Is it possible to create my own SSL Certificate that is trusted in browsers? so if a user enter my website they dont need to trust my website. Just like be professional websites?
i'm using nginx.
You can't create one because you are not a certification authority trusted by browsers.
What you can do though is getting a free one from Let'sEncrypt. You have to renew it every 90 days but you can make this on a cronjob quite easily
If you want to create your own certificate authority, I can't help you. But if you just want a free SSL Certificate, that is pretty easy: You can use Letsencrypt.
For example if you have SSH Access to your server, you can use Certbot.
Then just download it for your distribution and type:
./certbot-auto certonly --webroot -w /var/www/your_web_root -d yourdomain.com
Then all you need to do is changing your nginx site config so it supports SSL.
You can look at my example on github:
https://github.com/NLDev/dotfiles/blob/master/nginx.conf
This config scores an A+ on the SSL-Labs test.
Or you can use this stripped down version:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com;
return 301 https://example.com$request_uri;
location ~ /.well-known {
allow all;
}
}
server {
listen 443 ssl default_server;
root /var/www/example.com/public_html;
index index.html index.htm index.php;
server_name example.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
}
location ~ /.well-known {
allow all;
}
}
Replace example.com with your domain and change
/var/www/example.com/public_html;
to your webroot.
You can create your own self-signed certificate, but it is not trusted by browsers due to absence of root certificate in the browser list. Browsers will only trust on preinstalled trusted root certificate which are issued by third-party certificate authorities.
Each browser uses a different set of certificate authority (CA) certificates. You can check the trusted root certificates for the major browsers.
Firefox: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/
Chrome: http://www.chromium.org/Home/chromium-security/root-ca-policy
Opera: https://certs.opera.com/
iOs: https://support.apple.com/kb/ht5012
You should get an SSL certificate from trusted certificate authority that recognized by browsers. To install an SSL on your nginx server, you can follow this quick guideline - https://www.ssl2buy.com/wiki/how-to-install-ssl-certificate-on-nginx-server
Related
When I check my website through Digicert, it says that SSL Certificate is not trusted
Here's the NGINX configuration
server {
listen 80;
listen 443 default_server ssl;
server_name ~. "";
location / {
proxy_pass http://localhost:8080;
}
# Wildcard certificate
ssl_certificate /etc/ssl/certs/STAR_mydomain_com-bundle.crt;
ssl_certificate_key /etc/ssl/private/STAR_mydomain_com.key;
}
The STAR_mydomain_com-bundle.crt and STAR_mydomain_com.key are the only two files emailed by Comodo when I registered the SSL. So I'm not sure which file is missing in the chain.
So when you register for an SSL from Comodo (e.g. via Namecheap) you get two files (in zip format):
e.g.
STAR_mydomain_com.crt
STAR_mydomain_com.ca-bundle
Combine the two files based on the instruction here.
So it would be
cat STAR_mydomain_com.crt STAR_mydomain_com.ca-bundle > STAR_mydomain_com-bundle.crt
To install this certificate into NGINX first do:
cat STAR_mydomain_com-bundle.crt SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAddTrustCA.crt > tls.crt
The certificate combined here can be then used with NGINX and is valid without issues.
I've set up an Nginx server serving ssl, with an http server block redirecting to a secured server block. The certificate is issued by my domain provider (1&1). It works perfectly fine on most desktop browsers, but I get an SSL_ERROR_INTERNAL_ERROR_ALERT on Firefox on mobile, and an ERR_SSL_PROTOCOL_ERROR on Chrome mobile (Android Pie).
Here is the nginx configuration:
server {
listen 80 deferred;
listen [::]:80 deferred;
server_name meetoko.com www.meetoko.com;
return 301 https://meetoko.com$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl on;
ssl_certificate /etc/ssl/meetoko.com.pem;
ssl_certificate_key /etc/ssl/meetoko.com.key;
root /var/www/html;
server_name meetoko.com;
server_name www.meetoko.com;
try_files $uri $uri/ /index.html;
location / {
try_files $uri $uri/ /index.html;
}
location /api/ {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
}
location /public/ {
alias /root/oko-back/public/;
}
}
The .pem key is a concatenation of the primary and the intermediate issued certificates, and the .key is the private key.
All was working well before going to HTTPS on both mobiles and desktop, so it's hard to figure out what might be wrong... Any ideas?
Thanks !
The site has an inconsistent configuration as shown by SSLLabs. It is properly configured for IPv4 but has no configuration for IPv6 although it has an IPv6 address.
My guess is that the tested desktop environment is IPv4 only (at least regarding internet access) and therefore no problem occurs. The mobile environment instead is IPv6 capable and in this case IPv6 is the preferred protocol. Only, accessing the site with IPv6 fails due to an incomplete configuration.
try to set this option in config:
ssl_verify_client optional_no_ca;
ssl_verify_client
when ssl_verify_client optional or on
nginx server asks client (mobile browser) to provide certificate with trusted CA. Several firmwares have no client certificates issued and signed by trusted CA.
