How to generate PEM files to install my own SSL certificate? - ssl

I have an SSL certificate, Comodo PositiveSSL.
There are files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
domain.com.key
domain_com.crt
Vendor requirements:
The certificate, private key, and certificate chain must be PEM-encoded
/ssl/test1.bx.key.pem
/ssl/test1.bx.cert.pem
/ssl/test1.bx.ca-chain.cert.pyem
Am I creating the PEM files correctly?
cat COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt AddTrustExternalCARoot.crt > domain.com.ca-chain.cert.pem
cat domain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > domain.com.cert.pem
cat domain.com.key domain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > domain.com.key.pem

Am I creating the PEM files correctly?
No. The key file should not be the result of concatenated files. I don't know your vendor, but I believe domain.com.key = /ssl/test1.bx.key.pem
What I suppose your vendor expects, though I can't be sure of course:
/ssl/test1.bx.cert.pem = domain_com.crt
/ssl/test1.bx.ca-chain.cert.pyem = AddTrustExternalCARoot.crt + COMODORSAAddTrustCA.crt + COMODORSADomainValidationSecureServerCA.crt
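The answer above comes down to one rule: the key file holds the key and nothing else, and the certificate and chain files hold certificates and nothing else. The script below is an added example, not code from the thread or from the vendor: it inspects the BEGIN/END armor lines with grep and sed (no openssl needed), builds the three-file layout the answer proposes from constructed dummy PEM blocks named after the files in the question, and shows that the question's third command (key plus certificates in one file) is rejected. Block bodies are placeholders, not real keys or certificates.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the three PEM files the
# vendor asks for, using only grep/sed. File names follow the question; the
# PEM bodies below are constructed dummies, not real key or certificate data.
set -eu

# Labels of every "-----BEGIN <label>-----" line, in file order. CRs are
# stripped first so a bundle pasted together in a Windows editor still parses.
pem_labels() { tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'; }

# Print the number of PEM blocks; fail on a file with no block or with
# unequal BEGIN/END counts (a truncated copy-and-paste).
pem_block_count() {
    b=$(grep -c -e '^-----BEGIN ' "$1" || true)
    e=$(grep -c -e '^-----END ' "$1" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ] || return 1
    echo "$b"
}

# Key file: exactly one block, and it must be a private key.
check_key_file() {
    n=$(pem_block_count "$1") || return 1
    [ "$n" -eq 1 ] || return 1
    case "$(pem_labels "$1")" in *"PRIVATE KEY") return 0 ;; esac
    return 1
}

# Certificate and chain files: every block must be a certificate, so a
# private key mixed into them is caught here.
check_cert_file() {
    pem_block_count "$1" >/dev/null || return 1
    pem_labels "$1" | grep -qv '^CERTIFICATE$' && return 1
    return 0
}

# One-shot check of the key / cert / ca-chain layout the answer proposes.
check_vendor_layout() {
    check_key_file "$1" && check_cert_file "$2" && check_cert_file "$3"
}

# --- constructed sample files --------------------------------------------
WORK=$(mktemp -d)
mk_block() { printf '%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----"; }
mk_block 'RSA PRIVATE KEY' > "$WORK/domain.com.key"
for c in domain_com COMODORSADomainValidationSecureServerCA COMODORSAAddTrustCA AddTrustExternalCARoot; do
    mk_block CERTIFICATE > "$WORK/$c.crt"
done
# The layout suggested in the answer: key alone, leaf cert alone, CA chain.
cp "$WORK/domain.com.key" "$WORK/test1.bx.key.pem"
cp "$WORK/domain_com.crt" "$WORK/test1.bx.cert.pem"
cat "$WORK/AddTrustExternalCARoot.crt" "$WORK/COMODORSAAddTrustCA.crt" \
    "$WORK/COMODORSADomainValidationSecureServerCA.crt" > "$WORK/test1.bx.ca-chain.cert.pem"
# The question's third command: key and all certificates in one file.
cat "$WORK/domain.com.key" "$WORK/domain_com.crt" "$WORK/COMODORSADomainValidationSecureServerCA.crt" \
    "$WORK/COMODORSAAddTrustCA.crt" "$WORK/AddTrustExternalCARoot.crt" > "$WORK/wrong.key.pem"

if check_vendor_layout "$WORK/test1.bx.key.pem" "$WORK/test1.bx.cert.pem" "$WORK/test1.bx.ca-chain.cert.pem"; then
    echo "layout OK: $(pem_block_count "$WORK/test1.bx.ca-chain.cert.pem") certificates in the chain file"
fi
check_key_file "$WORK/wrong.key.pem" || \
    echo "wrong.key.pem: $(pem_block_count "$WORK/wrong.key.pem") blocks; the key file must contain only the key"
```

This only checks the armor labels and block structure, which is what the question gets wrong; whether the key actually matches the certificate and whether the chain links up is a separate check (openssl x509 and openssl verify), which the script deliberately does not attempt so that it runs anywhere.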

To set up certificates in a Bitrix environment you need to do the following:
Concatenate the CA bundle and the certificate file which we sent you as follows:
1.1. To concatenate the certificate files into a single bundle file, first open the domainname.crt and domainname.ca-bundle files using any text editor.
1.2. Now copy all the content of domainname.crt and paste it at the top of the domainname.ca-bundle file.
1.3. Now save the file under the name 'ssl-bundle.crt'.
Store the bundle and private key in the appropriate nginx ssl folder /etc/nginx/ssl/example_com/
Add these lines to your nginx config:
ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/private/domainname.key;
ssl_prefer_server_ciphers on;
Restart nginx by running the command systemctl restart nginx.service.
Take a look at the Comodo Knowledgebase article about certificate installation on nginx. It describes step by step how to install certificates on different web servers.

Related

How to get .crt and .key from cert.pem and key.pem

I know this is a super similar question to many other questions, but none of them either give a straight answer or one that works for me...
I have gotten two files from Let's encrypt:
cert.pem
key.pem
I need to get them into a crt and key format for use on an nginx server.
I have tried:
openssl rsa -outform der -in key.pem -out key.key
and
openssl x509 -outform der -in cert.pem -out cert.crt
but get the following error when starting up nginx:
# service nginx restart
Performing sanity check on nginx configuration:
nginx: [emerg] cannot load certificate "/etc/ssl/nginx/cert.crt": PEM_read_bio_X509_AUX() failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
The extension .pem indicates that the file format is PEM (Privacy-Enhanced Mail). However, the extension does not tell anything about the content of the file. The content may be a certificate, a private key, a public key, or something else.
The extension .crt indicates that the content of the file is a certificate. However, the extension does not tell anything about the file format. The file format may be PEM, DER (Distinguished Encoding Rules) or something else. If the file is text and contains -----BEGIN CERTIFICATE-----, the file format is PEM. On the other hand, if the file is binary, it is highly likely that the file format is DER.
The extension .key indicates that the content of the file is a private key. However, the extension does not tell anything about the file format. The file format may be PEM, DER or something else. If the file is text and contains -----BEGIN PRIVATE KEY----- (or something similar), the file format is PEM. On the other hand, if the file is binary, it is highly likely that the file format is DER.
The diagrams below, from "Illustrated X.509 Certificate", illustrate the relationship among ASN.1 (X.680), DER (X.690), BASE64 (RFC 4648) and PEM (RFC 7468).
Both ssl_certificate and ssl_certificate_key of ngx_http_ssl_module expect the file format to be PEM, as the reference document says. Therefore, you don't have to change the file format of your cert.pem and key.pem, because their file extension .pem indicates that their file format is already PEM. Just write the following in your Nginx configuration file.
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
If you prefer .crt and .key extensions, just rename them like below.
$ mv cert.pem cert.crt
$ mv key.pem key.key
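The point of this answer is that the extension tells you nothing reliable; the content does. The script below is an added example, not code from the thread: it classifies a file as PEM (an armor line is present), DER (the first byte is the ASN.1 SEQUENCE tag 0x30, which is how every DER-encoded X.509 certificate and PKCS#8/PKCS#1 key begins) or neither, and reports whether nginx will load it. The sample files are constructed: a dummy PEM block and a file containing only the first four bytes of a DER header, not a real certificate.

```shell
#!/bin/sh
# Added example, not from the thread: tell PEM from DER by content rather
# than by extension, which is what the error in the question boils down to.
set -eu

# Print PEM, DER or UNKNOWN for a file.
#   PEM: text containing a "-----BEGIN ...-----" armor line.
#   DER: binary whose first byte is 0x30, the ASN.1 SEQUENCE tag that opens
#        every DER-encoded certificate or key.
guess_format() {
    if grep -q -e '-----BEGIN ' "$1" 2>/dev/null; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# nginx's ssl_certificate / ssl_certificate_key accept PEM only. Return 0 for
# a PEM file; otherwise say what happened and return 1. The "no start line"
# error in the question is exactly what a DER file produces here.
nginx_ready() {
    case "$(guess_format "$1")" in
        PEM) return 0 ;;
        DER) echo "$1 is DER: convert back with 'openssl x509 -inform der' (certificate)" \
                  "or 'openssl pkey -inform der' (key)" >&2; return 1 ;;
        *)   echo "$1 is neither PEM nor DER" >&2; return 1 ;;
    esac
}

# --- constructed samples ---------------------------------------------------
WORK=$(mktemp -d)
printf '%s\n' "-----BEGIN CERTIFICATE-----" "Q09OU1RSVUNURUQ=" "-----END CERTIFICATE-----" > "$WORK/cert.pem"
printf '\060\202\001\000' > "$WORK/cert.crt"      # DER header bytes 30 82 01 00 only
echo "not a certificate" > "$WORK/notes.txt"

for f in cert.pem cert.crt notes.txt; do
    echo "$f: $(guess_format "$WORK/$f")"
done
nginx_ready "$WORK/cert.pem" && echo "cert.pem can be used as ssl_certificate"
nginx_ready "$WORK/cert.crt" || true
```

A real DER certificate also starts with 30 82 (SEQUENCE, long-form length), so the one-byte test is enough to separate the two formats in practice; openssl x509 -inform der -in cert.crt -out cert.pem is the inverse of the command the question ran.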
When you want to set up NGINX with Let's Encrypt, then you can do it automatically by using the application certbot.
To install certbot for nginx:
on Ubuntu/Debian:
sudo apt install python-certbot-nginx
on Arch linux:
sudo pacman -S certbot-nginx
on Centos:
sudo yum install epel-release
sudo yum install certbot-nginx
Then you need to make a very simple configuration file for your domain. The directory should be the same for all the mentioned operating systems:
/etc/nginx/sites-available/example.com
In here you just add this information:
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    location / {
        proxy_pass http://127.0.0.1:5000; # Example
    }
}
Then create the symlink to activate the domain
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
Remember to replace example.com with your domain, and change proxy_pass to your service or the directory of hosted files.
Now you should restart NGINX:
sudo nginx -t
This one will return an error if you have errors in your configuration.
If everything is ok then restart NGINX
sudo systemctl restart nginx.service
Now certbot comes into the picture:
sudo certbot --nginx -d example.com -d www.example.com
At this point Let's Encrypt will try to reach your nginx server, and if everything is OK this means:
Firewall settings allow ports 80 and 443 to pass
Port forwarding through the network for the 2 ports is allowed
Then you will get to pick easy or secure access. I recommend the secure option.
When you have clicked [enter] then the process will be finished and certbot will have generated all your certification files and added them to the correct path.
Your configuration file in /etc/nginx/sites-available/example.com will have been updated with all the correct settings.
You may be required to restart nginx once again.
I hope it was helpful. Good luck
[Sources]
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-centos-7
https://wiki.archlinux.org/index.php/Certbot#Nginx

How to convert entrust certificate bundle to pem for haproxy ssl termination

I don't know much about SSL certificates but I need to do SSL termination in HAProxy. The team in charge of the certificate gave me a zip file which I assume is an Entrust bundle when I check the crt files in it. So it seems like HAProxy will only accept a pem file (correct me if I'm wrong) and the bundle I have contains 5 files: ca.crt, <domain>.key, intermediate.crt, root.crt and ServerCertificate.crt. Can anyone help me on how I can convert these to a pem file that HAProxy will accept?
You will need to concatenate everything into one file.
cat ServerCertificate.crt intermediate.crt root.crt ca.crt <domain>.key > <domain>_haproxy.pem
Afterwards you can configure HAProxy to handle TLS/SSL as described in the doc How to get SSL with HAProxy getting rid of stunnel, stud, nginx or pound

NGINX Conf for wildcard certificate from comodo [duplicate]

I've got 3 files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
and also a keystore. How can I create a .pem file out of these? I was trying to put their content into a file called .pem, but nginx says
SSL: error:0B080074:x509 certificate
routines:X509_check_private_key:key values mismatch
Also those files haven't got any attributes. Only -----BEGIN CERTIFICATE-----, key and -----END CERTIFICATE-----.
You are missing a certificate for your domain. After you get it, concatenate all those files together. This is your file to be used in nginx configuration.
cat yourdomain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > bundle.crt
Also don't forget to configure the path to the private key. It is a different file.

SSL Cert Compilation into pem file

I recently purchased an SSL cert and need to setup HAProxy to use it.
The instructions from HAProxy are the following
The certificate specified in dockercloud/haproxy or in the linked application services is a pem file, containing a private key followed by a public certificate (the private key must be put before the public certificate and any extra Authority certificates; order matters).
This article explains in more detail that the order should be the following...
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
I received the following files after purchasing the SSL cert.
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
my_domain.crt
As well as I have a key file from CSR generation.
I ran the following
cat my_key_from_csr >> my_domain.pem
cat my_domain.crt >> my_domain.pem
cat COMODORSAAddTrustCA.crt >> my_domain.pem
cat AddTrustExternalCARoot.crt >> my_domain.pem
I copied the contents of my_domain.pem into the HAProxy SSL_CERT variable, but it doesn't work. Am I doing something wrong?
You do not need to include the csr file as part of the pem. The following works 100% and I am using it with haproxy too.
cat your_domain_private_key.key >> your_domain.pem
cat your_domain_issued_certificate.crt >> your_domain.pem
cat COMODORSADomainValidationSecureServerCA.crt >> your_domain.pem
cat COMODORSAAddTrustCA.crt >> your_domain.pem
It is not necessary to add the Root CA (AddTrustExternalCARoot.crt) to the pem file as this is pre-installed already on all computers.
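The single-file layout this answer builds is ordered: private key first, then the issued certificate, then the intermediate CA certificates, which is also what the dockercloud/haproxy text quoted in the question requires. The script below is an added example, not code from the thread or from HAProxy: it reads the armor labels of a bundle and checks that order, builds a bundle from constructed dummy blocks named after the answer's files, and shows that the same parts with the key appended last fail the check. The PEM bodies are placeholders, not real key or certificate data.

```shell
#!/bin/sh
# Added example, not from the thread: verify a one-file HAProxy bundle has
# the order the answer uses: private key first, then the issued certificate,
# then intermediate CA certificates. Names follow the answer; block bodies
# are constructed dummies.
set -eu

# Labels of every "-----BEGIN <label>-----" line, in file order (CRs stripped).
pem_labels() { tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'; }

# Return 0 when the first block is a private key and every later block is a
# certificate; a lone key, a key placed last, or a non-certificate block fails.
check_haproxy_bundle() {
    first=$(pem_labels "$1" | head -n 1)
    rest=$(pem_labels "$1" | tail -n +2)
    case "$first" in *"PRIVATE KEY") ;; *) return 1 ;; esac
    [ -n "$rest" ] || return 1                      # key alone is not a bundle
    printf '%s\n' "$rest" | grep -qv '^CERTIFICATE$' && return 1
    return 0
}

# --- constructed sample files --------------------------------------------
WORK=$(mktemp -d)
mk_block() { printf '%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----"; }
mk_block 'RSA PRIVATE KEY' > "$WORK/your_domain.key"
for c in your_domain_issued_certificate COMODORSADomainValidationSecureServerCA COMODORSAAddTrustCA; do
    mk_block CERTIFICATE > "$WORK/$c.crt"
done
# The answer's sequence: key, issued cert, intermediates (root left out).
cat "$WORK/your_domain.key" "$WORK/your_domain_issued_certificate.crt" \
    "$WORK/COMODORSADomainValidationSecureServerCA.crt" "$WORK/COMODORSAAddTrustCA.crt" > "$WORK/your_domain.pem"
# Same parts with the key appended last, which the quoted instructions forbid.
cat "$WORK/your_domain_issued_certificate.crt" "$WORK/COMODORSADomainValidationSecureServerCA.crt" \
    "$WORK/COMODORSAAddTrustCA.crt" "$WORK/your_domain.key" > "$WORK/key_last.pem"

for f in your_domain.pem key_last.pem your_domain.key; do
    if check_haproxy_bundle "$WORK/$f"; then
        echo "$f: key-first bundle, $(pem_labels "$WORK/$f" | wc -l | tr -d ' ') blocks"
    else
        echo "$f: not a key-first bundle"
    fi
done
```

The check is structural only; it does not confirm that the key matches the certificate (openssl x509 -noout -modulus and openssl rsa -noout -modulus on the two parts would show that), so a bundle that passes here can still be rejected for a key mismatch like the X509_check_private_key error seen elsewhere on this page.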
