My client bought a PositiveSSL Certificate, and he gave me 2 files, crt and ca-bundle.
How can I install these files to the ubuntu server and make the https protocol work?
FYI, I'm using nginx.
Any clue?
key file
First off: you need the secret key as well, from the extensions on the filenames you are missing that file.
ngnix
nginx expects a chained certificate, but that's easy enough to create:
$ cd /path/to
$ cat www.example.com.crt ca-bundle.crt > example.bundle.crt
While at it create the Diffie–Hellman parameters:
$ openssl dhparam -out dh4096.pem 4096
You need to add a few statements to the appropriate place in your configuration file(s).
It's the server block that needs something like this:
server {
listen 443 ssl http2;
server_name www.example.com ;
ssl on;
ssl_certificate /path/to/example.bundle.crt;
ssl_certificate_key /path/to/example.key;
# take care: a single add_header *will* wipe all the inherited ones!
# HSTS (be careful, this is irreversible!)
# add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
}
Something like this can be added to the http block:
http {
#ssl parameters (certificates in the virtual servers)
ssl_dhparam /path/to/dh4096.pem;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS:!DES";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
}
[that way you only need to maintain that stuff once for all virtual servers, is also ok to add it in the server blocks that use ssl]
More info:
http://nginx.org/en/docs/http/configuring_https_servers.html
Test it
Free tests are available, e.g. this one: https://www.ssllabs.com/ssltest/
Fix it to make sure you're set at a high enough rating.
Related
After creating 7 SSL Certificates with Let's Encrypt, I have stumbled upon this error. I had setup all my configs correct and I scanned my whole site for SSL Vulnerabilities on [SSLLabs.com][1] and it told me that my server's certificate chain is incomplete.
The grading picture:
My SSL Grading
The error:
The error I got
I am running CentOS Linux release 7.2.1511 (Core) as a Reverse Proxy in NginX. And my configuration is:
# GhostAntiDDoS
server {
listen 443 ssl;
server_name ghostantiddos.com *.ghostantiddos.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/ghostantiddos.com/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/ghostantiddos.com/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
add_header Strict-Transport-Security max-age=15768000;
# Bulletin
#limit_conn conn_limit_per_ip 10;
#limit_req zone=req_limit_per_ip burst=5 nodelay;
client_body_timeout 5s;
client_header_timeout 5s;
....
The rest of the parts are hidden as they will expose my origin.
If anyone could assist me in this, I'd be great!
Replace
certificate /etc/letsencrypt/live/ghostantiddos.com/cert.pem
by
certificate /etc/letsencrypt/live/ghostantiddos.com/fullchain.pem
then test again with https://ssllabs.com
I'm currently in the process of migrating the hosting of a service of mine from a Managed hosting (running Lighspeed + Cpanel) to my own Managed hosting, running Nginx.
Everything is running fine in Nginx 1.6.0, but my problem is that my certificate shows as self-signed. I installed the SSL certificate including the chained certificate as per
http://www.digicert.com/ssl-certificate-installation-nginx.htm
However, even trying the configuration on NGinx SSL certificate authentication signed by intermediate CA (chain) it does not work.
If I input my website on http://sslcheck.globalsign.com/en_US it shows as it's a self-signed certificate.
Below is my virtual host configuration regarding SSL:
server {
listen 80;
listen 443 ssl;
server_name host02.website.com *.website.com;
root /spacedata/website.com;
index index.php index.html /;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security max-age=31536000;
ssl_certificate /etc/pki/tls/certs/bundle-alpha.crt;
ssl_certificate_key /etc/pki/tls/certs/private.key;
...
}
I confirm that I installed the right Cert and Private Keys.
Bear in mind that I run the AlphaSSL Wildcard certificate.
I suspect that I'm missing something in regards to the configuration as in my other hosting I installed the same .crt file and .key.
I had the same issue before, had todo with the order of the certs that reside inside your ssl_certificate file.
You need to include all intermediate CA certs in this file, and have them in the right order.
All I had to do was reverse the order of the certs within that file, and my problem was solved.
Your server cert should be on top, then simply go down the CA chain.
