I’m a big fan of Gandi for domain hosting since they are very transparent about their operation, support the efforts of EFF and last but not least, are based in Paris. So today I transfered fak3r.com over to Gandi, and earned a free SSL cert for a year for doing so! Cool, since my old StartSSL cert expired, I needed to replace it, so this was nice timing. Now while Gandi’s documentation is very good, and I’ve done plenty of SSL setup before, I still hit a snag that I’ve hit before, so this time I wanted to record it so I wouldn’t have to look it up again next time. The issue comes about because nginx doesn’t have a declaration for an intermediate, or chained cert file. So while Apache has the SSLCertificateChainFile directive, in nginx we have to concatenate it with the certificate file to have nginx recognize it. Here’s how you do it.
First we need a directory to hold the SSL certs, it’s really not important where, but I’ve always put mine in /etc/nginx/ssl/FQDN
mkdir -p /etc/nginx/ssl/fak3r.com
Then follow Gandi’s instructions on creating the SSL data they need to make your cert, then download it to that directory. Next we need to grab Gandi’s CA cert and put it in that directory too
cd /etc/nginx/ssl/fak3r.com
wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
Now we’ll make a new file, first by catting your cert file (note: mine was named certificate-61332.crt - yours will be different) into a new one, here I named it after my domain with the .crt suffix
cat certificate-61332.crt > fak3r.com.crt
Then, since their CA file doesn’t contain a carriage return we need to echo one in before the CA information
echo "\n" >> fak3r.com.crt
And now we cat in the CA cert information
cat GandiStandardSSLCA.pem >> fak3r.com.crt
Now let’s set permissions
chown root:root fak3r.com.* *.key
chmod 400 fak3r.com.* *key
Meanwhile in the nginx SSL block, be sure we’ve listed the location of our new certificate as well as our key from the the initial generation
ssl_certificate /etc/nginx/ssl/fak3r.com/fak3r.com.crt;
ssl_certificate_key /etc/nginx/ssl/fak3r.com/fak3r.com.key;
Test that everything works, and then if so, restart nginx to pickup the changes
nginx -t
/etc/init.d/nginx restart
Great, now that I have you here, why don’t we cover some ‘BONUS’ material to make nginx serve SSL content a bit more securely. In your site configuration file, in your SSL section, besides the normal lines such as the location of the crt, key files and such, add some lines.
server {
[...]
# Some configuration to avoid ssl timing attacks
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Some cipher configs to avoid BEAST and other vulnerabilties
ssl_prefer_server_ciphers on;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA;
# Some security headers configured with the help of https://securityheaders.com/
add_header Cache-Control "public";
add_header X-Frame-Options "DENY";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Content-Type "text/html; charset=UTF-8";
add_header X-Permitted-Cross-Domain-Policies "master-only";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
And then, as always, test and restart nginx to pickup the changes
nginx -t
/etc/init.d/nginx restart
Now your SSL serving by nginx is far more secure than before. Look online for more tips, and share what you find. Until then, this is fak3r, keeping it secure.