{"id":3564,"date":"2019-02-09T08:24:33","date_gmt":"2019-02-09T08:24:33","guid":{"rendered":"http:\/\/myprojects.advchaweb.com\/?p=3564"},"modified":"2019-02-09T15:50:27","modified_gmt":"2019-02-09T15:50:27","slug":"create-self-signed-certificate-with-nginx-on-ubuntu-16-04","status":"publish","type":"post","link":"https:\/\/myprojects.advchaweb.com\/index.php\/2019\/02\/09\/create-self-signed-certificate-with-nginx-on-ubuntu-16-04\/","title":{"rendered":"Create Self-Signed Certificate With Nginx On Ubuntu 16.04"},"content":{"rendered":"

Ref: https:\/\/www.humankode.com\/ssl\/create-a-selfsigned-certificate-for-nginx-in-5-minutes<\/a>
\nhttps:\/\/www.digitalocean.com\/community\/tutorials\/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04<\/a><\/p>\n

In this tutorial, I’m going to show you how you can create a self-signed SSL\/TLS certificate and use it on Nginx in 5 minutes or less. I’m using Ubuntu for this tutorial, but if you’re on Mac OSX you can follow along as the syntax and commands are nearly identical.<\/p>\n

Why Create a Self-Signed Certificate?
\nSelf-signed certificates are useful for local development where you want to simulate an HTTPS environment. Take note that self-signed certificates are not meant for production, but they are ideal for localhost development.<\/p>\n

An Overview of Creating a Self-Signed Certificate
\nBefore continuing, let’s take a step back and look at the steps involved in generating a self-signed certificate for Nginx:<\/p>\n

Generate a self-signed certificate using OpenSSL
\nCopy the certificate to the certificates folder on Ubuntu
\nUpdate the Nginx configuration file to load the certificate
\nCopy the certificate’s public key to the CA trusted root database to prevent Google Chrome from showing the site as insecure<\/p>\n

Step 1: Generate a Self-Signed Certificate using OpenSSL
\nI’ll use OpenSSL to generate the certificate on Ubuntu. OpenSSL is installed on Mac OSX by default and the commands are exactly the same.<\/p>\n

OpenSSL will generate 2 files which consist\u00a0of a private key and a public key. Even though most people refer to an SSL\/TLS certificate in the singular sense, it is the combination of the private key and the public key that makes a certificate.<\/p>\n

Before running the OpenSSL command to generate a self-signed certificate, I’m going to create a certificate configuration file that will specify the certificate bits and the Subject Alternative Names. The Subject Alt Names are required in Google Chrome 58 and later, and is used to match the domain name and the certificate. If the domain name is not listed in the certificate’s Subject Alternative Names list, you’ll get a\u00a0NET::ERR_CERT_COMMON_NAME_INVALID\u00a0error message.<\/p>\n

