Install A Free Self-Signed SSL Certificate On Nginx
SSL. It’s the word of the year, it would seem, ever since Google’s late 2014 announcement that installing an SSL certificate on your website would affect rankings in their search engine algorithm. And all for the better, as I’ve written about before: traditional SEO is dead and things are finally starting to get exciting again as “Web 3.0” brings us things like CloudFlare, MaxCDN, CodeGuard, and other enterprise-level APIs and technologies that previously were not readily available to the masses.
The “SSL for Nginx” tutorial below assumes that you are on Ubuntu 14.04, the latest LTS release of the free, open-source operating system maintained by UK-based Canonical Ltd. Pretty much everyone should be using Ubuntu Linux on their server these days, as it’s arguably the best-supported Linux distro with the most user-friendly software repositories.
Now, first of all, I should clarify something: SSL certificates are a racket – even a scam, in many cases. Right now, web hosts and resellers are having a heyday thanks to Google’s recent announcement, and thousands upon thousands of webmasters are getting tricked or confused into buying expensive SSL certificates that they don’t even need.
In fact, SSL (Secure Sockets Layer) is dying, and has already been replaced by a newer technology known as TLS (Transport Layer Security). But the original name “SSL” is rather catchy and has therefore stuck, and the term is now used generally to describe various types of encrypted web traffic. In other words, SSL (TLS) “wraps” an encryption layer around otherwise normal “data” sent between a web server and client so that the messages can’t be intercepted or read by any 3rd parties (e.g. the NSA). Now, the second important self-proclaimed mission of the SSL/TLS world is identity verification, in which Certificate Authorities, a.k.a. CAs, claim to “verify” the owners of a website before issuing them the SSL certificate.
“I think it only makes sense to seek out and identify structures of authority, hierarchy, and domination in every aspect of life, and to challenge them; unless a justification for them can be given, they are illegitimate, and should be dismantled, to increase the scope of human freedom.”
— Noam Chomsky
Clearly, this is nearly impossible to do (sufficiently) in most cases, which is why SSL sales are ultimately a scam in my opinion. Therefore, I recommend that all my clients instead generate a “self-signed” SSL certificate (below) that connects with CloudFlare’s free domain-level certification issued by Comodo, meaning that the entire SSL generation and renewal process is FREE (forever) and yet no HTTPS errors or “identity” warnings are displayed to your website visitors.
Before you begin, you first need to have a VPS server on which you’ve installed Nginx. Then, we must generate a self-signed SSL certificate via OpenSSL, a free, open-source tool that is included within Nginx itself. The single SSH command below generates both the private key and the certificate, with every option set on one line (shout out to Justin Ellingwood for the shortcut and the explanation that follows).
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/nginx.key -out /etc/ssl/nginx.crt
- openssl: This is the basic command line tool for creating and managing OpenSSL certificates, keys, and other files.
- req: This subcommand specifies that we want to use X.509 certificate signing request (CSR) management. “X.509” is the public key infrastructure standard that SSL and TLS adhere to for their key and certificate management. We want to create a new X.509 cert, so we are using this subcommand.
- -x509: This further modifies the previous subcommand by telling the utility that we want to make a self-signed certificate instead of generating a certificate signing request, as would normally happen.
- -nodes: This tells OpenSSL to skip the option to secure our certificate with a passphrase. We need Nginx to be able to read the file, without user intervention, when the server starts up. A passphrase would prevent this from happening because we would have to enter it after every restart.
- -days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.
- -newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.
- -keyout: This line tells OpenSSL where to place the generated private key file that we are creating.
- -out: This tells OpenSSL where to place the certificate that we are creating.
Next, the automated OpenSSL tool within Nginx will ask you a few questions to complete the “identity” part of the SSL certificate. Mind you, if CloudFlare is re-SSL’ing your domain via Comodo, this information is rather pointless, actually. Still, you should try to keep it as accurate as possible to prepare for any future changes or other issues.
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Nevada
Locality Name (eg, city) []: Las Vegas
Organization Name (eg, company) [Internet Widgits Pty Ltd]: LittleBizzy
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: www.littlebizzy.com
Email Address []: firstname.lastname@example.org
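As an added example (not part of the original post or of Nginx/OpenSSL themselves), the script below runs the same openssl command non-interactively, answering the identity prompts with -subj, and then checks the result the way a server admin should before pointing Nginx at it: key and certificate belong together, the certificate is genuinely self-signed, it is valid for about the requested year, and the unencrypted key is not world-readable. It assumes the openssl CLI is installed; the scratch-directory paths and the subject values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: run the post's openssl
# command non-interactively, then verify the result before Nginx uses it.
# Assumes the openssl CLI is on PATH. The output paths are constructed (a
# scratch directory) so this runs without root; a real server would use
# /etc/ssl/nginx.key and /etc/ssl/nginx.crt as in the post.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/nginx.key"
CRT="$WORKDIR/nginx.crt"

# Same flags as the post, plus -subj to answer the identity prompts up
# front (the subject values here are constructed placeholders).
generate_cert() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$KEY" -out "$CRT" \
        -subj "/C=US/ST=Nevada/L=Las Vegas/O=Example/CN=www.example.com" \
        2>/dev/null
}

# Nginx refuses to start when key and certificate do not belong together;
# the RSA modulus of both files must be identical.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$KEY")
    c=$(openssl x509 -noout -modulus -in "$CRT")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Self-signed: the certificate verifies only when it is its own trust anchor.
# Browsers will not trust it, hence CloudFlare's CA-issued cert in front.
is_self_signed() {
    openssl verify -CAfile "$CRT" "$CRT" >/dev/null 2>&1
}

# -checkend N exits 0 only if the cert is still valid N seconds from now.
# With -days 365 and nothing renewing it, this is the check to schedule.
valid_for_at_least() {
    openssl x509 -noout -checkend "$1" -in "$CRT" >/dev/null
}

# The key is unencrypted (-nodes), so it must be readable by its owner only.
restrict_key_perms() {
    chmod 600 "$KEY"
    [ -n "$(find "$KEY" -perm 600)" ]
}

generate_cert && key_matches_cert && is_self_signed \
    && valid_for_at_least 31000000 && restrict_key_perms \
    && echo "OK: $CRT and $KEY generated, matched, valid ~1 year, key 0600"
```

Run with WORKDIR=/etc/ssl as root to produce the exact files the post's Nginx configuration expects; the -checkend call is the one worth putting in cron, since a self-signed certificate will silently expire after the 365 days.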
Great! So now we have a 2048-bit self-signed SSL certificate installed on our server. But how do we actually activate HTTPS on our website’s frontend, and make sure all non-HTTPS URLs are 301 redirected to their HTTPS equivalent? Enter the simple beauty of the Nginx server block (there are several ways of doing this; my preferred method is below):