You can install an issued SSL certificate on an NGINX server or Tengine server. This topic describes how to download and install an SSL certificate on an NGINX server or Tengine server.

Prerequisites

  • The certificate is issued in the Certificate Management Service console. For more information, see Submit a certificate application.
  • A remote logon tool, such as PuTTY or Xshell, is available for you to log on to your web server.

Version description

In this example, CentOS 8 and NGINX 1.14.1 are used. If you use CentOS and NGINX of other versions, the operations may be slightly different.

Step 1: Download a certificate to your computer

  1. Log on to the SSL Certificates Service console.
  2. In the left-side navigation pane, click SSL Certificates Service.
  3. Find the certificate that you want to download and click Download in the Actions column.
  4. In the Download Certificate dialog box, find the certificate for Nginx and click Download in the Actions column.
    This operation downloads the certificate package to your computer and stores the package in the default download folder of your browser.
  5. Open the folder and decompress the certificate package.
    The following two files are extracted from the package.
    Notice In this example, the certificate name is cert-file-name. For example, the name of the certificate authority (CA) certificate file is cert-file-name.pem and the name of the private key file is cert-file-name.key. In actual use, you must replace cert-file-name with the name of your certificate. For more information about how to query the name of a certificate, see the "Download a certificate to your computer" section in this topic.
    • CA certificate file in the PEM format

      The CA certificate file is encoded in Base64. You can convert the file format from PEM to the required format. For more information about certificate formats, see What formats are used for mainstream digital certificates?

    • Private key file in the KEY format
      Notice If you have selected Manual for CSR Generation when you apply for the certificate, the certificate package does not contain a private key file. In this case, you must manually create a private key file.

Step 2: Install the certificate on an NGINX server

To install the certificate on an NGINX server, perform the following steps:

  1. Log on to the NGINX server.
    You can use a remote logon tool such as PuTTY or Xshell to log on to the NGINX server.
  2. Run the following commands to go to the NGINX installation directory, and create a directory named cert to store the certificate. The default installation directory of NGINX is /usr/local/nginx/conf.
    cd /usr/local/nginx/conf  # Go to the default installation directory of NGINX. You must replace the default installation directory with the actual directory. 
    mkdir cert  # Create a directory named cert. 
  3. Use the file upload feature of the PuTTY or Xshell tool to upload the two certificate files to the cert directory on the NGINX server. In this example, upload the files to the /usr/local/nginx/conf/cert directory.
    Notice If you have selected Manual for CSR Generation when you apply for the certificate, upload the private key file that you manually create to the /usr/local/nginx/conf/cert directory.
  4. Open the configuration file nginx.conf of the NGINX server and modify certificate information in the file.
    1. Run the following command to open the configuration file:
      Notice By default, the nginx.conf file is stored in the /usr/local/nginx/conf directory. If you have moved the nginx.conf file to a different directory, replace /usr/local/nginx/conf/nginx.conf with the directory.
      vim /usr/local/nginx/conf/nginx.conf
    2. Press i to enter the insert mode.
    3. Find the HTTP settings that are enclosed in http{} in the configuration file. Then, add the following server configurations or modify the existing server configurations based on the comments.
      The following code is for reference only. You must replace the variables with values based on your business requirements.
      • yourdomain: Replace this variable with the domain name that is bound to your certificate.

        If you want to use a single-domain certificate, enter the single domain name such as www.aliyundoc.com. If you want to use a wildcard certificate, enter the wildcard domain name such as *.aliyundoc.com.

      • cert-file-name.pem: Replace this variable with the name of the CA certificate file that you uploaded in Step 3.
      • cert-file-name.key: Replace this variable with the name of the private key file that you uploaded in Step 3.
      # The following configuration items whose names start with ssl are certificate-related settings. 
      server {
          listen 443 ssl;
          # Listen on the default HTTPS port 443 with TLS enabled by the ssl parameter. 
          # If you omit the ssl parameter or the port, NGINX may fail to start or may serve plain HTTP on this port. 
          # The ssl parameter on listen is the supported form; the separate "ssl on" directive is deprecated since NGINX 1.15.0. 
          server_name yourdomain; # Replace yourdomain with the domain name that is bound to your certificate. 
          root html;
          index index.html index.htm;
          ssl_certificate cert/cert-file-name.pem;  # Replace cert-file-name.pem with the name of the CA certificate file that you uploaded. 
          ssl_certificate_key cert/cert-file-name.key; # Replace cert-file-name.key with the name of the private key file that you uploaded. 
          ssl_session_timeout 5m;
          ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
          # Specify the cipher suite that you want to use. 
          ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; # Specify the TLS versions that are supported. 
          ssl_prefer_server_ciphers on;
          location / {
              root html;  # Specify the directory in which you store the website files on your server. 
              index index.html index.htm;
          }
      }
    4. Optional: Redirect HTTP requests to HTTPS.
      If you want to redirect all HTTP requests to HTTPS, add a rewrite configuration item for the domain name of the HTTP website.
      Notice Add the following server {} code segment after the existing server {} code segment in the nginx.conf file. After you configure the redirection settings, the nginx.conf file contains two server {} code segments: one for port 80 and one for port 443.
      server {
          listen 80;
          server_name yourdomain; # Replace yourdomain with the domain name that is bound to your certificate. 
          rewrite ^(.*)$ https://$host$1; # Redirect all HTTP requests to HTTPS requests. 
          location / {
              index index.html index.htm;
          }
      }
      Warning If your website is hosted on an Alibaba Cloud Elastic Compute Service (ECS) instance, log on to the ECS console and go to the Security Groups page. Then, configure security group rules to allow traffic over ports 80 and 443. Otherwise, your website may be inaccessible. For more information about how to configure security group rules, see Add a security group rule.
    5. After you modify the configuration file, press Esc to exit the insert mode. Then, enter :wq! and press Enter to save the configuration file and exit the editor.
  5. Run the following commands to reload the NGINX configuration:
    cd /usr/local/nginx/sbin  # Go to the directory that contains the NGINX executable file on the NGINX server. 
    ./nginx -s reload  # Reload the configuration file. 
    If an error is reported when the NGINX configuration is reloaded, use one of the following methods to fix the error:
    • If the error the "ssl" parameter requires ngx_http_ssl_module is reported, NGINX was built without TLS support. Recompile NGINX with the --with-http_ssl_module configure option.
    • If the error "/cert/3970497_demo.aliyundoc.com.pem":BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/cert/3970497_demo.aliyundoc.com.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file) is reported, remove the forward slash (/) that precedes the relative path of a certificate file. For example, remove the forward slash (/) that precedes the relative path /cert/cert-file-name.pem. The required relative path is cert/cert-file-name.pem.
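The following Python script is an added example, not part of the original topic or of NGINX itself. It checks the TLS-related directives of an nginx.conf the way NGINX resolves them: relative ssl_certificate and ssl_certificate_key paths are joined to the conf prefix (/usr/local/nginx/conf here), an absolute path such as /cert/cert-file-name.pem is reported with the leading-slash hint from the error above, and deprecated ssl_protocols values are flagged. The sample configuration and the conf prefix are assumptions constructed for the example; the exists parameter lets the check run without the real files.

```python
import os
import re

# Constructed sample, not the page's file. The ssl_certificate line carries the
# leading-slash mistake that produces the BIO_new_file error described above.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate /cert/cert-file-name.pem;
    ssl_certificate_key cert/cert-file-name.key;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
}
"""

# Matches the directives we care about; anchored at line start so that
# commented-out lines ("# ssl_certificate ...") are ignored.
DIRECTIVE = re.compile(
    r"^\s*(ssl_certificate(?:_key)?|ssl_protocols|listen)\s+([^;]+);", re.M)

DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def check_ssl_config(conf_text, conf_prefix="/usr/local/nginx/conf",
                     exists=os.path.exists):
    """Return a list of findings (strings); an empty list means nothing to fix.

    NGINX resolves relative ssl_certificate paths against the directory that
    holds nginx.conf (conf_prefix), so "cert/x.pem" becomes
    "<conf_prefix>/cert/x.pem" while "/cert/x.pem" stays absolute.
    """
    findings = []
    has_ssl_listen = False
    for name, value in DIRECTIVE.findall(conf_text):
        value = value.strip()
        if name == "listen":
            has_ssl_listen |= "ssl" in value.split()  # e.g. "listen 443 ssl"
        elif name == "ssl_protocols":
            weak = sorted(set(value.split()) & DEPRECATED_PROTOCOLS)
            if weak:
                findings.append("ssl_protocols enables deprecated versions: "
                                + ", ".join(weak))
        else:  # ssl_certificate / ssl_certificate_key
            resolved = value if value.startswith("/") else os.path.join(conf_prefix, value)
            if not exists(resolved):
                hint = ""
                relative = value.lstrip("/")
                if value.startswith("/") and exists(os.path.join(conf_prefix, relative)):
                    hint = " (drop the leading slash: %s)" % relative
                findings.append("%s not found: %s%s" % (name, resolved, hint))
    if not has_ssl_listen:
        findings.append("no 'listen ... ssl' directive; TLS is not enabled on any port")
    return findings


if __name__ == "__main__":
    for line in check_ssl_config(SAMPLE_CONF) or ["no findings"]:
        print(line)
```

Run it against your own file with check_ssl_config(open("/usr/local/nginx/conf/nginx.conf").read()) before reloading. Once it reports no findings, ./nginx -t in /usr/local/nginx/sbin runs NGINX's own syntax and certificate-loading check, which is the last test worth doing before ./nginx -s reload.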

Step 3: Verify the installation

After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.
https://yourdomain   # Replace yourdomain with the domain name that is bound to your certificate. 

If a lock icon appears in the address bar, the certificate is installed.

If the following issues occur, resolve them based on the solutions described below.

Issue: You cannot access your website by using HTTPS.
Possible cause: Port 443 is not enabled on the NGINX server on which you installed the certificate, or traffic over this port is blocked.
Solution:
  • If your website is hosted on an Alibaba Cloud ECS instance, log on to the ECS console and go to the Security Groups page. Then, configure security group rules to allow traffic over port 443. For more information about how to configure security group rules, see Add a security group rule.
  • If your website is not hosted on an Alibaba Cloud ECS instance, see the instructions on how to allow traffic over port 443 on the server.

Issue: The "Your connection to this site is not fully secure" message appears.
Possible cause: The code of your website still loads resources over HTTP (mixed content).
Solution: Change the protocol from HTTP to HTTPS in the code of your website.
  Note The implementation logic varies based on the website code. Change the protocol based on your business requirements. If you require additional support, submit a ticket.