Nginx and godaddy ssl cert. How to?

Hello nginx people.

I want to use nginx to serve https for my site.

I followed directions given by godaddy to generate a csr file.

I gave $25 and the csr file to godaddy.

They gave me 2 files:

gd_bundle.crt
toadfrog.com.crt

I am curious about what to do with these files.

How do I declare that I want my /etc/nginx/nginx.conf file to use
these 2 crt files?

Also I used a file to help create the csr file which I sent to godaddy.

I call it: toadfrog.key

I used toadfrog.key to create the csr, where do I put toadfrog.key now?

Here is a screendump of me creating the csr with toadfrog.key:

deploy@domU-12-31-38-00-95-21 ~ $
deploy@domU-12-31-38-00-95-21 ~ $ openssl genrsa -des3 -out toadfrog.key 2048
Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)

Enter pass phrase for toadfrog.key:
Verifying - Enter pass phrase for toadfrog.key:

Then to create the csr:

deploy@domU-12-31-38-00-95-21 ~ $
deploy@domU-12-31-38-00-95-21 ~ $ openssl req -new -key toadfrog.key -out toadfrog.csr
Enter pass phrase for toadfrog.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NV
Locality Name (eg, city) []:Reno
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Toadfrog, Inc.
Organizational Unit Name (eg, section) []:IT

Common Name (eg, YOUR name) []:Audrey L.
Email Address []:[email protected]

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
deploy@domU-12-31-38-00-95-21 ~ $
deploy@domU-12-31-38-00-95-21 ~ $

If you have 2 or 3 minutes, feel free to post some tips or comments.

Thanks

On Thu, Jul 15, 2010 at 2:16 PM, Audrey L. [email protected]
wrote:

Hello nginx people.

I want to use nginx to serve https for my site.

  1. Generate the CSR:
    openssl genrsa 2048 > yourhost.com.key
    openssl req -new -key yourhost.com.key > yourhost.com.csr

  2. Enter in only a couple pieces of information:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Something Here
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:yourhost.com
Email Address []:.

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

  3. Paste the CSR into Godaddy, get back the .crt file

  4. Combine the cert + godaddy chain
    cat yourhost.com.crt gd_bundle.crt > yourhost.com.pem

Then in nginx:

ssl_certificate /etc/nginx/certs/yourhost.com.pem;
ssl_certificate_key /etc/nginx/certs/yourhost.com.key;

Additionally I have these:

ssl on;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP;
ssl_session_cache shared:SSL:10m;

Helps maintain a better SSL experience, passes McAfee Secure’s SSL
checks, etc.
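
The protocol and cipher directives in the message above date from 2010; SSLv3 and TLS 1.0 have since been deprecated, and `ssl on;` has been replaced by the `ssl` parameter of `listen`. As an added example (not part of the thread), a small shell check that flags such legacy directives in an nginx config. The function names and both sample configs are constructed for illustration:

```shell
#!/bin/sh
# Added example: flag legacy TLS directives in an nginx config file.

# Constructed sample: the four directives quoted in the message above.
sample_legacy_conf() {
    cat <<'EOF'
ssl on;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP;
ssl_session_cache shared:SSL:10m;
EOF
}

# Constructed sample of a current-style configuration.
sample_modern_conf() {
    cat <<'EOF'
listen 443 ssl;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
EOF
}

# audit_tls_conf FILE
# Prints "line: finding" for each problem; returns 1 if any were found.
audit_tls_conf() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*ssl[ \t]+on[ \t]*;/ {
            print NR ": \"ssl on\" is deprecated, use \"listen ... ssl\""; bad = 1 }
        /ssl_protocols/ && /SSLv[23]/ {
            print NR ": SSLv2/SSLv3 enabled"; bad = 1 }
        /ssl_protocols/ && /TLSv1([ \t;]|\.1)/ {
            print NR ": TLS 1.0/1.1 enabled"; bad = 1 }
        /ssl_ciphers/ && /[ \t:+](ALL|MEDIUM)([:; \t]|$)/ {
            print NR ": cipher list admits ALL/MEDIUM suites"; bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Stand-alone run: audit the constructed legacy sample.
tmp=$(mktemp) && sample_legacy_conf > "$tmp"
audit_tls_conf "$tmp" || echo "legacy directives found"
rm -f "$tmp"
```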

Michael,

Thanks for the writeup.
It is very easy to follow; bravo!

It appears that nginx does not like my key.

I created it using instructions from godaddy:

deploy@domU-12-31-38-00-95-21 ~ $ openssl genrsa -des3 -out toadfrog.key 2048
Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)
Enter pass phrase for toadfrog.key:
Verifying - Enter pass phrase for toadfrog.key:

Anyway, here is what nginx is now telling me:

domU-12-31-39-0B-15-75 ~ # /etc/init.d/nginx restart

  • Checking nginx’ configuration …

2010/07/15 15:32:05 [emerg] 24186#0:
SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/toadfrog.key")

failed (SSL: error:0D07207B:asn1 encoding
routines:ASN1_get_object:header too long

error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object
header error:0D07803A:asn1 encoding routine:: dοTlhο4?dο)?

2010/07/15 15:32:05 [emerg] 24186#0: the configuration file
/etc/nginx/nginx.conf test failed

Would you agree that godaddy gave me the wrong shell command to create
toadfrog.key ?

I have no clue. All I know is mine has worked a lot :)

I have sites that get crawled and analyzed by mcafee secure. They
consider the site to be out of compliance without it.

It is very easy to follow; bravo!
It appears that nginx does not like my key.

Try to use only the crt file for the ssl_certificate directive. You may append
godaddy’s CA later.

(to read fields of the certificates you may use something like “openssl
x509 -text < yourfile.crt | less”)

If nginx (openssl, technically) rejects your key, ask godaddy to
reissue the cert (not sure if they would charge you a fee).

If you do that, generate a new CSR again (do not agree to use the old one)
and make sure you saved the right key.

BTW, Michael, unless you’re using a banking site or something that
requires 256 bit security I’d not bother to crank ciphers to ALL. Choose
carefully… (Google uses RC4-SHA1 everywhere and it’s the fastest 128bit
one at the moment)

Alex.
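
For the "make sure you saved right key" advice above, an added example (not from any poster in this thread) that checks a key file is readable without a prompt and that it belongs to the certificate, by comparing public-key digests. The file names, the pass phrase `constructed` and the helper names are assumptions; `make_sample` builds throwaway test files, including a `-des3` key like the one in the question:

```shell
#!/bin/sh
# Added example: pre-flight checks for an nginx key/certificate pair.
# File names and the pass phrase "constructed" are sample values.

# Succeeds if the PEM key is pass-phrase protected, as produced by
# "openssl genrsa -des3" (traditional or PKCS#8 PEM header).
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Print the SHA-256 of the public key inside a private key file.
# $2 is the pass phrase; a dummy default keeps openssl from prompting.
key_pub_digest() {
    pub=$(openssl pkey -in "$1" -passin "pass:${2:-no-pass-phrase}" \
        -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# Print the SHA-256 of the public key inside a certificate.
cert_pub_digest() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# check_pair KEY CERT [PASSPHRASE]
# 0 = key matches cert, 1 = mismatch, 2 = key unreadable, 3 = cert unreadable
check_pair() {
    k=$(key_pub_digest "$1" "${3:-}") || return 2
    c=$(cert_pub_digest "$2") || return 3
    [ "$k" = "$c" ]
}

# Build constructed sample files in directory $1: an encrypted key, a
# self-signed cert for it, a decrypted copy, and an unrelated key.
make_sample() {
    openssl genrsa -des3 -passout pass:constructed -out "$1/enc.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/enc.key" -passin pass:constructed \
        -subj "/CN=yourhost.com" -days 1 -out "$1/site.crt" 2>/dev/null
    (umask 077; openssl pkey -in "$1/enc.key" -passin pass:constructed \
        -out "$1/plain.key")
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Usage: sh check.sh KEY CERT [PASSPHRASE]
if [ "$#" -ge 2 ]; then
    check_pair "$@"
    echo "check_pair exit status: $?"
fi
```

On a shared host, give openssl the pass phrase with `-passin env:VAR` or `-passin file:PATH` instead, since a `pass:` argument is visible in the process list.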

Hi Folks,

Should each proxy_cache_path “keys_zone” have a separate path?

For instance, should we have?

proxy_cache_path /home/nginx/run/proxy_cache levels=1:2 inactive=1d
max_size=1m keys_zone=Zone1:10m;
proxy_cache_path /home/nginx/run/proxy_cache levels=1:2 inactive=1d
max_size=5m keys_zone=Zone2:100m;

Or:

proxy_cache_path /home/nginx/run/proxy_cache/zone1 levels=1:2 inactive=1d
max_size=1m keys_zone=Zone1:10m;
proxy_cache_path /home/nginx/run/proxy_cache/zone2 levels=1:2 inactive=1d
max_size=5m keys_zone=Zone2:100m;

Thanks,

-peter

On Thu, Jul 15, 2010 at 10:56:31PM -0400, Peter Portante wrote:

Or:

proxy_cache_path /home/nginx/run/proxy_cache/zone1 levels=1:2 inactive=1d
max_size=1m keys_zone=Zone1:10m;
proxy_cache_path /home/nginx/run/proxy_cache/zone2 levels=1:2 inactive=1d
max_size=5m keys_zone=Zone2:100m;

Yes, they must have a separate path.


Igor S.
http://sysoev.ru/en/