Install Nginx and a StartSSL Certificate on Debian 7 (Wheezy)

Updated by Ryan Laverdiere Contributed by Ryan Laverdiere

This is a Linode Community guide.

This guide is going to show you how to install the latest stable version of Nginx on Debian Wheezy. It will also deploy a free SSL certificate from StartSSL that will get you an A on the Qualys SSL Labs SSL Server Test. In order to achieve an “A” on the test, we are going to configure Nginx to prefer server ciphers, to use only strong ciphers, and to disable the vulnerable SSLv2 and SSLv3 protocols.

Prerequisites

This article assumes that you already have Debian 7 Wheezy running on a Linode. If you do not, follow the Getting Started guide and then come back here.

Please note that in order to obtain an SSL certificate for your Linode, you must have registered a domain name and have access to an email account such as webmaster@yourdomain.com. This is necessary for StartSSL to verify that you have control of the domain you are requesting an SSL certificate for.

All of the commands below should be executed as the root user.

Add the Nginx Debian Repository to Your Linode Package Sources

  1. Using your favorite text editor, create a new file in /etc/apt/sources.list.d/ that instructs the package manager to download packages from the Nginx repository. Here we’ll use nano, but you could also use vi or emacs. If you have not used nano before, I highly recommend reading Using Nano before continuing.

    nano /etc/apt/sources.list.d/nginx.list

  2. Add the following lines to the file. Save your changes and exit your text editor.

    deb http://nginx.org/packages/debian/ wheezy nginx
    deb-src http://nginx.org/packages/debian/ wheezy nginx

  3. Download the PGP key used to sign the packages in the Nginx repository using wget:

    wget http://nginx.org/keys/nginx_signing.key

  4. Import the PGP key into the keyring used by the package manager to verify the authenticity of packages downloaded from the repository:

    apt-key add nginx_signing.key

  5. Delete the PGP key from the file system:

    rm nginx_signing.key

  6. Update your list of available packages:

    apt-get update


Install Nginx

  1. Instruct the package manager to install the Nginx package:

    apt-get install nginx


Generate a Private Key and Certificate Signing Request (CSR)

  1. Create a directory to store your certificate and private key. On Debian systems, the default location for storing certificates and private keys is in /etc/ssl/. To keep things simple we are going to create a new /etc/ssl/nginx directory to store your certificate and private key for Nginx:

    mkdir /etc/ssl/nginx

  2. Navigate to the newly created directory:

    cd /etc/ssl/nginx

  3. Generate a 2048-bit RSA private key. If you are paranoid you could change 2048 to 4096 to create a 4096-bit private key. Currently, most certificate authorities are requiring customers to use a 2048-bit or higher RSA private key.

    openssl genrsa -out server.key 2048

  4. Generate a certificate signing request (CSR). When prompted for a Common Name, be sure to enter the domain name that you will be using to access your Linode; all other fields can be filled in as you see fit. Optionally, you may enter a subdomain, for instance www.yourdomain.com. This must be a domain that you control and for which you can receive email sent to webmaster@yourdomain.com. Any certificate issued for yourname.yourdomain.com is also valid for yourdomain.com.

    openssl req -new -key server.key -out server.csr


    CSR Creation

Sign-up With StartSSL

  1. Launch a web browser and navigate to the StartSSL Control Panel. If this is your first time requesting a certificate from StartSSL, click on the “Sign-up” button. If you have already requested a certificate from StartSSL, log into your account and skip to the next section.

    StartSSL Control Panel

  2. Provide the requested information and click “Continue » »”.

    StartSSL Sign-up Page

  3. A verification code will be sent to the email address provided. Log into your email account and provide the verification code. Then click “Continue » »”.

  4. Once your email address has been verified, choose to generate a high grade private key. This private key and certificate pair will be used to identify you to StartSSL. If you ever lose it, you will be unable to regain access to your account, so make sure to back up this certificate and private key.

    StartSSL Generate Private Key Page

  5. Click “Install » »” to install your personal certificate into your browser to identify yourself to StartSSL.

    StartSSL Certificate Installation Page

  6. Click “Finish » »”.

You should now be logged into your StartSSL account.

Verify Your Domain Name with StartSSL

  1. If you have already verified your domain name within the past 30 days, you may skip to the next step. Click on the “Validations Wizard” button in your StartSSL account.

  2. Select “Domain Name Validation” and click “Continue » »”.

    StartSSL Validation Wizard Start Page

  3. Enter your domain name and click “Continue » »”.

    StartSSL Validation Wizard Domain Name Validation Page

  4. Choose an email address at your domain that you have access to and click “Continue » »”. Note that the domain being used for this tutorial has been omitted from the screenshot below.

