I've created an SSL certificate using Let's Encrypt and now I'm trying to set it up with NginX. NginX consumes my config, restarts and handles HTTP well, but refuses HTTPS connections.
Also, my server has no firewall. I checked port 443 with

    netstat -peanut | grep ":443 "

and NMap; there is no problem with it.
I have the following SSL files:
- ca_bundle.crt, 27 lines, begins with -----BEGIN CERTIFICATE-----
- ca.crt, 35 lines, begins with -----BEGIN CERTIFICATE-----
- private_rsa.key, 27 lines, begins with -----BEGIN RSA PRIVATE KEY-----
- private.key, 28 lines, begins with -----BEGIN PRIVATE KEY-----
I don't know which ones are important, so I tried all the combinations, but nothing works. Here is my NginX config:
    server {
        listen 80;
        listen 443 ssl;
        server_name domain.ru www.domain.ru;
        ssl_certificate /var/www/SSL/ca.crt;
        ssl_certificate_key /var/www/SSL/private.key;
        access_log /var/www/Ret/Returner/logs/nginx.access.log;
        error_log /var/www/Ret/Returner/logs/nginx.error.log;
        proxy_read_timeout 950s;
        location = /favicon.ico { access_log off; log_not_found off; }
        location /static/ {
            root /var/www/Ret/Returner/;
        }
        location / {
            proxy_pass http://127.0.0.1:5000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-Ip $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
        }
    }
How can I fix the problem?
My OS is Ubuntu 16.04. NginX version: 1.10.3 built with OpenSSL 1.0.2g, TLS SNI support enabled.
Update.
To generate certificates I used 2 different approaches:
1. Using www.sslforfree.com with DNS ownership approval.
2. Using the following OpenSSL commands:

    openssl genrsa 4096 > /var/www/Ret/account.key
    openssl rsa -in /var/www/Ret/account.key -pubout
Unfortunately, neither certificate file set worked.
I personally don't like having 80 and 443 in the same server section. I am also not sure if that's an issue. But could you try something like this?
    # Redirect all http to https
    server {
        listen 80 default_server;
        rewrite ^ https://$host$request_uri? permanent;
    }

    # Handle https
    server {
        server_name domain.ru www.domain.ru;
        listen 443 ssl http2;

        # Certificates
        ssl_certificate /var/www/SSL/ca.crt;
        ssl_certificate_key /var/www/SSL/private.key;

        # Logs
        access_log /var/www/Ret/Returner/logs/nginx.access.log;
        error_log /var/www/Ret/Returner/logs/nginx.error.log;
        proxy_read_timeout 950s;

        # Static Content
        location = /favicon.ico { access_log off; log_not_found off; }
        location /static/ {
            root /var/www/Ret/Returner/;
        }

        # Reverse Proxy
        location / {
            proxy_pass http://127.0.0.1:5000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-Ip $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
        }
    }
I've found the solution. It was about creating ca_chain.crt, which should contain your certificate and the CA bundle. Its structure is simple, as follows:
    -----BEGIN CERTIFICATE-----
    MIIFXTCCBEWgAwIBAgISA1jUznaa6AUn/4wyOV49e1QBMA0GCSqGSIb3DQEBCwUA
    // content of the ca.crt //
    2PxVU6WNy9wOVgGdO5TaxRQgO2p04AYJpovREYCuOctz
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
    // content of the ca_bundle.crt //
    KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
    -----END CERTIFICATE-----
Then, in the NginX config:
    ssl_certificate /aivanf/ssl/ca_chain.crt;
    ssl_certificate_key /aivanf/ssl/ca.key;

The ca.key is the same as what I previously called private.key.
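As an added example (not part of the answer above or the asker's setup), here is a small Python script that builds the chain file in the order nginx expects, the server certificate first and the CA bundle after it, and checks the result before it is handed to ssl_certificate. It reads only the issuer and subject fields of each certificate straight from the DER, so it needs no third-party library, and it confirms that certificate N+1 is the issuer of certificate N and that no PRIVATE KEY block was pasted into the chain file. The sample certificates it builds are constructed, unsigned stand-ins so that the script runs offline; the names LEAF, BUNDLE and KEY are assumptions standing in for ca.crt, ca_bundle.crt and the private key.

```python
import base64
import re

# One PEM block: label, then the base64 body between the BEGIN/END armour.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def split_pem(text):
    """Return (label, der_bytes) for every PEM block in the text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_RE.findall(text)]

def _tlv(data, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def _children(data, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV in a range."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(data, pos)
        yield tag, pos, vs, ve
        pos = ve

def names(der):
    """Return the raw DER (issuer, subject) Name fields of an X.509 certificate."""
    _, cert_start, _ = _tlv(der, 0)                     # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)       # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields and fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    _, i_start, _, i_end = fields[2]
    _, s_start, _, s_end = fields[4]
    return der[i_start:i_end], der[s_start:s_end]

def build_chain(leaf_pem, bundle_pem):
    """Concatenate server certificate then CA bundle: the order nginx expects."""
    return leaf_pem.rstrip("\n") + "\n" + bundle_pem.rstrip("\n") + "\n"

def check_chain(text):
    """Return a list of problems with a chain file; an empty list means it looks sound."""
    problems = []
    blocks = split_pem(text)
    if not blocks:
        return ["no PEM blocks found"]
    for label, _ in blocks:
        if label != "CERTIFICATE":
            problems.append(f"unexpected {label} block: the chain file must hold only certificates")
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    if len(certs) < 2:
        problems.append("only one certificate: the CA bundle (intermediates) is missing")
    for i in range(len(certs) - 1):
        issuer, _ = names(certs[i])
        _, next_subject = names(certs[i + 1])
        if issuer != next_subject:
            problems.append(f"certificate {i + 1} did not issue certificate {i}: "
                            "leaf must come first, then its CA bundle")
    return problems

# Constructed sample input (not real certificates) so the script runs offline.
def _der(tag, payload):
    """Encode one DER TLV (payloads up to 65535 bytes)."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100
                                           else bytes([0x82]) + n.to_bytes(2, "big"))
    return bytes([tag]) + length + payload

def _name(cn):
    """Minimal X.501 Name holding a single commonName attribute."""
    attr = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, attr))

def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned stand-in: only the fields names() reads are meaningful."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                                # version v3
               + _der(0x02, b"\x01")                                          # serialNumber
               + _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
               + _name(issuer_cn)
               + _der(0x30, b"")                                              # validity placeholder
               + _name(subject_cn)
               + _der(0x30, b""))                                             # SPKI placeholder
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))           # empty signature fields
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

LEAF = fake_cert_pem("domain.ru", "Example Intermediate CA")            # stand-in for ca.crt
BUNDLE = fake_cert_pem("Example Intermediate CA", "Example Root CA")    # stand-in for ca_bundle.crt
KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"  # placeholder, not a key

if __name__ == "__main__":
    good = build_chain(LEAF, BUNDLE)
    print("leaf then bundle:", check_chain(good) or "OK")
    print("leaf only:       ", check_chain(LEAF))
    print("bundle then leaf:", check_chain(build_chain(BUNDLE, LEAF)))
    print("key pasted in:   ", check_chain(good + KEY))
```

On a real server, feed the text of ca_chain.crt to check_chain(). nginx treats the first certificate in the ssl_certificate file as the server certificate and pairs it with ssl_certificate_key, so a bundle-first file leaves it with a certificate that does not match the key, and a single certificate without its intermediates is exactly the state the question describes. From a client, `openssl verify -CAfile ca_bundle.crt ca.crt` checks the same relationship offline, and `openssl s_client -connect domain.ru:443 -servername domain.ru` shows the chain nginx actually serves.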