Gandi Standard SSL Certificate & Nginx

Gandi offers a free SSL certificate for one year with any domain you buy there, nice. But the setup is a bit tedious and the documentation a bit scattered, so here's an attempt at a comprehensive howto for configuring a secured nginx vhost using your free certificate.

Disclaimer: Gandi's quite complicated email confirmation and validation workflow won't be covered in this post. Just ensure you can receive emails at admin@domain.tld where domain.tld is your domain.

Creating your certificate

On your server, ensure you have the openssl command available or install it. Then, generate your CSR (domain.tld is your actual domain):

$ openssl req -nodes -newkey rsa:2048 -keyout domain.tld.key \
    -out domain.tld.csr

Answer a few questions from the program, but here's the most important bit: enter your domain or subdomain when prompted to provide a Common Name:

Common Name (eg, YOUR name) []: domain.tld

As they say:

The process will create 2 files: a public .csr file, and a private .key file which you must absolutely keep private.

Note: Alas, you won't be able to extend your certificate to all possible subdomains using a wildcard as it is only supported starting with their «Pro» offer.

Have a coffee.

Next, head to your Gandi domain management page, select your domain, click on SSL Certificate: Manage, click on Activate this certificate, then paste the content of the generated domain.tld.csr file into the textarea and submit the form. Then wait for an email from Gandi confirming your request.

In the meantime, retrieve the intermediate certificate from the SSL certificate management page of your Gandi account by clicking on the tiny magnifying glass next to your domain name (the one with a nicely hidden «Get the certificate» tooltip on rollover); you'll get both your certificate and Gandi's operational certificate authority file:

  • cert-domain.tld.pem, where domain.tld is your actual domain
  • GandiStandardSSLCA.pem

Upload them both to your server and store them in, e.g., /etc/nginx/certificates/ (nope, this directory is unlikely to exist by default; do as you like).

Last, you have to append the Gandi CA to your domain certificate, producing the single chain file nginx will load. Order matters: the server certificate comes first, the CA second. Note the downloaded file is cert-domain.tld.pem, while the chain file the vhost below refers to is cert-domain.tld.crt:

$ cat cert-domain.tld.pem GandiStandardSSLCA.pem > cert-domain.tld.crt

Have a cappuccino.


Configuring the nginx vhost

Here's a sample vhost server configuration for nginx, kept as short as possible for the sake of clarity:

server {
    listen 443;
    server_name "domain.tld";
    root /var/www/your_website_root;

    # on nginx 1.15.0 and later "ssl on;" is obsolete: drop it and use
    # "listen 443 ssl;" above instead
    ssl on;
    # the chain file (server certificate followed by the Gandi CA) and the
    # private key generated together with the CSR
    ssl_certificate     /etc/nginx/certificates/cert-domain.tld.crt;
    ssl_certificate_key /etc/nginx/certificates/domain.tld.key;
}
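Before restarting nginx it is worth checking that the chain file was built in the right order and that it matches the private key, since a CA-first file or a mismatched key only shows up as a TLS handshake failure. The following script is an added example, not part of the original post; it assumes the openssl CLI is installed and uses the file names from this post.

```sh
#!/bin/sh
# Added example (not from the original post): build the chain file the nginx
# vhost expects and sanity-check it before restarting nginx.
# Assumes the openssl CLI is installed; file names follow the post's convention
# (cert-domain.tld.pem, GandiStandardSSLCA.pem, domain.tld.key).
set -eu

# build_chain LEAF CA OUT
# nginx reads the server certificate first, then the issuing CA(s), so the
# order of the two input files matters.
build_chain() {
  cat "$1" "$2" > "$3"
}

# check_chain CHAIN KEY CA -> returns 0 if the chain is usable, 1 otherwise.
# 1) the first certificate in CHAIN must be the one matching KEY
#    (a CA-first file would make nginx present the CA cert as the server cert);
# 2) that certificate must verify against CA.
check_chain() {
  chain="$1"; key="$2"; ca="$3"
  # "openssl x509" only reads the first PEM block of its input
  cert_pub=$(openssl x509 -in "$chain" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout) || return 1
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "check_chain: first certificate in $chain does not match $key" >&2
    return 1
  fi
  if ! openssl x509 -in "$chain" | openssl verify -CAfile "$ca" >/dev/null 2>&1; then
    echo "check_chain: server certificate does not verify against $ca" >&2
    return 1
  fi
  return 0
}

# Typical use, after uploading the files to /etc/nginx/certificates/:
#   cd /etc/nginx/certificates
#   build_chain cert-domain.tld.pem GandiStandardSSLCA.pem cert-domain.tld.crt
#   check_chain cert-domain.tld.crt domain.tld.key GandiStandardSSLCA.pem
```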

Restart nginx and you should be able to access your website using https://domain.tld/.

To redirect all HTTP traffic to HTTPS for this server, add this:

server {
    listen 80;
    server_name "domain.tld";
    rewrite ^(.*) https://$host$1 permanent;
}

Have a latte.

Conclusion

At this point, you should be seriously considering quitting caffeine. As a positive note, it looks like the whole process will be revamped in some weeks:

If you're looking for other alternatives than Gandi for getting SSL certs, it seems that many people are speaking well of StartSSL despite their ugly site, but I didn't use the service myself.
