Nginx SSL Enable

環境: Ubuntu 14.04 x64

1. 產生key

root@Wordpress:/tmp# openssl genrsa -des3 -out site.key 2048
Generating RSA private key, 2048 bit long modulus
..........................+++
....................................+++
e is 65537 (0x10001)
Enter pass phrase for site.key:
Verifying - Enter pass phrase for site.key:

2.產生 csr

root@Wordpress:/tmp# openssl req -new -key site.key -out site.csr
Enter pass phrase for site.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taipei City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cowman
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:cowman.ip
Email Address []:cowman.chiang@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

1. cat csr，貼至申請處

root@Wordpress:/tmp# cat site.csr 
-----BEGIN CERTIFICATE REQUEST-----
MIIC1DCCAbwCAQAwgY4xCzAJBgNVBAYTAlRXMQ8wDQYDVQQIDAZUYWl3YW4xFDAS
BgNVBAcMC1RhaXBlaSBDaXR5MQ8wDQYDVQQKDAZDb3dtYW4xCzAJBgNVBAsMAklU
MRIwEAYDVQQDDAljb3dtYW4uaXAxJjAkBgkqhkiG9w0BCQEWF2Nvd21hbi5jaGlh
bmdAZ21haWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2oNl
FGzEzzpVSvFkwrYegC1VxoznmsPp2UrImb+w2M4ZLLuqdAqjhLs1atnPaQZsQlOF
wfbnbGvcdwULuIzU8o1o1v7KS7TmWfi7P3oYG5GBRq/j3QuOQEwQ1s0QFAnulso9
rAHCt4i1rFg8wNF6mEF1Ghd2DzzD8P7Ew+LCYq+C4G8yq44RD+WJ8DccA4OQfzou
mcstrRkXWmoYyrICepCE4eqxSdlNH3dyZbSmG4yKC1gQc60/Utm5o8lGynvS0pBh
PUx124eMsWz80wZ0xAkE6Ma24XgOHied3XuaiRfBi5/tql+wfEQBrIOZ0DJ1DAhN
J723zUMw9amQ8cF4zQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAGeLtDAWlgh6
ag+PP8YqXrxGSAkkyL8EKdrPEntgYEPIkKt9to+h0tKBCZ5kCvG4bL6V5zRhtx4f
ViqTzh9itOI3MDfvE5o8vxhed4jzevIifpKDONt0bAOC73STpv9+HCR+CMNX0Erf
tmhD+zuLwHcBl5qoZqaPQobPF1VR1U2jsGBZ2HTTamtjGcr0mkso3MO5QxcV8JkP
DwAc/PGn06zzKUyPeGPY2PE2xAppcof8B/WOYLvRx202YeoG6Cp1hLT94GoN+ef/
aDwd7WgaFpC1sXTnjoOlzpsxoovHmaJMTskncYkUZIsg4ZvhJnF9trqu9XlUKBh7
vDAfX3ZNzCs=
-----END CERTIFICATE REQUEST-----

1. 這裡一樣以namecheap的comodo ssl為例，會收到下面四個檔案
   伺服器類型選nginx
   AddTrustExternalCARoot.crt
   COMODORSAAddTrustCA.crt
   COMODORSADomainValidationSecureServerCA.crt
   cowman_ip.crt

2. 產生 ssl-bundle.crt

cat cowman_ip.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt AddTrustExternalCARoot.crt >> ssl-bundle.crt

1. 移除需要輸入 phase 的機制

root@Wordpress:/tmp# openssl rsa -in site.key -out site-nopass.key
Enter pass phrase for site.key:
writing RSA key

1. 修改 nginx 設定檔，位置在 /etc/nginx/sites-enabled/default，這裡把設定檔整併在server中

root@Wordpress:/tmp# vim /etc/nginx/sites-enabled/default

server {
        #listen 80 default_server;
        #listen [::]:80 default_server ipv6only=on;
        listen 80;
        listen 443 default ssl;

        ssl_certificate /opt/local/nginx/conf/certs/ssl-bundle.crt;
        ssl_certificate_key /opt/local/nginx/conf/certs/site_ip.key;

        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
        ssl_prefer_server_ciphers on;

1. 重新啟動 nginx

service nginx restart