[Linux environment] How to install an SSL certificate on an Nginx (or Tengine) server ---- downloading and installing a certificate for the Nginx server type

Contents of this article

1. Download the certificate

2. Install the certificate on the Nginx (or Tengine) server

1. Prerequisites

2. Background information

3. Install the certificate on the Nginx type server

Step 1: Use remote login tools (such as PuTTY, Xshell) to log in to the server.

Step 2: Execute the following command to create a directory (named cert) for storing certificates under the Nginx installation directory (/usr/local/nginx/conf).

Step 3: Upload the local certificate file and key file to the certificate directory of the Nginx server (/usr/local/nginx/conf/cert in the example).

Step 4: Edit the Nginx configuration file (nginx.conf) to modify the configuration content related to the certificate.

Step 5: Verify that the installation is successful


The SSL certificate service supports downloading certificates and installing them on your web server. After the certificate is installed, the website bound to the certificate communicates over the SSL protocol, which protects the site's data in transit. This document describes how to download and install a certificate for the Nginx server type.

1. Download the certificate

1. Log in to the Alibaba Cloud SSL certificate console.

2. On the SSL certificate page, locate the certificate to be downloaded and click Download in the lower right corner of the certificate card.

3. Locate the server type on which you need to install the certificate and click Download in the operation column on the right to download the certificate archive to your local machine.

Note: As of the end of 2020, Alibaba Cloud SSL certificates support installation on the following web server types: Tomcat, Apache, Nginx, IIS, GlassFish, JBoss and Jetty.

2. Install the certificate on the Nginx (or Tengine) server

1. Prerequisites

  • The certificate issuance has been completed through the SSL certificate service.
  • A remote login tool (such as PuTTY, Xshell) is ready to log in to your web server.

2. Background information

This article uses the CentOS 7 operating system and the Nginx 1.16.2 server as examples. Because server system versions differ, the commands you use during the operation may be slightly different.

Where the name of the certificate file appears in this article, cert-file-name is used as an example for description. For example, the certificate file used in this article is cert-file-name.pem, and the certificate key file is cert-file-name.key.

3. Install the certificate on the Nginx type server

Put simply, clients access your project through the Nginx service, which intercepts and filters their requests first. The steps below assume that Nginx is installed in /usr/local/nginx/; adjust the paths to match your actual installation directory.

Step 1: Use remote login tools (such as PuTTY, Xshell) to log in to the server.

Step 2: Execute the following command to create a directory (named cert) for storing certificates under the Nginx installation directory (/usr/local/nginx/conf).

cd /usr/local/nginx/conf  # Enter the default installation directory of Nginx. If you have modified the default installation directory, adjust it according to the actual configuration.
mkdir cert  # Create a certificate directory and name it cert.

Step 3: Upload the local certificate file and key file to the certificate directory of the Nginx server (/usr/local/nginx/conf/cert in the example).

Step 4: Edit the Nginx configuration file (nginx.conf) to modify the configuration content related to the certificate.

  1. Execute the following command to open the configuration file. Before using the example command, note that nginx.conf is saved in the /usr/local/nginx/conf directory by default. If you have changed the location of nginx.conf, replace /usr/local/nginx/conf/nginx.conf with the actual location.
    vim /usr/local/nginx/conf/nginx.conf
  2. Press the i key to enter the editing mode.
  3. Locate the HTTP block (http{}) in the configuration file and add the following server configuration inside it (if the server configuration already exists, modify it according to the comments below). Before using the sample code, replace the following:
    • yourdomain.com: Replace with the domain name bound to the certificate.

      If you purchased a single domain name certificate, you need to modify it to a single domain name (for example www.aliyun.com); if you purchased a wildcard domain name certificate, you need to modify it to a wildcard domain name (for example *.aliyun.com).

    • cert-file-name.pem: Replace with the name of the certificate file you uploaded in step 3.
    • cert-file-name.key: Replace with the name of the certificate key file you uploaded in step 3.
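      # In the following configuration, directives that begin with ssl relate to the certificate.
      server {
          listen 443 ssl;
          # Sets 443 as the default HTTPS port.
          # If the default HTTPS port is not configured here, Nginx may fail to start.
          # If you use Nginx 1.15.0 or later, use listen 443 ssl instead of listen 443 and ssl on.
          server_name yourdomain.com; # Replace yourdomain.com with the domain name bound to the certificate.
          root html;
          index index.html index.htm;
          ssl_certificate cert/cert-file-name.pem;  # Replace cert-file-name.pem with the name of the uploaded certificate file.
          ssl_certificate_key cert/cert-file-name.key; # Replace cert-file-name.key with the name of the uploaded certificate key file.
          ssl_session_timeout 5m;
          ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
          # The cipher suites to use.
          ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # The TLS protocol versions to use.
          # TLSv1 and TLSv1.1 are deprecated (RFC 8996); list them only if legacy clients require them.
          ssl_prefer_server_ciphers on;
          location / {
              root html;  # Site directory.
              index index.html index.htm;
          }
      }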
    • Optional: Set HTTP requests to automatically redirect to HTTPS.

      If you want all HTTP visits to be automatically redirected to HTTPS pages, you can add the following rewrite statement under the HTTP site that needs to be redirected.

      Before using the sample code, be sure to replace yourdomain.com with the domain name bound to the certificate.

    • After the modification is completed, press the Esc key, type :wq! and press Enter to save the modified configuration file and exit the editing mode.
  4. Execute the following command to restart the Nginx service.
    cd /usr/local/nginx/sbin  # Enter the directory that contains the Nginx executable.
    ./nginx -s reload  # Reload the configuration file.
    If you receive an error when restarting the Nginx service, you can use the following methods to troubleshoot:
    • Received a the "ssl" parameter requires ngx_http_ssl_module error: You need to recompile Nginx and add the --with-http_ssl_module option when compiling and installing.
    • Received a "/cert/3970497_pic.certificatestests.com.pem":BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/cert/3970497_pic.certificatestests.com.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file) error: You need to remove the leading / from the relative path of the certificate. For example, remove the leading / from /cert/cert-file-name.pem and use the correct relative path cert/cert-file-name.pem.
  5. To verify that the certificate is installed successfully, refer to step 5.
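
The "No such file or directory" error above can be caught before the reload: Nginx looks up a relative path such as cert/cert-file-name.pem under the directory that holds nginx.conf, while /cert/... is taken from the filesystem root. The following shell check is an added example, not part of the original article; it resolves the ssl_certificate and ssl_certificate_key paths the same way, reports files that cannot be read, and flags a key file that group or other users can access. The function names are illustrative, and it assumes one directive per line and paths without spaces, as in the sample configuration.

```shell
#!/bin/sh
# Added example: pre-reload check of the certificate paths in nginx.conf.
# Assumptions: one directive per line, no spaces in paths, and the file given
# is the main nginx.conf (relative paths resolve against its directory).

# Print the values of one directive (e.g. ssl_certificate) found in a config file.
directive_values() {   # $1 = directive name, $2 = config file
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\([^;[:space:]]*\)[[:space:]]*;.*/\1/p" "$2"
}

# Resolve a path from the config: absolute paths stay as they are,
# relative paths are joined to the directory that holds the config file.
resolve_path() {       # $1 = path from the config, $2 = config file
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "$(dirname "$2")" "$1" ;;
    esac
}

# Report problems on stdout; return 0 only if none were found.
preflight_tls() {      # $1 = path to nginx.conf
    conf=$1
    problems=0
    for name in ssl_certificate ssl_certificate_key; do
        for value in $(directive_values "$name" "$conf"); do
            path=$(resolve_path "$value" "$conf")
            if [ ! -r "$path" ]; then
                echo "MISSING $name $path"
                problems=$((problems + 1))
                continue
            fi
            # Characters 5-10 of the ls mode string are the group/other bits.
            if [ "$name" = ssl_certificate_key ] &&
               [ "$(ls -ldL "$path" | cut -c5-10)" != "------" ]; then
                echo "LOOSE_PERMS $path"
                problems=$((problems + 1))
            fi
        done
    done
    [ "$problems" -eq 0 ]
}

# Stand-alone use: sh preflight.sh /usr/local/nginx/conf/nginx.conf
if [ "$#" -gt 0 ]; then preflight_tls "$1"; fi
```

Run it before ./nginx -s reload; ./nginx -t then tests the complete configuration with Nginx itself.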

Step 5: Verify that the installation is successful

After the certificate is installed, you can verify the successful installation of the certificate by accessing the bound domain name of the certificate.

https://yourdomain.com   # Replace yourdomain.com with the domain name bound to the certificate.

If a small lock icon appears in the address bar of the webpage, it means that the certificate has been installed successfully.

Different types of certificates have different effects after successful installation, as follows:

  • After the DV SSL and OV SSL digital certificates are deployed on the server, the following effects will be displayed when your browser visits the website.
  • DV/OV certificate installation renderings
  • After the EV SSL digital certificate is deployed on the server, the following effects will be displayed when your browser visits the website.
  • EV certificate installation renderings

 

Reference: Ali official help document: https://help.aliyun.com/document_detail/98728.html

 

end!

Origin blog.csdn.net/weixin_44299027/article/details/111874636