Create the Certificate Configuration File<\/p>\n

teddy@teddy:~$ mkdir Documents\/self_signed_cert\r\nteddy@teddy:~$ cd Documents\/self_signed_cert\/\r\nteddy@teddy:~\/Documents\/self_signed_cert$ sudo gedit fontaineind.test.conf<\/pre>\n
I want to make a self-signed certificate for my local magento 2 site. The site is fontaineind.test
\nHere is the content of fontaineind.test.conf file:<\/p>\n
[req]\r\ndefault_bits       = 2048\r\ndefault_keyfile    = f.key\r\ndistinguished_name = req_distinguished_name\r\nreq_extensions     = req_ext\r\nx509_extensions    = v3_ca\r\n\r\n[req_distinguished_name]\r\ncountryName                 = Country Name (2 letter code)\r\ncountryName_default         = US\r\nstateOrProvinceName         = State or Province Name (full name)\r\nstateOrProvinceName_default = New York\r\nlocalityName                = Locality Name (eg, city)\r\nlocalityName_default        = Rochester\r\norganizationName            = Organization Name (eg, company)\r\norganizationName_default    = localhost\r\norganizationalUnitName      = organizationalunit\r\norganizationalUnitName_default = Development\r\ncommonName                  = Common Name (e.g. server FQDN or YOUR name)\r\ncommonName_default          = localhost\r\ncommonName_max              = 64\r\n\r\n[req_ext]\r\nsubjectAltName = @alt_names\r\n\r\n[v3_ca]\r\nsubjectAltName = @alt_names\r\n\r\n[alt_names]\r\nDNS.1   = fontaineind.test\r\nDNS.2   = 127.0.0.1<\/pre>\n
Create the Certificate using OpenSSL<\/p>\n
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout fontaineind.test.key -out fontaineind.test.crt -config fontaineind.test.conf<\/pre>\n
Here is the terminal output. For the inputs on the terminal asking like country name, etc, just click enter key to accept the default values:<\/p>\n
teddy@teddy:~\/Documents\/self_signed_cert$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout fontaineind.test.key -out fontaineind.test.crt -config fontaineind.test.conf\r\nGenerating a 2048 bit RSA private key\r\n............+++++\r\n................................................................................+++++\r\nwriting new private key to 'fontaineind.test.key'\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [US]:\r\nState or Province Name (full name) [New York]:\r\nLocality Name (eg, city) [Rochester]:\r\nOrganization Name (eg, company) [localhost]:\r\norganizationalunit [Development]:\r\nCommon Name (e.g. server FQDN or YOUR name) [localhost]:<\/pre>\n
It’ll create two new files. There are fontaineind.test.crt and fontaineind.test.key:<\/p>\n
teddy@teddy:~\/Documents\/self_signed_cert$ ls\r\nfontaineind.test.conf  fontaineind.test.crt  fontaineind.test.key<\/pre>\n
Step 2: Copy the Certificate Key Pair to the Certificates folder on Ubuntu
\nCopy the public key to the \/etc\/ssl\/certs directory<\/p>\n
teddy@teddy:~\/Documents\/self_signed_cert$ sudo cp fontaineind.test.crt \/etc\/ssl\/certs\/<\/pre>\n
Copy the private key to the \/etc\/ssl\/private directory<\/p>\n
teddy@teddy:~\/Documents\/self_signed_cert$ sudo cp fontaineind.test.key \/etc\/ssl\/private\/<\/pre>\n
Step 3: Update the Nginx Configuration File to Load the Certificate Key Pair<\/p>\n
teddy@teddy:~\/Documents\/self_signed_cert$ sudo gedit \/etc\/nginx\/sites-available\/fontaineind.test<\/pre>\n
Change it like this:<\/p>\n
server {\r\n    listen 8080;\r\n    listen 443 ssl http2;\r\n    listen [::]:443 ssl http2;\r\n    server_name fontaineind.test;\r\n\r\n    ssl_certificate \/etc\/ssl\/certs\/fontaineind.test.crt;\r\n    ssl_certificate_key \/etc\/ssl\/private\/fontaineind.test.key;\r\n    \r\n    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;\r\n\r\n    set $MAGE_ROOT \/home\/teddy\/Documents\/works\/fontaineind;\r\n    ....\r\n}<\/pre>\n
Reload the Nginx configuration changes<\/p>\n
sudo service nginx reload<\/pre>\n
Then don’t forget to change the secure url on the database. Just find it :<\/p>\n
SELECT * FROM `core_config_data` WHERE value like '%fontaineind.test%'<\/pre>\n
Change ‘http’ to ‘https’ for ‘web\/secure\/base_url’ and ‘web\/secure\/base_link_url’<\/p>\n
\"\"<\/a>NOTE: It’d be better to change to https also for ‘unsecure’ url
\nOpen up the Google Chrome to Verify that Nginx Loads the Site Over HTTP and HTTPS
\nSince I haven’t added the self-signed certificate to Chrome’s CA Root store, Chrome shows the site as insecure. Click proceed to fontaineind.test to verify that Nginx is correctly configured
\nopen: https:\/\/fontaineind.test\/\"\"<\/a>Step 4: Configure Chrome to Trust the Certificate and to Show the Site as Secure
\nAdd the certificate to the trusted CA root store but need to check if ‘certutil’ if exist. If not install it with sudo apt install libnss3-tools:<\/p>\n
