Installing an SSL certificate on your website is a major step towards secure data transfer.
The setup of SSL differs slightly depending on the SSL provider and the web server. At times, following the wrong steps when adding AlphaSSL to a web server like Nginx can break the website.
Here at Bobcares, we help customers to fix their SSL websites as part of our Server Support for web hosts.
Today, we’ll see how our Support Engineers install AlphaSSL in Nginx without breaking websites.
How to set up AlphaSSL in Nginx?
The steps for installing SSL differ with the web server used on the server. For example, the setup is not the same in Apache and Nginx. Unfortunately, a wrong SSL installation can easily break the website too.
Let’s now see how our Support Engineers set up AlphaSSL in Nginx server.
1. Getting the certificate files
As the first step, we get the necessary SSL certificate files for the website. Upon SSL purchase, the AlphaSSL team sends all the certificate files to the customer’s email. These files contain the intermediate and primary certificates of the website.
We download both certificate files and copy them to the server directory along with the .key file. This .key file is created as part of the CSR (Certificate Signing Request) generation process.
2. Combining certificate files
When an intermediate certificate is not present in the certificate store of well-known trusted certificate authorities, it can create problems with website access in certain browsers.
Therefore, we need to combine the primary certificate and the intermediate certificate into a single file.
This step avoids the problem and ensures the SSL website works properly in all browsers.
For example, to combine domain_name.crt and domain_name.ca-bundle into ssl-bundle.crt, our Server Engineers use the command:
cat domain_name.crt domain_name.ca-bundle > ssl-bundle.crt
3. Edit Nginx Virtual Host
After combining the certificate files, we need to add them to the Nginx configuration files.
For example, on Ubuntu servers, we add the file ssl-bundle.crt to the folder /etc/ssl/certs/
Additionally, our Support Engineers turn ON the SSL option, configure the listen directive to listen on port 443, etc. in Nginx. To enable AlphaSSL on a particular website, we also need to edit the per-domain config file at /etc/nginx/sites-available/.
Here, we add the paths to the SSL certificate and key file as:
ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/private/domainname.key;
4. Nginx restart
After adding the files, we do a syntax check of the Nginx configuration. This is followed by a restart, and SSL starts working for the domain.
Common problems with AlphaSSL in Nginx and their fixes
From our experience in managing servers, we often see customers reporting problems with SSL installation in Nginx. Now, let’s see how our Support Engineers deal with it.
1. Problems with intermediate certificate
A major share of the problems reported with AlphaSSL relate to the intermediate certificate. These include:
a) Choosing the wrong intermediate certificate
For SSL to work properly, we need to choose the intermediate certificate that matches the SSL certificate. If there is a mismatch, SSL will fail. For example, in one case, a customer had set up a SHA256 intermediate certificate while he had a SHA1 certificate installed on the domain.
In another case, there were no errors in the Nginx error log. However, AlphaSSL was not showing as trusted in the mobile Chrome browser.
To fix this, our Server Engineers had to reinstall the correct intermediate certificate for the domain in Nginx. After that, the secure connection on the website started working again.
b) Error while combining certificates
Similarly, AlphaSSL can fail when the primary certificate and intermediate certificate are combined in the wrong order. The order of the certificates in the file is important. The certificate for the domain name should go first, and the intermediate certificates should follow it.
Here, we correct this by combining the files in the correct order once again. Then we reinstall SSL to make it work again.
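The ordering rule above, and the bundle built in step 2, can be checked before Nginx is restarted. The script below is an added example, not Bobcares' own tooling: the function names chain_order_ok, key_matches_cert and make_constructed_fixture are hypothetical, it assumes the openssl command-line tool is installed, and the fixture is a throwaway CA and an example.test certificate generated locally rather than real AlphaSSL files.

```bash
#!/usr/bin/env bash
# Added example. Function names and the fixture are constructed for illustration.

# Succeeds only if each certificate in the bundle was issued by the one after
# it: domain certificate first, intermediate certificate(s) following.
chain_order_ok() {
  local bundle="$1" tmp n i=1 iss sub rc=0
  tmp=$(mktemp -d) || return 2
  # Split the PEM bundle into one file per certificate: c1.pem, c2.pem, ...
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$bundle"
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" 2>/dev/null || true)
  [ "${n:-0}" -ge 2 ] || rc=1   # fewer than two: no intermediate was combined
  while [ "$i" -lt "${n:-0}" ]; do
    iss=$(openssl x509 -in "$tmp/c$i.pem" -noout -issuer_hash 2>/dev/null) || rc=1
    sub=$(openssl x509 -in "$tmp/c$((i + 1)).pem" -noout -subject_hash 2>/dev/null) || rc=1
    [ "$iss" = "$sub" ] || rc=1
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return "$rc"
}

# Succeeds if the .key file belongs to the first certificate in the bundle.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Constructed fixture: a throwaway local CA stands in for the intermediate and
# signs a certificate for example.test. Nothing here comes from AlphaSSL.
make_constructed_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/domain_name.ca-bundle" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$1/domainname.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -days 1 -set_serial 1 -out "$1/domain_name.crt" \
    -CA "$1/domain_name.ca-bundle" -CAkey "$1/ca.key" 2>/dev/null
}

# Demo (./script --demo): combine as in step 2, then check before restarting Nginx.
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d) && make_constructed_fixture "$d" && cd "$d" || exit 1
  cat domain_name.crt domain_name.ca-bundle > ssl-bundle.crt
  chain_order_ok ssl-bundle.crt && key_matches_cert ssl-bundle.crt domainname.key &&
    echo "bundle order and key are consistent"
fi
```

On a real server, point the two check functions at ssl-bundle.crt and the .key file before running the Nginx syntax check; a reversed bundle or a bundle with only the domain certificate makes chain_order_ok return non-zero.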
2. OCSP stapling verification failure
The Online Certificate Status Protocol (OCSP) is a way for a web browser to determine the validity of an SSL certificate. With OCSP stapling, the web server downloads a copy of the SSL provider’s response, which it can deliver directly to the browser. When a web browser connects to the server, it compares the SSL certificate with these details. If they match, the website page opens.
Often, we see issues with OCSP stapling with AlphaSSL in Nginx. To fix this, our Support Engineers first add the following directive to the Nginx configuration to turn ON verification.
ssl_stapling_verify on;
Then, we configure the certificate of the issuer, the root certificate, and all intermediate certificates as trusted using the ssl_trusted_certificate directive. That normally resolves the problem with OCSP stapling.
Conclusion
Securing Nginx websites with AlphaSSL involves a series of steps. Today, we’ve seen how our Support Engineers set up AlphaSSL in Nginx without breaking the website and how they solve common problems with it.