How to Install a Porkbun SSL on NGINX

Let’s Encrypt is a free SSL provider. Porkbun is a very good domain registrar. We can download a free SSL certificate from the Porkbun dashboard. All we need to do is upload it to our VPS and add the paths of the certificate files to the virtual host file.

Download the SSL certificate from Porkbun.

You will get a ZIP file containing the following 4 files:

  1. domain.cert.pem
  2. intermediate.cert.pem
  3. private.key.pem
  4. public.key.pem

Now upload files no. 1 and 3 only (i.e. domain.cert.pem and private.key.pem) to your VPS home folder (i.e. /home/admin/).

Create a Virtual Host for your domain (for example: yourdomain.com) as shown below:

sudo nano /etc/nginx/sites-available/wbxpress.net.conf
server {
    server_name    yourdomain.com www.yourdomain.com;
    root           /var/www/yourdomain;
    index          index.html index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~* \.php$ {
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        include         fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
        fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
    }

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /home/admin/domain.cert.pem;
    ssl_certificate_key /home/admin/private.key.pem;
}
server {
    if ($host = www.yourdomain.com) {
        return 301 https://yourdomain.com$request_uri;
    }
    if ($host = yourdomain.com) {
        return 301 https://yourdomain.com$request_uri;
    }
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;
    return 404;
}

Also, we need to replace the SSL settings in the nginx.conf file with those from the SSL Config File Generator.

sudo nano /etc/nginx/nginx.conf
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

The above configuration works perfectly well in our case.
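
An added example, not part of the original article: a small Python check that reads the ssl_protocols and ssl_ciphers directives shown above and reports which entries a current TLS baseline would drop (TLS 1.0/1.1, 3DES, suites without forward secrecy, non-AEAD suites). The function names and finding categories are this example's own assumptions; PAGE_CONF repeats the article's directives as sample input.

```python
import re

# OpenSSL-style suite names as used by nginx ssl_ciphers (TLS 1.2 and below).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")    # ephemeral (forward-secret) key exchange
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")   # suites without these are CBC-mode here

# Sample input: the three directives as they appear in the article.
PAGE_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
"""

def directive(conf, name):
    """Return the argument string of the first uncommented `name <args>;`, or ''."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s+([^;]+);", conf, re.MULTILINE)
    return m.group(1).strip().strip("'\"") if m else ""

def audit_tls(conf):
    """Classify weak protocol versions and cipher suites in an nginx config."""
    found = {"deprecated_protocols": [], "triple_des": [],
             "no_forward_secrecy": [], "non_aead": []}
    for proto in directive(conf, "ssl_protocols").split():
        if proto in DEPRECATED_PROTOCOLS:
            found["deprecated_protocols"].append(proto)
    for suite in directive(conf, "ssl_ciphers").split(":"):
        if not suite or suite.startswith("!"):   # skip exclusions such as !DSS
            continue
        if "DES-CBC3" in suite:
            found["triple_des"].append(suite)
        if not suite.startswith(FS_PREFIXES):
            found["no_forward_secrecy"].append(suite)
        if not any(marker in suite for marker in AEAD_MARKERS):
            found["non_aead"].append(suite)
    return found

if __name__ == "__main__":
    for category, items in audit_tls(PAGE_CONF).items():
        print(f"{category}: {len(items)} {items}")
```

Removing everything the check reports leaves TLSv1.2 with the eight ECDHE/DHE GCM and CHACHA20 suites at the head of the list.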