Introduction
Enabling SSL/TLS certificates is essential for securing data transmission on your website. Domain registrars like Namecheap often provide free SSL certificates. This guide explains how to configure such certificates on an Nginx server.
Note that enabling SSL adds a small overhead to server CPU and memory usage, but this is generally acceptable for modern servers.
Part 1: Requesting the Certificate
Follow these steps via SSH on your server. Replace the example domain xiaohost.com with your own.
1. Generate Private Key and CSR
First, navigate to your Nginx configuration directory (path may vary):
cd /usr/local/nginx/conf/
Generate a 2048-bit RSA private key:
openssl genrsa -out xiaohost.pem 2048
Successful output will look similar to:
Generating RSA private key, 2048 bit long modulus
.....+++
.+++
e is 65537 (0x10001)
Next, create a Certificate Signing Request (CSR) using this key:
openssl req -new -key xiaohost.pem -out xiaohost.csr
Fill in the prompts. Example (modify for your details):
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:SiChuan
Locality Name (eg, city) []:ChengDu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Xiao Host
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:youquso.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Important: The Common Name must be the exact domain name the certificate is issued for (e.g., blog.youquso.com). www.blog.youquso.com and blog.youquso.com are treated as different domains; to cover both, you typically need a multi-domain certificate, or you must specify both names when applying.
2. Submit CSR to Namecheap
View and copy the CSR content:
cat xiaohost.csr
The output begins with -----BEGIN CERTIFICATE REQUEST----- and ends with -----END CERTIFICATE REQUEST-----. Copy the whole block, including those two lines.
Log into your Namecheap account, navigate to SSL certificate management, and activate your free SSL. When submitting the CSR, select "Other" from the dropdown menu (as "Nginx" may not be listed) and paste the CSR content.
Choose an email for verification (preferably one from the domain's WHOIS info) and follow the process. You'll receive a verification email; click the link to confirm domain ownership.
After verification, you should receive an email from the Certificate Authority (e.g., Comodo/Sectigo) containing your digital certificate file, usually within minutes to hours.
Part 2: Configuring Nginx to Use the Certificate
1. Prepare Certificate Files
Download the certificate ZIP file from the email (e.g., xiaohost_com.zip), upload it to /usr/local/nginx/conf/ on your server, and extract it.
Typically, you need to append the intermediate certificate (CA Bundle) to your main certificate file. Assuming your main certificate is xiaohost_com.crt and the intermediate is PositiveSSLCA.crt, run:
cat PositiveSSLCA.crt >> xiaohost_com.crt
This appends the intermediate certificate to the end of the main certificate file. Ensure you use the correct filenames.
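Before pointing Nginx at these files, it helps to confirm that the private key, the CSR and the issued certificate belong together and that the combined file has the site certificate first. The script below is an added example, not part of the original guide; its function names are illustrative, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original guide). The file names in the usage
# line are the ones used above; the function names are made up here.

# Print the SHA-256 digest of the public key inside a key, CSR or certificate.
pubkey_digest() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only when the key matches the CSR and the FIRST certificate in the
# combined file. "openssl x509" reads only the first PEM block, which is also
# the one Nginx serves as the site certificate, so a file concatenated in the
# wrong order (intermediate first) is rejected here.
check_tls_files() {
    k=$(pubkey_digest key "$1")  || { echo "cannot read key: $1" >&2; return 1; }
    r=$(pubkey_digest csr "$2")  || { echo "cannot read CSR: $2" >&2; return 1; }
    c=$(pubkey_digest cert "$3") || { echo "cannot read certificate: $3" >&2; return 1; }
    [ "$k" = "$r" ] || { echo "CSR was not created from this key" >&2; return 1; }
    [ "$k" = "$c" ] || { echo "first certificate in $3 does not match the key" >&2; return 1; }
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$3")
    [ "$n" -ge 2 ] || echo "warning: $3 holds no intermediate certificate" >&2
    return 0
}

# Succeed only when the key file grants nothing to group or other.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] && return 0
    echo "key $1 is readable beyond its owner; run: chmod 600 $1" >&2
    return 1
}

# Usage: sh check_tls_files.sh xiaohost.pem xiaohost.csr xiaohost_com.crt
if [ "$#" -eq 3 ]; then
    check_tls_files "$1" "$2" "$3" && key_is_private "$1" || exit 1
fi
```

A mismatch caught here is the same condition that makes Nginx refuse to load the certificate with a key mismatch error at the configuration test step.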
2. Modify Nginx Configuration
Edit your Nginx virtual host configuration file (e.g., nginx.conf or sites-available/your-site). Below is an example enabling SSL for a site:
server {
    listen 80;
    listen 443 ssl; # Modern Nginx style, listens on both ports
    server_name www.blog.youquso.com;

    # SSL configuration
    ssl_certificate /usr/local/nginx/conf/xiaohost_com.crt;
    ssl_certificate_key /usr/local/nginx/conf/xiaohost.pem;
    # Optional: enhance security with stricter protocols/ciphers
    # ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_ciphers HIGH:!aNULL:!MD5;

    root /home/wwwroot/youquso.com/;
    index index.html index.htm index.php;

    # Redirect HTTP to HTTPS (optional but recommended)
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

    # The dot is escaped so that only a literal ".php" suffix matches
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_index index.php;
        fastcgi_param HTTPS $https if_not_empty; # Reliable way to pass HTTPS status
        include fastcgi_params; # Usually fcgi.conf or fastcgi_params
    }

    # Other location blocks (static file caching, etc.)...
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 30d;
    }

    access_log /home/wwwlogs/blog.youquso.com.log;
}

# Optional: redirect bare domain to www HTTPS
server {
    listen 80;
    server_name youquso.com;
    return 301 https://www.blog.youquso.com$request_uri;
}
Configuration Notes:
- Listen Ports: Modern Nginx versions recommend listen 443 ssl; over the old ssl on; directive. The example listens on both ports 80 and 443.
- Certificate Paths: ssl_certificate and ssl_certificate_key must point to the absolute paths of your certificate and private key files.
- HTTP Redirect: The example includes a rule to automatically redirect HTTP to HTTPS, a security best practice.
- PHP FastCGI Parameter: fastcgi_param HTTPS $https if_not_empty; is a more reliable method to inform PHP applications that the connection uses HTTPS.
- Modify the example according to your actual directory structure, domain, and PHP processing setup.
3. Test and Restart Nginx
After saving the configuration, always test for syntax errors:
/usr/local/nginx/sbin/nginx -t
If the output shows "syntax is ok" and "test is successful", the configuration is correct.
Then, reload Nginx to apply changes:
/usr/local/nginx/sbin/nginx -s reload
Or use your system's service management command, e.g.:
systemctl reload nginx
The kill -HUP method mentioned in some guides also works, but using Nginx's -s reload or system commands is more standard.
Conclusion
After completing these steps, your website should be accessible via HTTPS. You can use online tools (like SSL Labs' SSL Server Test) to verify your SSL configuration is secure and complete.
Note: This guide updates older procedures. Namecheap's interface and certificate issuance flow may change over time, but the core steps (generating CSR, submission/verification, configuring Nginx) remain universal. Always keep your private key file (.pem) secure and never share it.