How to set up SSL with SPDY and Nginx

UPDATE: It’s about time to update this article or write a new one, given that Let’s Encrypt exists now and that the SPDY protocol has been deprecated in favor of HTTP/2.

Also see https://certbot.eff.org/ if you haven’t already.

Recently, I spent some time setting up Transport Layer Security (SSL) for the sites https://bubbl.in and https://marvindanig.com. It was simple to do and went pretty smoothly, except for a few warts here and there that I found the SSL industry is generally plagued with. But more on that later.

Starting today, both the Bubblin and Marvindanig sites are served only over secure HTTP, a.k.a. HTTPS. For the record, all our traffic is now forced over TLS, and we have ensured forward secrecy as well.

Marvindanig::Application.configure do
  # Rails redirects every plain-HTTP request to HTTPS, sends the HSTS header
  # and flags session cookies as secure.
  config.force_ssl = true
end

I sourced our SSL certificate for $9 via NameCheap (a referral URL) but you can buy it from anywhere you like. Remember to use a working email address of the domain name you wish to buy the certificate for. Your SSL provider will validate you with the domain name of the email address you provide.

Setting up an SSL certificate is easy, but it does take some time. It took me about 45 minutes to get it up and running, which should give you some idea of what follows below.

Here are the steps, if you’re on an Ubuntu/Linux distro with Nginx/Unicorn serving your app:

SSH/login to your server

1. Install OpenSSL

$ apt-get update

$ apt-get upgrade

$ apt-get install openssl

$ mkdir /etc/ssl/certs #if this directory doesn’t exist already.

2. Issue a Certificate Signing Request (CSR)

Go into the certs directory

$ cd /etc/ssl/certs

$ openssl req -new -newkey rsa:2048 -nodes -days 365 -keyout www.mydomain.com.key -out www.mydomain.com.csr

This is what you’ll see next:

Generating a 2048 bit RSA private key
......................................................++++++
....++++++
writing new private key to 'www.mydomain.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]: California
Locality Name (eg, city) []: MountainView
Organization Name (eg, company) [YourCompanyName]
Organizational Unit Name (eg, section) []: Web Product
Common Name (eg, YOUR name) []:www.yourdomain.com
Email Address []:admin@yourdomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Ignore the extra attributes if you want. Now you’ll have a .key and a .csr file generated inside your certs directory.

Secure the generated key with the following command:

$ chmod 400 /etc/ssl/certs/www.mydomain.com.key

You can also move the .key file into the private directory of your server (/etc/ssl/private, where you’ll also find another file with an interesting name: ssl-cert-snakeoil.key) and secure it there. If you do, point ssl_certificate_key at that path in the Nginx config below.

3. Buy a Commercial SSL

Now use the .csr file created above to obtain a signed certificate from NameCheap or another provider. Once you’ve completed the purchase and the email validation, you’ll receive a zipped package containing all your certs: a signed certificate for your domain name plus the root and intermediate certificates.

1. Download the zipped folder and unpack its contents. You’ll see a couple of cert files that look something like this:

www_bubbl_in.crt (www_yourdomain_com.crt)

COMODORSADomainValidationSecureServerCA.crt

COMODORSAAddTrustCA.crt

AddTrustExternalCARoot.crt

2. Log in to your server and copy all the certs into the /etc/ssl/certs directory.

You can also use the latest version 3+ Capistrano-Unicorn-Nginx recipe to handle all things SSL from the comfort of your computer, but I recommend doing it step-by-step manually.

Now chain all the certificates listed above into one file with the cat command, as shown below. I fail to understand why this complication of chaining SSL certificates into one file has been left to customers at all, but:

$ cat www_yourdomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > www.yourdomain.com.chained.crt

The order of the filenames matters: your own certificate first, then the intermediate certificates, then the root. We’re all set.

4. Configure Nginx and Restart

The server block in your Nginx configuration (inside the /etc/nginx/sites-enabled folder) will look something like this:

server {
    listen 443 ssl spdy;

    ssl_certificate     /etc/ssl/certs/www.yourdomain.com.chained.crt;
    ssl_certificate_key /etc/ssl/private/www.yourdomain.com.key;

    …
}

Note we’ve also enabled SPDY alongside SSL in there. ☺

Simply restart Nginx and voilà, your site is SSL-ready!

While you’re at it, you might want to patch up the heartbleed and other known SSL/TLS related vulnerabilities. Ask your hosting provider for more details.

To verify that everything is set up correctly, use the Qualys SSL Analyzer online.

We scored an A+ score there.
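The steps above as one script, added here as an example and not code from the original post. It turns steps 2 to 4 into shell functions: generate the key and CSR, build the chained certificate in the order the post prescribes (your own certificate, then the two intermediates, then the root), check that the chain starts with your certificate before Nginx ever sees it, and print a server block. File names and paths follow the post; http2 is used in place of spdy because the post’s update note says SPDY is deprecated. Assumptions: the TLSv1.3 line needs an Nginx built against OpenSSL 1.1.1 or newer, and the self-test at the bottom uses constructed placeholder PEM bodies, not real certificates.

```shell
#!/bin/sh
# Added example (not from the original post). Functions for steps 2 to 4 of the
# post: key/CSR generation, chain assembly with an order check, and the nginx
# server block. Paths and file names are the ones used in the post.
set -eu

# Step 2: private key + CSR. -nodes leaves the key unencrypted so nginx can start
# unattended; chmod 400 restricts it to its owner, as the post does.
gen_key_csr() {
    domain="$1"; dir="$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$domain" \
        -keyout "$dir/$domain.key" -out "$dir/$domain.csr"
    chmod 400 "$dir/$domain.key"
}

# Number of PEM certificate blocks in a file (0 if unreadable or not PEM at all).
count_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Step 3: build the chain. $1 is the output path, followed by the leaf, the
# intermediates and finally the root, in that order. Nothing is written if an
# input is missing or not PEM, because nginx would load a truncated chain silently.
build_chain() {
    [ $# -ge 3 ] || { echo "usage: build_chain OUT LEAF [INTERMEDIATE...] ROOT" >&2; return 1; }
    out="$1"; shift
    for f in "$@"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
        [ "$(count_certs "$f")" -ge 1 ] || { echo "not a PEM certificate: $f" >&2; return 1; }
    done
    cat "$@" > "$out"
}

# The first block of the chain must be the server's own certificate. A chain that
# starts with the root is the classic ordering mistake and fails in browsers.
first_is_leaf() {
    leaf="$1"; chain="$2"
    n=$(($(wc -l < "$leaf")))
    [ "$(head -n "$n" "$chain")" = "$(cat "$leaf")" ]
}

# Cryptographic check: the leaf must verify against the root via the intermediates.
# Arguments: LEAF ROOT [INTERMEDIATE...]. Skipped (exit 0) when openssl is absent.
verify_leaf() {
    leaf="$1"; root="$2"; shift 2
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping verify" >&2; return 0; }
    # Rewrite the remaining positional args into "-untrusted FILE" pairs.
    for i in "$@"; do set -- "$@" -untrusted "$i"; shift; done
    openssl verify -CAfile "$root" "$@" "$leaf"
}

# Step 4: server block for $1. Port 80 redirects to HTTPS; only TLS 1.2/1.3 and
# ECDHE suites are offered (forward secrecy); HSTS pins clients to HTTPS.
nginx_server_block() {
    domain="$1"
    cat <<EOF
server {
    listen 80;
    server_name $domain;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl http2;
    server_name $domain;

    ssl_certificate     /etc/ssl/certs/$domain.chained.crt;
    ssl_certificate_key /etc/ssl/private/$domain.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_cache shared:SSL:10m;

    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
}

# Usage on the server (as root), once the signed certs are unpacked into /etc/ssl/certs:
#   cd /etc/ssl/certs
#   build_chain www.yourdomain.com.chained.crt www_yourdomain_com.crt \
#       COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt
#   first_is_leaf www_yourdomain_com.crt www.yourdomain.com.chained.crt && echo "order ok"
#   verify_leaf www_yourdomain_com.crt AddTrustExternalCARoot.crt \
#       COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt
#   nginx_server_block www.yourdomain.com > /etc/nginx/sites-enabled/www.yourdomain.com && nginx -t
```

Run nginx -t before restarting so a typo in the block never takes the site down. The root certificate at the end of the chain is not strictly needed by clients (they already carry it in their trust store) but it is harmless, so the script keeps the post’s order as-is.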
