Friday 20 November 2015

Create a self-signed SSL certificate on Ubuntu with Nginx

In this post we will see how to set up HTTPS on Ubuntu with Nginx. HTTPS is a protocol that works on port 443. Generally our website is served on port 80, i.e. HTTP, which is not a secure protocol for transferring confidential information like passwords, account numbers etc.

Information transferred over HTTPS is encrypted in transit. To make use of HTTPS we need to set up an SSL certificate on the server, which can be a self-signed one or one purchased from a certificate authority such as DigiCert, GeoTrust, GoDaddy, Thawte etc.

If we buy a certificate it costs us something per year, and the price differs from company to company. The advantage of buying is that our users don't see a page saying this website is not trusted, which might result in losing customers.

The advantage of using a self-signed certificate is that we don't incur any cost, but the disadvantage is that our users see a page asking them to accept the certificate because the site is not trusted, which could result in losing customers.

So which one to use depends on our need. In this post we are going to see how to create and use a self-signed certificate.

SSH into your machine
First update the package cache and install Nginx.

sudo apt-get update
sudo apt-get install nginx

Create SSL certificate
First create an ssl directory under /etc/nginx/

sudo mkdir /etc/nginx/ssl

Now we will create our own SSL certificate (the private key and the certificate in one command).

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

The above command will prompt for a few pieces of information; sample answers are shown after the colons.

Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Madhya Pradesh
Locality Name (eg, city) []:Indore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC corp Pvt Ltd
Organizational Unit Name (eg, section) []:xyz
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
Email Address []:admin@your_domain.com

Now we have two files, "nginx.key" and "nginx.crt", in the /etc/nginx/ssl/ directory.
You can check that these files exist with the following command.

ls /etc/nginx/ssl/

Following are the options used in the command to create the SSL certificate:
  • openssl: This is the basic command-line tool for creating and managing OpenSSL keys and certificates.
  • req: This sub-command specifies that we want to use X.509 certificate signing request (CSR) management. X.509 is the public key infrastructure standard that SSL and TLS adhere to for key and certificate management. We want to create a new X.509 cert, so we are using this sub-command.
  • -x509: This modifies the previous sub-command by telling the utility that we want to make a self-signed certificate instead of generating a certificate signing request, as would normally happen.
  • -nodes: This tells OpenSSL not to encrypt the private key with a passphrase. We need Nginx to be able to read the key file without user intervention when the server starts up; a passphrase would prevent this because we would have to enter it after every restart.
  • -days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.
  • -newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.
  • -keyout: This tells OpenSSL where to place the generated private key file.
  • -out: This tells OpenSSL where to place the certificate that we are creating.
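As an added example (not part of the original post), the same openssl command run non-interactively, with -subj supplying the answers to the prompts above, followed by the checks worth running before pointing Nginx at the files: that the key really matches the certificate, that the certificate is not about to expire, and that the private key is not readable by other users. It assumes openssl 1.1.1 or newer (for -addext) and GNU stat; the output directory and hostname are arguments.

```shell
#!/bin/sh
# Added example, not from the original post: the post's openssl command run
# non-interactively (-subj answers the prompts), plus the checks a sysadmin
# runs before pointing Nginx at the files. Assumes openssl 1.1.1 or newer
# (for -addext) and GNU stat. The directory and hostname are arguments.
set -eu

# make_self_signed DIR HOST [DAYS]: writes DIR/nginx.key and DIR/nginx.crt.
make_self_signed() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir"
    # Same options as in the post; -addext adds a subjectAltName, which
    # browsers check in addition to the Common Name.
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$dir/nginx.key" -out "$dir/nginx.crt" \
        -subj "/C=IN/ST=Madhya Pradesh/L=Indore/O=ABC corp Pvt Ltd/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    # -nodes leaves the key unencrypted, so file permissions are its only
    # protection: readable by the owner (root) alone.
    chmod 600 "$dir/nginx.key"
}

# check_pair DIR: succeeds only if the key and certificate belong together,
# the certificate is valid for at least another day, and the key file is
# not readable by other users. A key/certificate mismatch is the usual
# reason Nginx refuses to start after editing ssl_certificate_key.
check_pair() {
    dir=$1
    [ -s "$dir/nginx.key" ] && [ -s "$dir/nginx.crt" ] \
        || { echo "missing key or certificate in $dir"; return 1; }
    key_mod=$(openssl rsa -in "$dir/nginx.key" -noout -modulus)
    crt_mod=$(openssl x509 -in "$dir/nginx.crt" -noout -modulus)
    [ "$key_mod" = "$crt_mod" ] \
        || { echo "nginx.key does not match nginx.crt"; return 1; }
    openssl x509 -in "$dir/nginx.crt" -noout -checkend 86400 >/dev/null \
        || { echo "certificate expires within a day"; return 1; }
    perms=$(stat -c %a "$dir/nginx.key")
    [ "$perms" = "600" ] \
        || { echo "nginx.key permissions are $perms, expected 600"; return 1; }
}

# cert_cn DIR: the Common Name the browser will show on the warning page.
cert_cn() {
    openssl x509 -in "$1/nginx.crt" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
```

Typical use is `make_self_signed /etc/nginx/ssl your_domain.com` as root, then `check_pair /etc/nginx/ssl` before restarting Nginx.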

Configuring Nginx
Nginx by default listens on port 80 and has the following default configuration.

server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        root /usr/share/nginx/html;
        index index.html index.htm;

        server_name your_domain.com;

        location / {
                try_files $uri $uri/ =404;
        }
}

HTTPS works on port 443, so we need to tell Nginx to listen on port 443 using the SSL certificate we generated, providing the path to the certificate as well as to the key file.
Change the configuration to the following.

server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        listen 443 ssl;

        root /usr/share/nginx/html;
        index index.html index.htm;

        server_name your_domain.com;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        location / {
                try_files $uri $uri/ =404;
        }
}
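As an added example (not the post's own configuration), the same setup split into two server blocks so that plain HTTP only redirects to HTTPS and passwords are never sent over port 80. It uses the post's placeholder domain and file paths; the ssl_protocols line assumes an Nginx build with TLSv1.3 support and can be trimmed to TLSv1.2 on older builds.

```nginx
# Added example, not from the original post. Paths and domain are the
# placeholders used in the post.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name your_domain.com;

    # Send every plain-HTTP request to the HTTPS server block below.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name your_domain.com;

    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    # Only offer current protocol versions (assumes TLSv1.3 support).
    ssl_protocols TLSv1.2 TLSv1.3;

    root /usr/share/nginx/html;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Run sudo nginx -t before restarting; it reports a bad certificate or key path without taking the server down.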

We are done with the configuration. Now restart Nginx.

sudo service nginx restart

Now open the IP or domain in the browser over http:

http://X.X.X.X

It will show the default Nginx page.

Now open the IP or domain over https:

https://X.X.X.X

It shows a page asking us to accept the certificate, since it is not from a trusted certificate authority (we created a self-signed certificate). After accepting it we can communicate with our server over HTTPS.

Copyright @ 2013 Appychip.