tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
SSL Certificates
    Documentation
    Download PDF

    Installing an SSL Certificate on an Nginx Server

    Last updated: 2024-03-06 17:38:42
    Download PDF
      The following video shows you how to install an SSL certificate on an Nginx server:

      Overview

      This document describes how to install an SSL certificate on an Nginx server.
      Note:
      The certificate name cloud.tencent.com is used as an example.
      The nginx/1.18.0 version is used as an example.
      The current server OS is CentOS 7. Detailed steps vary slightly by OS.
      Before you install an SSL certificate, enable the default HTTPS port 443 on the Nginx server so that HTTPS can be enabled after the certificate is installed. For more information, see How Do I Enable Port 443 for a VM?
      For detailed directions on how to upload SSL certificate files to a server, see Copying Local Files to CVMs.

      Prerequisites

      Install the remote file copy tool such as WinSCP. The latest official version is recommended. We recommend that you use CVM's file upload feature for deployment to CVM.
      Install the remote login tool such as PuTTY or Xshell. The latest official version is recommended.
      Install the Nginx service containing http_ssl_module module in the current server.
      The data required to install the SSL certificate includes the following:
      Name
      Description
      Server IP address
      IP address of the server, which is used to connect the PC to the server.
      Username
      The username used to log in to the server.
      Password
      The password used to log in to the server.
      Note:
      For a CVM instance purchased on the Tencent Cloud official website, log in to the CVM console to get the server IP address, username, and password.

      Directions

      Installing the certificate

      1. Log in to the SSL Certificate Service console, and click Download for the certificate you need to install.
      2. In the pop-up window, select Nginx for the server type, click Download, and decompress the cloud.tencent.com certificate file package to the local directory. After decompression, you can get the certificate file of the corresponding type, which includes the cloud.tencent.com_nginx folder.
      Folder: cloud.tencent.com_nginx
      Files in the folder:
      cloud.tencent.com_bundle.crt: Certificate file
      cloud.tencent.com_bundle.pem: Certificate file (optional)
      cloud.tencent.com.key: Private key file
      cloud.tencent.com.csr: CSR file
      Note:
      You can upload the CSR file when applying for a certificate or have it generated online by the system. It is provided to the CA and irrelevant to the installation.
      3. Log in to the Nginx server using WinSCP (a tool copying files between a local computer and a remote computer).
      Note:
      For detailed directions, see Uploading files via WinSCP to a Linux CVM from Windows.
      We recommend that you use CVM's file upload feature for deployment to CVM.
      4. Copy the cloud.tencent.com_bundle.crt certificate file and cloud.tencent.com.key private key file from the local directory to the /etc/nginx directory (this is the default Nginx installation directory and needs to be adjusted as needed) of the Nginx server.
      5. Log in to the Nginx server remotely with such a login tool as PuTTY.
      6. Edit the nginx.conf configuration file in the Nginx root directory as follows:
      Note:
      If you cannot find the following content, manually add it. Run the nginx -t command to find the path of the Nginx configuration file. As shown below:
      tapd_10132091_base64_1665978617_57.png
      
      
      This operation can edit the file by running vim /etc/nginx/nginx.conf.
      The configuration file may be written differently on different versions; for example, use listen 443 ssl instead of listen 443 and ssl on on nginx/1.15.0 or later.
      server {
           # The default SSL access port is 443
           listen 443 ssl; 
           # Enter the domain name bound to the certificate
           server_name cloud.tencent.com; 
           # Enter the relative or absolute path of the certificate file
           ssl_certificate cloud.tencent.com_bundle.crt; 
           # Enter the relative or absolute path of the private key file
           ssl_certificate_key cloud.tencent.com.key; 
           ssl_session_timeout 5m;
           # Configure the following protocols
           ssl_protocols TLSv1.2 TLSv1.3; 
           # Configure the cipher suite according to the OpenSSL standard
           ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; 
           ssl_prefer_server_ciphers on;
           location / {
               # Path to the website homepage. This example is for reference only. You need to set it to the actual path.
               # For example, if your website homepage is under the "/etc/www" path of the Nginx server, change the "html" behind "root" to "/etc/www".
               root html; 
               index  index.html index.htm;
           }
       }
      7. Run the following command to check whether there is a problem with the configuration file.
      nginx -t
      If yes, reconfigure or fix the problem as prompted.
      If not, proceed to step 8.
      8. Run the following command to reload the Nginx server.
      nginx -s reload
      9. If the server is reloaded successfully, you can access it through https://cloud.tencent.com.

      (Optional) Security configuration for automatic redirect from HTTP to HTTPS

      To redirect HTTP requests to HTTPS, complete the following settings:
      1. Select one of the following configuration methods based on your actual needs:
      Add a JavaScript script to the page.
      Add redirect in the backend program.
      Redirect through a web server.
      Nginx supports rewrite. If you did not remove PCRE during the compilation, you can add return 301 https://$host$request_uri; to the HTTP server to redirect requests made to the default HTTP port 80 to HTTPS.
      Note:
      Uncommented configuration statements can be configured as follows.
      The configuration file may be written differently on different versions; for example, use listen 443 ssl instead of listen 443 and ssl on on nginx/1.15.0 or later.
        server {
         # The default SSL access port is 443
         listen 443 ssl;
         # Enter the domain name bound to the certificate
         server_name cloud.tencent.com; 
         # Enter the relative or absolute path of the certificate file
         ssl_certificate  cloud.tencent.com_bundle.crt; 
         # Enter the relative or absolute path of the private key file
         ssl_certificate_key cloud.tencent.com.key; 
         ssl_session_timeout 5m;
         # Configure the cipher suite according to the OpenSSL standard
         ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
         # Configure the following protocols
         ssl_protocols TLSv1.2 TLSv1.3;
         ssl_prefer_server_ciphers on;
         location / {
           # Path to the website homepage. This example is for reference only. You need to set it to the actual path. 
           # For example, if your website homepage is under the "/etc/www" path of the Nginx server, change the "html" behind "root" to "/etc/www".
           root html;
           index index.html index.htm;
         }
        }
        server {
         listen 80;
         # Enter the domain name bound to the certificate
         server_name cloud.tencent.com; 
         # Redirect requests made to an HTTP domain name to HTTPS
         return 301 https://$host$request_uri; 
        }
      
      2. Run the following command to check whether there is a problem with the configuration file.
      nginx -t
      If yes, reconfigure or fix the problem as prompted.
      If not, proceed to step 3.
      3. Run the following command to reload the Nginx server.
      nginx -s reload
      4. If the server is reloaded successfully, you can access it through https://cloud.tencent.com.
      If the security lock icon is displayed in the browser, the certificate has been installed successfully.
      In case of a website access exception, troubleshoot the issue by referring to the following FAQs:
      Website Inaccessible After an SSL Certificate is Deployed
      "Your Connection is Not Secure" is Displayed After the SSL Certificate is Installed
      Why Does the Website Prompt "Connection Is Untrusted"?
      404 Error After the SSL Certificate is Deployed on IIS
      Note: If anything goes wrong during this process, contact us.
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy