Last week I was installing an SSL certificate on an Nginx server that was acting as the front end for Tomcat. In the basic setup, our Grails WAR file was deployed in Tomcat, which was running on port 8080, and the Nginx server was running on port 80. We ordered an SSL certificate and started the installation. Here are the steps I followed:

1. Generate a CSR on the server and provide it to GoDaddy. This is the command I used:

openssl req -new -newkey rsa:2048 -nodes -keyout website.com.key -out website.com.csr

You will be asked a series of questions; make sure you answer all of them. The only important thing to note is the “Common Name”: if you need a wildcard certificate that works on all subdomains, provide “*.website.com” as its value, otherwise “website.com”. The latter will only work on a single website.

2. You will get 2 files from the above command. One is the key file and the other is the CSR. The file names were already passed as arguments in the command.

3. Log in to GoDaddy and request an SSL certificate. You will be asked to provide the CSR, so paste in the content of the CSR file you got from Step 1.

4. Copy the SSL certificate to the web server (your application server).

5. Unzip the SSL files and you will get 2 files: a bundle file and a certificate file. Both have the .crt extension.

6. Now open the Nginx configuration file. I was using Ubuntu 14.04, and for me the file was located at /etc/nginx/nginx.conf

7. Inside the http section, put the following content:

http {
    # ... (other http settings)
    server {
        # "ssl" on the listen directive replaces the deprecated "ssl on;"
        listen 443 ssl;
        ssl_certificate     <Path to your certificate file>;
        ssl_certificate_key <Path to your certificate key file>;
        server_name <web server name>;

        location / {
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_redirect off;
            proxy_connect_timeout 240;
            proxy_send_timeout    240;
            proxy_read_timeout    240;
            # note, there is no SSL here! plain HTTP is used
            proxy_pass http://localhost:8080;
        }
    }
    # ... (other http settings)
}

This will make sure that your website starts working with the SSL certificate, and you will be able to access it using https. But there is a problem which you may not have found out yet: some web browsers may start complaining about your SSL certificate and declare it invalid, thereby blocking users from accessing your website. The reason behind this problem is that your server did not include the entire certificate chain along with the server certificate.

Now, how do you fix this problem? You can read the section on the Nginx website which explains SSL certificate chains.

All you need to do is create a chained certificate file and reference it in the Nginx configuration file. You can do that as follows:

cat website.com.crt website.bundle.crt > website.com.chained.crt

Now open nginx.conf and set ssl_certificate to the path of this chained certificate.
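
A local pre-flight check for the chained file described above, as an added example that is not part of the original post: it confirms that the private key matches the first certificate in the file and that the server certificate comes before the bundle. The function names and the throwaway demo CA are assumptions made for illustration; the file names follow the post.

```shell
#!/bin/sh
# Added example, not from the original post. Needs the openssl CLI.

# True when the key and the first certificate in the file share a public key.
key_matches_cert() {  # usage: key_matches_cert KEY_FILE CERT_FILE
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# True when the file holds at least two certificates and each one is issued by
# the certificate that follows it (server certificate first, then the bundle).
chain_file_ok() {  # usage: chain_file_ok CHAINED_FILE
    d=$(mktemp -d) || return 1
    awk -v d="$d" '/-----BEGIN CERTIFICATE-----/ {n++}
                   n {print > (d "/" n ".pem")}' "$1"
    i=1; rc=0
    [ -f "$d/2.pem" ] || rc=1   # empty or server certificate only: chain missing
    while [ -f "$d/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$d/$i.pem" -noout -issuer_hash 2>/dev/null)
        subject=$(openssl x509 -in "$d/$((i + 1)).pem" -noout -subject_hash 2>/dev/null)
        [ -n "$issuer" ] && [ "$issuer" = "$subject" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$d"
    return $rc
}

# Constructed throwaway CA and leaf, standing in for the files GoDaddy returns.
make_demo_pki() {  # usage: make_demo_pki DIR
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -days 1 \
          -subj "/CN=Demo Issuing CA" -out website.bundle.crt &&
      openssl req -new -newkey rsa:2048 -nodes -keyout website.com.key \
          -subj "/CN=website.com" -out website.com.csr &&
      openssl x509 -req -in website.com.csr -CA website.bundle.crt -CAkey ca.key \
          -CAcreateserial -days 1 -out website.com.crt ) >/dev/null 2>&1
}

demo=$(mktemp -d) && make_demo_pki "$demo"
cat "$demo/website.com.crt" "$demo/website.bundle.crt" > "$demo/website.com.chained.crt"
key_matches_cert "$demo/website.com.key" "$demo/website.com.chained.crt" &&
    chain_file_ok "$demo/website.com.chained.crt" &&
    echo "chained file is ready for ssl_certificate"
```

Nginx treats the first certificate in the file as the server certificate, so a chained file built in the reverse order fails the key check as well as the order check.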

TIP: I recommend running an SSL check against your website after installation to make sure you are not missing anything. You can use the SSL checker tool by SSLShopper.