Skip to main content

Adding an SSL wildcard certificate to an Ubuntu server involves several steps.  A wildcard certificate can secure subdomains of a domain with a single certificate. Here's a general outline of the process:

I'll be using an existing wildcard certificate.

sudo apt update && sudo apt upgrade -y

 

Copy the certificate

sudo cp /etc/letsencrypt/live/your_domain/fullchain.pem /etc/ssl/your_domain.crt
sudo cp /etc/letsencrypt/live/your_domain/privkey.pem /etc/ssl/your_domain.key

Add the certificate and corresponding key files to the following locations

ssl_certificate /etc/ssl/certs/{certificate-name}.crt
ssl_certificate_key /etc/ssl/private/{certificate-key-name}.key

 

Create a Nginx Configuration File

Create an Nginx server block configuration file for your domain. You can create a new configuration file in the /etc/nginx/sites-available/ directory.

sudo nano /etc/nginx/sites-available/example.com

Here's a basic Nginx configuration for a website:

server {
   listen 80;
   server_name example.com www.example.com;

   location / {
       # Your regular server configuration
   }
}

server {
   listen 443 ssl;
   server_name example.com www.example.com;

   ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

   location / {
       # Your SSL-specific configuration
   }
}

The actual Nginx configuration file was 

proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;
proxy_temp_path /tmp/nginx_proxy 1 2;

server {
    client_max_body_size 100M;

    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/{certificate-name}.crt;
    ssl_certificate_key /etc/ssl/private/{certificate-key-name}.key;

    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }

    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host $host;
        proxy_cache cache;
        proxy_cache_bypass $cookie_auth_tkt;
        proxy_no_cache $cookie_auth_tkt;
        proxy_cache_valid 30m;
        proxy_cache_key $host$scheme$proxy_host$request_uri;
        # In emergency comment out line to force caching
        # proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

}

 

Create a Symbolic Link

Create a symbolic link to enable the configuration by running the following command:

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

 

Test Nginx Configuration

Run the following command to check the syntax of your Nginx configuration:

sudo nginx -t

If the configuration test is successful, you can proceed.  A successful response will be

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

 

Restart Nginx

Restart Nginx to apply the changes:

sudo systemctl restart nginx

 

Testing

Test your SSL configuration by accessing your website via HTTPS.  Make sure there are no errors.

Your wildcard SSL certificate is now installed and configured on your Ubuntu server, securing the specified domain and all of its subdomains. Be sure to follow best practices for securing your server and regularly renewing your SSL certificate to maintain security.

Related articles

Andrew Fletcher01 May 2024
Common commands used in Ubuntu - in progress
A growing list of commands I've used and what they do in no specific ordersudo snap install bw ps aux | grep java whoami ip addr show uptime sudo apt update && sudo apt upgrade -y cat /etc/os-release sudo apt-get install needrestart sudo reboot sudo needrestart sudo ckan sysadmin...
Andrew Fletcher18 Mar 2024
Resolving CVE-2022-48624 less issue
To resolve the CVE-2022-48624 vulnerability on Ubuntu using Nginx, it's crucial to understand that the issue lies within the "less" package, not Nginx itself. The vulnerability affects "less" before version 606, where close_altfile in filename.c in less omits shell_quote calls for LESSCLOSE,...