Configuring HTTPS with OpenSSL self-built CA + nginx

Source: Internet
Author: User
Tags: openssl, x509, nginx, server

Environment: Ubuntu 16.04 (ECS), OpenSSL 1.0.2g 1 Mar 2016, nginx 1.10.3 (Ubuntu)

Browsers: Chrome 67, Firefox 61, Edge 40, IE 11

Preface

I had never built an HTTPS website before and thought it was something advanced and difficult. I had read many blogs and articles, and ten years ago at university I had even used OpenSSL to create a certificate, but I had forgotten it all since.

A former colleague said that setting up an HTTPS website was easy; I did not believe it at the time and we had some argument about it, for which I apologize.

Because the site I was building offers registration and login, there were security considerations. I spent the first two days researching front-end encryption, Base64 encoding and similar schemes (crypto-js), but they could not properly protect user data.

In the end I decided to upgrade the site to HTTPS. This document records the key steps of the test process, in two parts:

1. Build your own CA and sign the server certificate

2. Configuring the Nginx Server

Self-built CA and signed server certificate

This step closely follows the guide "Self-built CA and signed server certificate to implement HTTPS" by Andy____li, changing only some file names and configuration parameters.

Note: before performing this procedure, make sure OpenSSL is installed on the Linux system.

This is divided into the following small steps (commands copied from the reference link):

1. Self-built CA

Generate the CA private key
openssl genrsa -out icatchtek.key 2048

Execution result: the key is created, but OpenSSL may also warn unable to write 'random state'. Why? This needs digging; the warning only means OpenSSL could not update its random seed file ($HOME/.rnd by default, typically because the file is owned by root after an earlier sudo run), and the key is still written:

Generating RSA private key, 2048 bit long modulus
................+++
...........................................................................................+++
unable to write 'random state'
e is 65537 (0x10001)

Generate the CA certificate request
openssl req -new -key icatchtek.key -out icatchtek.csr
PS: a certificate request is signed, so the private key is needed to sign it.

After entering this command you need to fill in the subject information you are prompted for.

Generate the CA root certificate
openssl x509 -req -in icatchtek.csr -extensions v3_ca -signkey icatchtek.key -out icatchtek.crt
PS: a certificate is a self-signed or CA-signed credential used for authentication. Note that openssl x509 only reads extension sections when -extfile is also given, so as written the v3_ca extensions (such as basicConstraints CA:TRUE) are not added to this root.

Execution result:

Signature ok
subject=/C=CN/ST=Guangdong/L=Shenzhen/OU=.../CN=.../emailAddress=[email protected]
Getting Private key
unable to write 'random state'

2. Self-built server-side certificate

Generate the server private key
openssl genrsa -out smarthome_server.key 2048

The result is the same as above.

Generate the server certificate request
openssl req -new -key smarthome_server.key -out smarthome_server.csr

Again, you need to enter the subject information.

Generate the server certificate. The file names in the command below are the files created above; do not mix them up.
Generating the server certificate also needs a configuration file; see the openssl.cnf excerpt below (vi openssl.cnf).
openssl x509 -days 365 -req -in smarthome_server.csr -extensions v3_req -CAkey icatchtek.key -CA icatchtek.crt -CAcreateserial -out smarthome_server.crt -extfile openssl.cnf

For the server certificate step I copied the content from the reference link and modified it. I am not familiar with how this file should be written and need to read more, for example "OpenSSL master configuration file openssl.cnf" in the reference links.

Here is my own openssl.cnf with private information removed (in the reference link the sections after [req] are indented, and I don't know why). Only fragments of the file are legible on the page:

[ req ] defaults (fragment): stateOrProvinceName_default = Guangdong, localityName_default = shenzhen, organizationalUnitName, organizationalUnitName_default, commonName_max
subjectAltName entries (fragment): @alt_names with xxx.xxx.xxx.xxx and www.example.com

Note that each of the above steps creates its file in the current directory where the command is run. The following were created during my test:

$ ls
ben_server.crt  ben_server.key  icatchtek.csr  icatchtek.srl
ben_server.csr  icatchtek.crt   icatchtek.key  openssl.cnf
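As an added example (not the commands from this page or from the reference link), the script below runs the same three stages non-interactively: CA key and self-signed root, server key and request, CA-signed server certificate. It writes a minimal openssl.cnf inline, and then checks the result the way a practitioner would before loading it into nginx: that the server certificate chains to the CA, that the root really carries CA:TRUE, and that the server certificate has a subjectAltName (Chrome 58 and later ignore the CN and match the hostname only against the SAN). Because -extensions has no effect without -extfile, the root is built with -extfile as well. The directory, file names, subject fields and hostnames (www.example.com, example.com, 127.0.0.1) are placeholders.

```shell
#!/bin/sh
# Added example, not the page's commands: build a test CA, issue a server
# certificate with a SAN, and verify what came out before handing it to nginx.
# Every path, subject field and hostname below is a placeholder.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
# OpenSSL 1.0.x saves its seed in $HOME/.rnd, or in $RANDFILE when set; pointing
# it at a writable file avoids the "unable to write 'random state'" warning.
export RANDFILE="$PKI_DIR/.rnd"
CNF="$PKI_DIR/openssl.cnf"

write_config() {
  # Minimal config: req needs a DN section even when -subj is used; v3_ca and
  # v3_req are the sections selected by x509 -extfile/-extensions below.
  cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName_default         = CN
stateOrProvinceName_default = Guangdong
localityName_default        = Shenzhen

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = www.example.com
DNS.2 = example.com
IP.1  = 127.0.0.1
EOF
}

build_ca() {
  openssl genrsa -out "$PKI_DIR/ca.key" 2048 2>/dev/null
  openssl req -new -config "$CNF" -key "$PKI_DIR/ca.key" \
    -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Example Lab/CN=Example Test CA" \
    -out "$PKI_DIR/ca.csr"
  # Without -extfile the -extensions flag is ignored and the root would carry
  # no basicConstraints at all.
  openssl x509 -req -days 3650 -sha256 -in "$PKI_DIR/ca.csr" \
    -signkey "$PKI_DIR/ca.key" -extfile "$CNF" -extensions v3_ca \
    -out "$PKI_DIR/ca.crt" 2>/dev/null
}

issue_server_cert() {
  openssl genrsa -out "$PKI_DIR/server.key" 2048 2>/dev/null
  openssl req -new -config "$CNF" -key "$PKI_DIR/server.key" \
    -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Example Lab/CN=www.example.com" \
    -out "$PKI_DIR/server.csr"
  openssl x509 -req -days 365 -sha256 -in "$PKI_DIR/server.csr" \
    -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
    -extfile "$CNF" -extensions v3_req -out "$PKI_DIR/server.crt" 2>/dev/null
}

# Succeeds only if server.crt chains to ca.crt, which is the first thing a
# browser with the root imported will check.
verify_chain() {
  openssl verify -CAfile "$PKI_DIR/ca.crt" "$PKI_DIR/server.crt" | grep -q ': OK'
}

# Prints CA:TRUE when the root is marked as a CA.
ca_basic_constraints() {
  openssl x509 -in "$PKI_DIR/ca.crt" -noout -text | grep -o 'CA:TRUE'
}

# Prints the SAN value line, e.g. "DNS:www.example.com, DNS:example.com, IP Address:127.0.0.1".
server_san() {
  openssl x509 -in "$PKI_DIR/server.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

main() {
  write_config
  build_ca
  issue_server_cert
  if verify_chain; then echo "chain: OK"; else echo "chain: FAILED"; fi
  echo "root:  $(ca_basic_constraints)"
  echo "SAN:   $(server_san)"
  echo "files in $PKI_DIR"
}

main
```

The two inspection commands at the end (openssl verify and openssl x509 -noout -text) are also what to run against the certificates produced by the steps above: if the text output shows no Subject Alternative Name, a current Chrome will reject the certificate even after the root has been imported.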

Configuring the nginx server

As the reference link says, add the following statements after the listen directives in the server block:

ssl on;
ssl_certificate     /home/ubuntu/webvideo/nginx/conf/smarthome_server.crt;
ssl_certificate_key /home/ubuntu/webvideo/nginx/conf/smarthome_server.key;

Note that the paths to the .crt and .key files need to be changed; I placed them in /etc/nginx/conf.d/ca.

As an nginx novice, my nginx configuration file has only one server block, on port 80. Isn't the default port for an HTTPS website 443?

nginx configuration file before modification:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    # ... remainder of the server block omitted
}

Modified configuration file:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl on;
    ssl_certificate     /etc/nginx/conf.d/ca/smarthome_server.crt;
    ssl_certificate_key /etc/nginx/conf.d/ca/smarthome_server.key;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332

    # ... remainder of the server block omitted
}

Accessing the HTTP and HTTPS pages: HTTP access failed, but HTTPS access succeeded. The reason is that "ssl on;" applies to every listen directive in the server block, so the port-80 listener also expects a TLS handshake and plain HTTP requests are rejected. A single server block can serve both ports if the ssl parameter is given only on the 443 listen, but the usual approach is to use nginx's rewrite (or return) to redirect each HTTP request to the corresponding HTTPS URL.

Finally, two server blocks were set up: one listening on port 80 and one on port 443; HTTP links to the former are rewritten to the latter. The configuration file is as follows:

There is no default_server after port 80; I don't know why it is configured this way. When there was only one server block its server_name was _; now that there are two, how should this be configured? Can they be the same?

server {
    listen 80;
    listen [::]:80;
    rewrite ^(.*)$ https://$host$1 permanent;
}

server {
    # SSL configuration
    #
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl on;
    ssl_certificate     /etc/nginx/conf.d/ca/ben_server.crt;
    ssl_certificate_key /etc/nginx/conf.d/ca/ben_server.key;

    # ... remainder of the server block omitted
}

After the above configuration the site can be reached over both HTTP and HTTPS, but HTTP is redirected to HTTPS, so the page you finally see is the HTTPS one.
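To make the port-80 failure concrete, here is an added example (not the configuration from this page or from the reference link) that puts the single-block layout beside a two-block layout, with placeholder paths and a placeholder document root, and adds a small awk lint that reports any server block mixing "ssl on;" with a listen directive that lacks the ssl parameter. The fixed layout uses return 301 instead of rewrite, enables TLS through the ssl parameter on listen (nginx deprecated "ssl on;" in 1.15.0), restricts protocols to TLS 1.2 and sends an HSTS header; these are hardening choices added here, not settings from the page.

```shell
#!/bin/sh
# Added example, not the page's configuration: the one-block layout that breaks
# plain HTTP, a two-block layout that works, and a lint for the mistake.
# Paths, hostnames and the document root are placeholders.
set -eu

# "ssl on;" applies to every listen in the server block, so the port-80
# listener also expects a TLS handshake and plain HTTP requests fail.
BROKEN_CONF='
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl on;
    ssl_certificate     /etc/nginx/conf.d/ca/server.crt;
    ssl_certificate_key /etc/nginx/conf.d/ca/server.key;
}
'

# Port 80 only redirects; TLS settings live in their own block, enabled by the
# "ssl" parameter on listen rather than the deprecated "ssl on;".
FIXED_CONF='
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/conf.d/ca/server.crt;
    ssl_certificate_key /etc/nginx/conf.d/ca/server.key;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        root /var/www/html;
        index index.html;
    }
}
'

# Reads an nginx config on stdin. Tracks brace depth so nested location blocks
# do not end a server block early; prints each server block that combines
# "ssl on;" with a listen lacking the ssl parameter and exits 1 if any exist.
lint_ssl_on() {
  awk '
    !in_server && /^[ \t]*server[ \t]*\{/ {
      in_server = 1; depth = 0; plain = 0; sslon = 0; start = NR
    }
    in_server {
      if ($0 ~ /^[ \t]*listen[ \t]/ && $0 !~ /[ \t]ssl([ \t]|;)/) plain = 1
      if ($0 ~ /^[ \t]*ssl[ \t]+on[ \t]*;/) sslon = 1
      depth += gsub(/\{/, "{")
      depth -= gsub(/\}/, "}")
      if (depth == 0) {
        if (plain && sslon) {
          printf "server block starting at line %d: ssl on; with a plain listen\n", start
          bad = 1
        }
        in_server = 0
      }
    }
    END { if (bad) exit 1; exit 0 }
  '
}

# Returns 0 when the config passes the lint, 1 when a block is flagged.
check_conf() {
  printf '%s\n' "$1" | lint_ssl_on
}

if check_conf "$BROKEN_CONF"; then echo "broken layout: passed (unexpected)"; else echo "broken layout: flagged"; fi
if check_conf "$FIXED_CONF"; then echo "fixed layout: clean"; else echo "fixed layout: flagged (unexpected)"; fi
```

Run the lint over the real file with "lint_ssl_on < /etc/nginx/sites-enabled/default" before "nginx -t"; the syntax check alone accepts the broken layout, because it is valid configuration that simply does not do what was intended.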

However, because browsers check certificates, not every browser can open the page. In my test only Firefox could open the page after setup; the other browsers failed.

- Chrome: access failed.

- Firefox: access finally succeeded.

- IE: the page cannot be accessed because the browser considers the CA that issued the certificate untrusted. The reference link says to add your own CA root certificate to the browser.

After trying this, the problem was not solved: I tried Chrome and IE, and neither worked! I suspect it is related to how the certificate was created, or perhaps to security changes in the latest browser versions, but more likely the former.

Also, as mentioned above, the unable to write 'random state' error appeared when I created the keys! Once that problem is resolved I will keep digging.

How to import it? In Chrome: Settings, then search for "certificates"; in IE and Edge: Internet Options. In fact all of them configure the same thing, the operating system's certificate store.

Postscript

I finally know how to make my own website HTTPS. Since my own certificate cannot be used, the next step is to apply for one; I know of an organization that issues them for free, and of course there are many paid ones.

I am not familiar with nginx configuration;

Although this article used OpenSSL for a number of operations, why do it this way? Where is the official documentation? How should the configuration file be written? For now I can only follow in the footsteps of the pioneers; thank you!

It's a long road.

Reference links

Self-built CA and signed server certificate to implement HTTPS, by Andy____li

Creating an HTTPS SSL self-built certificate, by erice_e

OpenSSL master configuration file openssl.cnf, by Park Friends Why do I insist on blogging

Nginx forwards HTTP requests to HTTPS requests
