fastcgi_cache_bypass    $nocache;
fastcgi_no_cache        $nocache;

4. Example domain

server {
  listen      178.79.142.110:80;
  server_name www.maanas.co maanas.co;

  error_log  /var/log/nginx/maanas/www.maanas.co-error.log;
  access_log /var/log/nginx/maanas/www.maanas.co-access.log;

  root  /home/maanas/sites/www.maanas.co;

  include static-resources.conf;

  location / {
    try_files $uri $uri/ /index.php?$args;
  }

  location ~ \.php$ {
    include wordpress-fastcgi-cache.conf;
  }

  include purge.conf;
}

The 4th config file is small but pertinent. Only the information about the domain itself is in here.