How to get .crt and .key from cert.pem and key.pem - ssl

I know this is a super similar question to many other questions, but none of them either give a straight answer or one that works for me...
I have gotten two files from Let's encrypt:
cert.pem
key.pem
I need to get them into a crt and key format for use on an nginx server.
I have tried:
openssl rsa -outform der -in key.pem -out key.key
and
openssl x509 -outform der -in cert.pem -out cert.crt
but get the following error when starting up nginx:
# service nginx restart
Performing sanity check on nginx configuration:
nginx: [emerg] cannot load certificate "/etc/ssl/nginx/cert.crt": PEM_read_bio_X509_AUX() failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed

The extension .pem indicates that the file format is PEM (Privacy-Enhanced Mail). However, the extension does not tell anything about the content of the file. The content may be a certificate, a private key, a public key, or something else.
The extension .crt indicates that the content of the file is a certificate. However, the extension does not tell anything about the file format. The file format may be PEM, DER (Distinguished Encoding Rules) or something else. If the file is text and contains -----BEGIN CERTIFICATE-----, the file format is PEM. On the other hand, if the file is binary, it is highly likely that the file format is DER.
The extension .key indicates that the content of the file is a private key. However, the extension does not tell anything about the file format. The file format may be PEM, DER or something else. If the file is text and contains -----BEGIN PRIVATE KEY----- (or something similar), the file format is PEM. On the other hand, if the file is binary, it is highly likely that the file format is DER.
Diagrams below from "Illustrated X.509 Certificate" illustrate the relationship among ASN.1 (X.680), DER (X.690), BASE64 (RFC 4648) and PEM (RFC 7468).
Both ssl_certificate and ssl_certificate_key of ngx_http_ssl_module expect the file format to be PEM, as the reference document says. Therefore, you don't have to change the file format of your cert.pem and key.pem, because their file extension .pem indicates that their file format is already PEM. Just write the lines below in your Nginx configuration file.
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
If you prefer .crt and .key extensions, just rename them like below.
$ mv cert.pem cert.crt
$ mv key.pem key.key
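The extension-versus-format point above, as an added example that is not part of this answer: a stdlib-only Python helper that tells PEM from DER by content rather than by extension, and wraps a DER blob back into the PEM form that ssl_certificate expects. The DER check is a heuristic (one top-level ASN.1 SEQUENCE whose encoded length matches the file), and the sample input is a constructed five-byte SEQUENCE, not a real certificate.

```python
import base64
import re

# One PEM block: "-----BEGIN label-----", base64 body, "-----END label-----" (RFC 7468).
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(data):
    """All (label, DER bytes) pairs in a PEM file; an empty list means the file is not PEM."""
    return [(m.group(1).decode(), base64.b64decode(b"".join(m.group(2).split())))
            for m in PEM_BLOCK.finditer(data)]

def looks_like_der(data):
    """True if data is exactly one DER SEQUENCE (tag 0x30) whose encoded length matches.
    Certificates, PKCS#1 and PKCS#8 keys are all SEQUENCEs at the top level."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                                  # short-form length
        return 2 + first == len(data)
    n = first & 0x7F                                  # long form: n length bytes follow
    return 1 <= n <= 4 and 2 + n + int.from_bytes(data[2:2 + n], "big") == len(data)

def detect_format(data):
    """Describe the real format of a file regardless of its extension."""
    labels = [label for label, _ in pem_blocks(data)]
    if labels:
        return "PEM: " + ", ".join(labels)
    return "DER" if looks_like_der(data) else "unknown"

def der_to_pem(der, label):
    """Wrap DER bytes as a PEM block with 64-character base64 lines."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)).encode()

def ensure_pem(data, label):
    """Return data in the PEM form nginx wants: unchanged if already PEM, wrapped if DER."""
    if pem_blocks(data):
        return data
    if looks_like_der(data):
        return der_to_pem(data, label)
    raise ValueError("neither PEM nor DER")

# Constructed demo input: a tiny DER SEQUENCE { INTEGER 5 }, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")
```

Running detect_format over the cert.crt produced by `openssl x509 -outform der` reports "DER", which is exactly why nginx complained about a missing start line.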

If you want to set up NGINX with Let's Encrypt, you can do it automatically using the application certbot.
To install certbot for nginx:
on Ubuntu/Debian:
sudo apt install python-certbot-nginx
on Arch linux:
sudo pacman -S certbot-nginx
on CentOS:
sudo yum install epel-release
sudo yum install certbot-nginx
Then you need to make a very simple configuration file for your domain. The directory should be the same for all the mentioned operating systems:
/etc/nginx/sites-available/example.com
In here you just add this information:
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    location / {
        proxy_pass http://127.0.0.1:5000; # Example
    }
}
Then create the symlink to activate the domain:
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
Remember to replace example.com with your domain, and switch proxy_pass to your service or directory of hosted files.
Now you should restart NGINX:
sudo nginx -t
This one will return an error if you have errors in your configuration.
If everything is OK, then restart NGINX:
sudo systemctl restart nginx.service
Now certbot comes into the picture:
sudo certbot --nginx -d example.com -d www.example.com
At this point Let's Encrypt will try to reach your nginx server; if everything is OK, this means:
Firewall settings allow ports 80 and 443 through
Port forwarding through the network is allowed for the 2 ports
Then you will get to pick easy or secure access. I recommend the secure option.
When you have pressed [enter], the process will finish and certbot will have generated all your certificate files and added them to the correct path.
Your configuration file in /etc/nginx/sites-available/example.com will have been updated with all the correct settings.
You may be required to restart nginx once again.
I hope it was helpful. Good luck.
[Sources]
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-centos-7
https://wiki.archlinux.org/index.php/Certbot#Nginx

Related

MyDomain.com only provides copy-able text for Positive SSL certificate: one for cert and one for key. How do I install this on my nginx web server?

I'm trying to set up an SSL certificate on a site using the nginx web server. In the past, I generated SSL certs from Let's Encrypt/Certbot with no issues. This time, I purchased a .com domain and a Positive SSL certificate from MyDomain.com. MyDomain.com doesn't provide a .zip file or ca-bundle file for the cert (i.e., there doesn't appear to be an intermediate certificate or root certificate). Instead, it gives me two plaintext lines of code to manually copy: one for Certificate and one for Key.
The Certificate line contains -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
The Key line contains -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----
I paste each of these lines into its own text editor file (using Atom on Ubuntu 18.0) and save as .crt and .key, respectively. (I was told by MyDomain.com support that the Certificate should be .crt, but who knows?)
I then add these file paths to my nginx site config file as below:
ssl_certificate /etc/ssl/certs/mysite.com.crt;
ssl_certificate_key /etc/ssl/private/mysite.com.key;
However, nginx fails on restart and when I check the config file I get the following:
$ sudo nginx -t
nginx: [emerg] PEM_read_bio_X509_AUX("/etc/ssl/certs/mysite.com.crt") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /etc/nginx/nginx.conf test failed
Some things I've tried:
Saving the Certificate as a .pem = same error.
Manually adding the word TRUSTED to the certificate's beginning and ending = same error.
Trying to convert the file based on its encoding:
$ sudo openssl x509 -in /etc/ssl/certs/mysite.com.crt -out /etc/ssl/certs/mysite.com.pem -outform PEM
unable to load certificate
140561005191616:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
$ sudo openssl x509 -in /etc/ssl/certs/mysite.com.crt -inform der -outform pem -out /etc/ssl/certs/mysite.com.pem
unable to load certificate
139831375835584:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
139831375835584:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=X509
$ sudo openssl x509 -inform DER -in /etc/ssl/certs/mysite.com.crt -out /etc/ssl/certs/mysite.com.pem -text
unable to load certificate
139993835831744:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
139993835831744:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=X509
I'm not sure what to do from here. Has anyone successfully installed an SSL certificate on nginx using just a .crt file and .key file?
Should anyone see this and feel curious, I had to reach out to MyDomain.com support and ask for the certificate bundle. They got it to me (.crtc bundle as well as individual files for cert and intermediate cert) and now it works just fine on my nginx server. It wasn't going to work without those additional files.

How to generate PEM files to install my own SSL certificate?

I have an SSL certificate, Comodo PositiveSSL.
These are the files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
domain.com.key
domain_com.crt
Vendor requirements:
The certificate, private key, and certificate chain must be PEM-encoded
/ssl/test1.bx.key.pem
/ssl/test1.bx.cert.pem
/ssl/test1.bx.ca-chain.cert.pyem
Do I create PEM files correctly?
cat COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt AddTrustExternalCARoot.crt > domain.com.ca-chain.cert.pem
cat domain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > domain.com.cert.pem
cat domain.com.key domain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > domain.com.key.pem
Do I create PEM files correctly?
No. The key file should not be the result of concatenated files. I don't know your vendor, but I believe domain.com.key = /ssl/test1.bx.key.pem
What I suppose your vendor expects, though I can't be sure of course:
/ssl/test1.bx.cert.pem = domain_com.crt
/ssl/test1.bx.ca-chain.cert.pyem = AddTrustExternalCARoot.crt + COMODORSAAddTrustCA.crt + COMODORSADomainValidationSecureServerCA.crt
To set up certificates in a Bitrix environment you need to do the following:
Concatenate the CA bundle and the certificate file which we sent you using the following steps:
1.1. To concatenate the certificate files into single bundle file, first open domainname.crt and domainname.ca-bundle files using any text editor.
1.2 Now copy all the content of domainname.crt and paste it on the top of domainname.ca-bundle file.
1.3 Now save the file under the name 'ssl-bundle.crt'.
Store the bundle and private key in the appropriate nginx ssl folder /etc/nginx/ssl/example_com/
Add these lines to your nginx config:
ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/private/domainname.key;
ssl_prefer_server_ciphers on;
Restart nginx by running the command systemctl restart nginx.service.
Take a look at the Comodo Knowledgebase article about certificate installation on nginx. They describe step by step how to install certificates on different web servers.

Creating SSL Certs For google app engine Using ZeroSSL And Let's Encrypt

I'm trying to install ssl certificates created using the ZeroSSL.com page for Let's Encrypt, into the Google Cloud Platform.
I followed the FREE SSL Certificate Wizard to do so.
The ZeroSSL page generates four files in the process:
domain-crt.txt
domain-key.txt
account-key.txt
domain-csr.txt
The google Cloud Platform asks for two files:
PEM encoded X.509 public key certificate
Unencrypted PEM encoded RSA private key
I've made all the combinations and followed all the suggestions I could find on the web, but I had no success.
I asked the ZeroSSL people about this, and Alexander answered me with the solution.
SSL Certificate Wizard generates a longer, more secure 4096-bit key by default, but Google only accepts a 2048-bit key. So you should generate the new CSR separately first by using CSR Generator at https://zerossl.com/free-ssl/#csr and making sure you select 2048 bits. Then download the produced key and CSR (please note that this is the domain key, not the LE key) and then use the same LE key as you used originally and this new CSR with the SSL Certificate Wizard.
At the last Wizard step, you might need to split the domain-crt.txt file in two. The first part between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- will go into the "Public key certificate" field.
Finally, the content of domain-key.txt should be pasted into "Private key" field.
You can do this from the command line for free:
Install Certbot client:
$ sudo brew install wget
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x ./certbot-auto
$ ./certbot-auto --help
Then, to generate cert:
$ cd certbot (if not already there)
$ sudo ./certbot-auto certonly --debug -a manual -d www.yoursite.com -d yoursite.com (<--if you want naked too.)
You should get to a screen telling you the challenge URL and response needed to verify the domain. Add each and deploy. Leave each URL working. (They will be needed for renewing.)
If you do both naked and www, you will need to do the challenge URLs twice, once for each subdomain. Finally, you should get this message:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.yoursite.com/fullchain.pem. Your cert will
expire on 2016-xx-07. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew all of your certificates, run
"certbot-auto renew"
Change directory to where pem files are placed:
$ cd /private/etc/letsencrypt/live/www.yoursite.com
Create an unencrypted key (this is the one you upload to GAE; if it fails, use the original privkey.pem):
$ sudo openssl rsa -in privkey.pem -out unencrypted_key.pem
Go to: https://console.cloud.google.com/appengine/settings/certificates?project=yoursite. Click on Upload a new SSL certificate
Open these PEM files in a text editor, and copy/paste the contents in the fields. (fullchain.pem is the public key. unencrypted_key.pem is the unencrypted private key.)
NOTE: Make sure you delete any trailing spaces or line feeds!
That should do it.
Debugging:
If, when you paste the certs into the GAE Settings page, you get an invalid error:
Make sure you delete any trailing line feeds or spaces!
If it still won't accept your PEM files, replace the code from unencrypted_key.pem with the code from the original privkey.pem
If you get homebrew error:
$ cd /usr/local/Library
$ sudo git pull origin master
If you get an augeas error:
$ brew install augeas
If you get "Warning: augeas-1.4.0 already installed, it's just not linked":
$ sudo brew link augeas
If you get ExecutableNotFound:
$ brew install dialog
If you get "Warning: dialog-1.2-20150920 already installed, it's just not linked":
$ sudo brew link dialog
Renewing:
$ cd certbot
$ ./certbot-auto certonly --debug --force-renew -a manual -d www.yoursite.com -d yoursite.com
(You may get an "unable to reach..." error, but the certs are still created.)
Change directory to where pem files are placed:
$ cd /private/etc/letsencrypt/live/www.yoursite.com
Create an unencrypted key (this is the one you upload to GAE; if it fails, use the original privkey.pem):
$ sudo openssl rsa -in privkey.pem -out unencrypted_key.pem
fullchain.pem is the public key.
unencrypted_key.pem is the unencrypted private key.
Go to GAE Settings and install as outlined above.

HTTPS issue "Your connection is not private", Ngnix

I'm trying to get HTTPS to work on all subdomains using "Nginx", but receive:
This server could not prove that it is api.wokcraft.com; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.
URL: https://api.wokcraft.com/
Can anyone tell me what's missing?
thx
edit: I followed these instructions: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/1091/0/certificate-installation--nginx
Nginx doesn't send the correct list of intermediate certificates: https://www.ssllabs.com/ssltest/analyze.html?d=api.wokcraft.com&latest
Create the correct bundle:
You want to create the Comodo bundle this way (replacing your_cert with the actual name of your file):
cat your_cert.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > your_cert.ca-bundle
Get the new ca-bundle onto your server
Once that is done, copy this to your server and set it in Nginx this way:
ssl_certificate /your/ssl/path/your_cert.ca-bundle;
ssl_certificate_key /your/ssl/path/your_cert_privateKey.key;
Verify the cert and key are matching after they have been copied (compare md5 hashes).
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
Test the config (need to run as sudo):
sudo nginx -t
If there are no errors, reload nginx and re-run your SSL Labs check:
https://www.ssllabs.com/ssltest/analyze.html?d=api.wokcraft.com
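For the chain-order point in this answer and in the earlier "Do I create PEM files correctly?" answer, an added Python example that is not code from either answer: it orders a set of DER certificates leaf first by following each issuer to the matching subject, and reports whether the chain ends at a self-signed root. The inputs are constructed, certificate-shaped DER structures carrying only the fields the ordering reads, not real certificates; on real certificates the same field positions apply.

```python
def tlv(tag, content):
    """Encode one DER TLV; short-form length is enough for the small demo values."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    hdr, length = 2, first
    if first >= 0x80:                                 # long form: low 7 bits = number of length bytes
        hdr = 2 + (first & 0x7F)
        length = int.from_bytes(buf[pos + 2:pos + hdr], "big")
    return tag, buf[pos + hdr:pos + hdr + length], pos + hdr + length

def issuer_and_subject(cert_der):
    """Raw DER contents of (issuer, subject). Certificate = SEQUENCE { tbsCertificate, ... };
    tbsCertificate = SEQUENCE { [0] version OPTIONAL, serial, sigAlg, issuer, validity, subject, ... }."""
    _, cert, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(cert)
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 7:
        tag, content, pos = read_tlv(tbs, pos)
        fields.append((tag, content))
    if fields[0][0] == 0xA0:                          # drop the optional explicit version
        fields.pop(0)
    return fields[2][1], fields[4][1]

def order_chain(certs):
    """Leaf-first order (each cert followed by its issuer, as nginx's ssl_certificate bundle needs).
    Returns (chain, complete); complete means the chain ends at a self-signed root."""
    pairs = {c: issuer_and_subject(c) for c in certs}
    by_subject = {subj: c for c, (_, subj) in pairs.items()}
    issuers = {iss for iss, _ in pairs.values()}
    leaves = [c for c, (_, subj) in pairs.items() if subj not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity certificate, found %d" % len(leaves))
    chain = leaves
    while True:
        issuer, subject = pairs[chain[-1]]
        if issuer == subject:
            return chain, True                        # reached a self-signed root
        nxt = by_subject.get(issuer)
        if nxt is None:
            return chain, False                       # next issuer is not in the bundle
        chain.append(nxt)

def fake_cert(subject, issuer):
    """Constructed, certificate-shaped DER for the demo; NOT a usable certificate (no key, no signature)."""
    name = lambda s: tlv(0x30, tlv(0x13, s.encode()))  # stand-in for an X.501 Name
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + name(issuer) + tlv(0x30, b"") + name(subject))
    return tlv(0x30, tlv(0x30, tbs))
ROOT = fake_cert("AddTrustExternalCARoot", "AddTrustExternalCARoot")
INTER = fake_cert("COMODORSADomainValidationSecureServerCA", "AddTrustExternalCARoot")
LEAF = fake_cert("domain_com", "COMODORSADomainValidationSecureServerCA")
```

A result of (chain, False) means either the root was left out, which nginx does not need, or an intermediate is missing, which is the "incorrect list of intermediate certificates" finding in the SSL Labs report above.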

Can't restart nginx: https certificate routine private key mismatch

I have updated my certificate on Gandi like this:
sudo openssl genrsa -des3 -out mywebsite.com_encrypted.key 4096
sudo openssl req -new -key mywebsite.com_encrypted.key -out mywebsite.com.csr
cd /etc/nginx/ssl/
sudo nano mywebsite.com.crt # > pasted the Gandi certificate in this file
sudo wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
sudo cat GandiStandardSSLCA.pem >> mywebsite.com.crt
sudo openssl rsa -in mywebsite.com_encrypted.key -out mywebsite.com.key
sudo chown root:root mywebsite.com.key
sudo chmod 400 mywebsite.com.key
Everything was working well with the older certificate, but since I updated the configuration with the new certificate, here is my nginx log. I can't restart:
Nginx logs:
2015/05/12 20:53:03 [emerg] 7515#0: SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/mywebsite.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
What's wrong with the process?
Configuration of nginx is ok.
Here is my nginx configuration:
ssl on;
ssl_certificate /etc/nginx/ssl/mywebsite.com.crt;
ssl_certificate_key /etc/nginx/ssl/mywebsite.com.key;
I have no idea what you are trying to achieve. It looks like you replaced the key in /etc/nginx/ssl/mywebsite.com.key, leaving the original certificate /etc/nginx/ssl/mywebsite.com.crt unchanged (the mywebsite.com.crt certificate is still bound to the original key, and you cannot change that: the public key is an integral part of an X.509 certificate). This is exactly what openssl is trying to tell you: you are trying to use a certificate with a different private key than the one it was originally created with.
BTW: I also have no idea why you created a certificate request (along with the new key) and then left it unused (without actually using it to create a new certificate).