You can install an issued SSL certificate on an NGINX server or Tengine server. This
topic describes how to download and install an SSL certificate on an NGINX server
or Tengine server.
Prerequisites
- The certificate is issued in the Certificate Management Service console. For more
information, see Apply for a certificate.
- A remote logon tool, such as PuTTY or Xshell, is available for you to log on to your
web server.
Version description
In this example, CentOS 8 and NGINX 1.14.1 are used. If you use CentOS and NGINX of
other versions, the operations may be slightly different.
Step 1: Download a certificate to your computer
- Log on to the SSL Certificates Service console.
- In the left-side navigation pane, click SSL Certificates Service.
- Find the certificate that you want to download and click Download in the Actions column.
- In the Download Certificate dialog box, find the certificate for Nginx and click Download in the Actions column.
This operation downloads the certificate package to your computer and stores the package
in the default download folder of your browser.
- Open the folder and decompress the certificate package.
The following two files are extracted from the package.

Notice In this example, the certificate name is cert-file-name. For example, the name of the certificate authority (CA) certificate file is cert-file-name.pem and the name of the private key file is cert-file-name.key. In actual use, you must replace cert-file-name with the name of your certificate. For more information about how to query the name of a certificate, see the "Download a certificate to your computer" section in this topic.
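As an added check that is not part of the original topic, the following shell script inspects the two extracted files before you upload them: it confirms that the private key belongs to the certificate, that the certificate covers the domain name you will later put in server_name (wildcards included), and prints the validity period. It needs the openssl command-line tool. The self-signed pair that make_demo_pair writes is constructed test data so the script runs offline; cert-file-name.pem and cert-file-name.key are the placeholder names used in this topic, and make_demo_pair, cert_matches_key, cert_covers_domain and cert_summary are assumed names.

```shell
#!/bin/sh
# Added example, not part of the original topic: sanity checks for the downloaded
# cert-file-name.pem / cert-file-name.key pair BEFORE uploading it to the server.
# Requires the openssl CLI. The demo pair written by make_demo_pair is CONSTRUCTED,
# self-signed test data so that the script runs offline.

# Generate a throwaway self-signed certificate and key in DIR for DOMAIN (test data only).
make_demo_pair() {
    dir=$1; domain=$2
    # OpenSSL 1.1.1+ accepts -addext for a subjectAltName; older builds fall back to CN only.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain" \
        -keyout "$dir/cert-file-name.key" -out "$dir/cert-file-name.pem" >/dev/null 2>&1 ||
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$domain" \
        -keyout "$dir/cert-file-name.key" -out "$dir/cert-file-name.pem" >/dev/null 2>&1
}

# Return 0 when the public key in CERT is the one derived from KEY, 1 on a mismatch,
# 2 when either file cannot be parsed. A mismatched pair is what NGINX later rejects
# with a "key values mismatch" error when the configuration is loaded.
cert_matches_key() {
    cert=$1; key=$2
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when CERT is valid for DOMAIN (subjectAltName or CN; a wildcard such as
# *.example.com also matches), i.e. the value you will use for server_name.
cert_covers_domain() {
    openssl x509 -noout -in "$1" -checkhost "$2" 2>&1 | grep -q "does match"
}

# Print subject, issuer and validity so the operator can eyeball what was issued.
cert_summary() {
    openssl x509 -noout -subject -issuer -startdate -enddate -in "$1"
}

# Stand-alone demo on the constructed pair.
demo_dir=$(mktemp -d)
make_demo_pair "$demo_dir" www.example.com
cert_summary "$demo_dir/cert-file-name.pem"
if cert_matches_key "$demo_dir/cert-file-name.pem" "$demo_dir/cert-file-name.key"; then
    echo "OK: certificate and private key match"
else
    echo "FAIL: certificate and private key do NOT match"
fi
for host in www.example.com mail.example.com; do
    if cert_covers_domain "$demo_dir/cert-file-name.pem" "$host"; then
        echo "OK: certificate covers $host"
    else
        echo "NO: certificate does not cover $host"
    fi
done
rm -rf "$demo_dir"
```

Point the three check functions at the real downloaded files instead of the demo pair; if cert_matches_key fails, the .key file is not the key that was used for the CSR (for example, a manually generated key was overwritten), and uploading the pair will only move the error to the NGINX reload step.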
Step 2: Install the certificate on an NGINX server
To install the certificate on an NGINX server, perform the following steps:
- Log on to the NGINX server.
You can use a remote logon tool such as PuTTY or Xshell to log on to the NGINX server.
- Run the following commands to go to the NGINX installation directory, and create a
directory named cert to store the certificate. The default installation directory of NGINX is /usr/local/nginx/conf.
cd /usr/local/nginx/conf # Go to the default installation directory of NGINX. You must replace the default installation directory with the actual directory.
mkdir cert # Create a directory named cert.
- Use the file upload feature of the PuTTY or Xshell tool to upload the two certificate
files to the cert directory on the NGINX server. In this example, upload the files
to the /usr/local/nginx/conf/cert directory.
Notice If you selected Manual for CSR Generation when you applied for the certificate, upload the private key file that you created manually to the /usr/local/nginx/conf/cert directory.
- Open the configuration file nginx.conf of the NGINX server and modify certificate information in the file.
- Run the following command to open the configuration file:
vim /usr/local/nginx/conf/nginx.conf
Notice By default, the nginx.conf file is stored in the /usr/local/nginx/conf directory. If you have moved the nginx.conf file to a different directory, replace /usr/local/nginx/conf/nginx.conf with the actual path of the file.
- Press i to enter the insert mode.
- Find the HTTP settings that are enclosed in http{} in the configuration file. Then, add the following server configurations or modify the existing server configurations based on the comments. The following code is for reference only. You must replace the variables with values based on your business requirements.
- yourdomain: Replace this variable with the domain name that is bound to your certificate. If you want to use a single-domain certificate, enter the single domain name, such as www.aliyundoc.com. If you want to use a wildcard certificate, enter the wildcard domain name, such as *.aliyundoc.com.
- cert-file-name.pem: Replace this variable with the name of the CA certificate file that you uploaded to the cert directory in step 3 of this procedure.
- cert-file-name.key: Replace this variable with the name of the private key file that you uploaded to the cert directory in step 3 of this procedure.
# The following configuration items whose names start with ssl are certificate-related settings.
server {
    listen 443 ssl;
    # Set the default HTTPS port to 443.
    # If you do not specify the default HTTPS port, NGINX may fail to start.
    # If your NGINX version is 1.15.0 or later, use listen 443 ssl.
    server_name yourdomain; # Replace yourdomain with the domain name that is bound to your certificate.
    root html;
    index index.html index.htm;
    ssl_certificate cert/cert-file-name.pem; # Replace cert-file-name.pem with the name of the CA certificate file that you uploaded.
    ssl_certificate_key cert/cert-file-name.key; # Replace cert-file-name.key with the name of the private key file that you uploaded.
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; # Specify the cipher suite that you want to use.
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; # Specify the TLS versions that are supported.
    ssl_prefer_server_ciphers on;
    location / {
        root html; # Specify the directory in which you store the website files on your server.
        index index.html index.htm;
    }
}
- Optional: Redirect HTTP requests to HTTPS requests. If you want to redirect all HTTP requests to HTTPS requests, add the rewrite configuration item for the domain name of the HTTP website.
Notice You must append the following code segment after the server {} code segment in the nginx.conf file. The nginx.conf file contains two server {} code segments after you configure the redirection settings.
server {
    listen 80;
    server_name yourdomain; # Replace yourdomain with the domain name that is bound to your certificate.
    rewrite ^(.*)$ https://$host$1; # Redirect all HTTP requests to HTTPS requests.
    location / {
        index index.html index.htm;
    }
}
Warning If your website is hosted on an Alibaba Cloud Elastic Compute Service (ECS) instance, log on to the ECS console and go to the Security Groups page. Then, configure security group rules to allow traffic over ports 80 and 443. Otherwise, your website may be inaccessible. For more information about how to configure security group rules, see Add security group rules.
- After you modify the configuration file, press Esc to exit the insert mode. Then, enter :wq! and press Enter to save the configuration file and exit vim.
- Run the following commands to reload the NGINX configuration:
cd /usr/local/nginx/sbin # Go to the directory that contains the NGINX executable file on the NGINX server.
./nginx -s reload # Reload the configuration file.
If an error is reported when the NGINX configuration is reloaded, you can use one of the following methods to fix the error:
- If the error the "ssl" parameter requires ngx_http_ssl_module is reported, recompile NGINX and add the --with-http_ssl_module setting when you install the NGINX program.
- If the error "/cert/3970497_pic.certificatestests.com.pem":BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/cert/3970497_pic.certificatestests.com.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file) is reported, remove the forward slash (/) that precedes the relative path of a certificate file. For example, remove the forward slash (/) that precedes the relative path /cert/cert-file-name.pem. The required relative path is cert/cert-file-name.pem.
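The problems described in this step (listen 443 without the ssl parameter, a leading slash on the relative certificate path, and the deprecated TLSv1.1 that the reference server configuration in this step still enables) can be caught before they surface as NGINX errors. The following script is an added example, not part of the original topic or of NGINX itself: lint_nginx_ssl scans an nginx.conf for those pitfalls with grep and sed, and safe_reload only runs nginx -s reload after the lint is clean and nginx -t has accepted the file. conf_value, lint_nginx_ssl, safe_reload and the NGINX_BIN default are assumed names, and the two sample nginx.conf files written by write_sample_confs are constructed test data.

```shell
#!/bin/sh
# Added example, not part of the original topic: a pre-reload check for the pitfalls
# described in this step (listen 443 without "ssl", a leading slash on a relative
# certificate path, deprecated TLS versions), followed by a reload that only happens
# after "nginx -t" passes. Uses grep/sed only; the sample configs are CONSTRUCTED.
# NGINX_BIN is an assumed default that matches the /usr/local/nginx layout of this topic.
NGINX_BIN=${NGINX_BIN:-/usr/local/nginx/sbin/nginx}

# Extract the first value of DIRECTIVE ($2) from CONF ($1); empty if the directive is absent.
conf_value() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]+([^;]*[^;[:space:]])[[:space:]]*;.*/\1/p" "$1" | head -n 1
}

# Lint CONF for the TLS pitfalls covered in this topic. Prints one line per finding and
# returns the number of WARN findings (0 = nothing found), so it can gate a reload.
lint_nginx_ssl() {
    conf=$1; conf_dir=$(dirname "$conf"); n=0

    # 1. "listen 443" without the ssl parameter (and no legacy "ssl on;"): NGINX would
    #    speak plain HTTP on port 443 and browsers report a protocol error.
    if grep -Eq '^[[:space:]]*listen[[:space:]]+([^;[:space:]]*:)?443([[:space:]]|;)' "$conf" &&
       ! grep -Eq '^[[:space:]]*listen[[:space:]][^;]*[[:space:]]ssl([[:space:]]|;)' "$conf" &&
       ! grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$conf"; then
        echo "WARN: listen 443 has no ssl parameter (use 'listen 443 ssl;')"
        n=$((n + 1))
    fi

    # 2. Certificate paths. A relative path is resolved against the directory that holds
    #    nginx.conf; a leading slash makes it absolute, which is the BIO_new_file()
    #    "no such file" error quoted in this step.
    for directive in ssl_certificate ssl_certificate_key; do
        path=$(conf_value "$conf" "$directive")
        if [ -z "$path" ]; then
            echo "WARN: $directive is not set"; n=$((n + 1)); continue
        fi
        case $path in
            /*) if [ ! -e "$path" ]; then
                    echo "WARN: $directive $path does not exist; for a file under the conf directory drop the leading slash (${path#/})"
                    n=$((n + 1))
                fi ;;
            *)  [ -e "$conf_dir/$path" ] || echo "NOTE: $directive $path is read as $conf_dir/$path; upload the file there" ;;
        esac
    done

    # 3. Protocol versions. TLS 1.0 and 1.1 are deprecated (RFC 8996) and SSLv3 is broken;
    #    keep TLSv1.2 and TLSv1.3 only.
    protos=$(conf_value "$conf" ssl_protocols)
    case " $protos " in
        *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*)
            echo "WARN: ssl_protocols '$protos' enables a deprecated version; use 'ssl_protocols TLSv1.2 TLSv1.3;'"
            n=$((n + 1)) ;;
    esac
    return $n
}

# Reload only when the lint is clean and "nginx -t" accepts the configuration.
safe_reload() {
    conf=$1
    if ! lint_nginx_ssl "$conf"; then
        echo "Fix the warnings above before reloading."; return 1
    fi
    "$NGINX_BIN" -t -c "$conf" && "$NGINX_BIN" -s reload
}

# Two constructed sample configurations: one with the pitfalls, one corrected.
write_sample_confs() {
    cat > "$1/bad.conf" <<'EOF'
http {
    server {
        listen 443;
        server_name www.example.com;
        ssl_certificate /cert/cert-file-name.pem;
        ssl_certificate_key /cert/cert-file-name.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
}
EOF
    cat > "$1/good.conf" <<'EOF'
http {
    server {
        listen 443 ssl;
        server_name www.example.com;
        ssl_certificate cert/cert-file-name.pem;
        ssl_certificate_key cert/cert-file-name.key;
        ssl_protocols TLSv1.2 TLSv1.3;
    }
    server {
        listen 80;
        server_name www.example.com;
        return 301 https://$host$request_uri;
    }
}
EOF
}

# Stand-alone demo on the constructed samples.
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
echo "== bad.conf";  lint_nginx_ssl "$demo_dir/bad.conf"  || echo "-> $? warning(s)"
echo "== good.conf"; lint_nginx_ssl "$demo_dir/good.conf" && echo "-> no warnings"
rm -rf "$demo_dir"
```

On a real server, run safe_reload /usr/local/nginx/conf/nginx.conf in place of the two commands in this step. The corrected sample also shows the return 301 https://$host$request_uri; form of the HTTP-to-HTTPS redirect, which sends a permanent redirect and keeps the query string, as an alternative to the rewrite line given above.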
Step 3: Verify the installation
After you install a certificate, you can access the domain name that is bound to the
certificate to verify whether the certificate is installed.
https://yourdomain.com # Replace yourdomain.com with the domain name that is bound to your certificate.
If a lock icon appears in the address bar, the certificate is installed.
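The lock icon only tells you that the browser is satisfied. The following added example (not from the original topic) uses openssl s_client with -servername to show what the server actually sends: how many certificates are in the chain and OpenSSL's verify return code, which is 21 (unable to verify the first certificate) when only the leaf certificate was uploaded without its intermediate. probe_tls, summarize_s_client and served_chain_ok are assumed names, and the two captures are constructed samples in the s_client output format so that the parsing part runs offline.

```shell
#!/bin/sh
# Added example, not part of the original topic: check what the server actually serves
# after the reload instead of relying on the browser's lock icon alone.
# probe_tls needs network access and the openssl CLI; summarize_s_client only parses
# text, and the two captures below are CONSTRUCTED samples in "openssl s_client" format.

# Connect with SNI (-servername) so the right server {} block answers, and reduce the
# s_client output to one line: "verify_code=<n> chain_len=<m>".
probe_tls() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null | summarize_s_client
}

# Parse s_client output from stdin. chain_len counts the certificates the server sent;
# if the .pem holds only the leaf, the intermediate is missing and OpenSSL reports
# verify code 21 even though the leaf itself is fine.
summarize_s_client() {
    awk '
        /^ *[0-9]+ s:/        { chain++ }
        /Verify return code:/ { sub(/.*Verify return code: */, ""); code = $1 + 0 }
        END { printf "verify_code=%d chain_len=%d\n", code, chain }
    '
}

# A summary is acceptable only when OpenSSL could build a trusted chain (code 0).
served_chain_ok() {
    case $1 in
        "verify_code=0 "*) return 0 ;;
    esac
    return 1
}

# Constructed sample: full chain (leaf + intermediate), verification OK.
SAMPLE_OK='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example Intermediate CA
 1 s:C = US, O = Example Intermediate CA
   i:C = US, O = Example Root CA
---
Verification: OK
---
    Verify return code: 0 (ok)'

# Constructed sample: only the leaf was served (intermediate missing from the .pem).
SAMPLE_NO_CHAIN='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example Intermediate CA
---
Verification error: unable to verify the first certificate
---
    Verify return code: 21 (unable to verify the first certificate)'

# Stand-alone demo on the constructed captures; on a real host run: probe_tls yourdomain.com
for sample in "$SAMPLE_OK" "$SAMPLE_NO_CHAIN"; do
    summary=$(printf '%s\n' "$sample" | summarize_s_client)
    if served_chain_ok "$summary"; then echo "OK   $summary"; else echo "FAIL $summary"; fi
done
```

A chain_len of 1 with verify code 0 is possible when the issuer is itself a root in the local trust store, so the decision is based on the verify code rather than the chain length; a non-zero code with a short chain is the usual sign that the uploaded .pem lacks the intermediate certificates.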
If the following issues occur, resolve the issues based on the solutions described in the following table.
Issue | Possible cause | Solution
You cannot access your website by using HTTPS. | Port 443 is not enabled on the NGINX server on which you install the certificate, or traffic over this port is blocked. | Enable port 443 on the NGINX server and allow traffic over this port. For example, if the server is an ECS instance, configure security group rules as described in the Warning in Step 2.
The "Your connection to this site is not fully secure" message appears. | The code of your website uses HTTP. | Change the protocol from HTTP to HTTPS in the code of your website. Note The implementation logic varies based on the website code. Change the protocol based on your business requirements. If you require additional support, submit a ticket.