CREATE SSL CERTIFICATE FOR NGINX ON CENTOS 7 WITH SELF SIGN

CREATE CERTIFICATE

First install OpenSSL (the -devel packages are only needed if you build nginx from source):

$ sudo yum install openssl
$ sudo yum install openssl-devel pcre-devel

Open port 443 (HTTPS) in the firewall and confirm the rule is in place:

$ sudo firewall-cmd --permanent --add-port=443/tcp
$ sudo firewall-cmd --reload
$ sudo iptables -L

Create a folder for the certificate files and change into it:

$ sudo mkdir /etc/nginx/ssl
$ cd /etc/nginx/ssl/

Generate the private key. The pass phrase is removed again later, because nginx must be able to read the key without anyone typing it in:

$ sudo openssl genrsa -des3 -out ssl.key 2048
Enter pass phrase for ssl.key: 3480
Verifying - Enter pass phrase for ssl.key: 3480

Create the certificate signing request (CSR); the Common Name must be the hostname clients will connect to:

$ sudo openssl req -new -key ssl.key -out ssl.csr
Enter pass phrase for ssl.key: 3480

Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:TEXAS
Locality Name (eg, city) [Default City]:HOUSTON
Organization Name (eg, company) [Default Company Ltd]:NORTH AMERICAN UNIVERSITY
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:moodledev.na.edu
Email Address []:person@blabla.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Remove the pass phrase from ssl.key (keep the original as a backup); you will be prompted for it one last time:

$ sudo cp ssl.key ssl.key.orig
$ sudo openssl rsa -in ssl.key.orig -out ssl.key
Enter pass phrase for ssl.key.orig: 3480

Verify the CSR and check that the subject fields are what you entered:

$ openssl req -text -noout -verify -in ssl.csr

verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=TEXAS, L=HOUSTON, O=NORTH AMERICAN UNIVERSITY, OU=IT, CN=moodledev.na.edu/emailAddress=msen@na.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c4:e7:78:c6:bd:a2:e6:2f:18:8d:a1:8a:79:3a:
                    75:6b:b1:b7:f3:24:4e:cb:30:af:76:45:36:86:94:
                    10:1c:99:61:4e:e9:45:c0:4f:b4:6a:77:dd:40:e5:
                    6e:b6:78:c7:71:e5:5f:93:00:43:b5:b2:19:7d:0a:
                    69:2a:d2:1b:13:f8:12:f3:a9:e6:54:c0:76:44:2c:
                    7d:f5:04:71:33:a0:4b:d4:80:21:ed:52:11:0a:21:
                    c6:5a:bd:8b:a0:7e:75:96:42:32:e4:75:1d:31:e5:
                    dd:56:f7:4d:8e:71:44:12:f4:93:fb:1f:d4:96:6e:
                    32:23:e6:c5:2e:67:d4:29:34:cf:20:e7:5e:bb:36:
                    74:42:cb:a2:b9:04:1c:2b:4c:76:ca:92:0d:4c:ed:
                    35:58:a4:c0:4d:7b:40:62:46:54:22:1e:28:71:a2:
                    7d:30:12:fd:23:db:51:1b:ff:e1:73:e7:9f:5d:30:
                    40:b4:f4:38:9b:f8:b5:28:74:0e:34:9c:e9:eb:7d:
                    6d:b5:ca:ea:07:2d:96:00:88:f5:d9:66:ca:53:3f:
                    64:4b:95:f7:96:d8:ac:44:50:43:17:41:9f:72:43:
                    80:e6:d3:5e:c0:b6:ae:9b:95:59:b8:bc:45:5d:3c:
                    42:5e:7b:b7:49:bc:46:a4:c5:22:f9:b8:f0:38:33:
                    b2:fb
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         5b:ba:67:1c:4e:a7:54:f5:45:a6:f3:12:b7:43:84:33:5d:9e:
         28:01:2e:c1:a5:ef:bc:17:72:b6:6b:bd:b1:21:7a:d7:46:be:
         4f:bc:85:24:eb:a7:22:12:4e:a4:2a:a4:27:20:ea:a7:fd:4f:
         ec:d0:8f:81:5c:e1:e7:14:d6:d7:57:b4:a1:0a:a1:5a:0d:aa:
         be:5c:bc:5d:f9:b7:14:cc:ec:09:56:22:65:2b:02:75:11:30:
         87:64:09:3b:0d:eb:df:8f:47:6b:71:a9:4f:55:7d:e1:e9:74:
         b0:83:21:12:8b:4f:ee:ca:70:8a:a2:cc:10:ab:70:57:91:b5:
         56:0d:dc:4a:be:75:d1:67:d8:b4:b0:2c:a7:87:93:3c:8d:76:
         c9:29:8e:a1:b2:9a:f7:86:29:a6:af:ff:82:5c:d8:2c:fe:71:
         2e:f9:ab:ff:df:8f:a9:b4:d4:ce:56:6b:5c:6d:40:0e:7d:47:
         29:9b:9c:6f:e7:22:d7:bb:98:83:01:19:ed:f9:2e:2f:5d:f5:
         0e:34:36:fd:7d:f5:4d:03:79:e1:ee:c0:c0:fa:ae:79:f7:0e:
         37:58:b4:64:71:5a:0f:57:e1:b2:1a:e6:eb:5b:57:e5:54:85:
         a2:20:41:01:d6:49:8d:60:b0:b4:9c:73:cf:a3:28:6b:7c:96:
         8a:12:66:e2

Self-sign the certificate with the key (valid for 365 days):

$ sudo openssl x509 -req -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt
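The key, CSR and self-signing steps above can be run without the interactive prompts, and it is worth checking the result before nginx loads it. The script below is an added example, not code from the original post: it repeats the post's procedure non-interactively, adds a subjectAltName (browsers ignore the Common Name alone and reject a certificate without it), and then verifies that the key is unencrypted, that key and certificate match, and that the certificate names the host and is inside its validity period. The hostname, subject fields, output directory and validity period are example values.

```shell
#!/bin/sh
# Added example (not from the original post): the post's key -> CSR -> self-signed
# certificate procedure as a non-interactive script, plus the checks a practitioner
# runs before handing the files to nginx. All names and values are example values.

# make_self_signed_cert DIR HOSTNAME [DAYS]
#   Writes DIR/ssl.key (unencrypted 2048-bit RSA), DIR/ssl.csr and DIR/ssl.crt.
make_self_signed_cert() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir"

    # 1. Private key. The post creates it with -des3 and strips the pass phrase
    #    afterwards; nginx needs a key it can read unattended, so create it
    #    unencrypted in the first place and make it readable by the owner only.
    (umask 077 && openssl genrsa -out "$dir/ssl.key" 2048 2>/dev/null) || return 1

    # 2. CSR. -subj replaces the interactive prompts shown in the post.
    openssl req -new -key "$dir/ssl.key" -out "$dir/ssl.csr" \
        -subj "/C=US/ST=TEXAS/L=HOUSTON/O=NORTH AMERICAN UNIVERSITY/OU=IT/CN=$host" \
        2>/dev/null || return 1

    # 3. Self-sign. Browsers require a subjectAltName, which a plain 'x509 -req'
    #    does not add, so supply it through -extfile (this also works on CentOS 7's
    #    OpenSSL 1.0.2, which has no -addext option).
    ext=$(mktemp) || return 1
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$ext"
    openssl x509 -req -days "$days" -in "$dir/ssl.csr" -signkey "$dir/ssl.key" \
        -extfile "$ext" -out "$dir/ssl.crt" 2>/dev/null
    rc=$?
    rm -f "$ext"
    return $rc
}

# check_cert CRT KEY HOSTNAME
#   Returns 0 only if the pair is usable for HOSTNAME: the key is unencrypted, key
#   and certificate match, CN and SAN name the host, the certificate is still valid
#   and its self-signature verifies.
check_cert() {
    crt=$1; key=$2; host=$3
    if grep -q ENCRYPTED "$key"; then
        echo "key is pass-phrase protected; nginx cannot load it without ssl_password_file" >&2
        return 1
    fi
    if [ "$(openssl x509 -noout -modulus -in "$crt")" != \
         "$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)" ]; then
        echo "certificate and key do not match" >&2
        return 1
    fi
    if ! openssl x509 -noout -subject -nameopt RFC2253 -in "$crt" | grep -Eq "CN=$host(,|\$)"; then
        echo "CN is not $host" >&2
        return 1
    fi
    if ! openssl x509 -noout -text -in "$crt" | grep -q "DNS:$host"; then
        echo "no subjectAltName for $host" >&2
        return 1
    fi
    # -checkend 0 fails if the certificate has already expired
    openssl x509 -noout -checkend 0 -in "$crt" >/dev/null || { echo "certificate expired" >&2; return 1; }
    # a self-signed certificate must verify against itself
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || { echo "self-signature does not verify" >&2; return 1; }
    return 0
}

# Stand-alone usage: ./mkcert.sh /etc/nginx/ssl moodledev.site.com 365
if [ "$#" -ge 2 ]; then
    make_self_signed_cert "$1" "$2" "${3:-365}" && check_cert "$1/ssl.crt" "$1/ssl.key" "$2" && echo "ok"
fi
```

If you prefer to keep a pass phrase on the key, nginx can read it from a file with the ssl_password_file directive; otherwise the unencrypted key must stay readable by root only, which is what the umask in step 1 ensures.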

CONFIGURE NGINX FOR SSL

Our Moodle site already has its own nginx configuration file; it has to be changed so that the site is served over SSL.

$ sudo vi /etc/nginx/conf.d/moodle.conf

The first server block rewrites every plain-HTTP request to the same URL over HTTPS; the second serves the site on port 443 with the certificate created above:

server {
        listen  80;
        server_name moodledev.site.com;
        # permanent (301) redirect of every http request to https
        rewrite ^ https://$host$request_uri? permanent;
}

server {

        listen 443 ssl;
        server_name moodledev.site.com;
        root /usr/share/nginx/html/moodle;
        index index.php index.html index.htm;
        autoindex off;
        autoindex_exact_size off;

        # 'ssl on;' is not needed ('listen 443 ssl' already enables TLS) and is
        # rejected as an unknown directive by nginx 1.15 and later, so it is omitted.
        ssl_certificate                 /etc/nginx/ssl/ssl.crt;
        ssl_certificate_key             /etc/nginx/ssl/ssl.key;
        ssl_session_timeout             5m;
        # SSLv3 (POODLE), TLS 1.0 and TLS 1.1 are broken or end-of-life; offer TLS 1.2 only
        ssl_protocols       TLSv1.2;
        # HIGH alone still contains anonymous DH suites, hence !aNULL
        ssl_ciphers         HIGH:!aNULL:!MD5;

        location / {
                try_files $uri $uri/ =404;
                index index.php;
        }

        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
        location /50x.html {
                root /usr/share/nginx/html/moodle;
        }

        # hand PHP requests (including Moodle's /file.php/extra/path form) to php-fpm
        location ~ [^/]\.php(/|$) {
                fastcgi_split_path_info  ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
                fastcgi_index index.php;
                # tell PHP the request came in over TLS
                fastcgi_param   HTTPS on;
                fastcgi_param   PATH_INFO       $fastcgi_path_info;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }

        # Moodle data directories: 'internal' means nginx only serves them on an
        # X-Accel-Redirect from PHP, never on a direct client request
        location /dataroot/ {
                internal;
                alias /var/moodledata/; # ensure the path ends with /
        }

        location /cachedir/ {
                internal;
                alias /var/moodledata/cache/; # ensure the path ends with /
        }

        location /localcachedir/ {
                internal;
                alias /var/moodledata/localcache/; # ensure the path ends with /
        }

        location /tempdir/ {
                internal;
                alias /var/moodledata/temp/; # ensure the path ends with /
        }

        location /filedir/ {
                internal;
                alias /var/moodledata/filedir/; # ensure the path ends with /
        }

        location /filterdir/ {
                internal;
                alias /var/moodledata/filter/; # ensure the path ends with /
        }
}
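The protocol list, the old `ssl on;` directive, the cipher string and the port-80 redirect are the parts of a block like this that get reviewed first. The script below is an added example, not part of the original post: it audits those directives in an nginx config file and, to show the difference, writes two constructed sample files, one repeating the post's original settings and one corrected (the file names and their contents are constructed for the example).

```shell
#!/bin/sh
# Added example (not from the original post): audit the TLS-related directives of an
# nginx config file. write_sample_configs creates two constructed inputs: weak.conf
# repeats the post's original directives, hard.conf is the corrected version.

# audit_nginx_tls FILE
#   Prints one finding per line. Returns 0 if the file is clean, 1 otherwise.
audit_nginx_tls() {
    n=0
    # drop comments so a commented-out 'ssl on;' is not reported
    body=$(sed 's/#.*$//' "$1")

    # 'ssl on;' was superseded by the 'ssl' parameter of 'listen' and removed in nginx 1.15
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        echo "deprecated 'ssl on;': 'listen 443 ssl;' already enables TLS"
        n=$((n + 1))
    fi

    # protocol list: match whole tokens so TLSv1 is not confused with TLSv1.2
    protos=$(printf '%s\n' "$body" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p')
    for weak in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        if printf '%s\n' "$protos" | tr ' ' '\n' | grep -qx "$weak"; then
            echo "ssl_protocols enables $weak (broken or end-of-life)"
            n=$((n + 1))
        fi
    done

    # HIGH alone still includes anonymous DH suites; '!aNULL' must exclude them
    ciphers=$(printf '%s\n' "$body" | sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*\(.*\);.*/\1/p')
    if [ -n "$ciphers" ] && ! printf '%s\n' "$ciphers" | grep -q '!aNULL'; then
        echo "ssl_ciphers does not exclude aNULL (unauthenticated) suites"
        n=$((n + 1))
    fi

    # a port-80 listener should do nothing but redirect to https
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*listen[[:space:]]+80' &&
       ! printf '%s\n' "$body" | grep -Eq 'return[[:space:]]+30[12][[:space:]]+https://|rewrite[[:space:]].*https://.*permanent'; then
        echo "port 80 is served but not redirected to https"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# write_sample_configs DIR  (constructed sample input for this example)
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
server {
        listen  80;
        server_name moodledev.site.com;
        rewrite ^ https://$host$request_uri? permanent;
}
server {
        listen 443 ssl;
        server_name moodledev.site.com;
        ssl                 on;
        ssl_certificate     /etc/nginx/ssl/ssl.crt;
        ssl_certificate_key /etc/nginx/ssl/ssl.key;
        ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
}
EOF
    cat > "$1/hard.conf" <<'EOF'
server {
        listen  80;
        server_name moodledev.site.com;
        return 301 https://$host$request_uri;
}
server {
        listen 443 ssl;
        server_name moodledev.site.com;
        # ssl on;  (no longer needed, and rejected by nginx >= 1.15)
        ssl_certificate     /etc/nginx/ssl/ssl.crt;
        ssl_certificate_key /etc/nginx/ssl/ssl.key;
        ssl_protocols       TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
}
EOF
}

# Stand-alone usage: ./audit.sh /etc/nginx/conf.d/moodle.conf
if [ "$#" -ge 1 ]; then
    audit_nginx_tls "$1"
fi
```

Run against the post's original directives the audit reports four findings (the `ssl on;` directive and the SSLv3, TLSv1 and TLSv1.1 entries); the corrected file reports none. The checks are deliberately string-based and only cover what this page touches; `nginx -t` is still the authority on whether the file loads.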

Do not forget to tell the application (here Moodle) that it sits behind an SSL proxy and that its public URL is https; the values are PHP strings, so wwwroot needs quotes:

$ sudo vi /usr/share/nginx/html/moodle/config.php
$CFG->sslproxy = true;
$CFG->wwwroot  = 'https://moodledev.site.com';

Give the files and folders the rights nginx needs:

$ sudo chmod -R 755 /usr/share/nginx/html/moodle/*
$ sudo chown -R nginx:nginx /usr/share/nginx/html/moodle/*

Restart nginx so the new configuration is loaded:

$ sudo systemctl restart nginx
