How to Install Wildcard SSL on NGINX

So, I got a task from my client today: they gave me a zip with three required files to install an SSL certificate:

  • a private key file, privkey.txt
  • a CSR file, filecsr.txt
  • and a CRT file, cert.crt

I want to install the wildcard SSL on NGINX.

The first thing I have to do is extract the zip into the directory /etc/nginx/ssl. Open an SSH terminal and run the following commands:

mkdir -p /etc/nginx/ssl
unzip wildssl.zip -d /etc/nginx/ssl

then move into /etc/nginx/ssl with:

cd /etc/nginx/ssl

and to build the two files NGINX needs (fullchain.pem and privkey.pem) properly, let me describe it with a picture to make it easy to remember:

(picture: fullchain and privkey)

First, I must copy everything from the main certificate file (cert.crt), including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, then copy the Intermediate and Root CA certificates from our SSL certificate vendor, and combine them, in that order, into one .pem file.

Open your favorite editor, maybe nano (I'm not comfortable with vim 😂), to create the fullchain.pem file:

nano fullchain.pem

In this case, I'm using an AlphaSSL Wildcard SSL certificate, so I must copy the Intermediate Certificate and the Root CA certificate, which are the two blocks below:

New AlphaSSL / Wildcard Intermediate certificate

-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----

AlphaSSL Root CA certificate

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

After fullchain.pem is created, I need to rename privkey.txt to privkey.pem.

mv privkey.txt privkey.pem
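Before touching the NGINX config, it's worth checking that the files just assembled actually fit together: that fullchain.pem has no fused END/BEGIN lines (a pasted block without a trailing newline does that, and nginx then refuses to load the file), that the private key really belongs to cert.crt, that the chain verifies against the vendor's root, and that the certificate covers the subdomains you intend to serve. The script below is an added example, not part of the original post and not from AlphaSSL or NGINX; it assumes the vendor's intermediate and root CA certificates have been saved as separate files named intermediate.pem and root.pem (hypothetical names) next to cert.crt and privkey.txt in /etc/nginx/ssl, and it needs the openssl command-line tool on the server.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed layout: the vendor's
# intermediate and root CA certificates saved as intermediate.pem and root.pem
# (hypothetical names) next to cert.crt and privkey.txt in /etc/nginx/ssl.
# The check functions need the openssl command-line tool.

# Write leaf, intermediate and root, in that order, into one file. Each input
# is normalised (CRLF stripped, trailing newline guaranteed) so a pasted block
# cannot fuse "-----END CERTIFICATE-----" onto the next BEGIN line, which
# makes nginx refuse the file.
build_fullchain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        awk '{ sub(/\r$/, ""); print }' "$f" >> "$out"
    done
}

# Number of PEM certificate blocks in a file (3 for leaf + intermediate + root).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# True when every BEGIN has a matching END and no line carries both markers.
chain_is_well_formed() {
    ! grep -q -- 'END CERTIFICATE-----.*-----BEGIN' "$1" &&
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")" = \
      "$(grep -c -- '-----END CERTIFICATE-----' "$1")" ]
}

# True when the public key inside the certificate belongs to the private key,
# compared as SHA-256 of the DER-encoded public key on both sides.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when the leaf ($1) chains through the intermediate ($2) to the root ($3).
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# True when the certificate's SAN list names the host directly or via the
# wildcard of its parent domain (a sanity check, not a full RFC 6125 matcher).
cert_covers() {
    host=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    base=$(printf '%s' "${2#*.}" | sed 's/[.]/\\./g')
    openssl x509 -in "$1" -noout -text | grep -qE "DNS:(\*\.$base|$host)(,|\$)"
}

# After "systemctl reload nginx": print subject/issuer of every certificate the
# server sends for a name, plus the verify result (needs a running server;
# not exercised by the offline checks above).
show_served_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
        grep -E '^ *[0-9]+ [si]:|^ *Verify return code'
}

# Usage: sh check_ssl.sh run   (from a shell with access to /etc/nginx/ssl)
if [ "${1:-}" = run ]; then
    cd /etc/nginx/ssl || exit 1
    build_fullchain fullchain.pem cert.crt intermediate.pem root.pem
    chain_is_well_formed fullchain.pem   || { echo "fullchain.pem is malformed"; exit 1; }
    key_matches_cert cert.crt privkey.txt || { echo "privkey.txt does not match cert.crt"; exit 1; }
    chain_verifies cert.crt intermediate.pem root.pem || { echo "chain does not verify"; exit 1; }
    cert_covers cert.crt shop.mywebsite.com || { echo "cert does not cover shop.mywebsite.com"; exit 1; }
    # same rename as the post, plus owner-only permissions on the private key
    mv privkey.txt privkey.pem && chmod 600 privkey.pem
    echo "ok: $(cert_count fullchain.pem) certificates in fullchain.pem"
fi
```

The key-match test is the one that catches the most common mistake with vendor-supplied bundles (a privkey.txt from an earlier CSR that no longer matches the issued cert); nginx would then fail at `nginx -t` with a key/certificate mismatch. After the reload, `show_served_chain mywebsite.com` should list depth 0 (the wildcard cert) and depth 1 (the AlphaSSL intermediate); if only depth 0 appears, the intermediate was not appended to fullchain.pem.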

And lastly, open your NGINX vhost config file, whether it lives in the conf.d folder (/etc/nginx/conf.d) or the sites-enabled folder (/etc/nginx/sites-enabled).

Change the ssl_certificate and ssl_certificate_key lines to:

ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;

NGINX full config

Here's the full NGINX virtual host config:

server {
    server_name mywebsite.com;
    root /var/www/mywebsite;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html index.php;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # This is the PHP handler; if you aren't using PHP,
    # or your setup uses different lines, don't copy this block
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_read_timeout 180;
        include fastcgi_params;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    location ~ /\.ht {
        deny all;
    }

    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
}

server {
    if ($host = mywebsite.com) {
        return 301 https://$host$request_uri;
    }

    listen 80;

    server_name mywebsite.com;
    return 404; # managed by Certbot
}

Replace mywebsite.com with your site, and don't forget to check your nginx config first with:

nginx -t

and reload (or restart) nginx with one of:

systemctl reload nginx
systemctl restart nginx

Done!

Little note

If you have other subdomains like shop.mywebsite.com and blog.mywebsite.com, you can copy the nginx config above, but make sure to replace every mywebsite.com with the subdomain! Then reload nginx.

Source for AlphaSSL intermediate and root ca cert: https://www.ssl2buy.com/wiki/alphassl-intermediate-root-ca-certificates

Thanks for reading.