Installing an SSL Certificate is something that can benefit all developers. SSL Certificates provide security when passing data back and forth between the user and the server. This specific Tutorial uses AWS for DNS and the server, Nginx as a reverse-proxy engine, and Namecheap for the SSL Certificate itself. Follow the steps and you will have the base knowledge to install an SSL Certificate in no time!

  1. Purchase a domain name from Route 53 on AWS.
    1. If you are following this tutorial for learning purposes only, I recommend choosing a cheap domain and ensuring auto-renew is turned off to avoid extra charges. This tutorial uses a .com domain, so that is recommended to follow the tutorial more precisely.
  2. Purchase an EC2 Server on AWS.
    1. I recommend an Ubuntu Server 16.04 LTS (HVM), SSD Volume Type
    2. For security groups, create or choose one that covers HTTP access (port 80), HTTPS access (port 443), and SSH access (port 22).
    3. Use your own key-pair when setting this up, you will need this later, save it in your .ssh folder.
  3. Connect domain name to server.
    1. You will need the IP address of the server.
    2. Follow this guide.
  4. Install and configure Nginx on server
    1. Add the following lines to your config file

      Host host_name
        Hostname IP_address_of_server
        User ubuntu
        IdentityFile ~/.ssh/.pem_file_from_key-pair_download
    2. SSH on to server using the following command

      $ ssh host_name
    3. Run the following commands.
      # To install Nginx and verify the installation worked
      $ sudo apt-get update
      $ sudo apt-get install nginx
      $ sudo ufw app list
      
      Expected output:
      
      
      Available applications:
        Nginx Full
        Nginx HTTP
        Nginx HTTPS
        OpenSSH
      
      # To allow connections to the server
      $ sudo ufw allow OpenSSH
      $ sudo ufw allow 'Nginx HTTP'
      $ sudo ufw allow 443
      $ sudo ufw allow HTTP
      
      # To enable the firewall and verify it worked
      $ sudo ufw enable
      $ sudo ufw status
      
      Expected output:
      
      Status: active
      
      To                         Action From
      --                         ------ ----
      OpenSSH                    ALLOW Anywhere           
      Nginx HTTP                 ALLOW Anywhere           
      80                         ALLOW Anywhere           
      443                        ALLOW Anywhere           
      OpenSSH (v6)               ALLOW Anywhere (v6)           
      Nginx HTTP (v6)            ALLOW Anywhere (v6)           
      80 (v6)                    ALLOW Anywhere (v6)           
      443 (v6)                   ALLOW Anywhere (v6) 
      
      # To ensure Nginx is running as expected
      $ systemctl status nginx
      
      Expected output: 
      
      nginx.service - A high performance web server and a reverse proxy server
         Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
         Active: active (running) since Thu 2018-05-31 20:58:15 UTC; 1 weeks 4 days ago
       Main PID: 17606 (nginx)
          Tasks: 2
         Memory: 2.1M
            CPU: 842ms
         CGroup: /system.slice/nginx.service
                 ├─17606 nginx: master process /usr/sbin/nginx -g daemon on; master_process on
                 └─17607 nginx: worker process                           
      
      Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
    4. Check this by going to your website, a “Welcome to Nginx” page should appear
  5. Add an index.html file that will appear once Nginx is complete
    1. Run the following commands

      $ ssh host_name
      $ cd /var/www/html
      $ touch index.html
      $ sudo nano index.html
    2. Add the following text to the file
      Hello!
      
    3. Use Control + O to write to the file, click enter, then Control + X to quit nano. 
    4. Purchase and set up SSL from Namecheap
      1. Choose a PositiveSSL
      2. Generate a CSR in your terminal by running

        $ openssl req -new -newkey rsa:2048 -nodes -keyout site_name.key -out site_name.csr
        
        Generating a 2048 bit RSA private key
        ............................+++
        .....................................................................+++
        writing new private key to 'site_name.key'
        -----
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        
        -----
        Country Name (2 letter code) [AU]:US
        State or Province Name (full name) [Some-State]:Maryland
        Locality Name (eg, city) []:Hampstead
        Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bytelion
        Organizational Unit Name (eg, section) []:Bytelion
        Common Name (e.g. server FQDN or YOUR name) []:site_name.com
        Email Address []:your_email@domain.com
        
        Please enter the following 'extra' attributes
        to be sent with your certificate request
        A challenge password []:
        An optional company name []:
      3. Copy the CSR by running
        $ cat site_name.csr
      4. Paste the CSR into Namecheap when asked.
      5. Follow steps in namecheap for domain validation. This can be done 1 of 3 ways, but via email(if yours is listed) or DNS is recommended. For help with this validation, refer to the links in Namecheap.
      6. Once this is complete, the certificate will be emailed to you, but be patient because it can take a while for the email to come through.
    5. Install SSL on server
      1. Download the SSL files from your email and unzip the file. This should leave you with a folder by the name site_name_com containing the files site_name_com.crt and site_name_com.ca-bundle
      2. Open the folder in the terminal and run the following commands

        # To combine the two files into one
        $ cat site_name_com.crt site_name_com.ca-bundle >> site_name-bundle.crt
        
        # To copy the file into the .ssh folder to then put them onto the server
        $ sudo cp site_name-bundle.crt ~/.ssh
      3. Navigate to the site_name.key file that was created with your CSR, then run the following commands

        # To copy the file into the .ssh folder to then put them onto the server 
        $ sudo cp site_name.key ~/.ssh
        
        # To verify the files were successfully moved
        $ cd
        $ cd .ssh
        $ ls
      4. Verify the site_name-bundle.crt and site_name.key files are there.
      5. Run the following commands to put the files on to the server.

        $ scp site_name-bundle.crt ubuntu@IP_address_of_server:
        $ scp site_name.key ubuntu@IP_address_of_server:
      6. SSH onto the server

        $ ssh host_name
        $ ls
        
      7. Verify the site_name-bundle.crt and site_name.key files are there.
      8. Run the following commands to move the files to their appropriate folders.
        $ sudo mv site_name-bundle.crt /etc/ssl/certs/
        $ sudo mv site_name.key /etc/ssl/private/
      9. Run the following commands to begin the set up of the Nginx configurations

        $ cd /etc/nginx/sites-enabled
        $ touch site_name
        $ sudo nano site_name
      10. Edit the file to contain the following.

        error_log /var/log/nginx/error.log;
        
        server {
           listen       80;
           server_name  site_name.com;
           return 301 https://site_name.com$request_uri;
        }
        
        server {                       
           listen       443;
           server_name  site_name.com;
           ssl on;
           ssl_certificate /etc/ssl/certs/site_name-bundle.crt;
           ssl_certificate_key /etc/ssl/private/site_name-server.key;
           ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
           root /var/www/html/;
        }
      11. Use Control + O to write to the file, click enter, then Control + X to quit nano.
      12. Run the following commands to stop and start nginx

        $ sudo systemctl stop nginx
        $ sudo systemctl start nginx
        
        
  6. Go to your website. The site should say “Hello!” and the word Secure with the padlock should be shown. Navigating to site_name.com should now redirect to https://site_name.com. 

 

Leave a Reply