Tuesday, August 23, 2016

Ubuntu 16.04. How to generate a self-signed SSL certificate for NGINX and add it to the trusted list.

First you need to generate a self-signed certificate for NGINX:

Create a directory for the certificates:

sudo mkdir /etc/nginx/ssl

Now generate the SSL certificate:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

  • openssl: This is the basic command line tool for creating and managing OpenSSL certificates, keys, and other files.
  • req: This subcommand specifies that we want to use X.509 certificate signing request (CSR) management. "X.509" is the public key infrastructure standard that SSL and TLS adhere to for their key and certificate management. We want to create a new X.509 cert, so we are using this subcommand.
  • -x509: This further modifies the previous subcommand by telling the utility that we want to make a self-signed certificate instead of generating a certificate signing request, as would normally happen.
  • -nodes: This tells OpenSSL to skip the option to secure our certificate with a passphrase. We need Nginx to be able to read the file, without user intervention, when the server starts up. A passphrase would prevent this from happening because we would have to enter it after every restart.
  • -days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.
  • -newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.
  • -keyout: This line tells OpenSSL where to place the generated private key file that we are creating.
  • -out: This tells OpenSSL where to place the certificate that we are creating.
You will be asked some questions:

Country Name (2 letter code) [AU]:US 
State or Province Name (full name) [Some-State]: New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Acme, Inc. 
Organizational Unit Name (eg, section) []:Research dep.
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com 
Email Address []:admin@your_domain.com  
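The same openssl step done without the interactive prompts, as an added example that is not part of the original post. It writes the subject and a subjectAltName through a small config file (so it also works on the OpenSSL 1.0.2 that Ubuntu 16.04 ships), then checks that the key really belongs to the certificate and that the certificate validates when used as its own trust anchor, which is what the later "trusted list" step depends on. The directory, host name and subject fields are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): the same openssl step done
# non-interactively with a subjectAltName, plus two sanity checks.
# Assumes openssl is on PATH; directory and host name are placeholders.
set -e

gen_selfsigned() {
  dir="$1"; host="$2"          # e.g. /etc/nginx/ssl your_domain.com
  mkdir -p "$dir"
  # A config file instead of -addext so this also works on the
  # OpenSSL 1.0.2 shipped with Ubuntu 16.04. The DNS SAN matters:
  # current browsers match the host against the SAN, not the CN.
  cat > "$dir/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
C = US
O = Acme, Inc.
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -config "$dir/san.cnf" \
    -keyout "$dir/nginx.key" -out "$dir/nginx.crt"
  chmod 600 "$dir/nginx.key"   # private key: owner-readable only
  chmod 644 "$dir/nginx.crt"   # certificate is public
}

# Returns 0 when the private key really belongs to the certificate
# (compares the public key carried by each file, not the file names).
key_matches_cert() {
  c=$(openssl x509 -in "$1/nginx.crt" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$1/nginx.key" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Returns 0 when the certificate validates for host $2 with itself as the
# only trust anchor, i.e. what trusting it via update-ca-certificates or
# the requests verify= parameter relies on.
verify_as_ca() {
  openssl verify -CAfile "$1/nginx.crt" "$1/nginx.crt" >/dev/null &&
    openssl x509 -in "$1/nginx.crt" -noout -text | grep -q "DNS:$2"
}

# Usage (as root, to match the post):
#   gen_selfsigned /etc/nginx/ssl your_domain.com && verify_as_ca /etc/nginx/ssl your_domain.com
```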

Now that the self-signed certificate is generated, we need to configure NGINX to use SSL.

Open the nginx site config file (usually /etc/nginx/sites-available/<some_name>.conf).

You will find something like this:

server {

          listen 80 default_server;
          listen [::]:80 default_server ipv6only=on;

          root /usr/share/nginx/html;
          index index.html index.htm;

          server_name your_domain.com;

          location / {
                    try_files $uri $uri/ =404;
          }
}


Add the ssl listen directive and the certificate paths, so the block looks like this:

server {

          listen 80 default_server;
          listen [::]:80 default_server ipv6only=on;

          listen 443 ssl;

          root /usr/share/nginx/html;
          index index.html index.htm;

          server_name your_domain.com;
          ssl_certificate /etc/nginx/ssl/nginx.crt;
          ssl_certificate_key /etc/nginx/ssl/nginx.key;

          location / {
                    try_files $uri $uri/ =404;
          }
}

Save and close the file, then restart nginx:

sudo service nginx restart

Then test whether your site is accessible via https: open a browser and use https:// instead of http://.
You will likely get a warning that your site uses an untrusted certificate. That is normal, because we use a self-signed certificate.

Now, if we want to communicate with this server from another machine over https, we need to add our certificate to the "trusted list" on that other machine:

Go to /usr/local/share/ca-certificates/, create a new folder and copy the .crt file into it (keep the .crt extension; update-ca-certificates only picks up files ending in .crt):

cd /usr/local/share/ca-certificates
sudo mkdir <dir_name>
sudo cp nginx.crt <dir_name>/


Make sure that the permissions are OK: 755 for the folder and 644 for the file.

Next, update the certificate list:

sudo update-ca-certificates


-------- method 2 -----------

Go to /usr/share/ca-certificates:

cd  /usr/share/ca-certificates

Create a new directory for the certificate:

sudo mkdir <dir_name>

Then issue the command:

sudo dpkg-reconfigure ca-certificates

dpkg-reconfigure ca-certificates calls update-ca-certificates internally, so no separate update step is needed.



P.S.

I noticed that this will not help if you try to connect to the server using Python and urllib3. I always got the message:

 [SSL: CERTIFICATE_VERIFY_FAILED]

This was solved by adding verify='path_to_certificate_file' to the requests.post() call.
