How to install a certificate from WoSign to a site on nginx?

A

Andrew Lays2015-08-06 15:52:25

Nginx

Andrew Lays, 2015-08-06 15:52:25

For an hour I have been trying to install a certificate from WoSign on my site on nginx. From WoSign I received an archive with folders, among which was a folder called nginx, which contained two files example.com_bundle.crt and example.com.key . The first one consists of a chain:

As I understand it, there are three certificates in the chain.
The second consists of:

-----BEGIN RSA PRIVATE KEY-----абракадабра-----END RSA PRIVATE KEY-----

/etc/nginx/nginx.conf :

user www-data;
worker_processes 2;
pid /run/nginx.pid;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;


        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

/etc/nginx/sites-enabled/example.com :

server {
        server_name ip.add.re.ss example.com www.example.com;
        listen 80;

        root /var/www/example.com;
        index index.php;

        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;

        location / {
                try_files $uri $uri/ /index.php;
        }

        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }
}

nginx -V :

nginx version: nginx/1.6.2
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt=-Wl,-z,relro --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-auth-pam --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-dav-ext-module --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-echo --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-upstream-fair --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/ngx_http_substitutions_filter_module

uname -a :

Linux server 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1 (2015-05-24) x86_64 GNU/Linux

Can someone tell me what and where to register so that there is a redirect from http to https and that this https works. I also read something about OCSP Stamping, but first you need to configure https.

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

T

TyzhSysAdmin, 2015-08-06
@Andrew_Lays

server {
listen   443 ssl default_server;
server_name exemple.com;
ssl on;
ssl_session_cache    shared:SSL:10m;
ssl_session_timeout  10m;
ssl_prefer_server_ciphers on;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /path_to/exemple.crt;
ssl_certificate_key /path_to/exemple.key;
ssl_ciphers 'HIGH:!aNULL:!MD5:!kEDH';
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/cert/ca-certs.pem;

well, at the beginning of the virtual host conf, a permanent redirect to https

server{
listen 80 default_server;
server_name exemple.com;
    rewrite ^(/.*)$ https://$host$1 permanent;
}

habrahabr.ru/post/254231