{"id":4585,"date":"2019-10-29T16:44:12","date_gmt":"2019-10-29T13:44:12","guid":{"rendered":"https:\/\/kifarunix.com\/?p=4585"},"modified":"2024-03-12T22:05:04","modified_gmt":"2024-03-12T19:05:04","slug":"configure-nginx-with-ssl-tls-certificates-on-centos-8","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-nginx-with-ssl-tls-certificates-on-centos-8\/","title":{"rendered":"Configure Nginx with SSL\/TLS certificates on CentOS 8"},"content":{"rendered":"\n<p>In this tutorial, we are going to learn how to configure Nginx with SSL\/TLS certificates on CentOS 8. Serving a site with <a rel=\"noreferrer noopener\" aria-label=\"SSL\/TLS certificates (opens in a new tab)\" href=\"https:\/\/www.thesslstore.com\/new-to-ssl\/what-is-ssl-tls.aspx\" target=\"_blank\">SSL\/TLS certificates<\/a> gives web clients an encrypted and integrity-protected channel to the web server and, when the certificate is issued by a CA the client trusts, assurance that they are talking to the genuine server rather than an impostor.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Configure Nginx with SSL\/TLS certificates<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Install Nginx on CentOS 8<\/h3>\n\n\n\n<p>The Nginx package on CentOS 8 is built with TLS support (<code>ngx_http_ssl_module<\/code>) compiled in, so the only package you need is Nginx itself, available from the default CentOS 8 repositories. Do not install the <strong><code>mod_ssl<\/code><\/strong> package for this purpose: it is the TLS module for Apache httpd, not for Nginx, and it pulls in httpd as a dependency.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install nginx<\/code><\/pre>\n\n\n\n<p>You can confirm that TLS support is present with <code>nginx -V<\/code>; the build arguments it prints include <code>--with-http_ssl_module<\/code>.<\/p>\n\n\n\n<p>Once installed, start Nginx and enable it to run on system boot.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now nginx<\/code><\/pre>\n\n\n\n<p>To allow external access, open the firewall for Nginx. This means opening port 80\/tcp (HTTP), port 443\/tcp (HTTPS) or both, depending on the traffic the server is expected to receive.<\/p>\n\n\n\n<p>In this guide, since we are configuring Nginx with TLS certificates, we open port 443\/tcp.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>firewall-cmd --add-port=443\/tcp --permanent<\/code><\/pre>\n\n\n\n<p>Open port 80\/tcp as well if you want to redirect plain HTTP requests to HTTPS, as is done later in this guide; a client whose initial HTTP connection is blocked never receives the redirect.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>firewall-cmd --add-port=80\/tcp --permanent<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>firewall-cmd --reload<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Generate SSL\/TLS Certificates<\/h3>\n\n\n\n<p>In this guide, we use a self-signed SSL\/TLS certificate for demonstration purposes. Browsers do not trust self-signed certificates, so use one only for testing or for internal services whose clients are explicitly configured to trust it.<\/p>\n\n\n\n<p>If you want a publicly trusted certificate, you need to generate a Certificate Signing Request (CSR) and submit it to your preferred CA to order the certificate.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">How to generate a CSR<\/h4>\n\n\n\n<p>If you choose to go with a commercially trusted certificate, generate the private key and the CSR by running the command below. 
Replace the names of the key and the CSR accordingly. The <code>-nodes<\/code> option leaves the private key unencrypted so that Nginx can read it at start-up without prompting for a passphrase.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openssl req -new -newkey rsa:4096 -nodes -keyout kifarunix-demo.key -out kifarunix-demo.csr<\/code><\/pre>\n\n\n\n<p>You are prompted for the following details;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The two-letter code of the country (<strong>C<\/strong>) where your organization is located.<\/li>\n\n\n\n<li>The name of the State or Province (<strong>ST<\/strong>) where your organization is located.<\/li>\n\n\n\n<li>The Locality Name (e.g. city) (<strong>L<\/strong>) where your organization is located.<\/li>\n\n\n\n<li>The name of your Organization (<strong>O<\/strong>).<\/li>\n\n\n\n<li>The name of your Organizational Unit (<strong>OU<\/strong>).<\/li>\n\n\n\n<li>The <strong>Common Name<\/strong> (<strong>CN<\/strong>), usually the fully qualified domain name you want the certificate for. You can use a wildcard to cover sub-domains, e.g. *.kifarunix-demo.com.\n<ul class=\"wp-block-list\">\n<li><strong>This is the most important detail since it ties your domain to the certificate to be generated.<\/strong> Note, however, that current browsers ignore the CN and match the hostname only against the Subject Alternative Name (SAN) extension. Public CAs copy the CN into the SAN of the certificate they issue (and usually let you list additional names when ordering), so a CSR without a SAN still works with a CA; a self-signed certificate without a SAN is rejected by modern browsers even when its CN matches.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>An optional contact email address.<\/li>\n<\/ul>\n\n\n\n<p>To supply these details on the command line instead of interactively, add the <strong><code>-subj<\/code><\/strong> option as follows. Replace the highlighted values accordingly; the attribute names before each <code>=<\/code> stay as they are.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>-subj \"\/C=<strong>COUNTRY_CODE<\/strong>\/ST=<strong>STATE<\/strong>\/L=<strong>CITY<\/strong>\/O=<strong>ORG NAME<\/strong>\/OU=<strong>Department<\/strong>\/CN=<strong>DOMAIN_NAME<\/strong>\/emailAddress=<strong>name@domain<\/strong>\"<\/code><\/pre>\n\n\n\n<p>Once generated, submit the CSR content (the <code>.csr<\/code> file, never the key) to the signing Certificate Authority.<\/p>\n\n\n\n<p>The command above generates both the private key and the CSR. Keep the private key safe, owned by root and readable only by root (mode 0600): it is required later when installing the certificate, and anyone who obtains it can impersonate your server for as long as the certificate is valid. Only the CSR and, later, the certificate ever leave the server.<\/p>\n\n\n\n<p>Note that you can also use <a href=\"https:\/\/letsencrypt.org\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Let&#039;s Encrypt, the commercially free certificate (opens in a new tab)\">Let&#8217;s Encrypt<\/a>, which issues publicly trusted certificates free of charge, instead of a commercial CA.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Generate Self-Signed SSL\/TLS certificate<\/h3>\n\n\n\n<p>For demonstration purposes, you can generate a self-signed certificate as follows. Replace the domain names and location details accordingly. The <code>-x509<\/code> option makes OpenSSL output a self-signed certificate instead of a CSR, and <code>-addext<\/code> (OpenSSL 1.1.1 and later, which CentOS 8 ships) adds the SAN that browsers check. A wildcard covers a single label, so <code>*.kifarunix-demo.com<\/code> matches <code>web01.kifarunix-demo.com<\/code> but not the bare <code>kifarunix-demo.com<\/code>, which is why both names are listed.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openssl req -newkey rsa:4096 -nodes -keyout \/etc\/pki\/tls\/private\/<strong>kifarunix-demo<\/strong>.key -x509 -days 365 -out \/etc\/pki\/tls\/certs\/<strong>kifarunix-demo<\/strong>.crt \\\n-subj \"\/C=US\/ST=Oregon\/L=Springfield\/O=kifarunix-demo\/OU=IT\/CN=*.kifarunix-demo.com\/emailAddress=admin@kifarunix-demo.com\" \\\n-addext \"subjectAltName=DNS:*.kifarunix-demo.com,DNS:kifarunix-demo.com\"<\/code><\/pre>\n\n\n\n<p>Once the command runs, you should have the self-signed certificate under <code>\/etc\/pki\/tls\/certs<\/code> and the private key under <code>\/etc\/pki\/tls\/private<\/code>, if you used the paths above. As with a CA-issued key, make sure the key file is readable only by root; the Nginx master process runs as root and reads the key before handing connections to the unprivileged worker processes.<\/p>\n\n\n\n<p>To improve the SSL\/TLS security by ensuring a secure cryptographic key exchange, generate your own Diffie-Hellman (DH) parameters. They are used by the finite-field DHE cipher suites (the <code>EDH<\/code> entries in the cipher string) in TLS 1.2 and earlier, and a freshly generated group avoids relying on a small or widely shared default.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openssl dhparam -out \/etc\/pki\/tls\/certs\/dhparam.pem 4096<\/code><\/pre>\n\n\n\n<p>Generating 4096-bit DH parameters can take a long time, many minutes and sometimes much longer depending on the CPU; 2048 bits is the common choice and is generated far faster.<\/p>\n\n\n\n<p>To configure Nginx to use the DH parameters, the <code>ssl_dhparam<\/code> directive is used. Note that it only has an effect when TLS 1.2 or older is enabled together with DHE cipher suites: TLS 1.3 negotiates its key-exchange group from a fixed list of named groups and never reads this file, so the TLS 1.3-only server configured in the next section ignores it. 
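<\/p>\n\n\n\n<p>The script below is an added example and is not code from the original tutorial. It walks the certificate workflow of this page offline: it generates a private key and a CSR that carries a Subject Alternative Name, stands up a throw-away &#8220;intermediate CA&#8221; to sign the CSR in place of a commercial CA, assembles the server-first chain file that Nginx expects (the concatenation step shown later when installing the certificate), and then runs the checks a practitioner would run before pointing <code>ssl_certificate<\/code> and <code>ssl_certificate_key<\/code> at the files: the SAN names the host, the key matches the certificate, the key is readable by its owner only, the chain is in the right order, and the leaf verifies against the CA. The host name, the demo CA and the output directory are assumptions made for the example; it needs OpenSSL 1.1.1 or later for <code>-addext<\/code>, which CentOS 8 ships.<\/p>

```sh
#!/bin/sh
# Added example, not code from the original tutorial: build and check the
# private key, CSR, certificate and chain file that the guide hands to Nginx.
# Assumptions: OpenSSL 1.1.1 or later (for -addext), a POSIX shell, and the
# demo names below; "Demo Intermediate CA" is a throw-away stand-in for a real CA.
set -eu

# gen_key_and_csr DIR NAME FQDN
# Private key without a passphrase (so Nginx can start unattended) plus a CSR.
# Browsers match the host name against the SAN extension, not the CN, so the
# SAN is put into the request instead of relying on the CN alone.
gen_key_and_csr() {
    dir=$1; name=$2; fqdn=$3
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=US/ST=Oregon/L=Springfield/O=kifarunix-demo/OU=IT/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
    chmod 600 "$dir/$name.key"   # the key is the only secret; CSR and cert are public
}

# sign_with_demo_ca DIR NAME FQDN
# Stand-in for the commercial CA. "openssl x509 -req" does not copy the
# extensions from the CSR, so the SAN is supplied again via -extfile, just
# as a real CA puts it into the certificate it issues.
sign_with_demo_ca() {
    dir=$1; name=$2; fqdn=$3
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/demo-ca.key" -out "$dir/demo-ca.crt" \
        -subj "/O=kifarunix-demo/CN=Demo Intermediate CA" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/$name.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
        -CA "$dir/demo-ca.crt" -CAkey "$dir/demo-ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# cert_has_san CERT FQDN: succeeds if the certificate lists FQDN in its SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# key_matches_cert KEY CERT: the public key embedded in the certificate must
# be the one derived from the private key, or "nginx -t" refuses the pair.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_is_private KEY: succeeds if the file is readable and writable by its
# owner only (mode 0600), which is how the key should sit on the server.
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# chain_order_ok CHAIN: Nginx wants the server certificate first and the
# intermediate(s) after it, so each certificate's issuer must equal the
# subject of the one that follows. The pkcs7 round trip prints one
# subject=/issuer= pair per PEM block, in file order.
chain_order_ok() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
        | openssl pkcs7 -print_certs -noout 2>/dev/null \
        | awk '
            /^subject=/ { sub(/^subject=/, ""); subj[++n] = $0 }
            /^issuer=/  { sub(/^issuer=/,  ""); iss[n]    = $0 }
            END {
                if (n < 2) exit 1
                for (i = 1; i < n; i++) if (iss[i] != subj[i + 1]) exit 1
            }'
}

# leaf_verifies CA LEAF: what a client does, build the chain and verify it.
leaf_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# build_demo DIR: run the whole flow; also writes a wrongly ordered chain
# file so that chain_order_ok can be seen to reject it.
build_demo() {
    dir=$1; fqdn=web01.kifarunix-demo.com
    gen_key_and_csr "$dir" kifarunix-demo "$fqdn"
    sign_with_demo_ca "$dir" kifarunix-demo "$fqdn"
    cat "$dir/kifarunix-demo.crt" "$dir/demo-ca.crt" > "$dir/ser-int-cert.crt"   # server first
    cat "$dir/demo-ca.crt" "$dir/kifarunix-demo.crt" > "$dir/wrong-order.crt"    # for comparison
}

DEMO_DIR=$(mktemp -d)
build_demo "$DEMO_DIR"
echo "artifacts written to $DEMO_DIR"
```

<p>Run it as a normal user; it writes everything into a fresh temporary directory and prints the path. The same checks apply to files from a real CA: concatenate the downloaded server certificate and intermediate and feed the result to <code>chain_order_ok<\/code>, and give the key generated alongside the CSR together with the issued certificate to <code>key_matches_cert<\/code>.<\/p>

<p>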
The next section shows where the directive goes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Installing SSL\/TLS Certificate on Nginx<\/h3>\n\n\n\n<p>Once you have the certificate and the key in place, you can configure Nginx to use them.<\/p>\n\n\n\n<p>Open the Nginx configuration file for editing;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/nginx\/nginx.conf<\/code><\/pre>\n\n\n\n<p>The TLS server block shipped in the default configuration has been modified below to use the protocol, cipher and header settings from <a rel=\"noreferrer noopener\" aria-label=\"Cipherli.st (opens in a new tab)\" href=\"https:\/\/cipherli.st\/\" target=\"_blank\">Cipherli.st<\/a>.<\/p>\n\n\n\n<p>NOTE: If you want to redirect HTTP traffic to HTTPS, add the line below to the plain HTTP (port 80) server block. <code>$host<\/code> and <code>$request_uri<\/code> carry over the hostname, path and query string the client asked for, so the client lands on the HTTPS version of the same URL.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>return 301 https:\/\/$host$request_uri;<\/code><\/pre>\n\n\n\n<p>The configuration below shows where the line is added.<\/p>\n\n\n\n<p>Replace the certificate paths and the server name accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>...\n    server {\n        listen       80 default_server;\n        listen       &#91;::]:80 default_server;\n        server_name  _;\n        root         \/usr\/share\/nginx\/html;\n \n        return 301 https:\/\/$host$request_uri;\n...\n# Settings for a TLS enabled server.\n#\n    server {\n        listen       443 ssl http2 default_server;\n        server_name  web01.kifarunix-demo.com; # The Server FQDN\n        root         \/usr\/share\/nginx\/html;\n \n        ssl_protocols TLSv1.3; # Enable TLS v1.3 only\n        ssl_certificate \"\/etc\/pki\/tls\/certs\/kifarunix-demo.crt\";\n        ssl_certificate_key \"\/etc\/pki\/tls\/private\/kifarunix-demo.key\";\n        ssl_session_cache shared:SSL:1m;\n        ssl_session_timeout  10m;\n        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;\n        ssl_ecdh_curve secp384r1;\n        ssl_prefer_server_ciphers on;\n        ssl_session_tickets off;\n        resolver 8.8.8.8 valid=300s;\n      
  resolver_timeout 5s;\n        add_header Strict-Transport-Security \"max-age=63072000; includeSubDomains; preload\";\n        add_header X-Frame-Options DENY;\n        add_header X-Content-Type-Options nosniff;\n        add_header X-XSS-Protection \"1; mode=block\";\n        # Add DH parameters\n        ssl_dhparam \/etc\/pki\/tls\/certs\/dhparam.pem;\n \n \n        # Load configuration files for the default server block.\n        include \/etc\/nginx\/default.d\/*.conf;\n        location \/ {\n        }\n\n        error_page 404 \/404.html;\n            location = \/404.html {\n        }\n\n        error_page 500 502 503 504 \/50x.html;\n            location = \/50x.html {\n        }\n    }\n}<\/code><\/pre>\n\n\n\n<p>Save and quit the configuration file.<\/p>\n\n\n\n<p>A few of the settings above deserve a second look before you copy them into production;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>ssl_protocols TLSv1.3;<\/code> admits TLS 1.3 clients only. Clients without TLS 1.3 support cannot connect at all; allow TLS 1.2 as well if you have to serve them.<\/li>\n\n\n\n<li>With TLS 1.3 alone, <code>ssl_ciphers<\/code> and <code>ssl_dhparam<\/code> have no effect: Nginx applies <code>ssl_ciphers<\/code> to TLS 1.2 and older cipher suites only, and TLS 1.3 does not use custom DH parameters. Both become relevant the moment TLS 1.2 is enabled, which is why they are kept.<\/li>\n\n\n\n<li><code>ssl_ecdh_curve secp384r1;<\/code> pins the key exchange to one curve. Most browsers send an X25519 key share first, so with TLS 1.3 they need an extra round trip (a HelloRetryRequest) before the handshake completes; adding X25519 to the list avoids that.<\/li>\n\n\n\n<li>The <code>Strict-Transport-Security<\/code> header with <code>includeSubDomains<\/code> and <code>preload<\/code> commits every host under the domain to HTTPS for two years, and once the domain is submitted to the browser preload list this is very hard to undo. Browsers ignore HSTS on a connection whose certificate they do not trust, so the header does nothing for the self-signed test setup, but do not leave <code>preload<\/code> in place on a trusted deployment until every sub-domain serves a valid certificate.<\/li>\n\n\n\n<li><code>X-XSS-Protection<\/code> is obsolete and ignored by most current browsers; it is harmless to keep but provides no protection.<\/li>\n\n\n\n<li><code>resolver<\/code> and <code>resolver_timeout<\/code> are only used by Nginx for run-time name lookups such as OCSP stapling, which this configuration does not enable; they are unused here.<\/li>\n<\/ul>\n\n\n\n<p>If you are using a certificate from a CA, you will usually be given two files, the <code>Intermediate certificate<\/code> and the <strong><code>server certificate<\/code><\/strong>. Nginx sends clients whatever is in the file named by <code>ssl_certificate<\/code>, and a client needs the intermediate to build a chain to a trusted root, so the two have to be put together in a single file with the server certificate first and the intermediate after it. Some CAs supply a ready-made full-chain file in exactly this order.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cat server.crt intermediate.crt &gt; \/etc\/pki\/tls\/certs\/ser-int-cert.crt<\/code><\/pre>\n\n\n\n<p>Replace the names and paths accordingly, and use a single <code>&gt;<\/code> so that a stale file is overwritten rather than appended to. Point <code>ssl_certificate<\/code> at the combined file and <code>ssl_certificate_key<\/code> at the private key generated alongside the CSR.<\/p>\n\n\n\n<p>Verify the Nginx configuration for syntax errors. <code>nginx -t<\/code> also loads the certificate and key, so a missing file, an unreadable key or a key that does not belong to the certificate shows up here rather than at the first client connection.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nginx -t<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nginx: the configuration file \/etc\/nginx\/nginx.conf syntax is ok\nnginx: configuration file \/etc\/nginx\/nginx.conf test is successful<\/code><\/pre>\n\n\n\n<p>Restart Nginx so that the new configuration takes effect.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart nginx<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Access Nginx from Browser using HTTPS<\/h3>\n\n\n\n<p>Open a browser and try to access Nginx over HTTPS to check that all is well, using the address <strong><code>https:\/\/server-IP-or-FQDN<\/code><\/strong>.<\/p>\n\n\n\n<p>If using a self-signed certificate, accept the &#8220;Your connection is not private&#8221; warning and proceed. You should land on the Nginx test page. With a CA-issued certificate there should be no warning at all; if the browser reports an incomplete or untrusted chain, re-check the order of the concatenated certificate file.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/11\/nginx-https.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1240\" height=\"371\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/11\/nginx-https.png\" alt=\"Configure Nginx with SSL\/TLS certificates on CentOS 8\" class=\"wp-image-4587\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/11\/nginx-https.png?v=1573305930 1240w, https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/11\/nginx-https-768x230.png?v=1573305930 768w\" sizes=\"(max-width: 1240px) 100vw, 1240px\" \/><\/a><\/figure>\n\n\n\n<p>That is all. You\u2019ve successfully installed your SSL certificate and your site is now configured to use SSL\/TLS certificates.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Related Tutorials<\/h3>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/configure-guacamole-ssl-tls-with-nginx-reverse-proxy\/\" target=\"_blank\">Configure Guacamole SSL\/TLS with Nginx Reverse Proxy<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/configure-haproxy-with-ssl-on-ubuntu-18-04-debian-10-9\/\" target=\"_blank\">Configure HAProxy Load Balancer with SSL on Ubuntu 18.04\/Debian 10\/9<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/how-to-create-self-signed-ssl-certificate-with-mkcert-on-ubuntu-18-04\/\" target=\"_blank\">How to Create Locally Trusted SSL Certificates with mkcert on Ubuntu 18.04<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/monitor-ssl-tls-certificates-expiry-with-nagios\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Monitor SSL\/TLS Certificates 
Expiry with Nagios<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, we are going to learn how to configure Nginx with SSL\/TLS certificates on CentOS 8. The use of SSL\/TLS certificates ensures secured<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,304,34,1187,253],"tags":[1142,229,1188,1166],"class_list":["post-4585","post","type-post","status-publish","format-standard","hentry","category-howtos","category-nginx","category-security","category-ssl-tls","category-web-servers","tag-centos-8","tag-nginx","tag-nginx-with-ssl-centos-8","tag-ssl-tls-certificates","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4585"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=4585"}],"version-history":[{"count":5,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4585\/revisions"}],"predecessor-version":[{"id":21215,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4585\/revisions\/21215"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=4585"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=4585"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=4585"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}