Ubuntu 14.04 – SSL Certificate on Nginx

TLS, or Transport Layer Security, and its predecessor SSL, Secure Sockets Layer, are protocols that wrap ordinary traffic in an encrypted, integrity-protected channel.

These protocols allow traffic to be sent between remote parties so that someone on the path between them can neither read it nor tamper with it unnoticed. They are also the basis for verifying the identity of servers on the internet: a certificate authority (CA) vouches for a server by signing its certificate, and clients check that signature against the CAs they already trust. A self-signed certificate, which is what this guide creates, gives you the encryption but not the third-party identity check, which is why browsers warn about it.

Create a self-signed SSL certificate for Nginx on an Ubuntu 14.04 server

Create a Self-Signed SSL Certificate

Create a subdirectory to place the certificate files:

sudo mkdir /etc/nginx/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is the public key infrastructure standard that SSL/TLS uses for its keys and certificates. Since we want to create a new X.509 certificate, this is the subcommand we need.
-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. A passphrase-protected key would prevent Nginx from starting automatically, since someone would have to type the passphrase every time the service restarts. The trade-off is that the key is then protected only by file permissions, so make sure the key file is readable by root alone.
-days 365: This specifies that the certificate we are creating will be valid for one year.
-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn’t create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
-keyout: This parameter names the output file for the private key file that is being created.
-out: This option names the output file for the certificate that we are generating.

You will be asked a number of questions; the answers below are examples:

Country Name (2 letter code) [AU]:GR
State or Province Name (full name) [Some-State]:Athens
Locality Name (eg, city) []:Athens
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company
Organizational Unit Name (eg, section) []:Department of Kittens
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
Email Address []:your_email@domain.com

The most important item that is requested is the line Common Name (e.g. server FQDN or YOUR name). Enter the domain name you want to associate with the certificate, or the server's public IP address if you do not have a domain name. Note that current browsers match the hostname against the certificate's subjectAltName extension rather than the Common Name; the interactive prompts never ask for one, so a certificate created this way is also reported as a hostname mismatch, in addition to being untrusted because it is self-signed. Supplying a subjectAltName requires an OpenSSL configuration file on the OpenSSL 1.0.1 that ships with Ubuntu 14.04.

The key and certificate will be created and placed in your /etc/nginx/ssl directory.
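The same key and certificate can be produced without the interactive prompts. The script below is an added example written for this page, not part of the original guide: it generates the key and certificate with a subjectAltName (through a temporary OpenSSL config file, because OpenSSL 1.0.1 on Ubuntu 14.04 has no -addext option), restricts the key file's permissions, confirms that the key matches the certificate, and uses openssl verify to show why a client without this certificate in its trust store rejects it while a client that has imported it accepts it. The hostname your_domain.com, the environment variables and the function names are assumptions.

```shell
#!/bin/sh
# Added example for this page (not part of the original guide): create the
# nginx key and self-signed certificate non-interactively, with a
# subjectAltName, and check the result with the openssl command line.
# Assumptions: the hostname your_domain.com, the /etc/nginx/ssl directory
# from the guide, and the function and variable names used here.
set -eu

CERT_HOST="${CERT_HOST:-your_domain.com}"   # assumed hostname
SSL_DIR="${SSL_DIR:-/etc/nginx/ssl}"        # directory created in the guide
DAYS="${DAYS:-365}"                         # same lifetime as the guide

# make_selfsigned DIR HOST DAYS
#   Writes DIR/nginx.key and DIR/nginx.crt. A temporary openssl config file
#   supplies the subject and a subjectAltName extension; Ubuntu 14.04 ships
#   OpenSSL 1.0.1, which has no -addext option for this.
make_selfsigned() {
    dir="$1"; host="$2"; days="$3"
    mkdir -p "$dir"
    cfg="$(mktemp)"
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server

[dn]
CN = $host

[v3_server]
subjectAltName = DNS:$host
EOF
    # -nodes: no passphrase, so nginx can start unattended (the guide's choice);
    # the key is therefore protected only by file permissions, set below.
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 -config "$cfg" \
        -keyout "$dir/nginx.key" -out "$dir/nginx.crt" 2>/dev/null
    rm -f "$cfg"
    chmod 600 "$dir/nginx.key"   # private key: owner only
    chmod 644 "$dir/nginx.crt"   # certificate: public
}

# cert_san CRT -> prints the certificate's subjectAltName entry (empty if none)
cert_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
        tail -n 1 | sed 's/^ *//'
}

# key_matches_cert KEY CRT -> succeeds if KEY's public half is the one in CRT
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# key_mode FILE -> octal permission bits (GNU stat, falling back to BSD stat)
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# verify_with_trust CRT CAFILE -> succeeds if CRT validates with CAFILE as the
# only trust anchor; this is what a client that imported the certificate sees.
verify_with_trust() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# verify_with_system_cas CRT -> succeeds only if CRT chains to a CA the system
# trusts. A self-signed certificate fails here, which is the browser warning.
verify_with_system_cas() {
    openssl verify "$1" >/dev/null 2>&1
}

# Usage: sudo sh selfsigned.sh run
if [ "${1:-}" = "run" ]; then
    make_selfsigned "$SSL_DIR" "$CERT_HOST" "$DAYS"
    echo "SAN: $(cert_san "$SSL_DIR/nginx.crt")"
    key_matches_cert "$SSL_DIR/nginx.key" "$SSL_DIR/nginx.crt" && echo "key matches certificate"
    verify_with_trust "$SSL_DIR/nginx.crt" "$SSL_DIR/nginx.crt" && echo "validates when explicitly trusted"
    verify_with_system_cas "$SSL_DIR/nginx.crt" || echo "rejected by the system CA store (expected)"
fi
```

Run it as root (it writes into /etc/nginx/ssl); set CERT_HOST to your own domain first. The two verify functions reproduce what the browser does later in this guide: the certificate is only accepted by a client that has been told explicitly to trust this exact certificate.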

Configure Nginx to Use SSL

Nginx 0.7.14 and later (Ubuntu 14.04 ships 1.4.6) accept the ssl parameter on the listen directive, so HTTPS can be enabled within the same server block that serves plain HTTP.

The default server block (on Ubuntu 14.04 it lives in /etc/nginx/sites-available/default) looks like this:

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /usr/share/nginx/html;
    index index.html index.htm;

    server_name your_domain.com;

    location / {
        try_files $uri $uri/ =404;
    }
}

To get SSL working in this same server block, while still allowing regular HTTP connections, add a listen directive for port 443 with the ssl parameter and point ssl_certificate and ssl_certificate_key at the files created above:

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    listen 443 ssl;

    root /usr/share/nginx/html;
    index index.html index.htm;

    server_name your_domain.com;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    location / {
        try_files $uri $uri/ =404;
    }
}
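The block above enables TLS but leaves nginx 1.4.6's protocol and cipher defaults in place, and those defaults still allow SSLv3. The configuration below is an added example, not the guide's own config: it is the same server block with the settings a practitioner would add on Ubuntu 14.04 (nginx 1.4.6 with OpenSSL 1.0.1f). The hostname, paths and the exact cipher list are assumptions; adjust them to your environment.

```nginx
# Added example (not the guide's own config): the same server block with the
# TLS settings a practitioner would add on Ubuntu 14.04 (nginx 1.4.6,
# OpenSSL 1.0.1f). Hostname, paths and cipher list are assumptions.
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    # Listen for TLS on IPv4 and IPv6; the ssl parameter replaces "ssl on;".
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    root /usr/share/nginx/html;
    index index.html index.htm;

    server_name your_domain.com;

    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    # Weak default being replaced: nginx 1.4.6's ssl_protocols default is
    # "SSLv3 TLSv1 TLSv1.1 TLSv1.2". SSLv3 is broken (POODLE) and TLS 1.0/1.1
    # are deprecated; OpenSSL 1.0.1 supports TLS 1.2, so allow only that.
    ssl_protocols TLSv1.2;

    # Forward-secret, AEAD-preferred suites only: no RC4, 3DES or anonymous
    # suites, and the server's preference order wins over the client's.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384';
    ssl_prefer_server_ciphers on;

    # Shared session cache so returning clients resume instead of
    # repeating the full handshake.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Before restarting, run sudo nginx -t so that a typo in the block above produces an error message instead of a web server that fails to come back up.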

Save and close the file.

Restart Nginx

sudo service nginx restart

The site now responds to both HTTP and HTTPS (SSL) requests.

Test in a browser

http://server_domain_or_IP

You should see the normal website.

https://server_domain_name_or_IP

You will get a warning that your browser cannot verify the identity of your server, because the certificate has not been signed by one of the certificate authorities the browser trusts.

This is because we self-signed the certificate. Since this is expected for a test setup, choose the -Proceed anyway- or similar option in your browser. Do not make a habit of clicking through this warning on sites you rely on: the CA signature is what lets a browser tell your server apart from an impostor presenting a different self-signed certificate. For a server that only your own clients use, import this certificate into their trust stores instead; for a public site, obtain a CA-signed certificate.
