Nginx HTTPS (TLS/SPDY support) setup for Dokku on Ubuntu 13.04

  17 Apr 2014


I still use the end-of-life Ubuntu 13.04 because there are known issues with Docker/Dokku on 13.10. However, the OpenSSL package that ships with Ubuntu 13.04 is vulnerable to the Heartbleed bug. So the following is not the common way to set up nginx/HTTPS, but the hard way. First, open /etc/apt/sources.list for editing:

vim /etc/apt/sources.list

Add a new source specifically for the patched OpenSSL (credit for the source).

deb https://apcera-apt.s3.amazonaws.com public raring-openssl

Save the file and run

apt-key adv --recv-keys --keyserver keyserver.ubuntu.com DB4363B3
apt-get update
apt-get install libssl-dev openssl

You should now be safe with the patched version of OpenSSL. Next, choose a good place to store your certificate and key. Personally, I prefer to store them in /etc/nginx/ssl, so create an ssl directory under /etc/nginx.

mkdir /etc/nginx/ssl

Step into the directory you have just created.

cd /etc/nginx/ssl

Now you’re ready to create the server’s private key (.key).

openssl genrsa -des3 -out server.key 1024

Then use the server’s private key to create the Certificate Signing Request (.csr).

openssl req -new -key server.key -out server.csr

You will be prompted to enter some information. At the Common Name prompt, enter your domain name (it must match the domain name in /home/dokku/VHOST; otherwise Dokku won’t do things automatically for you).

To please Nginx, it is sometimes necessary to remove the key passphrase:

cp server.key server.key.org && openssl rsa -in server.key.org -out server.key

Ok, sign it!

openssl x509 -req -days 731 -in server.csr -signkey server.key -out server.crt

The certificate signed above will expire in 2 years. Create a ‘tls’ directory in the app directory (if it doesn’t already exist).

mkdir /home/dokku/$APP/tls

Note: $APP is a placeholder for your application name.

cd /home/dokku/$APP/tls
ln -sf /etc/nginx/ssl/server.crt .
ln -sf /etc/nginx/ssl/server.key .
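
A pre-deploy check for the steps above, as an added example that is not part of the original post or of Dokku's own code: it confirms that the key loads without a passphrase, that the certificate was made from that key, that the Common Name equals the contents of the VHOST file, and that the certificate has not expired. The function name check_dokku_tls and the exact-match comparison against VHOST are assumptions made for this example.

```shell
#!/bin/sh
# Added example: sanity-check the certificate/key pair before Dokku uses it.
# check_dokku_tls is a hypothetical helper name; all paths are arguments.
# Usage: check_dokku_tls CERT KEY VHOST_FILE

check_dokku_tls() {
    cert=$1 key=$2 vhost_file=$3

    # 1. nginx cannot prompt for a passphrase at start-up, so the key must
    #    load with an empty passphrase (this fails for a still-encrypted key).
    if ! openssl rsa -in "$key" -passin pass: -noout 2>/dev/null; then
        echo "FAIL: $key is passphrase-protected or unreadable" >&2
        return 1
    fi

    # 2. The certificate must carry the public half of this private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl rsa -in "$key" -passin pass: -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $cert was not issued for $key" >&2
        return 2
    fi

    # 3. The Common Name must equal the domain stored in the VHOST file
    #    (exact match is this example's assumption, taken from the text above).
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p' | head -n 1)
    vhost=$(tr -d ' \t\r\n' < "$vhost_file")
    if [ "$cn" != "$vhost" ]; then
        echo "FAIL: CN '$cn' does not match VHOST '$vhost'" >&2
        return 3
    fi

    # 4. The certificate must not already be expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: $cert has expired" >&2
        return 4
    fi

    echo "OK: $cert matches $key and VHOST '$vhost'"
}

# Run the check when the script is called with its three arguments.
if [ "$#" -eq 3 ]; then
    check_dokku_tls "$@"
fi
```

With the paths used in this post, the call is `check_dokku_tls /etc/nginx/ssl/server.crt /etc/nginx/ssl/server.key /home/dokku/VHOST`.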

After you deploy your app, your site will be served via HTTPS with SPDY support (requests over HTTP will be redirected to HTTPS as well).

Your nginx config should end up looking similar to this config in gist:
