I don't like reading documentation that is missing pieces.

Have you ever been to IKEA and picked up a nice piece of furniture and realised that it was missing some of the pieces that you needed, or a page of the manual was missing?

No.

But let's pretend for a moment that you did. Or my introduction will fall apart. So, there I was, trying to get my brand spanking new, unpopulated website ready for public consumption. I tried in several places to find the information that would refresh me on how to set up my web server for the first time and also install the SSL certificate I have set up with Let's Encrypt, because I'm a cheap bastard and I'm not doing any e-commerce on my site.

this is where the pretty picture goes

Once we install Nginx, we should end up with a website that appears like this, and note the address bar:

Just the little info icon. If you try to use the https:// identifier in the URL bar, it simply won't work. Here, why believe me? I haven't been playing with web servers for 25 years, or anything. Here's a picture to prove it.

Now, what I do have, and probably won't go into this time around, are SSL certificates from Let's Encrypt that were generated on my primary domain web server. As you know from a previous post, annwn is not my primary domain system, it's a development box. So I'll have to copy my keys from there in a moment, because what I did do is include the annwn subdomain in the SSL certificate. That means the single certificate covers every hostname listed in it, annwn included (a certificate is only "domain-wide" if it lists every name, or is a wildcard). While SSL isn't strictly required for browsing, you're behind the times if you don't have one for your site: it proves to visitors that your server is who it says it is, and not some 13-year-old Ukrainian kid pretending to be you, and it encrypts everything in between.

I'm not going to make life hard for you. I'm going to show you exactly where this stuff is. Remember that I am on a Debian 9.5 system, so if yours isn't as cool, then upgrade. Since Wordpress likes to take a puke anytime I try to show this path, I put it in as a graphic:

# Default server configuration
#
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # pass PHP scripts to FastCGI server
    #
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #
    #    # With php-fpm (or other unix sockets):
    #    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    #    # With php-cgi (or other tcp sockets):
    #    fastcgi_pass 127.0.0.1:9000;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}

So now you can see that we really have a little work to do. But before we fix all of that mess, let's figure out our certificate situation.

unleash the certificate hounds!

In order to get the pretty little green lock that we are coveting right now, we will need to know about four distinct pieces:

  • the SSL Certificate - the certificate issued for your hostname(s); this is the one that identifies your server specifically
  • the SSL Chain Certificate - the intermediate certificate(s) that link your certificate to the issuing authority's trusted root; browsers need these to build the chain
  • the Certificate Signing Request - generated from your private key and sent to the CA to get the certificate issued; once the certificate exists it is not needed again
  • the SSL Private Key - the key the server proves it holds during the TLS handshake; it never leaves the server and must stay readable by root only

The certificate and the chain will look a little something like this, in PEM format, and will probably end in a .crt (or .pem) extension. The CSR starts with BEGIN CERTIFICATE REQUEST instead, and the private key with BEGIN PRIVATE KEY or BEGIN RSA PRIVATE KEY, usually in a .key file. (NOTE: This is not my actual cert. I have mucked with it until it's not usable. So there. If you decode its header you'll find it is a copy of a Let's Encrypt intermediate, i.e. a chain certificate, not a server certificate; the shape is the same either way.)

-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----

Now that you have seen one, get them all in the same place, but make certain they all remain differently named. You don't want to mix them up.

For the next few minutes, we will be moving to a different directory. The SSL certificates do not live in the same place as the Nginx config. They have their own home under /etc/ssl: certs/ for the public material and private/ for keys, which on Debian is readable by root only. (If certbot had issued the certificate on this box it would keep its own copies under /etc/letsencrypt, but mine were generated elsewhere and copied over, so /etc/ssl it is.)

Pay attention to this part. You will be combining the certificate and chain together into a single file, your own certificate first and the chain after it; nginx reads the first certificate in the file as the server's and the rest as the chain, so the order matters. Put the CSR somewhere safe, you won't be using it with this. Make sure that you have your key.

You can combine them either by using vi to open a new file with a .crt extension and pasting the two in (yours first), or with this neato command: cat your_domain.crt chain.crt > ssl-bundle.crt (a single > rather than >>, so a second run overwrites the bundle instead of appending a second copy to it).

Move ssl-bundle.crt into the certs directory, and private.key into the private directory, then make sure the key is owned by root with mode 0600 (chmod 600 /etc/ssl/private/private.key); nginx's master process runs as root and reads the key before it drops privileges, so nothing else needs to read it. If you're lost at this point, and don't know how to move files, either discover the man command, or log out before you break something.
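Here is the whole certificate step from the list of four pieces down to the move into /etc/ssl, as a script. This is an added example written for this post, not the author's own script: it assumes the three files are named as the post names them (your_domain.crt, chain.crt, private.key) and sit in the current directory, it checks the leaf is really a single certificate before bundling, verifies the chain and the key against the certificate with openssl before anything lands in /etc/ssl, and installs the key root-only. Nothing touches /etc/ssl until it is run with --install.

```shell
#!/bin/sh
# Added example for this post, not the author's script. Assumed file names:
#   your_domain.crt  - the server (leaf) certificate
#   chain.crt        - the intermediate certificate(s) from Let's Encrypt
#   private.key      - the matching private key
# Nothing below runs until the script is invoked with --install.
set -eu

# Number of PEM certificate blocks in a file (0 if none or if unreadable).
pem_cert_count() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Print what a certificate says about itself, so you know which file is
# your certificate and which is the chain before bundling them.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Build the bundle nginx expects: the leaf certificate FIRST, then the chain.
# Written with '>' so a re-run never appends to a stale bundle.
# Prints the number of certificates in the result.
make_bundle() {
    leaf=$1
    chain=$2
    out=$3
    if [ "$(pem_cert_count "$leaf")" -ne 1 ]; then
        echo "error: $leaf must hold exactly one certificate (is it the chain?)" >&2
        return 1
    fi
    if [ "$(pem_cert_count "$chain")" -lt 1 ]; then
        echo "error: $chain holds no certificates" >&2
        return 1
    fi
    cat "$leaf" "$chain" > "$out"
    pem_cert_count "$out"
}

# Check the chain really links the leaf to a root the system trusts; the
# intermediates are passed as untrusted, which is how a browser treats them.
verify_chain() {
    openssl verify -untrusted "$2" "$1"
}

# Confirm the private key belongs to the certificate by comparing the public
# key each one carries. A mismatch here is what nginx later reports as
# "key values mismatch" and refuses to start on.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Put the files where the post puts them. /etc/ssl/private is root-only on
# Debian; nginx's master process runs as root and reads the key before
# dropping privileges, so 0600 root:root is all the key ever needs.
install_files() {
    install -o root -g root -m 0644 "$1" /etc/ssl/certs/ssl-bundle.crt
    install -o root -g root -m 0600 "$2" /etc/ssl/private/private.key
}

if [ "${1:-}" = "--install" ]; then
    cert_summary your_domain.crt
    make_bundle your_domain.crt chain.crt ssl-bundle.crt
    verify_chain your_domain.crt chain.crt
    key_matches_cert your_domain.crt private.key
    install_files ssl-bundle.crt private.key
    echo "installed: /etc/ssl/certs/ssl-bundle.crt and /etc/ssl/private/private.key"
fi
```

Run it as root with --install from the directory holding the three files. The two openssl checks are the ones worth keeping even if you do the rest by hand: a bundle built in the wrong order, or a key that belongs to last year's certificate, both look fine on disk and only show up when nginx refuses to start or the browser shows a chain error.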

tell nginx what's up, yo

Now we have the certificate files right where we want them, but the web server doesn't know they are there. Nginx isn't all up in everybody's business. You have to explicitly tell it where these are, and that it is now expected to serve secure https://. This is the part that will get you closer to that coveted green lock.

Remember where your nginx config file is currently? It's in the graphic above. You can't miss it. And you are going to make some edits to it.

I am getting really sick of Wordpress fighting me on my code even inside a code block plugin.

Here's a fricking picture.

So, as you can see in the picture I was forced to provide (and this had better not become a habit) I modified the port from 80 to 443, and added the paths to the SSL certificate and key. I also set up the two log files, although two already exist for my reading pleasure in /var/log/nginx/. So now the last thing to do is to restart the nginx process, and that is done with the following on Debian:

systemctl restart nginx

You could of course test the config first with nginx -t, but you're not really in production yet, so who cares. Remember that little tidbit if you are working on a server in production, because there is nothing quite like testing code on a live system and then getting a ping because you wiped the hostname, affecting about 20 accounts, including 8 of your own. (This one, as a matter of fact.)
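Since the edited config only survives as a picture, here is the server block written out. This is an added example, not the author's config and not Debian's default: on Debian that default block lives in /etc/nginx/sites-available/default (linked from sites-enabled), and this replaces it. The hostname annwn.example.com and the two file names under /etc/ssl are assumptions. One thing the picture can't show you: just changing 80 to 443 is not enough, the listen line needs the ssl parameter or nginx serves plain HTTP on port 443 and the lock never appears.

```nginx
# Added example, not the author's config. Hostname and file names assumed.

# Plain HTTP: send everyone to HTTPS. If certbot ever renews on this box,
# keep a location for /.well-known/acme-challenge/ above the redirect.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name annwn.example.com;
    return 301 https://$host$request_uri;
}

server {
    # "ssl" on the listen line is what turns TLS on.
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name annwn.example.com;

    # Your certificate first, then the chain, in one file; key readable by root only.
    ssl_certificate     /etc/ssl/certs/ssl-bundle.crt;
    ssl_certificate_key /etc/ssl/private/private.key;

    # Stretch's nginx/OpenSSL pair has no TLS 1.3; 1.0 and 1.1 are not worth keeping.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # The Debian comment in the default file is about this: compressing TLS
    # responses lets an attacker who can watch response sizes recover secrets
    # (BREACH), so leave it off on the HTTPS block.
    gzip off;

    # Only once HTTPS is known to work for every name on this host: browsers
    # remember HSTS for max-age, so it is hard to walk back.
    # add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    access_log /var/log/nginx/annwn-access.log;
    error_log  /var/log/nginx/annwn-error.log;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Before restarting, nginx -t parses the file and opens the certificate and key, so a wrong path, a bundle in the wrong order or a key that doesn't match the certificate fails here rather than after the old process has gone away. On a box that is already serving, systemctl reload nginx applies the change without dropping the connections a restart would.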

So this is what you should see:

Forsooth, is that yon verdant lock of yore I perceive? Yup. We did it. Now there is a website ready to serve secure https on nginx.