Installing an SSL Certificate on an Nginx Server

Last updated: 2023-09-28 17:10:01


Scenario

This document describes how to install an SSL certificate on an Nginx server.
Note
The certificate name cloud.tencent.com is used as an example.
The Nginx version nginx/1.18.0 is used as an example.
The current server OS is CentOS 7. Detailed steps vary slightly with the OS version.
Before installing an SSL certificate, please enable the default HTTPS port 443 on the Nginx server to ensure that HTTPS can be enabled after the certificate is installed. For more information, refer to How Do I Enable Port 443 on a Server?
For detailed directions on how to upload SSL certificate files to a server, see Copying Local Files to CVMs.

Preparations

Prepare a remote file copy tool such as WinSCP; download the latest version from its official website. For deployment to a Tencent Cloud CVM, the cloud server's own file upload feature is recommended instead; see Uploading Files to Cloud Server.
Install a remote login tool such as PuTTY or Xshell.
The Nginx service has been installed and configured on the server and was built with the http_ssl_module module. You can confirm this by running nginx -V and checking that the configure arguments include --with-http_ssl_module.
The data required to install the SSL certificate includes:
Server IP address: the address used to connect from the PC to the server.
Username: the account used to log in to the server.
Password: the password of that account.
Note
For a CVM instance purchased on the Tencent Cloud official website, log in to the CVM console to get the server IP address, username, and password.

Instructions

Certificate Installation

1. Go to the SSL Certificate Service Console, select the certificate to install, and click Download.
2. In the "Certificate Download" window, select Nginx as the server type, click Download, and decompress the cloud.tencent.com certificate package to a local directory. The package contains the cloud.tencent.com_nginx folder with the following files:
Folder name: cloud.tencent.com_nginx
Folder content:
cloud.tencent.com_bundle.crt: certificate file (the bundle Nginx serves to clients)
cloud.tencent.com_bundle.pem: certificate file in PEM format (not needed here)
cloud.tencent.com.key: private key file
cloud.tencent.com.csr: CSR file
Note
The CSR file, whether uploaded by you or generated online by the system when you applied for the certificate, is what was submitted to the CA. It is not needed during installation.
3. Log in to the Nginx server using "WinSCP", a tool for copying files between local and remote computers.
Note
We recommend using the file upload feature of the Cloud Virtual Machine (CVM) for deployment to Tencent Cloud CVM. For more details, please refer to Uploading Files to CVM.
4. Copy the certificate file cloud.tencent.com_bundle.crt and the private key file cloud.tencent.com.key from the local directory to the /etc/nginx directory on the Nginx server (the default Nginx configuration directory; adjust to your actual layout). The private key must stay secret: anyone who can read it can impersonate the site, so make it owned by root and readable only by its owner (chmod 600 /etc/nginx/cloud.tencent.com.key), and never place it under the web root.
5. Log in to the Nginx server remotely, for instance, using the "PuTTY" tool.
6. Edit the nginx.conf file in the Nginx configuration directory as follows:
Note
If the directives below are not present, add them. Running nginx -t prints the path of the configuration file in use.
You can edit the file with vim /etc/nginx/nginx.conf.
Configuration files differ between versions. In nginx/1.15.0 and later the ssl directive is deprecated (it was removed in 1.25.1): write listen 443 ssl instead of listen 443 together with ssl on.
server {
    # The default port for SSL access is 443.
    listen 443 ssl;
    # Enter the domain name the certificate is bound to.
    server_name cloud.tencent.com;
    # Path of the certificate file. Prefer an absolute path: a relative path is
    # resolved against the Nginx prefix directory (shown by nginx -V), which is
    # not necessarily /etc/nginx.
    ssl_certificate /etc/nginx/cloud.tencent.com_bundle.crt;
    # Path of the private key file.
    ssl_certificate_key /etc/nginx/cloud.tencent.com.key;
    ssl_session_timeout 5m;
    # Allow only TLS 1.2 and TLS 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suite list in OpenSSL format. It applies to TLS 1.2 only; the
    # TLS 1.3 suites are fixed by OpenSSL and are not affected by this directive.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        # Website root. This path is for reference only; use your actual directory.
        # For example, if the site's home page is in /etc/www on the server,
        # change "html" after root to /etc/www.
        root html;
        index index.html index.htm;
    }
}
7. Run the following command to check the configuration file for errors:
nginx -t
If errors are reported, correct the configuration according to the messages and run the check again.
If none are reported, proceed to step 8.
8. Reload Nginx by running the following command:
nginx -s reload
9. After a successful reload, the site can be accessed at https://cloud.tencent.com.
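Before reloading, the bundle, the key and the key's permissions are worth checking once on the server. The following shell script is an added example, not part of the original page or of Tencent Cloud's tooling; it assumes the OpenSSL command-line tool is installed (it is on CentOS 7) and uses the file names and host name from the steps above. live_check additionally assumes the machine can reach port 443 of the deployed host.

```shell
#!/bin/sh
# Pre-deployment checks for the certificate bundle and key copied in step 4.
# Added example; assumes the OpenSSL CLI is installed.

# check_cert_key_match CERT KEY
# Succeeds only if the public key inside CERT is the one derived from KEY.
# Comparing the whole public key works for RSA and ECDSA keys alike, unlike
# the older trick of comparing the RSA modulus.
check_cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# check_cert_name CERT NAME
# Succeeds if NAME is the subject CN or one of the DNS SANs of the first
# certificate in CERT, i.e. the name Nginx will present for server_name.
check_cert_name() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' \
        | grep -qE "DNS:$2(,|$)" && return 0
    printf '%s\n' "$text" | grep 'Subject:' | grep -qE "CN ?= ?$2(,|$)"
}

# bundle_cert_count BUNDLE -> prints how many PEM certificates the file holds.
# A bundle with a single certificate lacks the intermediate CA certificates,
# and browsers will then reject the chain even though nginx -t is happy.
bundle_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# check_key_perms KEY
# The private key must not be group- or world-readable: mode 600 or 400.
check_key_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# run_checks CERT KEY NAME -> 0 if every hard check passes, 1 otherwise.
# Prints one line per check so the result can be read in the shell session.
run_checks() {
    rc=0
    check_cert_key_match "$1" "$2" && echo "ok   certificate and key match" \
        || { echo "FAIL certificate and key do not match"; rc=1; }
    check_cert_name "$1" "$3" && echo "ok   $3 is in the certificate" \
        || { echo "FAIL $3 is not in the certificate CN/SAN"; rc=1; }
    [ "$(bundle_cert_count "$1")" -ge 2 ] && echo "ok   bundle carries intermediates" \
        || echo "WARN bundle holds a single certificate; intermediates missing?"
    check_key_perms "$2" && echo "ok   key permissions" \
        || { echo "FAIL key is readable by others (chmod 600 it)"; rc=1; }
    return $rc
}

# Post-reload check (not exercised by the tests): prints the subject, issuer
# and validity dates of the certificate the live server actually sends.
live_check() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Usage on the server, with the paths from step 4:
# run_checks /etc/nginx/cloud.tencent.com_bundle.crt \
#            /etc/nginx/cloud.tencent.com.key cloud.tencent.com && nginx -t
```

run_checks exits non-zero on a mismatch or on a readable key, so it can be chained in front of nginx -t and nginx -s reload; the intermediate-count check is only a warning because a self-signed test certificate legitimately has a single entry.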

(Optional) Security configuration for automatic redirect from HTTP to HTTPS

If you need HTTP requests to be redirected to HTTPS automatically, set it up as follows:
1. Choose a configuration method according to your needs:
Add a JS script to the page.
Add the redirection in the backend program.
Implement the redirection in the web server.
Of these, the server-side redirect is the reliable one: a JavaScript redirect only takes effect in browsers that execute the script, and the plain-HTTP page that carries it is itself exposed. Nginx implements the redirect through its rewrite module (present unless PCRE support was disabled at build time): add return 301 https://$host$request_uri; to the server block listening on port 80, so that requests to the default HTTP port are redirected to HTTPS. Modify the configuration as follows:
Note
If the directives below are present but commented out, uncomment them and set them as shown.
Configuration files differ between versions. In nginx/1.15.0 and later, write listen 443 ssl instead of listen 443 together with ssl on.
server {
    # The default port for SSL access is 443.
    listen 443 ssl;
    # Enter the domain name the certificate is bound to.
    server_name cloud.tencent.com;
    # Path of the certificate file. Prefer an absolute path: a relative path is
    # resolved against the Nginx prefix directory (shown by nginx -V), which is
    # not necessarily /etc/nginx.
    ssl_certificate /etc/nginx/cloud.tencent.com_bundle.crt;
    # Path of the private key file.
    ssl_certificate_key /etc/nginx/cloud.tencent.com.key;
    ssl_session_timeout 5m;
    # Cipher suite list in OpenSSL format. It applies to TLS 1.2 only; the
    # TLS 1.3 suites are fixed by OpenSSL and are not affected by this directive.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # Allow only TLS 1.2 and TLS 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    location / {
        # Website root. This path is for reference only; use your actual directory.
        # For example, if the site's home page is in /etc/www on the server,
        # change "html" after root to /etc/www.
        root html;
        index index.html index.htm;
    }
}
server {
    listen 80;
    # Enter the domain name the certificate is bound to.
    server_name cloud.tencent.com;
    # Redirect HTTP requests to HTTPS with a permanent redirect. $host is
    # taken from the request (Host header), falling back to server_name, so
    # keep server_name limited to your own domain or use $server_name here if
    # this block is also the default server for the port.
    return 301 https://$host$request_uri;
}
2. Run the following command to check the configuration file for errors:
nginx -t
If errors are reported, correct the configuration according to the messages and run the check again.
If none are reported, proceed to step 3.
3. Reload Nginx by running the following command:
nginx -s reload
4. After a successful reload, the site can be accessed at https://cloud.tencent.com, and a request to http://cloud.tencent.com is redirected there.
If the browser shows the security lock icon, the certificate has been installed successfully.
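The lock icon confirms the HTTPS side; the redirect itself is easiest to verify from the response headers of a plain-HTTP request. The script below is an added example, not part of the original page: check_redirect accepts a block of response headers and passes only when they are a 301 or 308 redirect to exactly https://HOST/PATH, so a page served in the clear, a redirect back to http:// (a downgrade or a loop), a redirect to another host or a dropped path all fail. The sample responses are constructed for illustration, and fetch_headers assumes curl is installed.

```shell
#!/bin/sh
# Verifies the HTTP -> HTTPS redirect configured by the port-80 server block.
# Added example; the sample headers below are constructed, not captured.

# check_redirect HEADERS HOST PATH
# Succeeds only if HEADERS is a 301/308 response whose Location is exactly
# https://HOST/PATH. Header names are matched case-insensitively and CRLF
# line endings are tolerated, as curl prints them.
check_redirect() {
    status=$(printf '%s\n' "$1" | sed -n '1s#^HTTP/[0-9.]* \([0-9]*\).*#\1#p')
    location=$(printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case "$status" in
        301|308) ;;
        *) return 1 ;;
    esac
    [ "$location" = "https://$2$3" ]
}

# fetch_headers HOST PATH -> response headers of http://HOST/PATH. curl does
# not follow redirects unless -L is given, so the 301 itself is returned.
# Not exercised by the tests (needs network access).
fetch_headers() {
    curl -sSI "http://$1$2"
}

# Constructed example of the answer Nginx gives for the configuration above.
SAMPLE_OK='HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Location: https://cloud.tencent.com/docs/index.html
Content-Length: 169
Connection: keep-alive'

# Constructed example of a misconfiguration: the redirect points back to http.
SAMPLE_DOWNGRADE='HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Location: http://cloud.tencent.com/docs/index.html'

check_redirect "$SAMPLE_OK" cloud.tencent.com /docs/index.html \
    && echo "redirect ok"
check_redirect "$SAMPLE_DOWNGRADE" cloud.tencent.com /docs/index.html \
    || echo "redirect misconfigured: target is not https"

# Against the live server:
# check_redirect "$(fetch_headers cloud.tencent.com /docs/index.html)" \
#     cloud.tencent.com /docs/index.html
```

Run it for a path with a query string as well as for /, since $request_uri is what preserves both; a redirect that lands on https://cloud.tencent.com/ for every request means the block is using $uri or a fixed URL instead.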



In case of a website access exception, troubleshoot the issue by referring to the following FAQs:
Note
If anything goes wrong during this process, please contact us.