Setting up SSL on Digital Ocean with Node and Nginx

July 14th, 2015

Setting up SSL seems like a daunting task. After watching Emily Stark’s talk at jQuerySF about TLS and SSL, I decided it was time to get to it. I want to show you a simple method to set up SSL on Digital Ocean with Nginx and a Node app. We will use sslmate to make this simple and easy!

SSL on Digital Ocean

First things first: set up a Digital Ocean server. I recently wrote an article about Deploying a Node app on Digital Ocean using Nginx; check it out if you want to get comfortable with the process. I am going to skip a few things here.

So let's assume by now you are signed into your server. The first thing we should do is install sslmate; these commands are taken from the getting started section of the sslmate site.


wget -P /etc/apt/sources.list.d https://sslmate.com/apt/ubuntu1404/sslmate.list
wget -P /etc/apt/trusted.gpg.d https://sslmate.com/apt/ubuntu1404/sslmate.gpg
apt-get update
apt-get install sslmate

You will have to make sure you are signed up at sslmate. Once you have done so, you can run:


sslmate buy myurl.com

It will prompt you to sign in with your sslmate login. If you want to avoid this in the future, you can use the sslmate link command to link your account.

Once you approve the purchase, it will ask you how you would like to approve the certificate. If you are able to create email accounts for the domain, you can create one of the listed addresses. For example, admin@myurl.com is one of the approved addresses you can send to. If you want, you can even use DNS to approve the cert: sslmate will provide you with a record to add to your settings.

If you are using Digital Ocean and you have pointed your DNS to be handled by Digital Ocean, you can use the Digital Ocean API to allow sslmate to add the DNS record programmatically. You can do this by creating a .sslmate file in your home directory and adding this line to it.


dns.digitalocean.key Your DigitalOcean API key

You will have to request an API key from Digital Ocean for this to work. Since the file now holds an API key, keep it readable only by your own user.

However, if your domains are hosted somewhere else, you will have to add the CNAME record on that host to allow the certificate to be approved. Do this and wait for a while before proceeding to the next step. The DNS change needs to propagate before you can move on. If you don’t have time to wait, you can continue on and sslmate will prompt you to exit out, and it will email you once the cert is approved. To check if it has propagated, you can use this site to test it out.

When the certificate is approved, you can run sslmate download myurl.com to download your certificates; these will be downloaded to /etc/sslmate.

Nginx Configuration

Now we have to configure our nginx server. Change into /etc/nginx/sites-available and open the file default.


server {
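	# The ssl parameter enables TLS on this port; it replaces the deprecated "ssl on;" directive.
	listen 443 ssl;

	# Certificate chain and private key downloaded by sslmate.
	ssl_certificate /etc/sslmate/myurl.com.chained.crt;
	ssl_certificate_key /etc/sslmate/myurl.com.key;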

	location / {
		...
	}
}

After you save this, run nginx -s reload to reload the nginx config. Now you should be able to go to https://myurl.com and see a nice green lock!
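
A fuller version of the server block above, as an added example that is not part of the original post: it redirects plain HTTP to HTTPS, limits the accepted protocol versions, sets HSTS, and proxies to the Node app. The upstream port 3000 and the HSTS lifetime are assumptions; the domain and certificate paths are the ones used in this post.

```nginx
# Added example. myurl.com and the certificate paths come from the post;
# the Node port (3000) and the HSTS lifetime are assumptions.

# Send every plain-HTTP request to the HTTPS site.
server {
	listen 80;
	server_name myurl.com;
	return 301 https://$host$request_uri;
}

server {
	listen 443 ssl;
	server_name myurl.com;

	ssl_certificate     /etc/sslmate/myurl.com.chained.crt;
	ssl_certificate_key /etc/sslmate/myurl.com.key;

	# Refuse SSLv3 and early TLS. TLSv1.3 needs nginx 1.13.0+ built against
	# OpenSSL 1.1.1; drop it from the list on older builds.
	ssl_protocols TLSv1.2 TLSv1.3;

	# Reuse negotiated sessions so repeat visitors skip the full handshake.
	ssl_session_cache   shared:SSL:10m;
	ssl_session_timeout 10m;

	# Tell browsers to use HTTPS only for the next year (assumed lifetime).
	add_header Strict-Transport-Security "max-age=31536000" always;

	location / {
		# Node app assumed to listen on localhost only, so it is never
		# reachable without going through nginx and TLS.
		proxy_pass http://127.0.0.1:3000;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}
}
```

Run nginx -t to validate the file before reloading, so a typo does not take the site down.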

There are a lot more settings you can add to tighten security; they can be found here. I hope this helps you get started with SSL!