UCC Cert with NGINX on Ubuntu VPS

Sooooo… I got a little jumpy and bought ZFSFTW.com .org .net .info and a UCC cert.
(I also had to renew colinworld.com so of course I did and .org .net .info as well.)

Now I need to make use of the SSL cert. Use. My domains NEED a signed cert. … whatever, I bought it.

I’ve got NGINX with uWSGI running the HWCDI blog hosted (Currently) on my Ubuntu VPS.

I’ve got all my domains DNS currently pointing there. Here. So I’ll install my cert here (to start).

So in GoDaddy (my registrar), it was too easy to buy this stuff. To set it up is pretty straight forward:

Log into your account and SSL manager, and click setup on your new cert.

We need to generate a CSR on our VPS to put into GoDaddy.

Seeing as I paid good money to have GoDaddy as my CA, I probably want to keep this stuff secure.

Don’t want peeps gettin their hands on my keys!


Since I have a UCC cert, I need to make a conf file:

[ req ]
default_bits = 2048
default_keyfile = HWCDI.key
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Massachusetts
localityName = Locality Name (eg, city)
localityName_default = Pepperell
organizationName = Organization Name (eg, company)
organizationName_default = HWCDI
commonName = Common Name (eg, YOUR name)
commonName_max = 64

[ req_ext ]
subjectAltName = @alt_names

DNS.1 = zfsftw.com
DNS.2 = howwouldcolindoit.com
DNS.3 = colinworld.com
DNS.4 = stgeorgedesign.net

Then run:

root@cloud:~/certs# openssl req -new -nodes -out HWCDI.csr -config HWCDICertReq.conf
Generating a 2048 bit RSA private key
writing new private key to ‘HWCDI.key’
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [Massachusetts]:
Locality Name (eg, city) [Pepperell]:
Organization Name (eg, company) [HWCDI]:
Common Name (eg, YOUR name) []:hwcdi.com
root@cloud:~/certs# ls
HWCDICertReq.conf HWCDI.csr HWCDI.key

You’ve now got your CSR! Cat it, Copy it, Paste it into GoDaddy’s Magic CA web interface.

You’ll see your Subject Alt Names liseted. Tick agree and Next! Confirm it. Click Next!

Aaaaannnddd wait… The CA needs to do its thing. (It’s pretty darn quick though nowadays)

GoDaddy will email you to verify the cerificate generation. Click the link to confirm.

Go back into your console – the cert will be ready!! HOOOORAAAAYYYY (Celebrate!!)

Click the cert, and then click the ‘Download’ link.

According to Wikipedia, In computer networks, to download means to receive data to a local system from a remote system, or to initiate such a data transfer. ooohhh.

They list various Webservers to download a properly formatted cert for, I chose NGINX this time and downloaded it.

This was secure as I am logged into GoDaddy over SSL.

I’ve got Apache2 and mod_wsgi running on Centos on an old server at HogHill.
Stay tuned, maybe I’ll install the cert there too! (Sure would make for a nice blog post!)

We downloaded a .ZIP from GoDaddy. Let’s shoot it over and install it on our VPS.

$scp 4728b9e37ba2c.zip colin@hwcdi.com:~/
colin@hwcdi.com’s password:
4728b9e37ba2c.zip 100% 4581 4.5KB/s 00:00
$ssh colin@hwcdi.com
colin@hwcdi.com’s password:
Welcome to Ubuntu 13.04 (GNU/Linux 3.8.0-19-generic x86_64)

* Documentation: https://help.ubuntu.com/
New release ‘13.10’ available.
Run ‘do-release-upgrade’ to upgrade to it.

Last login: Sat Mar 15 00:58:30 2014 from 163.sub-70-192-20.myvzw.com
$ su
root@cloud:/home/colin# mv 4728b9e37ba2c.zip ~/certs/
root@cloud:/home/colin# cd ~/certs/
root@cloud:~/certs# unzip 4728b9e37ba2c.zip
Archive: 4728b9e37ba2c.zip
inflating: gd_bundle-g2-g1.crt
inflating: 4728b9e37ba2c.crt
root@cloud:~/certs# ls
4728b9e37ba2c.crt gd_bundle-g2-g1.crt HWCDI.csr
4728b9e37ba2c.zip HWCDICertReq.conf HWCDI.key

We have the Key we used to generate our cert, and now we have our cert(s) unzipped.
We need to cat them together.

root@cloud:~/certs# cat 4728b9e37ba2c.crt gd_bundle-g2-g1.crt >> HWCDIbundled.crt

OK. Now we need to edit nginx.conf to utilize the new cert. (Back it up first!!)
Here’s what mine looked like when I was finished:

root@cloud:~/certs# cat /etc/nginx/nginx.conf
worker_processes 2;

error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
worker_connections 1024;

http {
include mime.types;
default_type application/octet-stream;

log_format main ‘$remote_addr – $remote_user [$time_local] “$request” ‘
‘$status $body_bytes_sent “$http_referer” ‘
‘”$http_user_agent” “$http_x_forwarded_for”‘;
types_hash_max_size 2048;
access_log logs/access.log main;

sendfile on;
#tcp_nopush on;
keepalive_timeout 65;

#gzip on;

server {
listen 80;
server_name localhost;

#access_log logs/host.access.log main;

server_name hwcdi.com zfsftw.com howwouldcolindoit.com colinworld.com stgeorgedesign.net;
#access_log logs/host.access.log main;
#redirect http to http
rewrite ^ https://$server_name$request_uri? permanent;

#error_page 404 /404.html;

# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/www/nginx-dist;

server {
listen 443;
server_name hwcdi.com zfsftw.com howwouldcolindoit.com colinworld.com stgeorgedesign.net;
ssl on;
ssl_certificate /root/certs/HWCDIbundled.crt;
ssl_certificate_key /root/certs/HWCDI.key;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
keepalive_timeout 70;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

location / { try_files $uri @flask; }
location @flask{
include uwsgi_params;
uwsgi_buffer_size 128k;
uwsgi_buffers 4 256k;
uwsgi_busy_buffers_size 256k;
uwsgi_pass unix:/tmp/uwsgi.sock;

#error_page 404 /404.html;

# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/www/nginx-dist;


Now we need to restart NGINX (Test your conf first!):

root@cloud:~/certs# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@cloud:~/certs# service nginx restart

We need to allow traffic on the port NGINX is listening on for SSL (443).

I’m using Uncomplicated Firewall on my Ubuntu VPS (Easy)

root@cloud:~/certs# ufw allow 443

CELEBRATE AGAIN!!! Test your cert in a browser:


Leave a Reply

Your email address will not be published. Required fields are marked *