Apply all necessary steps from R Consulting Appliances Installation, Initial configuration and respective role checklists first.
Create a PEM certificate nginx can use. Having a
certificate file (usually .crt), certificate authority
bundle (usually .pem or .ca.pem) and a
password-unprotected private key (usually .key file),
concatenate them with the following command:
$ cat cert.crt ca-bundle.pem private.key > host.domain.tld.pem
Copy certificate to /usr/local/etc/nginx.
Create /usr/local/etc/nginx/local.conf.ssl.conf with
the following contents:
ssl_certificate host.domain.tld.pem;
ssl_certificate_key host.domain.tld.pem;
Create /usr/local/etc/nginx/rcons.public.ssl.conf
with the following contents:
listen 443 ssl;
server_name host.domain.tld;
Test configuration with nginx -t and fix any issues
found. Use nginx -tT | less to display post-processed,
albeit not in-order, configuration.
Apply new configuration with
service nginx restart.
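
A pre-flight check for the concatenation step above, as an added example that is not part of the original page: build_nginx_pem (a hypothetical helper name) confirms that the private key matches the certificate and that the certificate is issued by the bundle, then writes the combined PEM with owner-only permissions. It assumes the openssl command-line tool is installed and that the bundle may contain intermediates only.

```sh
#!/bin/sh
# Added example, not the appliance's own tooling. build_nginx_pem is a
# hypothetical helper; the file names follow the cat command above.
# usage: build_nginx_pem CERT CA_BUNDLE KEY OUT
# returns 0 on success, 2 unreadable cert, 3 unusable key (missing or
# passphrase-protected), 4 key/cert mismatch, 5 cert not issued by bundle
build_nginx_pem() {
    cert=$1 bundle=$2 key=$3 out=$4

    # Public key embedded in the server (leaf) certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2

    # Public key derived from the private key. The empty passphrase makes an
    # encrypted key fail here instead of prompting; nginx needs it unprotected.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 3

    # A key that belongs to another certificate is the usual cause of
    # "key values mismatch" errors from nginx -t.
    [ "$cert_pub" = "$key_pub" ] || return 4

    # The leaf must be issued by a certificate in the bundle and be within
    # its validity period. Assumption: the bundle may hold intermediates
    # only, hence -partial_chain.
    openssl verify -partial_chain -CAfile "$bundle" "$cert" >/dev/null 2>&1 || return 5

    # Same order as the cat command: leaf, CA bundle, key. The file holds an
    # unencrypted private key, so create it readable by the owner only.
    rm -f "$out"
    ( umask 077 && cat "$cert" "$bundle" "$key" > "$out" )
}
```
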
Extracting the certificate and key from a .pfx file: keep the password at hand, then run
openssl pkcs12 -in file.pfx -clcerts -nokeys -out host.domain.tld.crt
openssl pkcs12 -in file.pfx -nocerts -nodes -out host.domain.tld.key
Creating a .pfx file:
openssl pkcs12 -export -out file.pfx -inkey fqdn.key -in fqdn.crt -certfile ca-bundle.pem
openssl x509 -noout -text -in file.pem | grep 'Subject:\|Not Before:\|Not After :'
for certificate chains:
sh -c 'while openssl x509 -noout -text; do :; done' < file.pem | grep 'Subject:\|Not Before:\|Not After :'
curl -vv --resolve 'acme.com:443:127.0.0.1' https://acme.com/
or
openssl s_client -connect 127.0.0.1:443 -servername acme.com
Can also be used to test servers handling requests forwarded via hidden routing.
Create local.conf.ssl.conf:
# https://garlicspace.com/2025/01/06/nginx-configuration-for-multiple-certificates/
map $ssl_server_name $cert_file {
    hostnames;
    *.acme.com star.acme.com.pem;
    *.example.net star.example.net.pem;
}
and rcons.public.ssl.conf:
listen 443 ssl;
server_name *.acme.com *.example.net;
# mapping of host name to certificate is in local.conf.ssl.conf
# however it seems like this does not work with TH100
ssl_certificate $cert_file;
ssl_certificate_key $cert_file;
Note that this configuration does NOT work on all devices (e.g. TH100).