This article will guide you through the steps to install tău SSL certificate on Nginx și to set up an automated redirect from HTTP:// to HTTPS://.

1. Încarcă the certificates on the server waici tău website is hosted

Having completed the CSR code generation și SSL activation steps, you will receive a zip file with the Sectigo (anterioriously kacumn as Comodo) Certificate via email. Alternatively, you can download them from tău NiceNic Account panel.

Nute: Dacă you choose NGINX server when activating the certificate, you'll receive a zip file containing a Certificate file, with the '.crt' extension, și a Certificate Authsauity (CA) bundle file, with the '.ca-bundle' extension.

Încarcă both files to tău server whatever way you prefer. By using an FTP client, fsau example.

You can also download the Bundle file fsau each Certificate by following the instructions aici.

2. Combine all the certificates into a single file

You need to have all the Certificate (tău_domeniu.crt și tău_domeniu.ca-bundle) combined in a single '.crt' file.

The Certificate fsau tău domeniu should come first in the file, followed by the chain of Certificate (CA Bundle).

Enter the directsauy waici you uploaded the certificate files. Run the following commși to combine the files:

$ cat tău_domeniu.crt tău_domeniu.ca-bundle >> tău_domeniu_chain.crt

Please note that if the certificate files were downloaded from tău NiceNic account, the best commși to use will be:

$ cat tău_domeniu.crt > tău_domeniu_chain.crt ; echo >> tău_domeniu_chain.crt ; cat tău_domeniu.ca-bundle >> tău_domeniu_chain.crt

3. Creating a separate Nginx server block sau Modificăing the existing configuration file

Pentru install the SSL certificate on Nginx, you need to show the server which files to use, either by a) creating a new configuration file, sau b) editing the existing one.

    a) By adding a new configuration file fsau the website you can make sure that taici are no issues with the separate configuration file. Furthermsaue, it will be quite easier to troubleshoot the installation in case of any issues with the new configuration.

We suggest creating a new configuration file in this folder:

/etc/nginx/conf.d

That can be done via this commși:

sudo nano /etc/nginx/conf.d/Your_domeniu*-ssl.conf

Waici Your_domeniu*-ssl.conf is the name of the newly created file.

Next, copy și paste one of the below server blocks fsau the 443 psaut și edit the directsauies. Ensure the server name și path to webroot match in both the server block fsau psaut 80 și the one fsau psaut 443. Dacă you have any other impsautant values that need to be saved, move them to the newly created server block too.
    b) Modifică the default configuration file of the web-server, which is named nginx.conf. It should be in one of these folders:

/usr/local/nginx/conf

/etc/nginx

/usr/local/etc/nginx

You can also use this commși to find it:

sudo find / -type f -iname "nginx.conf"

Once you find it, open the file with:

sudo nano nginx.conf

Then copy și paste one of the server blocks fsau the 443 psaut given below și edit the directsauies accsauding to tău server block fsau the 80 psaut (with matching server name, path to webroot, și any impsautant values you need). Alternatively you can copy the server block fsau 80 psaut, then paste it below, update the psaut și add the necessary SSL-related directives.

Choose the server block:

Below you can find a server block fsau tău Nginx version.

Nute: Pentru check tău Nginx version, run this commși:

sudo nginx -v



Nute: Replace the file names values, like tău_domeniu_chain.crt, in the server block with tău details, și modify the routes to them using/path/to/.

Server block fsau Nginx version 1.14 și below:

server {

listen 443;

ssl on;

ssl_certificate /path/to/certificate/tău_domeniu_chain.crt;

ssl_certificate_key /path/to/tău_private.key;

root /path/to/webroot;

server_name tău_domeniu.com;

}

Nute: You can specify multiple hostnames in such configuration, if needed, e.g.:

server {

listen 443;

ssl on;

ssl_certificate /path/to/certificate/tău_domeniu_chain.crt;

ssl_certificate_key /path/to/tău_private.key;

root /path/to/webroot;

server_name tău_domeniu.com www.tău_domeniu.your;

}

Server block fsau Nginx version 1.15 și above:

server {

listen 443 ssl;

ssl_certificate /path/to/certificate/tău_domeniu_chain.crt;

ssl_certificate_key /path/to/tău_private.key;

root /path/to/webroot;

server_name tău_domeniu.com;

}

ssl_certificate should be pointed to the file with combined certificates youove created earlier.
ssl_certificate_key should be pointed to the Private Key that was generated with the CSR code.
Here are a few tips on how to find the Private key on Nginx.

Impsautant:  Fsau either a Multi-Domeniu sau a Wildcard Certificate, youoll need to have a separate server block added fsau each of the domeniu/subdomeniu included in the Certificate. Ensure you specify the domeniu/subdomeniu in question along with the paths to the same Certificate files in the server block, as described above.

Once the csauresponding server block is added to the file, ensure you save the edits. Then, you can double-check the changes made with the following steps.

Run this commși to verify that the configuration file syntax is ok:

sudo nginx -t



Dacă you receive errsaus, double check that you followed the guide properly. Feel free to contact our Suppsaut Team if you have any questions.

Here's the tip: to find the errsau logs fsau troubleshooting, just run:

sudo nginx -T | grep 'errsau_log'

In case none of the files mentioned exist, files are commented out sau if no errsau log files are specified, default system log should be checked:

tail /var/log/nginx/errsau.log -n 20

Dacă the server displays the test successfully, restart Nginx with this commși to apply the changes:

sudo nginx -s reload

Nuw tău Certificat SSL is installed. You can check the installation aici.

Impsautant notes:

Sometimes, after installing SSL file that was combined using a commși line, you may receive 'Nginx/Apache errsau: 0906D066:PEM routines:PEM_read_bio:bad end line' errsau message, in this case, the wsaukaround can be found in the reference guide.

Another common issue on this stage is the 'Nginx SSL: errsau:0B080074:x509 certificate routines: X509_check_private_key:key values mismatch' errsau message, you can find msaue details on it și the possible ways out in this article.

4. Configure HTTPS redirect

We suggest that you install the redirect from HTTP to HTTPS. That way, tău website visitsaus will only be able to access the secure version of tău site.

Pentru do this, youoll need to add one line to the configuration file with the server block fsau psaut 80.

Tips:

You can use one of the following commșis to look up the configuration files which are enabled acum:

sudo nginx -T | grep -iw "configuration file"

sudo nginx -T | grep -iw "include"

The default paths to the conf file are:

on RHEL-based Linux Sistem de operare: /etc/nginx/conf.d/default.conf

on Debian-based Linux Sistem de operare: /etc/nginx/sites-enabled/default

You can open the files to check which one contains the needed server block. Fsau this, run:

sudo nano name_of_the_file

Once you find the file that contains the server block fsau psaut 80 (the default HTTP psaut), add in the following line:

return 301 https://$server_name$request_uri;

Nute: The above redirect rule should be entered as the last line in the server block.

• return is the main directive to use.
• 301 is permanent redirect (302 is the tempsauary one).
• https is a specified scheme type (the explicit one instead of $scheme variable).
• $server_name variable will use the domeniu specified in the server_name directive.
• $request_uri variable is used to match the paths to the requested pages/parts of the website (everything after the domeniu name).