teddy@teddy:~\/Documents\/self_signed_cert$ certutil\r\nbash: teddy@teddy:~\/Documents\/self_signed_cert$: No such file or directory\r\nteddy@teddy:~\/Documents\/self_signed_cert$ The program 'certutil' is currently not installed. You can install it by typing:\r\nNo command 'The' found, did you mean:\r\n Command 'the' from package 'the' (universe)\r\nThe: command not found\r\nteddy@teddy:~\/Documents\/self_signed_cert$ sudo apt install libnss3-tools\r\nReading package lists... Done\r\nBuilding dependency tree       \r\nReading state information... Done\r\nlibnss3-tools is already the newest version (2:3.28.4-0ubuntu0.16.04.3).\r\nThe following packages were automatically installed and are no longer required:\r\n  libtidy5 libzip4 linux-headers-4.15.0-29 linux-headers-4.15.0-29-generic\r\n  linux-headers-4.15.0-30 linux-headers-4.15.0-30-generic\r\n  linux-headers-4.15.0-32 linux-headers-4.15.0-32-generic\r\n  linux-headers-4.15.0-33 linux-headers-4.15.0-33-generic\r\n  linux-headers-4.15.0-34 linux-headers-4.15.0-34-generic\r\n  linux-image-4.15.0-29-generic linux-image-4.15.0-30-generic\r\n  linux-image-4.15.0-32-generic linux-image-4.15.0-33-generic\r\n  linux-image-4.15.0-34-generic linux-modules-4.15.0-29-generic\r\n  linux-modules-4.15.0-30-generic linux-modules-4.15.0-32-generic\r\n  linux-modules-4.15.0-33-generic linux-modules-4.15.0-34-generic\r\n  linux-modules-extra-4.15.0-29-generic linux-modules-extra-4.15.0-30-generic\r\n  linux-modules-extra-4.15.0-32-generic linux-modules-extra-4.15.0-33-generic\r\n  linux-modules-extra-4.15.0-34-generic qtdeclarative5-controls-plugin\r\n  qtdeclarative5-dialogs-plugin\r\nUse 'sudo apt autoremove' to remove them.\r\n0 upgraded, 0 newly installed, 0 to remove and 25 not upgraded.<\/pre>\n
Then run this on the terminal:<\/p>\n
teddy@teddy:~\/Documents\/self_signed_cert$ certutil -d sql:$HOME\/.pki\/nssdb -A -t \"P,,\" -n \"fontaineind.test\" -i fontaineind.test.crt<\/pre>\n
Close all the Google Chrome windows and reopen. Chrome is now showing the site as secure.\"\"<\/a>Now I want to redirect all connection from http to https.
\nMake sure you changed the ‘unsecure’ url on the database to use https instead. Then modify the nginx setting for fontaineind.test<\/p>\n
teddy@teddy:~\/Documents\/self_signed_cert$ sudo gedit \/etc\/nginx\/sites-available\/fontaineind.test<\/pre>\n
Then change like this:<\/p>\n
server {\r\n    listen 8080;\r\n    server_name fontaineind.test;\r\n    return 301 https:\/\/$server_name$request_uri;\r\n}\r\n\r\nserver {\r\n    \r\n    listen 443 ssl http2;\r\n    listen [::]:443 ssl http2;\r\n    #server_name fontaineind.test;\r\n\r\n    ssl_certificate \/etc\/ssl\/certs\/fontaineind.test.crt;\r\n    ssl_certificate_key \/etc\/ssl\/private\/fontaineind.test.key;\r\n    \r\n    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;\r\n\r\n    set $MAGE_ROOT \/home\/teddy\/Documents\/works\/fontaineind;\r\n    ...\r\n}<\/pre>\n
Reload the nginx server. But if you check the nginx config setting, it’d show error like this:<\/p>\n
teddy@teddy:~\/Documents\/self_signed_cert$ nginx -t\r\nnginx: [alert] could not open error log file: open() \"\/var\/log\/nginx\/error.log\" failed (13: Permission denied)\r\n2019\/02\/09 22:33:47 [warn] 25899#25899: the \"user\" directive makes sense only if the master process runs with super-user privileges, ignored in \/etc\/nginx\/nginx.conf:1\r\n2019\/02\/09 22:33:47 [emerg] 25899#25899: SSL_CTX_use_PrivateKey_file(\"\/etc\/ssl\/private\/fontaineind.test.key\") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('\/etc\/ssl\/private\/fontaineind.test.key','r') error:20074002:BIO routines:FILE_CTRL:system lib error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib)\r\nnginx: configuration file \/etc\/nginx\/nginx.conf test failed<\/pre>\n
It shows error about the certificate. Probably because it’s a self-signed certificate. Anyway we can ignore it on the development stage. If you open http:\/\/fontaineind.test:8080, it’d be redirected to https:\/\/fontaineind.test
\nSo all good.<\/p>\n","protected":false},"excerpt":{"rendered":"
Ref: https:\/\/www.humankode.com\/ssl\/create-a-selfsigned-certificate-for-nginx-in-5-minutes https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04 In this tutorial, I’m going to show you how you can create a self-signed SSL\/TLS certificate and use it on Nginx in 5 minutes or less. I’m using Ubuntu for this tutorial, but if you’re on Mac OSX you can follow along as the syntax and commands are nearly identical. Why Create … Continue reading “Create Self-Signed Certificate With Nginx On Ubuntu 16.04”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,17,78],"tags":[],"class_list":["post-3564","post","type-post","status-publish","format-standard","hentry","category-tutorial","category-ubuntu","category-ubuntu-16-04"],"_links":{"self":[{"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/posts\/3564","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/comments?post=3564"}],"version-history":[{"count":8,"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/posts\/3564\/revisions"}],"predecessor-version":[{"id":3654,"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/posts\/3564\/revisions\/3654"}],"wp:attachment":[{"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/media?parent=3564"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/categories?post=3564"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/tags?post=3564"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}