Page not found – ShopingServer Wiki

HowTo: Create a Self-Signed SSL Certificate on Nginx For CentOS / RHEL

msrxp — Sat, 06 Jan 2018 09:17:46 +0000

operate a small web site on Cloud server powered by CentOS Linux v6.4. I would like to encrypt my site’s information and create a more secure connection. How do I create a self-signed SSL certificate on Nginx for CentOS/Fedora or Red Hat Enterprise Linux based server?

The ssl encrypts your connection. For example, a visit to https://www.cyberciti.biz/ result into the following:

All pages were encrypted before being transmitted over the Internet.

Encryption makes it very difficult to unauthorized person to view information traveling between client browser and nginx server.

A note about a self-signed certificates vs a third party issued certificates

Fig.01: Cyberciti.biz connection encrypted and verified by a third party CA called GeoTrust, Inc.

Usually, an SSL certificate issued by a third party. It provides privacy and security between two computers (client and server) on a public network by encrypting traffic. CA (Certificate Authorities) may issue you a SSL certificate that verify the organizational identity (company name), location, and server details.

A self-signed certificate encrypt traffic between client (browser) and server. However, it can not verify the organizational identity. You are not depend upon third party to verify your location and server details.

Our sample setup

Domain name: theos.in

Directory name: /etc/nginx/ssl/theos.in

SSL certificate file for theos.in: /etc/nginx/ssl/theos.in/self-ssl.crt

ssl certificate key for theos.in: /etc/nginx/ssl/theos.in/self-ssl.key

Nginx configuration file for theos.in: /etc/nginx/virtual/theos.in.conf

Step #1: Make sure SSL aware nginx installed

Simply type the following command to verify nginx version and feature:

$ /usr/sbin/nginx -V

Sample outputs

nginx version: nginx/1.4.3

built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)

TLS SNI support enabled

configure arguments: –prefix=/etc/nginx –sbin-path=/usr/sbin/nginx –conf-path=/etc/nginx/nginx.conf

…

….

If nginx is not installed, type the following command to download and install nginx using yum command:

# yum install nginx

See how to install Nginx web server On CentOS Linux 6 or Red Hat Enterprise Linux 6 using yum command for more information.

Step #2: Create a directory

Type the following mkdir command to create a directory to store your ssl certificates:

# mkdir -p /etc/nginx/ssl/theos.in

Use the following cd command to change the directory:

# cd /etc/nginx/ssl/theos.in

Step #3: Create an SSL private key

To generate an SSL private key, enter:

# openssl genrsa -des3 -out self-ssl.key 1024

OR better try 2048 bit key:

# openssl genrsa -des3 -out self-ssl.key 2048

Sample outputs:

Generating RSA private key, 1024 bit long modulus

…++++++

……………++++++

e is 65537 (0x10001)

Enter pass phrase for self-ssl.key: Type-Your-PassPhrase-Here

Verifying – Enter pass phrase for self-ssl.key: Retype-Your-PassPhrase-Here

Warning: Make sure you remember passphrase. This passphrase is required to access your SSL key while generating csr or starting/stopping ssl.

Step #4: Create a certificate signing request (CSR)

To generate a CSR, enter:

# openssl req -new -key self-ssl.key -out self-ssl.csr

Sample outputs:

Enter pass phrase for self-ssl.key: Type-Your-PassPhrase-Here

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter . , the field will be left blank.

Country Name (2 letter code) [XX]:IN

State or Province Name (full name) []:Delhi

Locality Name (eg, city) [Default City]:New Delhi

Organization Name (eg, company) [Default Company Ltd]:nixCraft LTD

Organizational Unit Name (eg, section) []:IT

Common Name (eg, your name or your server s hostname) []:theos.in

Email Address []:webmaster@nixcraft.com

Please enter the following extra attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Step #5: Remove passphrase for nginx (optional)

You can remove passphrase from self-ssl.key for nginx server, enter:

# cp -v self-ssl.{key,original}

# openssl rsa -in self-ssl.original -out self-ssl.key

# rm -v self-ssl.original

Sample outputs:

Enter pass phrase for self-ssl.original: Type-Your-PassPhrase-Here

writing RSA key

Step #6: Create certificate

Finally, generate SSL certificate i.e. sign your SSL certificate with your own .csr file for one year:

# openssl x509 -req -days 365 -in self-ssl.csr -signkey self-ssl.key -out self-ssl.crt

Sample outputs:

Signature ok

subject=/C=IN/ST=Delhi/L=New Delhi/O=nixCraft LTD/OU=IT/CN=theos.in/emailAddress=webmaster@nixcraft.com

Getting Private key

Step #7: Configure the Certificate for nginx

Edit /etc/nginx/virtual/theos.in.conf, enter:

# vi /etc/nginx/virtual/theos.in.conf

The general syntax is as follows for nginx SSL configuration:

server {

#for ipv4

listen 443 ssl http2;

#for ipv6

#listen [::]:443 ssl http2;

ssl_certificate /path/to/self-ssl.crt;

ssl_certificate_key /path/to/self-ssl.key;

server_name theos.in;

location / {

….

…

….

}

Here is my sample config for theos.in:

server {

###########################[Note]##############################

## Note: Replace IP and server name as per your actual setup ##

###############################################################

## IP:Port and server name

listen 75.126.153.211:443 ssl http2;

server_name theos.in;

## SSL settings

ssl_certificate /etc/nginx/ssl/theos.in/self-ssl.crt;

ssl_certificate_key /etc/nginx/ssl/theos.in/self-ssl.key;

## SSL caching/optimization

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS ;

ssl_prefer_server_ciphers on;

ssl_session_cache shared:SSL:50m;

ssl_session_timeout 1d;

ssl_session_tickets off;

## SSL log files

access_log /var/log/nginx/theos.in/ssl_theos.in_access.log;

error_log /var/log/nginx/theos.in/ssl_theos.in_error.log;

## Rest of server config goes here

location / {

proxy_set_header Accept-Encoding ;

proxy_set_header Host $http_host;

proxy_set_header X-Forwarded-By $server_addr:$server_port;

proxy_set_header X-Forwarded-For $remote_addr;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_set_header X-Real-IP $remote_addr;

proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

## Hey, ADD YOUR location / specific CONFIG HERE ##

## STOP: YOUR location / specific CONFIG HERE ##

}

Step #8: Restart/reload nginx

Type the following command

# /usr/sbin/nginx -t

Sample outputs:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

To gracefully restart/reload nginx server, type the following command:

# /etc/init.d/nginx reload

# /usr/sbin/nginx -s reload

# service nginx reload

Step #9: Open TCP HTTPS port # 443

Type the following command to open port # 443 for everyone:

# /sbin/iptables -A INPUT -m state –state NEW -p tcp –dport 443 -j ACCEPT

Save new firewall settings:

# service iptables save

See how to setup firewall for a web server for more information.

Step 10: Test it

Fire a browser and type the following url:

https://theos.in/

Sample outputs:

Fig.02: SSL connection is not verified due to self-signed certificate. Click the “Add Exception” button to continue.

Step 11: Verify SSL certificats

You can verify SSL Certificate using the following command:

# openssl verify pem-file

# openssl verify self-ssl.crt

How To Patch and Protect OpenSSL Vulnerability # CVE-2015-0291 CVE-2015-0204 [ 19/March/2015 ]

omid — Fri, 05 Jan 2018 15:36:54 +0000

n 19th March 2015, multiple high and moderate severity level vulnerabilities released in OpenSSL, a Secure Sockets Layer toolkit used in a Linux and Unix-like systems. How can I fix these vulnerabilities on a CentOS/RHEL/Ubuntu and Debian Linux based server for OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf.? How do I verify that my Linux server has been fixed against the OpenSSL vulnerability?

A serious security problem has been found and patched in the OpenSSL Library. Multiple vulnerabilities have been discovered in OpenSSL on 19/March/2015. The Common Vulnerabilities and exposures project identifies the following issues:

OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291) – Severity: High

Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204) – Severity: High

Multiblock corrupted pointer (CVE-2015-0290) – Severity: Moderate

Segmentation fault in DTLSv1_listen (CVE-2015-0207) – Severity: Moderate

Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286) – Severity: Moderate

Segmentation fault for invalid PSS parameters (CVE-2015-0208) – Severity: Moderate

ASN.1 structure reuse memory corruption (CVE-2015-0287) – Severity: Moderate

PKCS7 NULL pointer dereferences (CVE-2015-0289) – Severity: Moderate

Base64 decode (CVE-2015-0292) – Severity: Moderate

DoS via reachable assert in SSLv2 servers (CVE-2015-0293) – Severity: Moderate

Empty CKE with client auth and DHE (CVE-2015-1787) – Severity: Moderate

Handshake with unseeded PRNG (CVE-2015-0285) – Severity: Low

Use After Free following d2i_ECPrivatekey error (CVE-2015-0209) Severity: Low

X509_to_X509_REQ NULL pointer deref (CVE-2015-0288) Severity: Low

How bad will this actually be?

