R Consulting Appliance Configuration, HTTPS

R Consulting

Apply all necessary steps from R Consulting Appliances Installation, Initial configuration and respective role checklists first.

nginx HTTPS configuration checklist

  1. Create a PEM certificate nginx can use. Having a certificate file (usually .crt), certificate authority bundle (usually .pem or .ca.pem) and a password-unprotected private key (usually .key file), concatenate them with the following command:

    $ cat cert.crt ca-bundle.pem private.key > host.domain.tld.pem

  2. Copy the resulting certificate file to /usr/local/etc/nginx.

  3. Create /usr/local/etc/nginx/local.conf.ssl.conf with the following contents:

        ssl_certificate     host.domain.tld.pem;
        ssl_certificate_key host.domain.tld.pem;

  4. Create /usr/local/etc/nginx/rcons.public.ssl.conf with the following contents:

        listen       443 ssl;
        server_name  host.domain.tld;

  5. Test the configuration with nginx -t and fix any issues found. Use nginx -tT | less to display the post-processed, albeit not in-order, configuration.

  6. Apply new configuration with service nginx restart.
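
An added example (not part of the original checklist): a POSIX sh lint for the combined file from step 1, meant to run before step 5. It checks block order, that the key is not password-protected, and that the file is not group- or world-accessible; the helper name lint_nginx_pem and the demo file are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint the combined PEM from step 1 before running nginx -t.
# lint_nginx_pem is a hypothetical helper name, not part of nginx or OpenSSL.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
lint_nginx_pem() {
    pem=$1 rc=0
    [ -r "$pem" ] || { echo "cannot read $pem"; return 1; }

    # PEM block labels in file order, one per line.
    labels=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$pem")
    first=$(printf '%s\n' "$labels" | sed -n '1p')
    last=$(printf '%s\n' "$labels" | sed -n '$p')
    nkeys=$(printf '%s\n' "$labels" | grep -c 'PRIVATE KEY$' || true)

    # The server certificate must come first, ahead of the CA bundle.
    [ "$first" = "CERTIFICATE" ] ||
        { echo "first block is '$first', expected the server certificate"; rc=1; }
    # cat cert.crt ca-bundle.pem private.key puts the key last.
    case $last in
        *"PRIVATE KEY") ;;
        *) echo "last block is '$last', expected the private key"; rc=1 ;;
    esac
    [ "$nkeys" -eq 1 ] || { echo "found $nkeys private keys, expected 1"; rc=1; }

    # Password-protected keys: PKCS#8 label or legacy Proc-Type header.
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e '^Proc-Type: 4,ENCRYPTED' "$pem"; then
        echo "private key is password-protected"; rc=1
    fi

    # The file holds an unencrypted key: allow no group/other access.
    # Columns 5-10 of the ls -l mode string are the group and other bits.
    mode=$(ls -l "$pem" | cut -c5-10)
    [ "$mode" = "------" ] ||
        { echo "group/other permissions '$mode' on a file holding a private key"; rc=1; }
    return $rc
}

# Constructed demo input: placeholder bodies, not real key material.
demo=$(mktemp -d)
blk() { printf '%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----"; }
{ blk CERTIFICATE; blk CERTIFICATE; blk "PRIVATE KEY"; } > "$demo/good.pem"
chmod 600 "$demo/good.pem"
lint_nginx_pem "$demo/good.pem" && echo "good.pem: ok"
```

The lint only inspects structure and permissions; nginx -t in step 5 is still what confirms that the key matches the certificate.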

Extracting certificate and private key from a .pfx file

Keep the .pfx password at hand, then run:

openssl pkcs12 -in file.pfx -clcerts -nokeys -out host.domain.tld.crt
openssl pkcs12 -in file.pfx -nocerts -nodes  -out host.domain.tld.key

Creating a .pfx file

openssl pkcs12 -export -out file.pfx -inkey fqdn.key -in fqdn.crt -certfile ca-bundle.pem

Querying certificate name & expiry

openssl x509 -noout -text -in file.pem | grep 'Subject:\|Not Before:\|Not After :'

For certificate chains:

sh -c 'while openssl x509 -noout -text; do :; done' < file.pem | grep 'Subject:\|Not Before:\|Not After :'

Configuration testing

curl -vv --resolve 'acme.com:443:127.0.0.1' https://acme.com/

or

openssl s_client -connect 127.0.0.1:443 -servername acme.com

These commands can also be used to test servers handling requests forwarded via hidden routing.

Resources