PS. My config looks like:
listen 443 default ssl;
ssl_certificate /etc/nginx/ssl/server_plus.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
SSLlabs still show the following message even after i added the ssl_session_cache
Session resumption (caching) No (IDs assigned but not accepted)
Here is my full configuration
server {
listen 443 spdy; #Change to 443 when SSL is on
ssl on;
ssl_certificate /etc/ssl/domain.com_bundle.crt;
ssl_certificate_key /etc/ssl/domain.com.key.nopass;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
#ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_buffer_size 8k;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/trustchain.crt;
resolver 8.8.8.8 8.8.4.4;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
#rest config goes here
}
SSL Labs doesn't assume that SNI is available to the client, so it only tests the default virtual server.
The problem could be that you don't have SSL session caching enabled on the default server. To enable it, you just need to add that ssl_session_cache line to your default_server. Alternatively, if you'd like that configuration the work across all of your nginx virtual servers (which I would recommend), you could move the ssl_session_cache line outside of the server declaration, so it applies to all of them.
Here's the configuration I use:
# All your server-wide SSL configuration
# Enable SSL session caching for improved performance
# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
ssl_session_cache shared:ssl_session_cache:10m;
server {
# All your normal virtual server configuration
}
Sources:
I tested both options on my own server and SSL Labs loves it!
This thread on the Nginx mailing list
when you use one server, it be correct. If you have load balance before servers, it may be like this. Because of request can not transmit to same server before. I suggest ssl_session_tickets.
I am trying to configure a subdomain to proxy requests to an other server on which I have no control. A friend run that server, and he uses his own CA to avoid paying for an ssl certificate. I tried my configuration proxying to one of my own subdomain, running a valid ssl certificate, and it worked fine, but as soon as I proxy to him and his "invalid" ssl certificate, nginx keep asking me for my credentials.
Here is my configuration :
server
{
listen [::]:443 ssl spdy;
listen 443 ssl;
server_name subdomain.mydomain.tld;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:RC4';
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 5m;
ssl_certificate /etc/ssl/mydomain.crt;
ssl_certificate_key /etc/ssl/mydomain.key;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/startssl.pem;
add_header Strict-Transport-Security max-age=63072000;
root /path/;
location /
{
index /_h5ai/server/php/index.php;
auth_basic "mydomain";
auth_basic_user_file auth_file;
}
location /friend/
{
rewrite ^/friend/(.*) /$1 break;
proxy_set_header Authorization "Basic base64_encoded";
proxy_pass https://subdomain.friend.tld:443/blah/;
}
location ~ .php$
{
fastcgi_pass 127.0.0.1:4242;
include fastcgi.conf;
fastcgi_read_timeout 3600;
}
}
I do not have any errors in the logs.
I can browse everything fine outside of /friend, it authenticate fine, but as soon as I get into /friend the authentication just keep poping like I had a wrong password.
I know my base64 encoded is valid, and I tested it by replicating the same auth on one of my subdomain and it worked fine, so the only explanation left I can think of is that nginx doesn't like his certificate.
Is there some configuration I would have missed allowing me to trust his CA ?
Or just to disable the verification, the data aren't sensible at all, it'd be fine even over http, but he doesn't want to bother with configuring that on his server. So disabling the verification would be a good enough solution for me.
Thanks
You should install your friend's CA cert (not the webserver cert, but the CA cert he created and used to sign his webserver cert) into the default OpenSSL CA store.
First you need to determine where OpenSSL keeps its files on your system. On Linux it's usually:
cd /etc/ssl/certs
Save your friend's CA cert, in PEM format, into that directory.
Then you need to determine the hash of that cert:
openssl x509 -noout -hash -in your-friends-ca.pem
and create a symlink to the cert file with the hash as the filename and with the filename extension .0:
ln -s your-friends-ca.pem 34ae50c5.0
Then restart Nginx.
So I'm having trouble getting my ssl cert working properly in a rails app with nginx. Do I need to use the sites-available folder, or can I just stick all my cert info in the /opt/nginx/conf/nginx.conf file? Currently, my nginx.conf file looks like this, but when I try to access the site using https it doesn't work. Before this, I have another server block that listens on port 80, and that works for http, but this one for https doesn't work. Any ideas?
server {
listen 443;
server_name www.mysite.com;
#localhost;
ssl on;
ssl_certificate reference to my pem file
ssl_certificate_key reference to my key file
root reference to app in /var/www
# ssl on;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_timeout 5m;
# ssl_protocols SSLv2 SSLv3 TLSv1;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
}
I spent a lot of time today setting up SSL on nginx. First thing I would suggest checking is that port 443 is open from something like www.checkmyports.net
Also, do you get an error when you restart nginx?