Install SSL certificates on NGINX or Tengine servers - Certificate Management Service

This topic describes how to install an SSL certificate on an NGINX server or a Tengine server, including downloading and uploading the certificate file, configuring parameters required for the server, and checking the installation result. The parameters include a certificate file, certificate chain, and certificate key. After the certificate is installed, you can access the server over HTTPS.

Important

In this topic, an NGINX 1.14.2 server that runs a 64-bit CentOS 8.0 operating system is used as an example to illustrate the installation. Installation operations vary based on the versions of servers and operating systems. If you have questions, contact your account manager.
If you use an Alibaba Cloud Elastic Compute Service (ECS) instance, you must allow port 443 on the Security Groups page of the ECS console. Otherwise, exceptions may occur when your website is accessed. For more information, see Add a security group rule.
In this topic, a certificate named cert-file-name is used as an example to illustrate the installation. The certificate file is named cert-file-name.pem, and the private key file is named cert-file-name.key. In actual installation, you must replace cert-file-name with the name of your certificate.

Prerequisites

A certificate is issued by using the Certificate Management Service console. For more information, see Purchase SSL certificates and Apply for a certificate.
Domain Name System (DNS) resolution is complete on the domain name that is bound to the certificate. The domain name is resolved to an IP address. You can use the DNS verification tool to check whether the DNS record of the domain name takes effect. For more information, see Verify the DNS record of your domain name.
Port 443 is enabled on your web server. Port 443 is the standard port used for HTTPS communication.
If you use an Alibaba Cloud Elastic Compute Service (ECS) instance, make sure that an inbound security group rule is configured to allow TCP access on port 443. For more information, see Add a security group rule.

Step 1: Download the certificate

Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Manage Certificates > SSL Certificate Management.
On the SSL Certificate Management page, find the certificate that you want to manage and click Download in the Actions column.
Find Nginx in the Server Type column and click Download in the Actions column.

Decompress the downloaded certificate package.

The following table describes the files that you can extract from the package. The files vary based on the certificate signing request (CSR) generation method that you use when you submit the certificate application.

Value of the CSR Generation parameter	File extracted from the certificate package
Automatic	Certificate file in the PEM format: NGINX servers support PEM files. A certificate file in the PEM format is a Base64-encoded text file that contains a complete certificate chain. The file is named in the `Certificate ID_Domain name bound to the certificate` format after decompression. Private key file in the KEY format: By default, the private key file is named in the Domain name bound to the certificate format.
Manual	If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that is obtained in scenarios when you set CSR Generation to Automatic. If you specify a CSR that is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.

Step 2: Install the certificate on the NGINX server

Run the following commands to create a directory in the conf directory of the NGINX server to store the certificate:

cd /usr/local/nginx/conf  # Go to the default configuration file directory of the NGINX server. The directory is used when you manually compile and install NGINX. If you changed the default NGINX installation directory or installed NGINX by using other methods, specify the actual directory. 
mkdir cert  # Create a directory named cert.

Upload the certificate file and private key file to the following directory of the NGINX server: /usr/local/nginx/conf/cert.
Note
You can upload the file by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, and WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service (ECS) instance, see Upload files to or download files from a Windows instance or Upload a file to a Linux instance.

Open the nginx.conf configuration file of the NGINX server and modify certificate-related settings in the file.

Run the following command to open the configuration file:
```
vim /usr/local/nginx/conf/nginx.conf
```
Important
By default, the nginx.conf configuration file is stored in the /usr/local/nginx/conf directory. If you moved the nginx.conf configuration file to a different location, you can run the nginx -t command to obtain the new path to the configuration file and replace /usr/local/nginx/conf/nginx.conf with the new path.
Find the server configuration item in the nginx.conf configuration file.
Note
If the nginx.conf configuration file or the file that is referenced by the include directive does not contain the server configuration item, manually add the server configuration item.

Remove the # comment symbol from the beginning of each line and modify the settings based on the following sample code:

server {
     # Specify the default HTTPS port 443. 
     # If you do not specify the default HTTPS port, the NGINX service may fail to start. 
     listen 443 ssl;
     
     # Enter the domain name that is bound to the certificate.
     server_name <yourdomain>;
 
     # Enter the absolute path to the certificate file.
     ssl_certificate cert/<cert-file-name>.pem;
     # Enter the absolute path to the private key file.
     ssl_certificate_key cert/<cert-file-name>.key;
 
     ssl_session_cache shared:SSL:1m;
     ssl_session_timeout 5m;
	 
     # Specify the Transport Layer Security (TLS) protocols and custom cipher suites that you want to use. The following sample code is only for reference.
     # A later TLS version offers higher security but lower compatibility with browsers. 
     ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
     ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

     # A server-side cipher suite is preferentially used. The default value is on.
     ssl_prefer_server_ciphers on;
 
 
    location / {
           root html;
           index index.html index.htm;
    }
}

Optional. Configure settings to automatically redirect HTTP requests to HTTPS requests.
If you want to redirect all HTTP requests to HTTPS requests, you can add the rewrite directive to your configuration file.
Important
You must append the following configuration item to the server {} configuration item in the nginx.conf configuration file. The nginx.conf file contains two server {} configuration items after you configure the redirection settings.
```
server {
    listen 80;
    # Enter the domain name that is bound to the certificate.
    server_name <yourdomain>;
    # Add the rewrite directive to redirect all HTTP requests to HTTPS requests. 
    rewrite ^(.*)$ https://$host$1;
    location / {
        index index.html index.htm;
    }
}
```
The following figure shows the result after configuration.

Run the following commands to restart the NGINX service:
```
cd /usr/local/nginx/sbin  # Go to the executable directory of the NGINX service. 
./nginx -s reload  # Reload the configuration file.
```
Note
- If the error the "ssl" parameter requires ngx_http_ssl_module is reported, recompile NGINX and add --with-http_ssl_module when you install NGINX.
- If the error "/cert/3970497_demo.aliyundoc.com.pem":BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/cert/3970497_demo.aliyundoc.com.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file) is reported, remove the forward slash (/) that precedes the relative path to a certificate file. For example, remove the forward slash (/) that precedes the relative path /cert/cert-file-name.pem. The required relative path is cert/cert-file-name.pem.

Step 3: Check whether the certificate is installed

After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.

https://yourdomain   # Replace yourdomain with the domain name that is bound to your certificate.

If a lock icon appears in the address bar, the certificate is installed.

image..png

References

After I deploy a certificate to a website, the certificate does not take effect or the website is reported as insecure when I access the website. What do I do?