SSL Switch from http to https and http/2

So, I bought Comodo Essential SSL, which is verified.
What are my steps on server to use this certificaate. Also, how to redirect all non-www to www and http to https.
I belive that in my nginx 1.9.6 I can use http/2 and not spdy

Thank you

---

 

I have 3 files downloaded from site where I bought ssl certification.
CA-Bundle
CSR
Security certificate

Where should I upload them?

 

Lol, I am lost again.
I will try to read that manuals couple of times again.

 

I am confused with allready on my server certifikates in /usr/local/nginx/conf/ssl/pijanitvor.com/
Should I overvrited with files I downloaded from my payed ssl cerifikates

 

I have three files from my ssl provider:

• www_pijanitvor_com.ca-bundle
• www_pijanitvor_com.crt
• www_pijanitvor_com.csr

If I understand procedure:
upload www_pijanitvor_com.crt and overwrite existing one to /usr/local/nginx/conf/ssl/pijanitvor.com/

also another two files www_pijanitvor_com.csr and www_pijanitvor_com.ca-bundle copy and overwrite existing one to /usr/local/nginx/conf/ssl/pijanitvor.com/

delete old one dhparam.pem file in /usr/local/nginx/conf/ssl/pijanitvor.com and create new one

Code:

 cd /usr/local/nginx/conf/ssl/pijanitvor.com
openssl dhparam -out dhparam.pem 4096

add in (nginx) virtual.conf on the bottom of file:

Code:

ssl_dhparam /usr/local/nginx/conf/ssl/domaincom/dhparam.pem;

then this three commands:

Code:

cd /usr/local/nginx/conf/ssl/pijanitvor.com/
cat www_pijanitvor_com.crt www_pijanitvor_com.ca-bundle > ssl-unified.crt
cat www_pijanitvor_com.ca-bundle > ssl-trusted.crt

then I need change /usr/local/nginx/conf/conf.d/pijanitvor.com.ssl.conf

find:

Code:

server {
  listen 443 ssl http2;
  server_name pijanitvor.com www.pijanitvor.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/pijanitvor.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/pijanitvor.com/pijanitvor.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/pijanitvor.com/pijanitvor.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

replace with:

Code:

server {
  listen 443 ssl http2;
  server_name pijanitvor.com www.pijanitvor.com;
  ssl_dhparam /usr/local/nginx/conf/ssl/pijanitvor.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-unified.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/pijanitvor.com/pijanitvor.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

About pijanitvor.com.key. Manual say change ssl.key to newdomain.com.key, I allready have in there pijanitvor.com.key (when created virtual host via installing centminmod), and from my ssl provider I do not have any similiar to that, or this is the generated key which is in certificate? So, should I live that row as it is or not (ssl_certificate_key /usr/local/nginx/conf/ssl/pijanitvor.com/pijanitvor.com.key;)


find:

Code:

# enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/pijanitvor.com/pijanitvor.com-trusted.crt;  

replace with:

Code:

  enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-trusted.crt;  

then run this command to disable http:

Code:

mv /usr/local/nginx/conf/conf.d/pijanitvor.com.conf /usr/local/nginx/conf/conf.d/pijanitvor.com.conf-disabled

then again change /usr/local/nginx/conf/conf.d/pijanitvor.com.ssl.conf and make changes to redirect from Pijani Tvor and Pijani Tvor to https://www.pijanitvor.com

Find:

Code:

# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For SPDY SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
# server {
#  server_name pijanitvor.com www.pijanitvor.com;
#  return 302 https://$server_name$request_uri;
# }

replace with:

[CODE]# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For SPDY SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
   server {
   server_name pijanitvor.com www.pijanitvor.com;
   return 302 https://www.$server_name$request_uri;
 }

then restart nginx and php-fpm

Code:

nprestart

then check ssl is it OK

Code:

openssl s_client -connect domain.com:443 -tls1 -tlsextdebug -status

And after few days if all is OK, change 302 to 301

Is this setup OK?
Am I missing some step or do I need to change any other file?
Most confused to me is ssl files generated in the creation of virtual host, and I am not sure should I replace them with providers ssl files or put them somwhere else (default one).
Also, pijanitvor.com.key (ssl.key to newdomain.com.key), I do not have that file from my ssl provider

 

yep, I see this now. Have overlooked that

Hm, I use their online generator, so I think that default key is not the same. I have e-mailed that key from provider in txt file. Should I backup default key and create new file with provider key with same name and upload there?
So rename old .key to something else and create new file with name pijanitvor.com.key (in notepad++ copy/paste private key, and save with .key extension)?

 

Ok, will not create new one.
but, do I still have to add on the bottom in (nginx) virtual.conf

Code:

ssl_dhparam /usr/local/nginx/conf/ssl/domaincom/dhparam.pem;

 

After trying to restart nginx

Code:

[root@tvor-ocean conf.d]# nprestart
Restarting nginx (via systemctl):  Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details.
                                                           [FAILED]
Gracefully shutting down php-fpm . done
Starting php-fpm  done
[root@tvor-ocean conf.d]# systemctl status nginx.service
nginx.service - SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server
   Loaded: loaded (/etc/rc.d/init.d/nginx)
   Active: failed (Result: exit-code) since Thu 2015-11-26 00:27:21 CET; 13s ago
  Process: 12355 ExecStop=/etc/rc.d/init.d/nginx stop (code=exited, status=0/SUCCESS)
  Process: 12409 ExecStart=/etc/rc.d/init.d/nginx start (code=exited, status=1/FAILURE)
Main PID: 2388 (code=exited, status=0/SUCCESS)