It is not bad as the heartbleed openssl bug disclosed in April 2014 in the OpenSSL cryptography library. But, new bug can cause “Denial of Service” and crash your services. It is good security practice, to quickly apply the patched version on your system and restart the affected services.

How to find openssl version on a Linux?

The syntax is as follows:

Find openssl version on a CentOS/RHEL/SL/Fedora Linux

openssl version

or ##

sudo yum list installed openssl

Sample outputs:

Fig.01: How to RHEL/CentOS/Fedora Linux Find OpenSSL Version Command

Find openssl version on a Debian/Ubuntu Linux

openssl version

or ##

sudo dpkg -l | egrep ^ii.*openssl

Sample outputs:

Fig.02: How to Debian/Ubuntu Linux Find OpenSSL Version Command

A list of affected Linux distros

I recommend that you upgrade your openssl packages ASAP to avoid any security issues on both client and server systems powered by Linux based distro.

RHEL version 6.x

RHEL version 7.x

CentoS Linux version 6.x

CentoS Linux version 7.x

Debian Linux stable (wheezy) 7.x

Ubuntu Linux 14.10

Ubuntu Linux 14.04 LTS

Ubuntu Linux 12.04 LTS

Ubuntu Linux 10.04 LTS

How to patch on a Linux?

Type the following commands as per your distro version/type:

how do I find out my distro version? ##

lsb_release -a

or use ##

cat /etc/*-release

Sample outputs:

Gif 01: HowTo: Find Out My Linux Distribution Name and Version

CentOS/RHEL/Fedora Linux

Type the following yum command to patch openssl as root user to patch openssl:

sudo yum clean all

To install the updates, use the yum command as follows:

sudo yum update

To only update the OpenSSL package and its dependencies, use the following yum command:

sudo yum update openssl

Sample outputs:

Loaded plugins: auto-update-debuginfo, protectbase, rhnplugin, security

This system is receiving updates from RHN Classic or RHN Satellite.

Setting up Update Process

epel-debuginfo/metalink | 13 kB 00:00

rhel-x86_64-server-6 | 1.5 kB 00:00

rhel-x86_64-server-6/primary | 21 MB 00:05

rhel-x86_64-server-6 14680/14680

rhel-x86_64-server-6-debuginfo | 1.3 kB 00:00

rhel-x86_64-server-6-debuginfo/primary | 1.1 MB 00:00

rhel-x86_64-server-6-debuginfo 5939/5939

rhel-x86_64-server-optional-6 | 1.5 kB 00:00

rhel-x86_64-server-optional-6/primary | 2.0 MB 00:00

rhel-x86_64-server-optional-6 8239/8239

rhel-x86_64-server-optional-6-debuginfo | 1.3 kB 00:00

rhel-x86_64-server-optional-6-debuginfo/primary | 681 kB 00:00

rhel-x86_64-server-optional-6-debuginfo 3571/3571

0 packages excluded due to repository protections

Resolving Dependencies

–> Running transaction check

—> Package openssl.x86_64 0:1.0.1e-30.el6_6.5 will be updated

–> Processing Dependency: openssl = 1.0.1e-30.el6_6.5 for package: openssl-devel-1.0.1e-30.el6_6.5.x86_64

—> Package openssl.x86_64 0:1.0.1e-30.el6_6.7 will be an update

–> Running transaction check

—> Package openssl-devel.x86_64 0:1.0.1e-30.el6_6.5 will be updated

—> Package openssl-devel.x86_64 0:1.0.1e-30.el6_6.7 will be an update

–> Finished Dependency Resolution

Dependencies Resolved

================================================================================

Package Arch Version Repository Size

================================================================================

Updating:

openssl x86_64 1.0.1e-30.el6_6.7 rhel-x86_64-server-6 1.5 M

Updating for dependencies:

openssl-devel x86_64 1.0.1e-30.el6_6.7 rhel-x86_64-server-6 1.2 M

Transaction Summary

================================================================================

Upgrade 2 Package(s)

Total download size: 2.7 M

Is this ok [y/N]: n

Exiting on user Command

[root@txvip1 ~]#

[root@txvip1 ~]# yum update openssl

Loaded plugins: auto-update-debuginfo, protectbase, rhnplugin, security

This system is receiving updates from RHN Classic or RHN Satellite.

