Adding a trusted SSL cert on Nginx
Adding a trusted SSL certificate for the local environment in Nginx on Debian/Ubuntu (using root CA)
1 Creating an OpenSSL configuration
Create the OpenSSL configuration file /tmp/openssl.cnf (adjust the subject fields and the alt_names entries to your environment):
nano /tmp/openssl.cnf
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = US
ST = New York
L = Rochester
O = Localhost CA
OU = Development
CN = localhost
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
# Support subdomains
#DNS.2 = *.domain.local
2 Creating a root certification authority (CA)
The root certification authority (CA) will sign every SSL certificate we create, so first we need the CA's own private key and certificate. Create the private key rootCA.key by running the command in the terminal:
sudo openssl genrsa -out /etc/ssl/private/rootCA.key 2048
or, to protect the private key with a passphrase (you will be prompted for it every time the key is used):
sudo openssl genrsa -des3 -out /etc/ssl/private/rootCA.key 2048
Now create the self-signed root certificate rootCA.pem from the private key rootCA.key by running the command in the terminal (replace <DAYS> with the root certificate's validity period in days; you will be prompted for the subject fields, and the CA should get a subject that differs from the server certificate's, for example a CN other than localhost, so the two certificates are not confused when the chain is built):
sudo openssl req -x509 -new -nodes -key /etc/ssl/private/rootCA.key -sha256 -days <DAYS> -out /etc/ssl/certs/rootCA.pem
3 Creating SSL certificates
Now we can issue certificates signed by the root certificate rootCA.pem. First, create the server's private key and a certificate signing request (CSR) by running the command in the terminal:
sudo openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout /etc/ssl/private/localhost.key -out /etc/ssl/private/localhost.csr -config /tmp/openssl.cnf
Now sign the CSR with the root certification authority created earlier to produce the certificate file (the -extensions v3_ca option pulls the subjectAltName from our configuration; without a SAN modern browsers reject the certificate even when the CN matches):
sudo openssl x509 -req -in /etc/ssl/private/localhost.csr -CA /etc/ssl/certs/rootCA.pem -CAkey /etc/ssl/private/rootCA.key -CAcreateserial -out /etc/ssl/certs/localhost.crt -sha256 -days 3650 -extfile /tmp/openssl.cnf -extensions v3_ca
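To check the outcome of steps 1 to 3 before touching Nginx, here is an added example script (not from the original article) that performs the same OpenSSL steps in a scratch directory and then verifies the chain and the SAN the way a browser would. It assumes the openssl command-line tool is installed; the root's subject, the 3650-day validity and the two extra extension sections (v3_root for the CA, basicConstraints on the server certificate) are my additions, not values from the article.

```shell
#!/bin/sh
# Added example: steps 1-3 of the article in a scratch directory, followed by the
# checks a browser performs. Assumes the openssl CLI; the root subject, validity
# periods and the extra extension sections are assumptions, not article values.
set -eu

build_and_verify() {
    work=$(mktemp -d)
    cat > "$work/openssl.cnf" <<'EOF'
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = US
ST = New York
L = Rochester
O = Localhost CA
OU = Development
CN = localhost
[v3_root]
# added: a root without CA:TRUE is rejected by verifiers as an invalid CA certificate
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_ca]
subjectAltName = @alt_names
# added: the server certificate must never be usable as a CA itself
basicConstraints = CA:FALSE
[alt_names]
DNS.1 = localhost
EOF
    # step 2: root key and self-signed root; a subject distinct from the
    # server certificate's keeps chain building from treating the leaf as self-issued
    openssl genrsa -out "$work/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$work/rootCA.key" -sha256 -days 3650 \
        -config "$work/openssl.cnf" -extensions v3_root \
        -subj "/C=US/O=Localhost CA/CN=Localhost Root CA" -out "$work/rootCA.pem"
    # step 3: server key + CSR, then sign with the root exactly as the article does
    openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout "$work/localhost.key" \
        -out "$work/localhost.csr" -config "$work/openssl.cnf" 2>/dev/null
    openssl x509 -req -in "$work/localhost.csr" -CA "$work/rootCA.pem" \
        -CAkey "$work/rootCA.key" -CAcreateserial -out "$work/localhost.crt" \
        -sha256 -days 3650 -extfile "$work/openssl.cnf" -extensions v3_ca 2>/dev/null
    # what the browser checks: the chain ends at the trusted root, and the SAN names the host
    openssl verify -CAfile "$work/rootCA.pem" "$work/localhost.crt" >/dev/null
    openssl x509 -in "$work/localhost.crt" -noout -text | grep -q 'DNS:localhost'
    echo "$work"
}

out=$(build_and_verify) && echo "root CA and server certificate generated and verified in $out"
```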
4 Configuring Nginx to use SSL
Let's enable SSL in the Nginx server configuration: listen on port 443 (HTTPS) and point Nginx at the certificate and private key files. Edit the server configuration file /etc/nginx/sites-available/default:
sudo nano /etc/nginx/sites-available/default
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    ssl_certificate /etc/ssl/certs/localhost.crt;
    ssl_certificate_key /etc/ssl/private/localhost.key;

    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;

    location / {
        try_files $uri $uri/ =404;
    }
}
Save the changes and close the file. Check the configuration for validity by running the command in the terminal:
sudo nginx -t
Now apply the configuration changes by running the command in the terminal:
sudo service nginx reload
5 Adding a certification authority to the browser
- Google Chrome: Settings -> Advanced -> Privacy and security -> Manage certificates -> Authorities -> Import (select the rootCA.pem file and set all trust settings)
- Mozilla Firefox: Preferences -> Privacy & Security -> Certificates -> View Certificates -> Authorities -> Import (select the rootCA.pem file and set all trust settings)
6 Encryption testing
Let's check that our Nginx server is accessible via the HTTPS protocol by entering the following address in the browser:
https://localhost
If you did everything correctly, the browser now trusts your SSL certificate: the connection is encrypted over HTTPS and no warning about an insecure connection is displayed.
Sources:
Adding a trusted SSL certificate for the local environment in Nginx on Debian/Ubuntu (using a root CA)
https://develike.com/ru/stati/dobavlenie-doverennogo-ssl-sertifikata-dlya-lokalnoj-sredy-v-nginx-na-debian-ubuntu