The optional_no_ca parameter (1.3.8, 1.2.5) requests the client
certificate but does not require it to be signed by a trusted CA
certificate.
But mobile Opera browser don't work even with these settings. Opera asks user to offer certificate anyway. So to stop bothering client ssl_verify_client setting should be:
ssl_verify_client off;
I have two domains set up on a Digital Ocean droplet (with nginx). I've installed a SSL certificate in one of them (domain1) and everything is fine with that one. The second domain (domain2), does not require a SSL certificate but if I try to access https://domain2 is showing me the content of domain1 and giving me a certificate error (This page is not secure).
I understand the certificate error, but I don't want the contents of domain1 being displayed in https://domain2
Is it a configuration problem?
nginx always has a default server, the one that is used if the server_name does not match. If you only have one server block with listen 443, then that is the implicit default server for all https connections irrespective of server name.
You will need to set up an explicit catch-all server for https connections, or add listen 443 ssl to an existing server block to act as the catch-all server.
You can reuse the same certificate file and you will continue to get certificate errors if anyone attempts to use it, but at least your other domains will not be exposed.
For example:
ssl_certificate /path/to/crt;
ssl_certificate_key /path/to/key;
server {
listen 443 ssl;
server_name domain1;
...
}
server {
listen 443 ssl default_server;
return 403;
}
See this document and this document for more.
I currently use Cloudflare as a CDN and DNS manager and until recently I used the shared and universal SSL that it has for free but, due to needs, I hired an EV SSL. Through the cloudflare panel I can not, for free, insert a custom certificate (only starting at $ 200). I use nginx on my server running with Ubuntu and I have all the settings ready to use my EV SSL that has already been inserted into the server but, by disabling SSL in the cloudflare and keeping the settings in Nginx, I get the ERR_TOO_MANY_REDIRECTS error return. PS: I have currently configured a page rule in Cloudflare to always use HTTPS in requests for this domain.
Below is my nginx configuration and I would like to know if it would be possible to confirm server side SSL, without inserting the certificate in Cloudflare, continuing with the free plan that it has available to me and using my EV SSL.
server{
listen 443;
root /var/www/redeestrela.com.br;
server_name www.redeestrela.com.br;
ssl on;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/nginx/ssl/redeestrela.crt;
ssl_certificate_key /etc/nginx/ssl/redeestrela.key;
error_log /var/log/nginx/redeestrela.error.log;
include global/php.conf;
include global/wordpress.conf;
include global/restrictions.conf;
}
server{
listen 443;
server_name redeestrela.com.br;
return 301 https://www.redeestrela.com.br$request_uri;
}
In order to serve an EV SSL certificate from Cloudflare, you would need to upload that certificate as a custom SSL certificate. This is a Business and Enterprise only Cloudflare feature, however is fairly straight-forward to do.
How do I upload a custom SSL certificate? (Business or Enterprise only)
In the future, we're hoping to have EV SSL certs as an add-on at any plan-level. Meaning we acquire, manage and renew the certificate for you. Feel free to email supportATcloudflareDOTcom if you'd be interested in trying the beta when available.
I have an easy one, I think. I purchased a rapid SSL, I installed it on my website. It seems to be ok (I have a key file, the intermediate and final crs files), but there is a little mess: the SSL is correctly installed on https://xxxxx.com BUT NOT on https://www.xxxxx.com .
This is the error that I got from SSL checker:
Wrong certificate installed.
The domain name does not match the certificate common name or SAN.
I have a Nginx machine. This is a portion of config file:
server {
listen 80; ## listen for ipv4
listen 443 ssl;
set $myHost "xxxx.com";
set $site "xxxx";
server_name xxxx.com www.xxxx.com local.xxxx.com staging.xxxx.com s.xxxx.com;
#ssl_certificate /var/www/sites/ssl/oldfile.cert;
#ssl_certificate_key /var/www/sites/ssl/oldfile.key;
ssl_certificate /var/www/sites/ssl/122015/newfile.crt;
ssl_certificate_key /var/www/sites/ssl/122015/newfile.key;
root /var/www/sites/xxxx/current/web/;
access_log /var/www/sites/xxxx/current/app/logs/xxxx.com.access.log;
error_log /var/www/sites/xxxx/current/app/logs/xxxx.com.error.log;
....
When I got the key file, I set xxxx.com as domain name of course, because www was not allowed.
I need the SSL on www. Thanks for your help!!
M :)
You need a separate SSL certificate for each domain. You will then need to split your configuration for each domain into virtual hosts (nginx) and reference each individual SSL certificates for each domain you wish to use.