-
-
Save jessedearing/2351836 to your computer and use it in GitHub Desktop.
#!/bin/bash | |
echo "Generating an SSL private key to sign your certificate..." | |
openssl genrsa -des3 -out myssl.key 1024 | |
echo "Generating a Certificate Signing Request..." | |
openssl req -new -key myssl.key -out myssl.csr | |
echo "Removing passphrase from key (for nginx)..." | |
cp myssl.key myssl.key.org | |
openssl rsa -in myssl.key.org -out myssl.key | |
rm myssl.key.org | |
echo "Generating certificate..." | |
openssl x509 -req -days 365 -in myssl.csr -signkey myssl.key -out myssl.crt | |
echo "Copying certificate (myssl.crt) to /etc/ssl/certs/" | |
mkdir -p /etc/ssl/certs | |
cp myssl.crt /etc/ssl/certs/ | |
echo "Copying key (myssl.key) to /etc/ssl/private/" | |
mkdir -p /etc/ssl/private | |
cp myssl.key /etc/ssl/private/ |
On Ubuntu there is no permissions into /etc/ssl/private, However I make it works in /etc/nginx/ssl.
Also based on your script a made my own witch output the nginx configuration at the end. https://gist.github.com/adrianorsouza/2bbfe5e197ce1c0b97c8
One step (if use Ubunut 16.04 /etc/ssl exists. If not use you feel free to add create dir)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
hi.. It is a very good gist... I am using nginx on AWS and followed these instructions. But unable to access https://<>. Any suggestions pls.
Note: i have enabled my AWS security group to listen to 443 as well.
I love this article. The self-signing process worked perfectly immediately.
@slava-vishnyakov provided a wonderfully useful snippet for the nginx configuration file. BUT...
I don't know if things have changed in the years since he or she wrote it but, it has one tiny imperfection that resulted in an error (ssl_error_rx_record_too_long) in the browser.
Use this instead..
server {
listen 443 ssl;
ssl on;
ssl_certificate /etc/ssl/certs/myssl.crt;
ssl_certificate_key /etc/ssl/private/myssl.key;
server_name SERVER_NAME.com;
location / {
}
}
Just add the "ssl" to the listen parameters.
With that, this article becomes one of the most instantly useful I've ever seen.
Thanks to all of you.
As to the Nginx configuration, I got a warning
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /usr/local/etc/nginx/sites-enabled/local.mysite.com:8
I just removed the ssl on;
part and the warning is gone.
In other words, it should be something like this:
server {
listen 443 ssl;
ssl_certificate /etc/ssl/certs/myssl.crt;
ssl_certificate_key /etc/ssl/private/myssl.key;
server_name SERVER_NAME.com;
location / {
}
}
Good morning, is it necessary to have a domain to apply this method of generating ssl self-signed certificate?
Because in my company it is handled is url type https://10.164.7.203:37006/PruebaHTTPS
If someone got the next error:
# nginx -t
nginx: [emerg] SSL_CTX_use_certificate("/etc/ssl/certs/myssl.crt") failed (SSL: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small)
nginx: configuration file /etc/nginx/nginx.conf test failed
You have to change the length of your certificate from rsa:1024
to rsa:2048
@tvlooy - works for me, though on centos it seems the private directory is not there by default. presumably some distros may not have either so i put a small tweak of..
mkdir -p /etc/ssl/private && mkdir -p /etc/ssl/certs && openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/site_name.key -out /etc/ssl/certs/site_name.crt
OR
mkdir -p /etc/ssl/private &&
mkdir -p /etc/ssl/certs &&
openssl req -x509 -nodes -days 365 -newkey rsa:4096
-keyout /etc/ssl/private/site_name.key
-out /etc/ssl/certs/site_name.crt <<EOF
US
TX
Private
SiteName Admin Portal
Development
portal.sitename.com
EOF