When I check my website through DigiCert, it says that the SSL certificate is not trusted.
Here's the NGINX configuration:
server {
listen 80;
listen 443 default_server ssl;
server_name ~. "";
location / {
proxy_pass http://localhost:8080;
}
# Wildcard certificate
ssl_certificate /etc/ssl/certs/STAR_mydomain_com-bundle.crt;
ssl_certificate_key /etc/ssl/private/STAR_mydomain_com.key;
}
The STAR_mydomain_com-bundle.crt and STAR_mydomain_com.key are the only two files emailed by Comodo when I registered the SSL. So I'm not sure which file is missing in the chain.
So when you register for an SSL certificate from Comodo (e.g. via Namecheap) you get two files (in a zip archive), e.g.:
STAR_mydomain_com.crt
STAR_mydomain_com.ca-bundle
Combine the two files following the instructions here.
So it would be:
cat STAR_mydomain_com.crt STAR_mydomain_com.ca-bundle > STAR_mydomain_com-bundle.crt
To install this certificate into NGINX first do:
cat STAR_mydomain_com-bundle.crt SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAddTrustCA.crt > tls.crt
The certificate combined here can then be used with NGINX and is valid without issues.
Is it possible to create my own SSL certificate that is trusted in browsers, so that if a user enters my website they don't need to trust my website, just like professional websites?
I'm using nginx.
You can't create one because you are not a certification authority trusted by browsers.
What you can do, though, is get a free one from Let's Encrypt. You have to renew it every 90 days, but you can do this with a cronjob quite easily.
If you want to create your own certificate authority, I can't help you. But if you just want a free SSL certificate, that is pretty easy: you can use Let's Encrypt.
For example, if you have SSH access to your server, you can use Certbot.
Then just download it for your distribution and type:
./certbot-auto certonly --webroot -w /var/www/your_web_root -d yourdomain.com
Then all you need to do is change your nginx site config so it supports SSL.
You can look at my example on github:
https://github.com/NLDev/dotfiles/blob/master/nginx.conf
This config scores an A+ on the SSL-Labs test.
Or you can use this stripped down version:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com;
return 301 https://example.com$request_uri;
location ~ /.well-known {
allow all;
}
}
server {
listen 443 ssl default_server;
root /var/www/example.com/public_html;
index index.html index.htm index.php;
server_name example.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
}
location ~ /.well-known {
allow all;
}
}
Replace example.com with your domain and change
/var/www/example.com/public_html;
to your webroot.
You can create your own self-signed certificate, but it is not trusted by browsers due to the absence of its root certificate in the browser's list. Browsers will only trust preinstalled trusted root certificates, which are issued by third-party certificate authorities.
Each browser uses a different set of certificate authority (CA) certificates. You can check the trusted root certificates for the major browsers.
Firefox: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/
Chrome: http://www.chromium.org/Home/chromium-security/root-ca-policy
Opera: https://certs.opera.com/
iOS: https://support.apple.com/kb/ht5012
You should get an SSL certificate from a trusted certificate authority that is recognized by browsers. To install an SSL certificate on your nginx server, you can follow this quick guideline - https://www.ssl2buy.com/wiki/how-to-install-ssl-certificate-on-nginx-server
How do I set up a reverse proxy for Nextcloud?
This is my current config, but it doesn't work:
server {
listen 8000;
server_name cloud.prjctdesign.com;
return 301 https://$host$request_uri;
}
server {
listen 4430 ssl http2;
server_name cloud.prjctdesign.com;
ssl_certificate /certs/cloud.prjctdesign.com.crt;
ssl_certificate_key /certs/cloud.prjctdesign.com.key;
include /etc/nginx/conf/ssl_params.conf;
client_max_body_size 10G; # change this value according to $UPLOAD_MAX_SIZE
location / {
proxy_pass http://192.168.178.32;
include /etc/nginx/conf/proxy_params;
}
}
Also, I enabled SSL using a Let's Encrypt cert. I run Nextcloud in the official VM image provided by Nextcloud / Techandme.
I believe there is something wrong with the HSTS, but I have no idea how it works. Also, I based my forwarding off of this
I figured it out.
The reference to the SSL certificate is incorrect. Either run NGINX on the same server you are running Nextcloud on and point nginx to the location of the .cert file, as in these lines:
ssl_certificate /certs/cloud.prjctdesign.com.crt;
ssl_certificate_key /certs/cloud.prjctdesign.com.key;
or generate a new cert on the nginx server and point the config towards it.
I've used Let's Encrypt to install an SSL cert for the latest nginx on Ubuntu.
The setup is fine and works great with the exception of:
I don't know enough about SSL to know what's going on but I have a suspicion:
I installed the SSL cert for Apache a while back and just now moved to Nginx for its HTTP/2 support. As the nginx plugin is not stable yet, I had to install the cert myself, and this is what I did:
In my nginx config (/etc/nginx/conf/default.conf) I added:
server {
listen 80;
server_name [domain];
return 301 https://$host$request_uri;
}
server {
listen 443 http2;
listen [::]:443 http2;
server_name [domain];
ssl on;
ssl_certificate /etc/letsencrypt/live/[domain]/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/[domain]/privkey.pem;
}
Is it possible that this breaks the chain somehow? What is the proper way here?
Thanks guys
1) For strong Diffie-Hellman and to avoid Logjam attacks, see this great manual.
You need to extend your nginx config with these directives (after you have generated the dhparams.pem file):
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
2) For correct certificate chain use fullchain.pem, not cert.pem, see this great tutorial for details.
And you will get A grade :)
3) And as a bonus, try this great service:
"Generate Mozilla Security Recommended Web Server Configuration Files".
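The chain problems in the Comodo bundle answer earlier on the page and in point 2 above both come down to whether the PEM file nginx serves links leaf to intermediate, in that order. As an added example (not code from any answer here), the following Python checks that for any bundle: it reads issuer and subject straight from the DER, so it needs no third-party library, and fake_cert builds constructed, unsigned sample certificates purely for demonstration.

```python
import base64
import re
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(data, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) as raw DER Name bytes of one X.509 certificate."""
    _, p, _ = _tlv(der, 0)                    # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                    # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        p = end
    _, _, p = _tlv(der, p)                    # serialNumber
    _, _, p = _tlv(der, p)                    # signature AlgorithmIdentifier
    _, _, end = _tlv(der, p)                  # issuer Name
    issuer, p = der[p:end], end
    _, _, p = _tlv(der, p)                    # validity
    _, _, end = _tlv(der, p)                  # subject Name
    return issuer, der[p:end]

def check_chain(bundle):
    """Problems with a leaf-first PEM bundle; an empty list means every link matches."""
    certs = [names(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(bundle)]
    if len(certs) < 2:
        return ["no PEM certificates found"] if not certs else ["single certificate: no intermediate in this file"]
    problems = [f"cert {i} issuer does not match cert {i + 1} subject"
                for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]
    if problems and all(certs[i + 1][0] == certs[i][1] for i in range(len(certs) - 1)):
        problems.append("bundle appears to be in reverse order; nginx wants the leaf first")
    return problems

def _der(tag, body):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def fake_cert(subject_cn, issuer_cn):
    """Constructed sample: an unsigned X.509 skeleton (not a real cert) with one commonName each."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn) + _der(0x30, b""))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.encodebytes(der).replace(b"\n", b"")
    return b"-----BEGIN CERTIFICATE-----\n" + b64 + b"\n-----END CERTIFICATE-----\n"
```

Run check_chain(open("STAR_mydomain_com-bundle.crt", "rb").read()) against the real file; a Let's Encrypt cert.pem is reported as a single certificate, which is exactly why browsers see the chain as incomplete until fullchain.pem is used instead.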
I have an easy one, I think. I purchased a RapidSSL certificate and installed it on my website. It seems to be OK (I have a key file and the intermediate and final .crt files), but there is a little mess: the SSL is correctly installed on https://xxxxx.com BUT NOT on https://www.xxxxx.com.
This is the error that I got from SSL checker:
Wrong certificate installed.
The domain name does not match the certificate common name or SAN.
I have an Nginx machine. This is a portion of the config file:
server {
listen 80; ## listen for ipv4
listen 443 ssl;
set $myHost "xxxx.com";
set $site "xxxx";
server_name xxxx.com www.xxxx.com local.xxxx.com staging.xxxx.com s.xxxx.com;
#ssl_certificate /var/www/sites/ssl/oldfile.cert;
#ssl_certificate_key /var/www/sites/ssl/oldfile.key;
ssl_certificate /var/www/sites/ssl/122015/newfile.crt;
ssl_certificate_key /var/www/sites/ssl/122015/newfile.key;
root /var/www/sites/xxxx/current/web/;
access_log /var/www/sites/xxxx/current/app/logs/xxxx.com.access.log;
error_log /var/www/sites/xxxx/current/app/logs/xxxx.com.error.log;
....
When I got the key file, I set xxxx.com as domain name of course, because www was not allowed.
I need the SSL on www. Thanks for your help!!
M :)
You need a separate SSL certificate for each domain. You will then need to split your configuration for each domain into virtual hosts (nginx) and reference the individual SSL certificate for each domain you wish to use.
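Whether the browser accepts the certificate for www comes down to name matching: a certificate whose only name is xxxx.com does not cover www.xxxx.com, and a wildcard such as the *.mydomain.com certificate from the first question covers www.mydomain.com but not the bare domain. As an added illustration (not from the answer above), this Python implements the RFC 6125 matching rules and lists which server_name entries a given certificate leaves uncovered; the host and name lists are constructed samples. Current browsers consult only the SAN list, so pass the SAN dNSNames rather than the CN.

```python
import ipaddress

def hostname_matches(hostname, cert_names):
    """Return the certificate name (SAN dNSName) that covers hostname, or None.

    Wildcard rules follow RFC 6125: '*' may only be the whole leftmost label,
    it matches exactly one label, and '*.tld' is refused.
    """
    host = hostname.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)            # an IP literal never matches a DNS name
        return None
    except ValueError:
        pass
    host_labels = host.split(".")
    for name in cert_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host_labels) or any("*" in lab for lab in labels[1:]):
            continue                          # '*' cannot span labels or sit below the first
        first_ok = labels[0] == host_labels[0] or (labels[0] == "*" and len(labels) >= 3)
        if first_ok and labels[1:] == host_labels[1:]:
            return name
    return None

def uncovered(server_names, cert_names):
    """Entries of an nginx server_name list that the certificate does not cover."""
    return [h for h in server_names if hostname_matches(h, cert_names) is None]

if __name__ == "__main__":
    # Constructed sample mirroring the question: the certificate names only the apex.
    print(uncovered(["xxxx.com", "www.xxxx.com", "staging.xxxx.com"], ["xxxx.com"]))
    # The wildcard case from the first question on the page: the apex is not covered.
    print(uncovered(["mydomain.com", "www.mydomain.com"], ["*.mydomain.com"]))
```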
I am trying to configure a subdomain to proxy requests to another server over which I have no control. A friend runs that server, and he uses his own CA to avoid paying for an SSL certificate. I tried my configuration proxying to one of my own subdomains, running a valid SSL certificate, and it worked fine, but as soon as I proxy to him and his "invalid" SSL certificate, nginx keeps asking me for my credentials.
Here is my configuration:
server
{
listen [::]:443 ssl spdy;
listen 443 ssl;
server_name subdomain.mydomain.tld;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:RC4';
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 5m;
ssl_certificate /etc/ssl/mydomain.crt;
ssl_certificate_key /etc/ssl/mydomain.key;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/startssl.pem;
add_header Strict-Transport-Security max-age=63072000;
root /path/;
location /
{
index /_h5ai/server/php/index.php;
auth_basic "mydomain";
auth_basic_user_file auth_file;
}
location /friend/
{
rewrite ^/friend/(.*) /$1 break;
proxy_set_header Authorization "Basic base64_encoded";
proxy_pass https://subdomain.friend.tld:443/blah/;
}
location ~ .php$
{
fastcgi_pass 127.0.0.1:4242;
include fastcgi.conf;
fastcgi_read_timeout 3600;
}
}
I do not have any errors in the logs.
I can browse everything fine outside of /friend; it authenticates fine, but as soon as I get into /friend the authentication prompt just keeps popping up like I had a wrong password.
I know my base64 encoding is valid, and I tested it by replicating the same auth on one of my subdomains and it worked fine, so the only explanation left I can think of is that nginx doesn't like his certificate.
Is there some configuration I might have missed that would allow me to trust his CA?
Or just to disable the verification; the data isn't sensitive at all, it'd be fine even over HTTP, but he doesn't want to bother with configuring that on his server. So disabling the verification would be a good enough solution for me.
Thanks
You should install your friend's CA cert (not the webserver cert, but the CA cert he created and used to sign his webserver cert) into the default OpenSSL CA store.
First you need to determine where OpenSSL keeps its files on your system. On Linux it's usually:
cd /etc/ssl/certs
Save your friend's CA cert, in PEM format, into that directory.
Then you need to determine the hash of that cert:
openssl x509 -noout -hash -in your-friends-ca.pem
and create a symlink to the cert file with the hash as the filename and with the filename extension .0:
ln -s your-friends-ca.pem 34ae50c5.0
Then restart Nginx.