How to Fabricate Self-Signed SSL Certificate for Nginx on Ubuntu 18.04

## Table of Contents
- [Introduction](#introduction)
- [Prerequisites](#prerequisites)
- [Creating the SSL Certificate](#creating-the-ssl-certificate)
- [Configuring Nginx to Use SSL](#configuring-nginx-to-use-ssl)
- [Arranging Snippet Pointing to the SSL Key and Certificate](#arranging-snippet-pointing-to-the-ssl-key-and-certificate)
- [Arranging Snippet With Strong Encryption Settings](#arranging-snippet-with-strong-encryption-settings)
- [Arrange the Nginx Configuration to Run SSL](#arrange-the-nginx-configuration-to-run-ssl)
- [Arranging the Firewall](#arranging-the-firewall)
- [Enable the Changes in Nginx](#enable-the-changes-in-nginx)
- [Testing SSL Certification Secure / Unsecured](#testing-ssl-certification-secure-unsecured)
- [Conclusion](#conclusion)

## Introduction

SSL (Secure Sockets Layer), since succeeded by TLS (Transport Layer Security), is a standard security technology for establishing an encrypted link between a web server and a browser. To set up the connection, the browser asks the server to identify itself, and the server sends its SSL certificate, which includes the server's public key. Once the secure connection is established, the transmitted data is encrypted with a session key.

This guide shows how to create a self-signed SSL certificate for Nginx on an Ubuntu 18.04 server.

## Prerequisites

You should have access to an Ubuntu 18.04 server and have created a non-root user account with sudo privileges by following our guide, [Initial server setup with Ubuntu 18.04](https://systemongrid.com/support/guides/how-to-do-initial-server-setup-with-ubuntu-18.04).

You should have installed Nginx by following our guide, [install Nginx web server on Ubuntu 18.04](https://systemongrid.com/support/guides/how-to-install-nginx-on-ubuntu-18.04).

## Creating the SSL Certificate

SSL works with a combination of a public certificate and a private key on the server. The SSL key is kept secret on the server and is used to encrypt the data sent to clients. The SSL certificate is shared freely with anyone requesting the content, and it can be used to decrypt data signed by the associated SSL key.

Before changing the Nginx configuration, generate a self-signed key and certificate pair with OpenSSL in a single command:

```
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
```

The command asks a series of questions about your server so that the information can be placed correctly in the certificate.

Output

![nginxquestions](https://grid.media/assets/images/questions-to-build-certificate-02132019.png)

Both files you created will be placed in subdirectories of the /etc/ssl directory.

While we are using OpenSSL, we should also create a strong Diffie-Hellman group, which is used in negotiating perfect forward secrecy with clients.

```
$ sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096
```

This command takes some time to run. When it finishes, you will have a strong DH group at /etc/nginx/dhparam.pem.
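The following check is an added example, not part of the original guide: it runs the same `openssl req` command unattended and then confirms that the certificate carries the key's public half and is not about to expire. The function names `make_selfsigned` and `check_pair`, the `-subj` value and the `server.example` name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names and the
# server.example common name are assumptions made for illustration.

# make_selfsigned DIR CN: same openssl invocation as above, but -subj answers
# the certificate questions up front so the command can run unattended.
make_selfsigned() {
    dir=$1 cn=$2
    (
        umask 077    # the private key must not be group- or world-readable
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/CN=$cn" \
            -keyout "$dir/nginx-selfsigned.key" \
            -out "$dir/nginx-selfsigned.crt" 2>/dev/null &&
            chmod 644 "$dir/nginx-selfsigned.crt"    # the certificate is public
    )
}

# check_pair KEY CRT: succeeds only if the certificate contains the public half
# of KEY and will still be valid 30 days from now.
check_pair() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ] || return 1
    openssl x509 -in "$2" -noout -checkend $((30 * 24 * 3600)) >/dev/null
}

# Demo in a throwaway directory so nothing under /etc/ssl is touched.
demo_dir=$(mktemp -d)
if make_selfsigned "$demo_dir" server.example &&
    check_pair "$demo_dir/nginx-selfsigned.key" "$demo_dir/nginx-selfsigned.crt"
then
    echo "key and certificate match; certificate valid for at least 30 days"
fi
rm -rf "$demo_dir"
```

Running `check_pair` against the files under /etc/ssl before restarting Nginx catches a key and certificate that were generated in separate runs and no longer belong together.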

## Configuring Nginx to Use SSL

We have now created our key and certificate files under the /etc/ssl directory. Next, we make a few adjustments to the Nginx configuration:

- Create a configuration snippet containing our key and certificate file locations.
- Create a configuration snippet containing strong SSL settings that can be used with any certificates in the future.
- Adjust our Nginx server blocks to handle SSL requests and use the two snippets.

Configuring Nginx this way keeps the server blocks clean and puts common configuration segments into reusable snippets.

## Arranging Snippet Pointing to the SSL Key and Certificate

Let's create a new Nginx configuration snippet in the /etc/nginx/snippets directory.
To make the file's purpose clear, let's call it self-signed.conf:

```
$ sudo nano /etc/nginx/snippets/self-signed.conf
```

In this file, set the following two lines, which point to the SSL certificate and its key.

![nginxsslkeylines](https://grid.media/assets/images/ssl-certificate-and-ssl-certificate-key-lines-02132019.png)

After adding those lines, save and close the file.

## Arranging Snippet With Strong Encryption Settings

Next, we create another snippet that defines some SSL settings. It sets Nginx up with a strong SSL cipher suite and enables some advanced features that help keep our server secure.

```
$ sudo nano /etc/nginx/snippets/ssl-params.conf
```

For our purposes, we can use the provided settings in full, with a few small modifications:

- First, add your preferred DNS resolver for upstream requests. You can search Google for one.
- Second, the line that sets the Strict-Transport-Security header is commented out. Before uncommenting it, read up on HTTP Strict Transport Security (HSTS).

Insert the lines below into your ssl-params.conf snippet file:

![nginxsslparamsfile](https://grid.media/assets/images/ssl-params-configuration-file-02132019.png)

Finally, save and close the file.
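As an alternative to typing the two snippets into an editor, the script below writes them from the shell. It is an added example, not the original guide's file contents: the function name `write_ssl_snippets`, the cipher list, the header choices and the placeholder resolver address 192.0.2.53 are assumptions, while the certificate, key and dhparam paths are the ones used earlier on this page.

```shell
#!/bin/sh
# Added example (not the guide's original snippet contents). Directive values
# are this example's choices; file paths are the ones used on this page.

# write_ssl_snippets [NGINX_DIR]: NGINX_DIR defaults to /etc/nginx. Pass a
# staging directory to review the files before installing them as root.
write_ssl_snippets() {
    conf=${1:-/etc/nginx}
    mkdir -p "$conf/snippets" || return 1

    cat > "$conf/snippets/self-signed.conf" <<'EOF'
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
EOF

    cat > "$conf/snippets/ssl-params.conf" <<'EOF'
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# DH group generated earlier with "openssl dhparam"; used by the DHE suite.
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
# DNS resolver for upstream requests; 192.0.2.53 is a placeholder address.
resolver 192.0.2.53 valid=300s;
resolver_timeout 5s;
# HSTS stays commented out until you have read up on what it commits you to.
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
EOF
}

# Only writes files when a target directory is given on the command line.
if [ $# -gt 0 ]; then
    write_ssl_snippets "$1"
fi
```

OCSP stapling directives are left out on purpose: a self-signed certificate has no issuing CA to staple a response from.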

## Arrange the Nginx Configuration to Run SSL

Now that we have our snippets, we can adjust the Nginx configuration to enable SSL.

This guide assumes you are using a custom server block configuration file in the /etc/nginx/sites-available directory. We will use /etc/nginx/sites-available/example.com. Before making changes, back up the current configuration file:

```
$ sudo cp /etc/nginx/sites-available/example.com /etc/nginx/sites-available/example.com.bak
```

Now open the configuration file to make changes:

```
$ sudo nano /etc/nginx/sites-available/example.com
```

![nginxconfigurationfile](https://grid.media/assets/images/nginx-configuration-file-02132019.png)

Note: Your file may be in a different order, and instead of the root and index directives you may have location, proxy_pass, or other statements. That is fine. We only need to modify the listen directives to use port 443.

![nginxsslrootandindex](https://grid.media/assets/images/nginx-configuration-file-root-and-index-02132019.png)

Insert a second server block into the configuration file, after the closing bracket of the first block.

![nginxsslserverblock](https://grid.media/assets/images/nginx-second-server-block-02132019.png)

This second block listens on port 80 and performs the redirect to HTTPS. When you have finished editing, save the file.
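The two server blocks described above can also be generated from the shell, as in this added example (not the guide's original file). The function name `write_site`, the document root `/var/www/DOMAIN/html` and the choice of a 302 redirect are assumptions; the include paths are the snippet files created in the previous sections.

```shell
#!/bin/sh
# Added example (not the guide's original server block). The document root
# and redirect status are assumptions made for illustration.

# write_site DOMAIN [NGINX_DIR]: writes sites-available/DOMAIN with an HTTPS
# server block and a port-80 block that only redirects to HTTPS.
write_site() {
    domain=$1 conf=${2:-/etc/nginx}
    # DOMAIN is expanded into the config, so accept hostname characters only.
    case $domain in
        '' | *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    mkdir -p "$conf/sites-available" || return 1

    cat > "$conf/sites-available/$domain" <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    server_name $domain www.$domain;

    root /var/www/$domain/html;
    index index.html index.htm;
}

# Second server block: plain HTTP is answered with a redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;

    server_name $domain www.$domain;

    # 302 while testing; change to 301 once the HTTPS site is confirmed.
    return 302 https://\$server_name\$request_uri;
}
EOF
}

# Only writes a file when a domain is given on the command line.
if [ $# -gt 0 ]; then
    write_site "$@"
fi
```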

## Arranging the Firewall

If you have the ufw firewall enabled, you need to adjust its settings to allow SSL traffic.

List the available application profiles in a terminal:

```
$ sudo ufw app list
```

Output

![nginxsslufwstatus](https://grid.media/assets/images/ssl-certificate-nginx-ufw-app-list-02132019.png)

Check the current setting by typing:

```
$ sudo ufw status
```

The output shows that only HTTP traffic is allowed to the web server.

To additionally allow HTTPS traffic, allow the "Nginx Full" profile and then delete the previous "Nginx HTTP" profile allowance:

```
$ sudo ufw allow 'Nginx Full'
$ sudo ufw delete allow 'Nginx HTTP'
```

Then check the status again:

```
$ sudo ufw status
```

Output

![sslnginxufwstatus](https://grid.media/assets/images/ssl-certificate-nginx-ufw-status-02132019.png)

## Enable the Changes in Nginx

Now that we have made our changes and adjusted the firewall, we can restart Nginx to apply the new settings. First, check that there are no syntax errors in our files by typing:

```
$ sudo nginx -t
```

Output

![nginxsslchanges](https://grid.media/assets/images/changes-in-nginx-02132019.png)

If your output matches the above, the configuration files have no syntax errors. We can now restart Nginx to apply our changes:

```
$ sudo systemctl restart nginx
```

## Testing SSL Certification Secure / Unsecured

Now it's time to test the SSL server.

Enter https:// followed by your server's domain name or IP address in the web browser:

https://server_domain_or_IP

![testsslsecurity](https://grid.media/assets/images/test-ssl-certificate-security-02132019.png)

Because the certificate is self-signed rather than signed by one of the browser's trusted certificate authorities, the browser will display a warning. This is expected, and the connection is still encrypted.

## Conclusion

You have now configured your Nginx server to use strong encryption for client connections.