Setting up Update Process

0 packages excluded due to repository protections

Resolving Dependencies

–> Running transaction check

—> Package openssl.x86_64 0:1.0.1e-30.el6_6.5 will be updated

–> Processing Dependency: openssl = 1.0.1e-30.el6_6.5 for package: openssl-devel-1.0.1e-30.el6_6.5.x86_64

—> Package openssl.x86_64 0:1.0.1e-30.el6_6.7 will be an update

–> Running transaction check

—> Package openssl-devel.x86_64 0:1.0.1e-30.el6_6.5 will be updated

—> Package openssl-devel.x86_64 0:1.0.1e-30.el6_6.7 will be an update

–> Finished Dependency Resolution

Dependencies Resolved

============================================================================================

Package Arch Version Repository Size

============================================================================================

Updating:

openssl x86_64 1.0.1e-30.el6_6.7 rhel-x86_64-server-6 1.5 M

Updating for dependencies:

openssl-devel x86_64 1.0.1e-30.el6_6.7 rhel-x86_64-server-6 1.2 M

Transaction Summary

============================================================================================

Upgrade 2 Package(s)

Total download size: 2.7 M

Is this ok [y/N]: y

Downloading Packages:

(1/2): openssl-1.0.1e-30.el6_6.7.x86_64.rpm | 1.5 MB 00:00

(2/2): openssl-devel-1.0.1e-30.el6_6.7.x86_64.rpm | 1.2 MB 00:00

Total 6.4 MB/s | 2.7 MB 00:00

Running rpm_check_debug

Running Transaction Test

Transaction Test Succeeded

Running Transaction

Updating : openssl-1.0.1e-30.el6_6.7.x86_64 1/4

Updating : openssl-devel-1.0.1e-30.el6_6.7.x86_64 2/4

Cleanup : openssl-devel-1.0.1e-30.el6_6.5.x86_64 3/4

Cleanup : openssl-1.0.1e-30.el6_6.5.x86_64 4/4

Verifying : openssl-1.0.1e-30.el6_6.7.x86_64 1/4

Verifying : openssl-devel-1.0.1e-30.el6_6.7.x86_64 2/4

Verifying : openssl-1.0.1e-30.el6_6.5.x86_64 3/4

Verifying : openssl-devel-1.0.1e-30.el6_6.5.x86_64 4/4

Updated:

openssl.x86_64 0:1.0.1e-30.el6_6.7

Dependency Updated:

openssl-devel.x86_64 0:1.0.1e-30.el6_6.7

Complete!

Debian/Ubuntu Linux

Type the following apt-get commands to patch openssl as root user to patch openssl:

sudo apt-get update

sudo apt-get upgrade

Sample outputs:

Fig.04: OpenSSL patched on a Ubuntu Linux

Do I need to reboot my server/laptop/computer powered by Linux?

Short answer – yes, you need to reboot your computer/server to make all the necessary changes. Sysadmin should plan on updating as soon as possible or use maintenance reboot window:

sudo reboot

Long answer – It depends. You can avoid reboot by restarting required services. Fist, find all services that depend on the OpenSSL libraries, and restart them one-by-one using the service command:

Debian/Ubuntu find out if service needed reboot ##

checkrestart -v

Generic method ##

lsof | grep libssl | awk {print $1} | sort | uniq

Sample outputs:

hhvm

mysqld

nginx

php5-fpm

Restart the above services one-by-one, run:

sudo service restart hhvm restart

sudo service restart mysqld restart

sudo service restart nginx restart

sudo service restart php5-fpm restart

References

OpenSSL Security Advisory [19 Mar 2015]

DSA-3197-1 openssl — security update

USN-2537-1: OpenSSL vulnerabilities

OpenSSL Updates of 19 March 2015

LibreSSL addresses a number of security issues in coordination with the OpenSSL project released on 19 March 2015

How To Patch and Protect OpenSSL Vulnerability # CVE-2015-0291 CVE-2015-0204 [ 19/March/2015 ]

omid — Fri, 05 Jan 2018 15:32:17 +0000