I'm currently in the process of migrating the hosting of a service of mine from a Managed hosting (running Lighspeed + Cpanel) to my own Managed hosting, running Nginx.
Everything is running fine in Nginx 1.6.0, but my problem is that my certificate shows as self-signed. I installed the SSL certificate including the chained certificate as per
http://www.digicert.com/ssl-certificate-installation-nginx.htm
However, even trying the configuration on NGinx SSL certificate authentication signed by intermediate CA (chain) it does not work.
If I input my website on http://sslcheck.globalsign.com/en_US it shows as it's a self-signed certificate.
Below is my virtual host configuration regarding SSL:
server {
listen 80;
listen 443 ssl;
server_name host02.website.com *.website.com;
root /spacedata/website.com;
index index.php index.html /;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security max-age=31536000;
ssl_certificate /etc/pki/tls/certs/bundle-alpha.crt;
ssl_certificate_key /etc/pki/tls/certs/private.key;
...
}
I confirm that I installed the right Cert and Private Keys.
Bear in mind that I run the AlphaSSL Wildcard certificate.
I suspect that I'm missing something in regards to the configuration as in my other hosting I installed the same .crt file and .key.
I had the same issue before, had todo with the order of the certs that reside inside your ssl_certificate file.
You need to include all intermediate CA certs in this file, and have them in the right order.
All I had to do was reverse the order of the certs within that file, and my problem was solved.
Your server cert should be on top, then simply go down the CA chain.
PS. My config looks like:
listen 443 default ssl;
ssl_certificate /etc/nginx/ssl/server_plus.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
Related
My client bought a PositiveSSL Certificate, and he gave me 2 files, crt and ca-bundle.
How can I install these files to the ubuntu server and make the https protocol work?
FYI, I'm using nginx.
Any clue?
key file
First off: you need the secret key as well, from the extensions on the filenames you are missing that file.
ngnix
nginx expects a chained certificate, but that's easy enough to create:
$ cd /path/to
$ cat www.example.com.crt ca-bundle.crt > example.bundle.crt
While at it create the Diffie–Hellman parameters:
$ openssl dhparam -out dh4096.pem 4096
You need to add a few statements to the appropriate place in your configuration file(s).
It's the server block that needs something like this:
server {
listen 443 ssl http2;
server_name www.example.com ;
ssl on;
ssl_certificate /path/to/example.bundle.crt;
ssl_certificate_key /path/to/example.key;
# take care: a single add_header *will* wipe all the inherited ones!
# HSTS (be careful, this is irreversible!)
# add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
}
Something like this can be added to the http block:
http {
#ssl parameters (certificates in the virtual servers)
ssl_dhparam /path/to/dh4096.pem;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS:!DES";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
}
[that way you only need to maintain that stuff once for all virtual servers, is also ok to add it in the server blocks that use ssl]
More info:
http://nginx.org/en/docs/http/configuring_https_servers.html
Test it
Free tests are available, e.g. this one: https://www.ssllabs.com/ssltest/
Fix it to make sure you're set at a high enough rating.
After creating 7 SSL Certificates with Let's Encrypt, I have stumbled upon this error. I had setup all my configs correct and I scanned my whole site for SSL Vulnerabilities on [SSLLabs.com][1] and it told me that my server's certificate chain is incomplete.
The grading picture:
My SSL Grading
The error:
The error I got
I am running CentOS Linux release 7.2.1511 (Core) as a Reverse Proxy in NginX. And my configuration is:
# GhostAntiDDoS
server {
listen 443 ssl;
server_name ghostantiddos.com *.ghostantiddos.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/ghostantiddos.com/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/ghostantiddos.com/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
add_header Strict-Transport-Security max-age=15768000;
# Bulletin
#limit_conn conn_limit_per_ip 10;
#limit_req zone=req_limit_per_ip burst=5 nodelay;
client_body_timeout 5s;
client_header_timeout 5s;
....
The rest of the parts are hidden as they will expose my origin.
If anyone could assist me in this, I'd be great!