    StartSSL Validation Wizard Domain Control Email Validation Page

  5. A verification code should be sent to the email address selected. Access your email account, provide the verification code and click “Continue » »”.

    StartSSL Validation Wizard Email Verification Code Page

  6. Your domain has now been verified. Click “Finish » »”.

    StartSSL Validation Wizard Complete Page

Submit Your Certificate Signing Request to StartSSL

  1. Click on the “Certificates Wizard” button in your StartSSL account.

  2. From the “Certificate Target” drop down menu select “Web Server SSL/TLS Certificate” and click “Continue » »”.

    StartSSL Certificates Wizard Start

  3. Click “Skip » »” to skip generating an RSA private key. An RSA private key was already generated in the previous step, before creating the certificate signing request.

    StartSSL Certificates Wizard Skip Creating a RSA Private Key

  4. Using the text editor of your choice, open up your certificate signing request and copy it. If you’re using PuTTY on Windows, highlight the entire certificate signing request to copy it to the clipboard, then exit the text editor.

    nano /etc/ssl/nginx/server.csr

  5. Paste your certificate signing request into the empty text box and then click “Continue » »”.

    StartSSL Certificates Wizard Submit CSR

  6. Click “Continue » »”.

    StartSSL Certificates Wizard CSR Received

  7. Choose the domain you would like a certificate for and click “Continue » »”.

    StartSSL Certificates Wizard CSR Domain Selection

  8. Enter the subdomain you entered when creating the CSR before (ex. www.yourdomain.com, server1.yourdomain.com), or if you entered yourdomain.com before, enter www into this field to make your certificate valid for www.yourdomain.com as well. Then click “Continue » »”.

    StartSSL Certificates Wizard Choose a SubDomain

  9. Click “Continue » »”.

    StartSSL Certificates Wizard CSR Ready for Issuing Certificate

  10. Once your certificate has been issued, paste the certificate into a new server.crt file. Then save your changes and exit the editor.

    nano /etc/ssl/nginx/server.crt

  11. You can now exit the StartSSL website.

Gather Additional Required Certificate Files

  1. Navigate to the directory you are storing your certificate and private key in:

    cd /etc/ssl/nginx

  2. Download the StartSSL CA Certificate using wget:

    wget http://www.startssl.com/certs/ca.pem

  3. Download the StartSSL Intermediate CA Certificate using wget:

    wget http://www.startssl.com/certs/sub.class1.server.ca.pem

  4. Create a unified CA Certificate file:

    # The intermediate must precede the root so the final chain reads server -> intermediate -> root,
    # which is the order Nginx sends it and the order TLS clients expect.
    cat sub.class1.server.ca.pem ca.pem > ca.tmp && mv ca.tmp ca.pem

  5. Delete the no longer needed StartSSL Intermediate CA Certificate file:

    rm sub.class1.server.ca.pem

  6. Create a single file containing your signed certificate and the StartSSL CA certificates for Nginx:

    cat server.crt ca.pem > nginx.crt


Install Your StartSSL Certificate

  1. By default, Nginx is configured to only serve HTTP requests on TCP port 80. You need to configure Nginx to serve HTTPS requests on TCP port 443. Open up the sample Nginx SSL virtual host configuration file.

    nano /etc/nginx/conf.d/example_ssl.conf

  2. Adjust your configuration so it matches the example below.

    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  YOUR DOMAIN OR SUB DOMAIN NAME HERE;

        ssl_certificate      /etc/ssl/nginx/nginx.crt;
        ssl_certificate_key  /etc/ssl/nginx/server.key;

        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout  5m;

        ssl_ciphers  "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !EXPORT !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
        ssl_prefer_server_ciphers   on;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
    }


    The changes from the sample file are to server_name, ssl_certificate, ssl_certificate_key, ssl_session_cache and ssl_ciphers, the removal of the commenting # signs, and the addition of the ssl_protocols line.

  3. Restart Nginx to apply your changes.

    service nginx restart


Test

Launch a web browser and navigate to https://yourdomainorsubdomainhere; you should see the default Nginx page. Please note that this will not work until you have created an A record for your hostname at your domain provider pointing to the IP address of your Linode. Please contact your domain provider if you need assistance.

Up and Running

You have successfully installed the latest version of Nginx and configured your free StartSSL SSL Certificate. You can now run an SSL test on your server and get an A! Now you can place any files you would like Nginx to make available in the /usr/share/nginx/html folder.

This guide is published under a CC BY-ND 4.0 license.