Need help configuring Nginx SSL certificate

Hello, I'm new to Linode and I just set up a Gitea Linode from the marketplace.
I have trouble getting my SSL certificate to work. The default web server for Gitea Linodes is Nginx, which I've never worked with before. I'm following these instructions:
https://www.linode.com/docs/guides/getting-started-with-nginx-part-3-enable-tls-for-https/
I don't understand from this if I need:
1) both /etc/nginx/nginx.conf and a separate config file at /etc/nginx/conf.d/example.com.conf, or just one of these (which one)?

2) Need both the server block and the http block or just one of them (which one)?

I have an SSL cert valid for just the subdomain of my Gitea: gitea.example.org, so this config is for a single site.

Right now I have:

/etc/nginx/nginx.conf:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;
        ssl_certificate     /root/certs/example.com/sd.my-site.com.crt;
        ssl_certificate_key /root/certs/sd.my-site.com/sd.my-site.key;
        ssl_ciphers         EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

/etc/nginx/conf.d/sd.my-site.com:

server {
    listen              443 ssl default_server;
    listen              [::]:443 ssl default_server;
    server_name         sd.my-site.com;
    root                /var/www/sd.my-site.com;
}

The SSL directives in /etc/nginx/nginx.conf are wrong in any case, because the SSL cert is not in that location.

root@my-gitea-ip-address:~# ls /root/certs
#returns an empty line

I created the SSL certificate first though, but can't remember exactly the process I followed, so now I don't know how to align the Nginx config with the existing SSL config.

It's possible I stored the certificate in '/root':

ls /root/
certs  gitea  http  ssinclude-1  ssinclude-401712  ssinclude-632759  ssinclude-666912  StackScript

where the gitea file might be it. How can I tell if that's my certificate file? When I 'cat' it, it returns a jumble of weird characters:

                                                          $H�L$AH�LH�D$f��[�T��|$▒�MHDŽ$�W��$�H�D$`D$hH��$�H�$H�L$HH�LH�T$XH�T$H�\$PH�\$▒H��$�H�t$

If you think the Nginx SSL configuration should otherwise be correct, a first step could be to trace back/diagnose my system-wide SSL config. Do you have any pointers how to do that?

5 Replies

I don't use nginx and know little about it… However, you presented the following:

ssl_certificate     /root/certs/example.com/sd.my-site.com.crt;
ssl_certificate_key /root/certs/sd.my-site.com/sd.my-site.key;

Are the cert and the key really in two different places with two different names? Shouldn't this be:

ssl_certificate     /root/certs/sd.my-site.com/sd.my-site.crt;
ssl_certificate_key /root/certs/sd.my-site.com/sd.my-site.key;

It's possible I stored the certificate in '/root'

According to the above, nginx is looking for your cert/key in /root/certs/sd.my-site.com. That's where they need to be.

If this is a self-signed cert, some browsers are going to puke on it; e.g. iOS Safari…which won't accept it at all. Better to use a Let's Encrypt cert…free, universally accepted, easy to acquire/maintain and good for 90 days if you don't renew it. See:

https://certbot.eff.org/instructions

How can I tell if that's my certificate file? When I 'cat' it, it returns a jumble of weird characters

That's not a cert file. Cert files look like this:

-----BEGIN CERTIFICATE-----
MIIDzzCCAregAwIBAgIUa4tiVamHfc+1G9ZxIp0X05p0lfwwDQYJKoZIhvcNAQEL
BQAwdzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk9SMREwDwYDVQQHDAhQb3J0bGFu
ZDEMMAoGA1UECgwDRm9vMQwwCgYDVQQLDANCYXIxEDAOBgNVBAMMB2Zvby5jb20x
<stuff redacted for brevity and security>
-----END CERTIFICATE-----

and key files look like this:

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDD9aKRGtPwlTmL
g63+Iu8zMNqPuhljak7Q6ddm14q7Fi/ptupF/HD9OJq8Y3tZz0edv9U3l1smKc6y
FLpygjLQZls6PyC6fSTxclw42T6gW9yRuZbb/u114nMw+8nJNnPPCXYNkzHvPZAz
<stuff redacted for brevity and security>
-----END PRIVATE KEY-----

-- sw

Thank you!
I'm not sure if I should go ahead and request a new certificate.
1) There already is an SSL cert for my domain, provided by my webhoster. Can I also use it for this subdomain that Gitea is running on? If yes, is it a good idea?
2) I believe I already requested a Let's Encrypt cert for this subdomain a couple months ago, and I thought it should be stored somewhere on this Linode, but can't find it.
If I already have one, what happens to it if I go through the process again?
Is there a way to make sure if I've done this already or not?

EDIT: I went through the Linode instructions for getting an LE cert:
https://www.linode.com/docs/guides/enabling-https-using-certbot-with-nginx-on-debian/
A) I found that I have certbot already installed
B) The instructions also contain the path where Certbot saves its files:

root@sd.my-site.com:/etc/letsencrypt/live/sd.my-site.com# ls
cert.pem  chain.pem  fullchain.pem  privkey.pem  README

root@sd.my-site.com:/etc/letsencrypt/live/sd.my-site.com# cat README 
This directory contains your keys and certificates.

`privkey.pem`  : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem`     : will break many server configurations, and should not be used
                 without reading further documentation (see link below).

WARNING: DO NOT MOVE OR RENAME THESE FILES!
         Certbot expects these files to remain in this location in order
         to function properly!

We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

That begs the question: If I'm not supposed to move the certificate, I should probably point /etc/nginx/nginx.conf to this directory instead of /root/certs/sd.my-site.com, right?
That would mean in /etc/nginx/nginx.conf:

ssl_certificate     /etc/letsencrypt/live/fullchain.pem/;
ssl_certificate_key /etc/letsencrypt/live/privkey.pem;

Would this work?

I should probably point /etc/nginx/nginx.conf to this directory instead of /root/certs/sd.my-site.com, right?

Yes.

That would mean in /etc/nginx/nginx.conf:

ssl_certificate     /etc/letsencrypt/live/fullchain.pem/;
ssl_certificate_key /etc/letsencrypt/live/privkey.pem;

Would this work?

I dunno…I said I don't use nginx at the very beginning…

Some observations:

  • You probably need to make the path /etc/letsencrypt/live/sd.my-site.com.

  • Drop the / at the end of fullchain.pem… fullchain.pem is a file, not a directory.

In apache, I have:

Include /etc/letsencrypt/options-ssl-apache.conf

SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem 
SSLCACertificateFile /etc/letsencrypt/live/example.com/chain.pem

  • Is there an nginx equivalent to /etc/letsencrypt/options-ssl-apache.conf? /etc/letsencrypt/options-ssl-nginx.conf?

  • Is there an nginx equivalent to SSLCACertificateFile? The README file makes explicit reference to nginx >=1.3.7 when describing chain.pem.

-- sw

A) I found that I have certbot already installed

I finally remembered that I followed this video tutorial to set up the SSL cert: https://www.youtube.com/watch?v=WPPBO-QpiJ0
it was suggested by Linode support - so that's how my SSL is configured

  • You probably need to make the path /etc/letsencrypt/live/sd.my-site.com.
  • Drop the / at the end of fullchain.pem… fullchain.pem is a file not a directory.

Both correct, my bad. Nginx told me immediately when I tried to reload it with nginx -s reload

  • Is there an nginx equivalent to /etc/letsencrypt/options-ssl-apache.conf? /etc/letsencrypt/options-ssl-nginx.conf?

Yes:

root@172-105-92-146:~# cat /etc/letsencrypt/options-ssl-nginx.conf 
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

  • Is there an nginx equivalent to SSLCACertificateFile? The README file makes explicit reference to nginx >=1.3.7 when describing chain.pem.

I don't know; I would venture that fullchain.pem is that equivalent. It says that chain.pem is needed for OCSP stapling, which I don't know what it is, and I hope I don't need it -_-

Certbot documentation at https://eff-certbot.readthedocs.io/en/stable/using.html#where-are-my-certificates says this about it:

fullchain.pem
All certificates, including server certificate (aka leaf certificate or end-entity certificate). The server certificate is the first one in this file, followed by any intermediates.
This is what Apache >= 2.4.8 needs for SSLCertificateFile, and **what Nginx needs for ssl_certificate**.

cert.pem and chain.pem (less common)
cert.pem contains the server certificate by itself, and chain.pem contains the additional intermediate certificate or certificates that web browsers will need in order to validate the server certificate. If you provide one of these files to your web server, you must provide both of them, or some browsers will show “This Connection is Untrusted” errors for your site, some of the time.
Apache < 2.4.8 needs these for SSLCertificateFile and SSLCertificateChainFile, respectively.

If you’re using OCSP stapling with Nginx >= 1.3.7, chain.pem should be provided as the ssl_trusted_certificate to validate OCSP responses.

I think the current SSL config might actually be okay, except for one detail: the https://sd.my-site.com is currently 404 (with a valid SSL cert).

/etc/nginx/conf.d/sd.my-site.com.conf:

server {
    listen              443 ssl default_server;
    listen              [::]:443 ssl default_server;
    server_name         sd.my-site.com;
    root                /var/www/sd.my-site.com;
}

I suspect the 404 is because I'm pointing to the wrong web root here

root@sd.my-site.com:~# ls /var/www
html
root@sd.my-site.com:~# ls /var/www/html/
index.nginx-debian.html

but for the life of me can't find the correct one. In Gitea docs it says $custom everywhere…
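An added example, not from this thread or from Gitea or Linode documentation, of a single-site /etc/nginx/conf.d/sd.my-site.com.conf that pulls the pieces together: the certificate directives belong in this server block (the ssl_certificate lines in the http block of nginx.conf point at a /root/certs path that does not exist and should be removed), the Let's Encrypt files are used where certbot left them, chain.pem is the nginx counterpart of Apache's SSLCACertificateFile for OCSP stapling, and the 404 disappears because Gitea is proxied rather than served from a document root. It assumes Gitea's built-in HTTP server listens on 127.0.0.1:3000 (Gitea's default) and that certbot installed /etc/letsencrypt/options-ssl-nginx.conf.

```nginx
# /etc/nginx/conf.d/sd.my-site.com.conf  (added example, not from the thread)
# Assumptions: Gitea's HTTP listener is on 127.0.0.1:3000 (its default), and
# certbot has installed /etc/letsencrypt/options-ssl-nginx.conf.

# Plain HTTP only redirects to HTTPS; nothing is served here.
server {
    listen      80;
    listen      [::]:80;
    server_name sd.my-site.com;
    return 301 https://$host$request_uri;
}

server {
    listen      443 ssl;
    listen      [::]:443 ssl;
    server_name sd.my-site.com;

    # Certificate and key stay where certbot put them (its README says not to move them).
    # fullchain.pem = leaf certificate followed by the intermediates, which is what
    # ssl_certificate needs; cert.pem alone leaves browsers without the chain.
    ssl_certificate     /etc/letsencrypt/live/sd.my-site.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sd.my-site.com/privkey.pem;

    # Certbot's file sets ssl_protocols, ssl_ciphers and session settings.
    # Do not repeat those directives in this block: nginx refuses to start
    # when the same directive appears twice in one context ("directive is duplicate").
    include /etc/letsencrypt/options-ssl-nginx.conf;

    # OCSP stapling: chain.pem plays the role of Apache's SSLCACertificateFile,
    # nginx uses it to validate the stapled OCSP response. nginx also needs a
    # working 'resolver' directive to reach the OCSP responder by name.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/sd.my-site.com/chain.pem;

    # Gitea is an application, not a directory of files: a 'root' directive makes
    # nginx look for files under /var/www/... and answer 404 for everything else.
    # Hand every request to Gitea's own HTTP listener instead.
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Large git pushes exceed nginx's 1m default request-body limit.
    client_max_body_size 512m;
}
```

Run nginx -t after saving so path or duplicate-directive errors are reported before nginx -s reload, and then check the certificate in a browser or with openssl s_client -connect sd.my-site.com:443 -servername sd.my-site.com.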