Nov 26 00:27:21 tvor-ocean.pijanitvor.com systemd[1]: Starting SYSV: Nginx is...
Nov 26 00:27:21 tvor-ocean.pijanitvor.com nginx[12409]: Starting nginx: nginx...
Nov 26 00:27:21 tvor-ocean.pijanitvor.com nginx[12409]: [FAILED]
Nov 26 00:27:21 tvor-ocean.pijanitvor.com systemd[1]: nginx.service: control ...
Nov 26 00:27:21 tvor-ocean.pijanitvor.com systemd[1]: Failed to start SYSV: N...
Nov 26 00:27:21 tvor-ocean.pijanitvor.com systemd[1]: Unit nginx.service ente...
Hint: Some lines were ellipsized, use -l to show in full.
[root@tvor-ocean conf.d]# systemctl status nginx.service -l
nginx.service - SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server
   Loaded: loaded (/etc/rc.d/init.d/nginx)
   Active: failed (Result: exit-code) since Thu 2015-11-26 00:27:21 CET; 27s ago
  Process: 12355 ExecStop=/etc/rc.d/init.d/nginx stop (code=exited, status=0/SUCCESS)
  Process: 12409 ExecStart=/etc/rc.d/init.d/nginx start (code=exited, status=1/FAILURE)
Main PID: 2388 (code=exited, status=0/SUCCESS)

Nov 26 00:27:21 tvor-ocean.pijanitvor.com systemd[1]: Starting SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server...
Nov 26 00:27:21 tvor-ocean.pijanitvor.com nginx[12409]: Starting nginx: nginx: [emerg] unknown directive "enable" in /usr/local/nginx/conf/conf.d/pijanitvor.com.ssl.conf:35
Nov 26 00:27:21 tvor-ocean.pijanitvor.com nginx[12409]: [FAILED]
Nov 26 00:27:21 tvor-ocean.pijanitvor.com systemd[1]: nginx.service: control process exited, code=exited status=1
Nov 26 00:27:21 tvor-ocean.pijanitvor.com systemd[1]: Failed to start SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server.
Nov 26 00:27:21 tvor-ocean.pijanitvor.com systemd[1]: Unit nginx.service entered failed state.

 

found an error and solved (delete # on comment row so command enable is set active, but there is not command enable )

Still, bellow question is still an answered...

 

Hmmm, only main page is showing, every other link (include relative one) is broken. Also, baloon (for alerts) when selected by mouse, showing error.
Nginx 404 error

 

Nothing is working on forum except home page and Admin CP.
I tried click on resources tab, and this is error from log on server:

Code:

2015/11/26 02:14:58 [error] 2858#2858: *786 "/home/nginx/domains/pijanitvor.com/public/resources/index.php" is not found (2: No such file or directory), client: 93.137.185.104, server: pijanitvor.com, request: "GET /resources/ HTTP/2.0", host: "www.pijanitvor.com", referrer: "https://www.pijanitvor.com/"

Somewhere is not enabled redirection or some step is missing. @eva2000 could you help?

 

I found it
lol, last few hours I am talking here with my self.

Problem was in friendly url code. They were missing in pijanitvor.com.ssl.conf.
I added them, but then show up old error for double location in file, so I commented last location cause main rows for that were commented allready.

@eva2000, @RoldanLT or anybody else, could you please make this .conf to include commented location, but friendly urls work as they work OK now. Two commented rows are near bottom (last location, open row and close row) :
#location / {

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

# Enables directory listings when index file not found
#autoindex on;

# Shows file listing times as local time
#autoindex_localtime on;

# Enable for vBulletin usage WITHOUT vbSEO installed
# More example Nginx vhost configurations at
# Nginx Configuration Examples - CentminMod.com LEMP Nginx web stack for CentOS
#try_files $uri $uri/ /index.php;

#}

Code:

# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For SPDY SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
server {
   server_name pijanitvor.com www.pijanitvor.com;
    return 301 https://www.$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  server_name pijanitvor.com www.pijanitvor.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/pijanitvor.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-unified.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/pijanitvor.com/pijanitvor.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  # mozilla recommended
  ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
  ssl_prefer_server_ciphers   on;
  ##add_header Alternate-Protocol  443:npn-spdy/3;
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header  X-Content-Type-Options "nosniff";
  #add_header X-Frame-Options DENY;
  ##spdy_headers_comp 5;
  ssl_buffer_size 1400;
  ssl_session_tickets on;
 
  #enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-trusted.crt; 

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/pijanitvor.com/log/access.log combined buffer=256k flush=60m;
  error_log /home/nginx/domains/pijanitvor.com/log/error.log;

  root /home/nginx/domains/pijanitvor.com/public;

  location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$uri&$args;
    }

    location /internal_data/ {
        internal;
        allow 127.0.0.1;
        allow 46.101.130.248;
        deny all;
    }

    location /library/ {
        internal;
        allow 127.0.0.1;
        allow 46.101.130.248;
        deny all;
    }
 
  # prevent access to ./directories and files
    location ~ (?:^|/)\. {
   deny all;
    } 

  #location / {

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Enable for vBulletin usage WITHOUT vbSEO installed
  # More example Nginx vhost configurations at
  # http://centminmod.com/nginx_configure.html
  #try_files    $uri $uri/ /index.php;

  #}

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}