How to configure SSL on Nginx

First things first:
You can generate a baseline config using Mozilla's Generator,
and the Nginx directives themselves are very well documented on the Nginx website.

Getting a B Grade is just not good enough

One of the first problems I stumbled over was only getting a B grade on Qualys SSL Labs.
The grade is capped there if you haven't properly set up OCSP stapling.

The relevant config settings for stapling to work are the following:

ssl_stapling on;                               # fetch OCSP responses and staple them into the handshake
ssl_stapling_verify on;                        # verify the responder's signature before stapling
ssl_trusted_certificate /path/to/your/file;    # certificate chain used to verify the OCSP response

The Nginx error log tells you what went wrong (failed responder lookups, chain verification errors):

sudo tail -f /var/log/nginx/error.log

Many hosters make it easy to get the SSL certificates, but it is also very easy to confuse which is which.
For OCSP stapling to work properly, all certificates in the chain must be provided in a single file.
It doesn't matter whether you copy and paste them with Notepad or pipe them into a new file.

The File should look like this:

-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----

[Figure: SSL certificate chain. Source: DigiCert]

With OpenSSL installed you can also make sure it's working as intended:

echo QUIT | openssl s_client -connect www.your-website.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
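The grep pipeline only shows that a Next Update line exists. As an added example (not part of the original post), the Python script below performs the same openssl s_client -status handshake, parses the OCSP block properly, and reports failure when no staple was sent, the certificate status is not "good", the responder status is not "successful", or the response has passed its Next Update. The hostname argument, the constructed SAMPLE_OUTPUT, and the "YYYY-MM-DD" form of the now parameter are assumptions made for this example.

```python
import re, subprocess, sys
from datetime import datetime, timezone
_STATUS_RE = re.compile(r"OCSP Response Status:\s*(\w+)")
_CERT_RE = re.compile(r"Cert Status:\s*(\w+)")
_NEXT_RE = re.compile(r"Next Update:\s*(.+)")

# Constructed sample of a healthy staple, trimmed to the lines that matter.
SAMPLE_OUTPUT = """OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Jan  1 12:00:00 2024 GMT
    Next Update: Jan  8 12:00:00 2024 GMT
"""

def fetch_status_output(host, port=443):
    """Same handshake as the one-liner above; returns openssl's raw output."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"QUIT\n", capture_output=True, timeout=20)
    return proc.stdout.decode(errors="replace")

def _parse_date(text):
    # OpenSSL prints e.g. "Jan  1 12:00:00 2024 GMT"; collapse the day padding.
    clean = " ".join(text.split())
    return datetime.strptime(clean, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def check_ocsp_staple(output, now=None):
    """Return (ok, problems); ok only if a fresh 'good' staple was sent."""
    if isinstance(now, str):  # "YYYY-MM-DD", handy for reproducible checks
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if "OCSP Response Data" not in output:
        return False, ["no OCSP staple sent: check ssl_stapling and the chain file"]
    problems = []
    status = _STATUS_RE.search(output)
    if not status or status.group(1) != "successful":
        problems.append("responder status: " + (status.group(1) if status else "missing"))
    cert = _CERT_RE.search(output)
    if not cert or cert.group(1) != "good":
        problems.append("cert status: " + (cert.group(1) if cert else "missing"))
    next_m = _NEXT_RE.search(output)
    if not next_m:
        problems.append("no Next Update: freshness cannot be judged")
    elif _parse_date(next_m.group(1)) < now:
        problems.append("stapled response is expired")
    return not problems, problems

if __name__ == "__main__":
    ok, problems = check_ocsp_staple(fetch_status_output(sys.argv[1]))
    print("OK" if ok else "FAIL", *problems, sep="\n")
```

Run it as `python3 check_staple.py www.your-website.com`; an expired staple is worth watching for, because Nginx stops sending a response once its Next Update has passed and the grade drops again.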

Once you've succeeded, you will also get a better grade on Qualys SSL Labs.
