Step 1: Download the SSL certificate
- Log in to the Digital Certificate Management Service console.
- In the left navigation pane, click SSL Certificates.
- On the SSL Certificates page, find the target certificate and click Download in the Actions column.
- In the Actions column of the row whose server type is Nginx, click Download.
- Unzip the downloaded certificate package.
Depending on the CSR generation method you chose when submitting the certificate application, the unzipped package contains different files:

CSR generation method: the system generated the CSR, or you selected an existing CSR
Files in the certificate package:
- Certificate file (PEM format): named <certificate ID>_<bound domain name> by default. A PEM file is Base64-encoded text.
- Private key file (TXT format): the private key that belongs to the certificate, named after the bound domain name by default. It is PEM-encoded text as well, so the extension does not matter to Nginx (the configuration below refers to it as a .key file). It is a secret, not a password: anyone who obtains it can impersonate your site, so keep it off shared storage and out of version control.

CSR generation method: filled in manually
Files in the certificate package:
- Only the certificate file (PEM format). The private key is the one you generated together with that CSR; the certificate works with no other key, so if that key is lost you must generate a new key and CSR and reissue the certificate. For details, see Creating a Private Key.

Note: If needed, you can convert the PEM certificate file to other formats. For details, see Certificate Format Conversion.
Step 2: Install the certificate on the Nginx server
The steps for installing a certificate differ between a stand-alone Nginx server and an Nginx virtual host. Follow the steps that match your environment.
Install certificates on Nginx standalone server
- Create a directory for the certificate under the Nginx conf directory:

        cd /usr/local/nginx/conf   # Default configuration directory of an Nginx compiled from source.
                                   # If you changed the install prefix or installed from a package, adjust the path.
        mkdir cert                 # Directory that will hold the certificate and private key.

- Upload the certificate file and the private key file to the certificate directory (/usr/local/nginx/conf/cert) on the Nginx server. The private key is read by the Nginx master process (normally running as root) when the configuration is loaded, so it does not need to be readable by the worker user: restrict it with chmod 600 and root ownership.
- Edit the Nginx configuration file nginx.conf and modify the certificate-related settings.
  - Open the configuration file:

        vim /usr/local/nginx/conf/nginx.conf

    Important: nginx.conf is stored in /usr/local/nginx/conf by default. If you have moved it, run nginx -t; its output shows the path of the configuration file Nginx actually uses. Replace /usr/local/nginx/conf/nginx.conf with that path.
  - Press the i key to enter insert mode.
  - Locate the server block in nginx.conf.
  - Remove the comment character # at the beginning of each line and modify the block as follows:

        server {
            # HTTPS uses the default port 443. Nginx may fail to start if the HTTPS port is not configured here.
            listen 443 ssl;
            # Domain name bound to the certificate
            server_name <yourdomain>;
            # Certificate file (the server certificate first, followed by any intermediate certificates)
            ssl_certificate cert/<cert-file-name>.pem;
            # Private key file
            ssl_certificate_key cert/<cert-file-name>.key;
            ssl_session_cache shared:SSL:1m;
            ssl_session_timeout 5m;
            # Default cipher suites
            ssl_ciphers HIGH:!aNULL:!MD5;
            # Optionally restrict the TLS versions and cipher suites (example only; decide whether you need it).
            # Newer TLS versions are more secure but are not supported by very old clients. TLS 1.0 and 1.1
            # are deprecated (RFC 8996); allow only TLSv1.2 and TLSv1.3 unless you must serve legacy clients.
            #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
            #ssl_protocols TLSv1.2 TLSv1.3;
            # Prefer the server's cipher order over the client's (Nginx's default is off).
            ssl_prefer_server_ciphers on;
            location / {
                root html;
                index index.html index.htm;
            }
        }
- Optional: redirect HTTP requests to HTTPS automatically.

  Important: To redirect all HTTP visits to HTTPS, add a rewrite statement to the server block of the HTTP site. Place the following snippet after the server {} block above; after this change nginx.conf contains two server {} blocks.

        server {
            listen 80;
            # Domain name bound to the certificate
            server_name <yourdomain>;
            # Redirect every HTTP request to HTTPS. A rewrite whose replacement starts with https://
            # makes Nginx answer with a redirect (302 by default; add the permanent flag for a 301).
            # "return 301 https://$host$request_uri;" is the simpler equivalent.
            rewrite ^(.*)$ https://$host$1;
            location / {
                index index.html index.htm;
            }
        }

  The configuration effect is shown in the figure below:
- After the modification is complete, press Esc, type :wq and press Enter to save the configuration file and exit the editor.
- Run the following commands to validate the configuration and reload the Nginx service:

        cd /usr/local/nginx/sbin   # Directory of the Nginx executable.
        ./nginx -t                 # Checks the syntax and that the certificate and key load; fix any error before reloading.
        ./nginx -s reload          # Reload the configuration file.
Notes:
- Error the "ssl" parameter requires ngx_http_ssl_module: Nginx was built without SSL support. Recompile Nginx with the --with-http_ssl_module configure option.
- Error "/cert/3970497_demo.aliyundoc.com.pem":BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/cert/3970497_demo.aliyundoc.com.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file): the certificate path begins with /, which makes it absolute (relative to the root of the file system). Remove the leading / so that Nginx resolves the path relative to its configuration directory: use cert/cert-file-name.pem rather than /cert/cert-file-name.pem.
Install certificates on Nginx virtual hosts
The steps differ by virtual host provider. If you use an Alibaba Cloud cloud virtual host, see Enabling HTTPS encrypted access. If you use another provider's virtual host, follow that provider's guide to install the certificate.
Step 3: Verify that the SSL certificate is installed
After installing the certificate, open the domain name bound to it in a browser:

        https://yourdomain    # Replace yourdomain with the domain name bound to the certificate.

If a lock icon appears in the address bar, the certificate is installed. The lock alone does not prove that the certificate chain served by Nginx is complete: some browsers fetch a missing intermediate certificate on their own, while command-line clients, mobile apps and older browsers do not and will fail the handshake. Confirm the chain with openssl s_client or a TLS scanner as well.
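As an added example, not part of the original page or of Alibaba Cloud's documentation, the following POSIX shell script runs the checks that catch the usual causes of Step 2 and Step 3 going wrong. For Step 2 it confirms, before nginx -t is ever run, that the downloaded certificate and private key belong together, that the certificate has not expired and that its Subject Alternative Name covers the server_name; for Step 3 it verifies the live site in a way that does not depend on a browser padlock. It assumes the openssl (1.1.1 or newer) and curl command-line tools. The name www.example.test, the self-signed pair it generates and the script name check_cert.sh are constructed for illustration; point the functions at your own .pem and .key files.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes openssl >= 1.1.1 and curl.
# www.example.test and the generated self-signed pair are constructed demo data.

# PEM public key embedded in a certificate.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey
}

# PEM public key derived from a private key (RSA or EC).
key_pubkey() {
    openssl pkey -in "$1" -pubout
}

# Prints "match" if the certificate was issued for this private key, "mismatch"
# otherwise, "error" if a file cannot be read. A wrong pair is what makes Nginx
# reject the configuration with a "key values mismatch" error.
cert_key_match() {
    c=$(cert_pubkey "$1" 2>/dev/null) || { echo error; return 1; }
    k=$(key_pubkey "$2" 2>/dev/null) || { echo error; return 1; }
    if [ "$c" = "$k" ]; then echo match; else echo mismatch; fi
}

# Succeeds if the certificate is still valid for at least $2 more days.
# Worth running from cron too: expiry is the usual way a working site breaks later.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeeds if the Subject Alternative Name lists the exact host $2
# (wildcards are not expanded). Browsers match the host against the SAN, not the CN.
cert_covers_domain() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -Eq "DNS:$2"'(,|$)'
}

# Constructed demo material: a self-signed pair for www.example.test and an
# unrelated key, so both outcomes of cert_key_match can be seen offline.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=www.example.test" \
        -addext "subjectAltName=DNS:www.example.test,DNS:example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

# Step 3 beyond the padlock: does the handshake succeed for the SNI name, does
# the served chain verify against the local trust store (a missing intermediate
# shows up as a non-zero "Verify return code"), and does plain HTTP redirect?
# Needs network access, so it only runs when asked for.
verify_remote() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | grep -E '^(subject|issuer)=|Verify return code'
    curl -sSI "http://$1/" | grep -Ei '^(HTTP/|location:)'
}

# Usage (check_cert.sh is a hypothetical file name):
#   sh check_cert.sh --check  cert/<cert-file-name>.pem cert/<cert-file-name>.key
#   sh check_cert.sh --remote <yourdomain>
case "${1:-}" in
    --check)  cert_key_match "$2" "$3"
              cert_valid_for_days "$2" 30 && echo "valid for more than 30 days" ;;
    --remote) verify_remote "$2" ;;
esac
```

Run the --check form on the unzipped files before copying them to /usr/local/nginx/conf/cert, and the --remote form after the reload; "Verify return code: 0 (ok)" together with a 301 or 302 Location: https:// header is the result you want.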