Setup Nginx HTTP Server Self-Signed SSL/TLS Certificates on Ubuntu 16.04 LTS Servers

We have used Let's Encrypt's free SSL/TLS certificates in many tutorials on this site. However, if you are testing in an environment without public IPs or a registered domain, where a public certificate authority cannot validate you, a self-signed certificate still gives you an encrypted connection; what it does not give you is a certificate that clients trust by default.

An SSL/TLS certificate binds a server's identity (its host name) to a public key. TLS is the protocol that uses that certificate to authenticate the server and encrypt the traffic between web servers and web clients, and between many other network services.

When it comes to TLS deployments, there are basically two kinds of certificates: those signed by a publicly trusted certificate authority (CA), used on websites and other public-facing resources, and self-signed certificates, generated internally, mostly for testing or for internal services whose clients you control and can configure to trust them. When you're ready to set up Nginx with a self-signed certificate, continue below.

Step 1: Install Nginx HTTP Web Server

If you don't already have Nginx installed, the commands below install it on Ubuntu 16.04 LTS. Copy and paste each line and run it.

sudo apt update
sudo apt install nginx

After installing Nginx, go to step 2 to generate a self-signed SSL/TLS certificate for the Nginx site.

Step 2: Creating Self-signed Certificates

When you can't obtain a certificate from a publicly trusted certificate authority, you can get by with a self-signed certificate. A CA-signed and a self-signed certificate are the same kind of object (an X.509 certificate) and are used by the same TLS protocol. The only difference is trust: a CA-signed certificate chains to a root the client already trusts, whereas a self-signed certificate is signed with its own key, so every client has to be told to trust it explicitly.

When you're ready, run the command below to generate the server's private key and a self-signed SSL/TLS certificate, valid for 365 days, for the example.com domain used in this tutorial (substitute your own host name).

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/example.com.key -out /etc/ssl/certs/example.com.crt

After running the command above, you'll be prompted for a few details about the certificate's subject. The field that matters is the Common Name: enter the host name clients will use to reach the server (example.com here).

Generating a 2048 bit RSA private key
........+++
.....................+++
writing new private key to '/etc/ssl/private/example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:Brooklyn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Company
Organizational Unit Name (eg, section) []:SSL Unit
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:webmaster@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (leave blank)
An optional company name []:

When you're done, the private key is stored as /etc/ssl/private/example.com.key and the certificate as /etc/ssl/certs/example.com.crt, as specified by -keyout and -out on the command line above.

The -nodes option leaves the private key unencrypted so that nginx can read it at boot without a passphrase; keep it readable by root only (/etc/ssl/private is already root-only on Ubuntu, and mode 0600 on the key file itself is good practice). Note also that this interactive form puts the host name only in the Common Name; current browsers (Chrome since version 58) ignore the Common Name and require the host name in a subjectAltName extension, so even after you trust the certificate they will report a name mismatch unless the certificate carries one.

Both files are referenced from the Nginx configuration in the next step.

Step 3: Installing the certificates

After generating the certificate, the next step is to install it in Nginx. Open the default site configuration and add the TLS lines shown below (the two listen 443 lines and the ssl_* directives):

sudo nano /etc/nginx/sites-available/default

Then reference the certificate files in the Nginx configuration as shown below. The ssl parameter on the listen 443 lines enables TLS for those listeners only, so port 80 keeps serving plain HTTP; the older ssl on; directive would force TLS on every listener in the block (plain requests on port 80 would then be rejected) and is deprecated in current nginx. ssl_protocols is limited to TLSv1.2, which drops the obsolete TLS 1.0 and 1.1 (TLSv1.3 can be added only on nginx 1.13+ built against OpenSSL 1.1.1+; Ubuntu 16.04 ships neither), and ssl_ciphers must be a single OpenSSL cipher string.

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        # SSL configuration
        #
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        #
        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name example.com;
        # TLS is enabled by the "ssl" parameter on the listen 443 lines above.
        # Do not add "ssl on;" here: it would force TLS on the port 80 listeners too.
        ssl_protocols       TLSv1.2;
        ssl_ciphers         "HIGH:!aNULL:!MD5:!3DES";
        ssl_prefer_server_ciphers on;
        ssl_certificate     /etc/ssl/certs/example.com.crt;
        ssl_certificate_key /etc/ssl/private/example.com.key;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #
        #       # With php7.0-cgi alone:
        #       fastcgi_pass 127.0.0.1:9000;
        #       # With php7.0-fpm:
        #       fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        #}
..............
..............
}

Save the file and exit the editor.

After making the changes above, run the command below to check the configuration before reloading anything.

sudo nginx -t

If it reports "syntax is ok" and "test is successful", restart the Nginx web server by running the command below.

sudo systemctl restart nginx

Next, browse to the server's host name using https:// in your browser. You will get a certificate warning because the certificate is self-signed: the browser cannot chain it to a trusted root, so it reports the issuer as unknown (and, for a certificate generated with the interactive command above, possibly a host name mismatch as well). That warning is expected and means the TLS handshake itself is working.
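As an added example that is not code from the original post (nor from the nginx or OpenSSL projects), the script below does Steps 2 and 3 in one place: it generates the key and self-signed certificate the way Step 2 does, but with the subjectAltName browsers require, checks the result, and prints a Step 3 style nginx site that redirects HTTP to HTTPS. The host name and output directory are hypothetical arguments, nothing is written under /etc, and the extensions come from a config file so it also works with OpenSSL 1.0.2 on Ubuntu 16.04, which lacks the newer -addext option.

```shell
#!/bin/sh
# Added example, not code from the original post: generate a self-signed server
# certificate the way Step 2 does, but with the subjectAltName browsers require,
# check the result, and print a Step 3 style nginx site that redirects HTTP to
# HTTPS. The host name and output directory are hypothetical arguments; nothing
# here writes to /etc. Extensions come from a config file, so this also works
# with OpenSSL 1.0.2 (Ubuntu 16.04), which lacks the newer -addext option.
set -eu

# make_selfsigned HOST OUTDIR [DAYS]: write HOST.key (unencrypted RSA 2048) and
# HOST.crt (self-signed, SHA-256). Chrome 58+ ignores the Common Name and only
# honours subjectAltName, so the host name goes in both.
make_selfsigned() {
    host=$1; outdir=$2; days=${3:-365}
    mkdir -p "$outdir"
    cfg="$outdir/$host.cnf"
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no
[dn]
CN = $host
[v3_server]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host, DNS:www.$host
EOF
    openssl req -x509 -nodes -sha256 -days "$days" -newkey rsa:2048 \
        -config "$cfg" -keyout "$outdir/$host.key" -out "$outdir/$host.crt" \
        2>/dev/null
    chmod 600 "$outdir/$host.key"   # -nodes leaves the key unencrypted: root-only
}

# cert_has_san CERT NAME: true when NAME is listed as a DNS subjectAltName.
cert_has_san() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text | grep -qE "DNS:$pat(,|[[:space:]]|\$)"
}

# cert_key_match CERT KEY: true when the certificate was issued for this key.
cert_key_match() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# cert_is_self_signed CERT: issuer DN and subject DN are identical.
cert_is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# key_is_private FILE: permission bits are exactly 0600.
key_is_private() {
    [ -n "$(find "$1" -perm 600 -print)" ]
}

# nginx_site HOST CERT KEY: print an nginx site with a plain :80 vhost that
# redirects, and a :443 vhost where "ssl" is a listen parameter (no "ssl on;").
# No HSTS header on purpose: a self-signed test host should not pin clients.
nginx_site() {
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $1;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $1;
    root /var/www/html;
    ssl_certificate     $2;
    ssl_certificate_key $3;
    ssl_protocols       TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5:!3DES;
    ssl_prefer_server_ciphers on;
    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
}

# main HOST OUTDIR: generate, check, and write OUTDIR/HOST.nginx.conf.
main() {
    host=$1; outdir=$2
    make_selfsigned "$host" "$outdir"
    crt="$outdir/$host.crt"; key="$outdir/$host.key"
    cert_has_san "$crt" "$host"  && echo "SAN present for $host"
    cert_key_match "$crt" "$key" && echo "certificate matches private key"
    cert_is_self_signed "$crt"   && echo "self-signed: issuer equals subject"
    key_is_private "$key"        && echo "key mode is 0600"
    nginx_site "$host" "$crt" "$key" >"$outdir/$host.nginx.conf"
    echo "wrote $outdir/$host.nginx.conf"
}

# Usage: sh selfsign.sh example.com ./tls-test
if [ $# -eq 2 ]; then main "$@"; fi
```

Run it as sh selfsign.sh example.com ./tls-test, then move the key to /etc/ssl/private, the certificate to /etc/ssl/certs and the generated site file to /etc/nginx/sites-available (adjusting the two ssl_certificate paths), and check with sudo nginx -t before reloading. Once nginx is serving, a client that has been handed the certificate as its trust anchor, for example curl --cacert example.com.crt https://example.com/, connects without any warning; distributing the .crt file to the clients you control is the proper way to trust a self-signed certificate, rather than clicking through browser exceptions.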

[Screenshot: nginx ubuntu self-signed certs]


Continue to the site, since you generated this certificate yourself and can confirm it is the one you expect by comparing the fingerprint the browser shows with the one on the server. Clicking through warnings on sites you don't control is not recommended, and for anything beyond a quick test you should import the certificate into the client's trust store rather than add a one-off exception.

[Screenshot: ubuntu self-signed nginx certs]

That's it! This is how to create self-signed certificates for the Nginx HTTP server.

Enjoy!


3 Replies to “Setup Nginx HTTP Server Self-Signed SSL/TLS Certificates on Ubuntu 16.04 LTS Servers”

  1. Thank you so much for your valuable time.
    I am interested in more information. I am already running a Java application on an Ubuntu EC2 machine on port 80, and DNS mapping is also done.
    1. Do I need to change the port from 80 to 443?
    2. The consumers of these APIs are both web apps (React based) and mobile (React Native). Is there any extra configuration required
    on the client side?
    3. Is changing http://api.example.com to https://api.example.com enough to consume the API?

    Please help me to resolve my issue.

    Thanks

  2. Hey, thank you for your time on this!
    Question: do we need to repeat the above procedure for each subdomain, or does it work one time as a wildcard certificate from the root (*.example.com)?