Replace
certificate /etc/letsencrypt/live/ghostantiddos.com/cert.pem
by
certificate /etc/letsencrypt/live/ghostantiddos.com/fullchain.pem
then test again with https://ssllabs.com
I'm getting Handshake fail 525 when trying to use Full SSL option with Cloudflare. Since this is my first time trying to implement some sort of SSL certificate I don't know what could be wrong here.
My SSL cert is generated this way:
sudo mkdir /etc/nginx/ssl
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.crt
My nginx default config looks like this:
server {
listen 443;
listen [::]:443;
root /var/www/site-laravel/public;
index index.php index.html index.htm;
server_name site.ee;
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
}
Make sure you select full SSL in CloudFlare, but no "Full (Strict)". Strict mode requires a validated SSL certificate and does not work with a self-signed one.
I faced a similar issue recently. I'm not entirely sure why this occurs either, but make sure your default_server has an SSL certificate set.
ssl should be added.
server {
listen 443 ssl;
listen [::]:443 ssl;
root /var/www/site-laravel/public;
index index.php index.html index.htm;
server_name site.ee;
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
}
I am trying to configure a subdomain to proxy requests to an other server on which I have no control. A friend run that server, and he uses his own CA to avoid paying for an ssl certificate. I tried my configuration proxying to one of my own subdomain, running a valid ssl certificate, and it worked fine, but as soon as I proxy to him and his "invalid" ssl certificate, nginx keep asking me for my credentials.
Here is my configuration :
server
{
listen [::]:443 ssl spdy;
listen 443 ssl;
server_name subdomain.mydomain.tld;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:RC4';
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 5m;
ssl_certificate /etc/ssl/mydomain.crt;
ssl_certificate_key /etc/ssl/mydomain.key;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/startssl.pem;
add_header Strict-Transport-Security max-age=63072000;
root /path/;
location /
{
index /_h5ai/server/php/index.php;
auth_basic "mydomain";
auth_basic_user_file auth_file;
}
location /friend/
{
rewrite ^/friend/(.*) /$1 break;
proxy_set_header Authorization "Basic base64_encoded";
proxy_pass https://subdomain.friend.tld:443/blah/;
}
location ~ .php$
{
fastcgi_pass 127.0.0.1:4242;
include fastcgi.conf;
fastcgi_read_timeout 3600;
}
}
I do not have any errors in the logs.
I can browse everything fine outside of /friend, it authenticate fine, but as soon as I get into /friend the authentication just keep poping like I had a wrong password.
I know my base64 encoded is valid, and I tested it by replicating the same auth on one of my subdomain and it worked fine, so the only explanation left I can think of is that nginx doesn't like his certificate.
Is there some configuration I would have missed allowing me to trust his CA ?
Or just to disable the verification, the data aren't sensible at all, it'd be fine even over http, but he doesn't want to bother with configuring that on his server. So disabling the verification would be a good enough solution for me.
Thanks
You should install your friend's CA cert (not the webserver cert, but the CA cert he created and used to sign his webserver cert) into the default OpenSSL CA store.
First you need to determine where OpenSSL keeps its files on your system. On Linux it's usually:
cd /etc/ssl/certs
Save your friend's CA cert, in PEM format, into that directory.
Then you need to determine the hash of that cert:
openssl x509 -noout -hash -in your-friends-ca.pem
and create a symlink to the cert file with the hash as the filename and with the filename extension .0:
ln -s your-friends-ca.pem 34ae50c5.0
Then restart Nginx.
So I'm having trouble getting my ssl cert working properly in a rails app with nginx. Do I need to use the sites-available folder, or can I just stick all my cert info in the /opt/nginx/conf/nginx.conf file? Currently, my nginx.conf file looks like this, but when I try to access the site using https it doesn't work. Before this, I have another server block that listens on port 80, and that works for http, but this one for https doesn't work. Any ideas?
server {
listen 443;
server_name www.mysite.com;
#localhost;
ssl on;
ssl_certificate reference to my pem file
ssl_certificate_key reference to my key file
root reference to app in /var/www
# ssl on;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_timeout 5m;
# ssl_protocols SSLv2 SSLv3 TLSv1;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
}
I spent a lot of time today setting up SSL on nginx. First thing I would suggest checking is that port 443 is open from something like www.checkmyports.net
Also, do you get an error when you restart nginx?