09.11.2020

How to Install SSL Certificate on Nginx for Ubuntu 20.04

To serve a website over HTTPS, you must obtain a TLS/SSL certificate and configure Nginx. You can buy a certificate from a trusted certificate authority through a large number of services. A free certificate is available from the Let’s Encrypt service and is described here in step 3. You also need to perform basic Nginx configuration. If you use a self-signed certificate, the browser will display an error when checking security.

Basic SSL configuration

If you purchased an SSL certificate, you must build the complete chain for it from the public key file (your certificate) that you received and the chain of certificate authorities. To do this, place the contents of the chain file at the end of the public key file. Files can have the .pem or .crt extension.

cat cert.pem chain.pem > fullchain.pem

Now copy the files to your server. A good choice is to put the private key (.key or .pem) in the /etc/ssl/private/ folder and fullchain.pem in /etc/ssl/certs/.

Now open the configuration file of your virtual host (/etc/nginx/sites-available/domain-name.com) and add the following lines:

server {
    listen 443 ssl;
    server_name domain-name.com; # Your website's domain name
    ssl_certificate /etc/ssl/certs/fullchain.pem; # Path to the full chain of your SSL certificate
    ssl_certificate_key /etc/ssl/private/privkey.pem; # Path to the private key of your SSL certificate
}

Don’t forget to set the root and index parameters in this section, just like in the HTTP section.
Restart Nginx.

systemctl restart nginx

Now you can check your SSL certificate and configuration using https://www.ssllabs.com/ssltest/ and then correct any settings that keep the site from reaching class A.

Disabling outdated protocols and enabling priority for server ciphers

Specify the use of TLS versions 1.2 and 1.3 and the priority for server ciphers. Open the /etc/nginx/nginx.conf file and correct or add the following lines in the http section.

http {
    ...
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ...
}

Restart Nginx.

systemctl restart nginx

Redirecting from HTTP to HTTPS

To make the site work only over HTTPS, you need to add a redirect from HTTP. Open the configuration file of your virtual host (/etc/nginx/sites-available/domain-name.com) and delete the HTTP section:

server {
listen 80;

}

Now add a new one with the following parameters:

server {
    listen 80;
    server_name domain-name.com; # Your website's domain name
    return 301 https://$host$request_uri; # Redirect
}

Now restart Nginx.

systemctl restart nginx
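
To confirm that the protocol, cipher-priority and redirect settings above are actually in effect, the configuration text can be linted before each restart. The script below is an added example, not part of the original article; the function names audit_tls_config and sample_weak_config are hypothetical and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: lint nginx configuration text for the settings this page configures.
# Real use (assumption: run as root on the server): nginx -T 2>/dev/null | audit_tls_config
# Simplifications: one directive per line; "#" always starts a comment.
audit_tls_config() {
  awk '
    { sub(/#.*/, "") }                                   # strip comments
    /^[ \t]*ssl_protocols[ \t]/ {
      seen_proto = 1
      for (i = 2; i <= NF; i++) {
        p = $i; sub(/;$/, "", p)
        if (p != "" && p != "TLSv1.2" && p != "TLSv1.3") { print "outdated protocol enabled: " p; bad++ }
      }
    }
    /^[ \t]*ssl_prefer_server_ciphers[ \t]+on[ \t]*;/ { prefer = 1 }
    /^[ \t]*server[ \t]*[{]/ { in_srv = 1; depth = 0; http = 0; redir = 0 }
    in_srv {
      if ($0 ~ /^[ \t]*listen[ \t]/ && $0 ~ /(^|[ \t:])80([ \t;]|$)/) http = 1
      if ($0 ~ /^[ \t]*return[ \t]+301[ \t]+https:\/\//) redir = 1
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")       # track nesting (location blocks)
      if (depth == 0) {                                  # end of this server block
        if (http && !redir) { print "port 80 server block does not redirect to HTTPS"; bad++ }
        in_srv = 0
      }
    }
    END {
      if (!seen_proto) { print "ssl_protocols is not set explicitly"; bad++ }
      if (!prefer)     { print "ssl_prefer_server_ciphers is not on"; bad++ }
      exit (bad > 0)
    }
  '
}

# Constructed sample: TLSv1 still enabled and a plain-HTTP block that serves content.
sample_weak_config() {
  cat <<'EOF'
http {
    ssl_protocols TLSv1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    server {
        listen 80;
        server_name domain-name.com;
        root /var/www/html;
    }
}
EOF
}

sample_weak_config | audit_tls_config || true
```

The function exits non-zero when it reports a finding, so it can gate the restart; running nginx -t first catches syntax errors that this lint does not look for.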