setup ssl on nearlyfreespeech host with namecheap-provided positivessl

The following outlines steps on how to enable SSL for a NearlyFreeSpeech hosted site. The SSL service used in this example is Namecheap’s PositiveSSL.

prerequisites

  • Hosted service with NearlyFreeSpeech with SSH access.
  • A purchased PositiveSSL certificate from Namecheap.

steps

Prepare a directory on your NearlyFreeSpeech server and move into it:

$ mkdir /home/protected/ssl
$ cd /home/protected/ssl

Generate your private key and CSR (certificate signing request) file (adjust myserver to your own domain, if desired). The -nodes option writes the private key without passphrase encryption:

$ openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out myserver.csr
Generating a 2048 bit RSA private key
...

The command will prompt you with a series of questions. Provide:

  • Your country name code, state/province, city.
  • Your company name and unit name; or just NA for an individual.
  • For common name, the domain you wish to enable the certificate for (for example, www.example.org).
  • Your email address.
  • Default values for the rest.

After generation, you should have two (2) files:

File            Description
myserver.key    Private Key File
myserver.csr    Certificate Signing Request File

With a purchased SSL certificate from Namecheap, start the activation process (an “Activate” button should exist for your newly purchased certificate). The start of the activation process will ask you for your CSR. Copy and paste the content of your myserver.csr file into the input. Validate that your “Primary Domain” matches your target domain. For “Server Type”, ensure the option with Apache is selected. Complete the confirmation process.


When your certificate's status moves from in-progress to issued, you should be able to download the certificate by going to “Details –> Download Certificate”. This will download a ZIP file which contains the following important files:

File                         Description
www_example_org.ca-bundle    The Certificate Chain
www_example_org.crt          Your Certificate

Upload both the ca-bundle and crt files to your /home/protected/ssl directory.

Verify your certificate by using the following command:

$ openssl verify -untrusted www_example_org.ca-bundle www_example_org.crt
www_example_org.crt: OK
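
The verify command above checks the chain, but not that the issued certificate belongs to myserver.key or that the unencrypted key is unreadable by other accounts. The following pre-flight script is an added example, not part of the original steps; the function names are hypothetical and the file names are the ones used on this page:

```shell
#!/bin/sh
# Added example: pre-flight checks before piping files to `nfsn -i set-tls`.
# Function names are hypothetical; file names follow the steps on this page.

# Succeeds only if the public key inside the certificate is the one
# derived from the private key (both printed as SubjectPublicKeyInfo PEM).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Succeeds only if the key file grants nothing to group or other.
# `-nodes` leaves the key unencrypted, so file mode is its only protection.
key_is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Usage: preflight myserver.key www_example_org.crt www_example_org.ca-bundle
preflight() {
    key_is_private "$1" ||
        { echo "FAIL: $1 is accessible to group/other (chmod 600)" >&2; return 1; }
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: $2 does not carry the public key of $1" >&2; return 1; }
    # Match the ": OK" line shown on this page rather than the exit status.
    openssl verify -untrusted "$3" "$2" 2>/dev/null | grep -q ': OK$' ||
        { echo "FAIL: $2 does not chain through $3" >&2; return 1; }
    echo "OK: key is private, matches certificate, chain verifies"
}

# Run the checks when called with the three file names as arguments.
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

A key mismatch usually means the CSR submitted during activation came from a different key file than the one in this directory.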

Enable TLS on your site by invoking the following command:

$ cat myserver.key www_example_org.crt www_example_org.ca-bundle | nfsn -i set-tls
INFO: Enabling TLS for example.org
INFO: Enabling front-end HTTPS for example.org
INFO: Enabling TLS for www.example.org
INFO: Enabling front-end HTTPS for www.example.org
INFO: Flagging canonical name as HTTPS-enabled.
e4: OK (example.org, www.example.org)
e3: OK (example.org, www.example.org)
e6: OK (example.org, www.example.org)
e5: OK (example.org, www.example.org)
OK: Setup was fully confirmed.

In a few moments, your certificate should be up and running.