en:server:services:ssl

en:server:services:ssl [2023/01/01 00:56] – [Installing your root certificate on all the devices] changed to dokuwiki syntax danen:server:services:ssl [2024/05/11 22:05] (current) – [Arch Linux] deleted sudo to be consistent with other tutorials dan
Line 5: Line 5:
 This tutorial is based on the domain ''nextcloud.home''. So change the domain to your specific domain. This tutorial is based on the domain ''nextcloud.home''. So change the domain to your specific domain.
  
-It is also important that the domain address gets redirected from your router. This can also be set in the ''/etc/hosts'' file of your computer, but to reach the domain on every device, it is easier to change this directly in the router:+It is also important that the domain address gets redirected from your router or use [[/en/server/services/adguardhome#dns_rewrites|AdGuardHome]]. This can also be set in the ''/etc/hosts'' file of your computer, but to reach the domain on every device, it is easier to change this directly in the router or [[/en/server/services/adguardhome#dns_rewrites|AdGuardHome]]:
  
 <code> <code>
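Review bot: the new AdGuardHome reference at the end of the first paragraph should say that a DNS rewrite only reaches clients that actually resolve through AdGuardHome. A device with a hard-coded DNS server, or a browser with DNS-over-HTTPS enabled, will still look up nextcloud.home elsewhere and never see the rewrite, so the sentence should add that the router's DHCP-advertised resolver must be AdGuardHome (or that DoH is turned off per device) for the "every device" claim to hold.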
Line 12: Line 12:
  
  
-===== Generating the private key and root certificate =====+===== mkcert =====
  
-<code> +[[https://github.com/FiloSottile/mkcert|mkcert]] is a simple tool for making locally-trusted development certificates. It requires no configuration.
-openssl genrsa -des3 -out myCA.key 2048 +
-</code>+
  
-<code> 
-openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem 
-</code> 
  
-Change the following information as you wish. It appears when you view the certificate through your browser.+==== Packages ==== 
 <code> <code>
-Country Name (2 letter code) [AU]: +pacman -S nss mkcert
-State or Province Name (full name) [Some-State]: +
-Locality Name (eg, city) []: +
-Organization Name (eg, company) [Internet Widgits Pty Ltd]: +
-Organizational Unit Name (eg, section) []: +
-Common Name (e.g. server FQDN or YOUR name) []: +
-Email Address []:+
 </code> </code>
  
  
-===== Installing your root certificate on all the devices =====+==== Create root certificate ====
  
-You'll need to create a ''myCA.pem'' file on every device and copy the content of cat ''myCA.pem'' file wherever you created it in section [[#generating-the-private-key-and-root-certificate]].+<code> 
 +mkcert -install 
 +</code>
  
  
-==== Arch Linux ====+==== Create certificates for your domains ====
  
 <code> <code>
-sudo trust anchor --store myCA.pem+mkcert nextcloud.home
 </code> </code>
  
  
-==== Android ====+===== Manually =====
  
-''Settings'' - ''Security'' - ''Encryption and credentials'' - ''Install a certificate'' 
  
-Check under:+==== Generating the private key and root certificate ====
  
-''Settings'' ''Security'' ''Trusted credentials'' - ''User''+<code> 
 +openssl genrsa -des3 -out rootCA.key 2048 
 +</code>
  
 +<code>
 +openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1825 -out rootCA.pem
 +</code>
  
-===== Creating CA-Signed certificates for your domains =====+Change the following information as you wish. It appears when you view the certificate through your browser. 
 +<code> 
 +Country Name (2 letter code) [AU]: 
 +State or Province Name (full name) [Some-State]: 
 +Locality Name (eg, city) []: 
 +Organization Name (eg, company) [Internet Widgits Pty Ltd]: 
 +Organizational Unit Name (eg, section) []: 
 +Common Name (e.g. server FQDN or YOUR name) []: 
 +Email Address []: 
 +</code> 
 + 
 + 
 +==== Creating CA-Signed certificates for your domains ====
  
 <code> <code>
-openssl genrsa -out domain.home.key 2048+openssl genrsa -out nextcloud.home-key.pem 2048
 </code> </code>
  
 <code> <code>
-openssl req -new -key DOMAIN.home.key -out DOMAIN.home.csr+openssl req -new -key nextcloud.home-key.pem -out nextcloud.home.pem
 </code> </code>
  
 <code> <code>
-nano DOMAIN.home.ext+nano nextcloud.home.ext
 </code> </code>
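Review bot: the renamed CSR output in `openssl req -new -key nextcloud.home-key.pem -out nextcloud.home.pem` gives the request file the same name that this revision's nginx block later reads as `ssl_certificate /etc/nginx/ssl/nextcloud.home.pem`, while the signed certificate still ends up in `.crt`; nginx refuses a CSR with a PEM/X509 load error. Keep `-out nextcloud.home.csr` here and have the signing step write `nextcloud.home.pem`, so the manual and mkcert paths produce identical filenames. Second, the mkcert section should state where the CA private key lives and that it must not leave the issuing machine: `mkcert -install` writes `rootCA.pem` and `rootCA-key.pem` into the directory printed by `mkcert -CAROOT`, and anyone holding `rootCA-key.pem` can mint a certificate for any name that every device trusting this root will accept without warning. The same holds for `rootCA.key` in the manual flow, which at least is passphrase-protected by `-des3`; the mkcert key is stored unencrypted.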
  
Line 76: Line 84:
  
 [alt_names] [alt_names]
-DNS.1 = DOMAIN.home+DNS.1 = nextcloud.home
 </code> </code>
  
  
-==== Script ====+=== Script ===
  
 Create the file in ''nano /etc/nginx/ssl/ssl.sh''. Create the file in ''nano /etc/nginx/ssl/ssl.sh''.
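Review bot: with the name now fixed in `DNS.1 = nextcloud.home`, the surrounding text should say that this subjectAltName entry is the only name browsers check. Chrome and Firefox ignore the Common Name answered at the `openssl req` prompt, so a certificate whose `[alt_names]` does not exactly match nginx's `server_name` fails with NET::ERR_CERT_COMMON_NAME_INVALID even when CN was filled in correctly. If the instance is also reached by an alias or by IP, add `DNS.2 =` or `IP.1 =` lines in this section rather than relying on CN.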
Line 95: Line 103:
 DOMAIN=$1 DOMAIN=$1
  
-openssl genrsa -out $DOMAIN.key 2048 +openssl genrsa -out $DOMAIN-key.pem 2048 
-openssl req -new -key $DOMAIN.key -out $DOMAIN.csr+openssl req -new -key $DOMAIN-key.pem -out $DOMAIN.pem
  
 cat > $DOMAIN.ext << EOF cat > $DOMAIN.ext << EOF
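Review bot: `openssl req -new -key $DOMAIN-key.pem -out $DOMAIN.pem` still prompts interactively for the subject fields, which defeats a script invoked as `./ssl.sh nextcloud.home`; pass `-subj "/CN=$DOMAIN"` so it runs unattended (the CN is cosmetic anyway, the SAN from the ext file is what browsers validate). The variable should also be quoted (`"$DOMAIN"`) and the script should start with `set -eu`, so a missing argument aborts instead of producing oddly named key and request files and an ext file with an empty `DNS.1`.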
Line 107: Line 115:
 EOF EOF
  
-openssl x509 -req -in $DOMAIN.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial \+openssl x509 -req -in $DOMAIN.pem -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
 -out $DOMAIN.crt -days 825 -sha256 -extfile $DOMAIN.ext -out $DOMAIN.crt -days 825 -sha256 -extfile $DOMAIN.ext
 </code> </code>
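Review bot: the signing line reads the CSR from `$DOMAIN.pem` and writes the certificate to `$DOMAIN.crt`, but the nginx block in this same revision loads `nextcloud.home.pem` as `ssl_certificate`, so anyone following the manual path ends up pointing nginx at the CSR rather than the certificate. Change the output to `-out $DOMAIN.pem` (after renaming the CSR to `$DOMAIN.csr`) to match mkcert's naming. `-CAcreateserial` is fine for the first run, but the text should mention that it creates `rootCA.srl` next to the CA files and that this file must be kept: if it is lost and a later certificate reuses a serial number, Firefox rejects the new one with SEC_ERROR_REUSED_ISSUER_AND_SERIAL.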
Line 113: Line 121:
 <code> <code>
 chmod +x ssl.sh chmod +x ssl.sh
-./ssl.sh domain.home+./ssl.sh nextcloud.home
 </code> </code>
 +
 +
 +===== Installing your root certificate on all the devices =====
 +
 +You'll need to create a ''rootCA.pem'' file on every device and copy the content of ''cat rootCA.pem'' file wherever you created it in section [[#generating_the_private_key_and_root_certificate]] (manually). 
 +
 +If you used [[#mkcert]] just run this command ''cat $(mkcert -CAROOT)/rootCA.pem''.
 +
 +
 +==== Arch Linux ====
 +
 +<code>
 +trust anchor --store rootCA.pem
 +</code>
 +
 +
 +==== Android ====
 +
 +=== User trusted credentials ===
 +
 +''Settings'' - ''Security'' - ''Encryption and credentials'' - ''Install a certificate''
 +
 +Check under:
 +
 +''Settings'' - ''Security'' - ''Trusted credentials'' - ''User''
 +
 +
 +=== System trusted credentials ===
 +
 +If "User trusted credentials" is not enough and you need the certificate in the system, follow the next lines. However, this requires a rooted device: 
 +
 +<code>
 +hashed_name=`openssl x509 -inform PEM -subject_hash_old -in rootCA.pem | head -1` && cp rootCA.pem $hashed_name.0
 +ls $hashed_name.0
 +</code>
 +
 +<code>
 +adb root
 +adb shell mount -o rw,remount /
 +adb push $hashed_name.0 /system/etc/security/cacerts/
 +adb shell chmod 644 /system/etc/security/cacerts/$hashed_name.0
 +adb shell chown root:root /system/etc/security/cacerts/$hashed_name.0
 +adb shell reboot
 +</code>
 +
 +You can also use the Magisk module [[https://github.com/NVISOsecurity/MagiskTrustUserCerts/releases|MagiskTrustUserCerts]] (Android 13) or [[https://github.com/nccgroup/ConscryptTrustUserCerts|ConscryptTrustUserCerts]] (Android 14) which does the same as above.
 +
 +
 +=== Use third party CA certificates for firefox ===
 +
 +You might want to ''Use third party CA certificates'' for Firefox browser:
 +
 +  - Open your browser and scroll to the bottom and click About firefox/iceraven/mull ...
 +  - Click several times on the logo and go back 
 +  - Click on secret settings and enable ''Use third party CA certificates''
  
  
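Review bot: in the "System trusted credentials" block, `adb shell mount -o rw,remount /` fails with a read-only filesystem error on Android 10 and later, where /system is a dynamic partition protected by dm-verity; the supported route on those builds is `adb root` followed by `adb remount` on a userdebug build with verity disabled, which is exactly why the Magisk modules linked below this block exist. The text should say the raw adb steps apply to older or userdebug builds, and that Android 14 moved the system store into the Conscrypt APEX, which is why a separate module is listed for it. Second, the copy step should stress that only `rootCA.pem` travels: `cat $(mkcert -CAROOT)/rootCA.pem` is correct, but the same directory holds `rootCA-key.pem`, and copying the whole directory to a phone puts the signing key on every device. Installing into the system store also means apps whose network security config excludes user CAs will trust this root, so every such device now depends on that key staying private.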
Line 126: Line 189:
 <code> <code>
 nano /etc/nginx/conf.d/ssl-params.conf nano /etc/nginx/conf.d/ssl-params.conf
 +</code>
 +
 +<code>
 +ssl_protocols TLSv1.3;
 +ssl_prefer_server_ciphers on;
 +ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
 +ssl_ecdh_curve secp384r1;
 +ssl_session_cache shared:SSL:10m;
 </code> </code>
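Review bot: with `ssl_protocols TLSv1.3;` alone, the `ssl_ciphers` and `ssl_prefer_server_ciphers on;` lines added in this hunk are dead configuration: nginx's `ssl_ciphers` only governs the TLS 1.2 and earlier cipher list, and TLS 1.3 suites come from OpenSSL's defaults (changeable only through `ssl_conf_command Ciphersuites ...`). Either drop those two lines or, if TLS 1.2 clients are intended (older Android devices without TLS 1.3), add `TLSv1.2` to `ssl_protocols` so they take effect. `ssl_ecdh_curve secp384r1;` also excludes X25519 and P-256, which are what current browsers offer first; `ssl_ecdh_curve X25519:prime256v1:secp384r1;` or the default `auto` is the better choice.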
  
Line 146: Line 217:
         server_name nextcloud.home;         server_name nextcloud.home;
  
-        ssl_certificate /etc/nginx/ssl/nextcloud.home.crt+        ssl_certificate /etc/nginx/ssl/nextcloud.home.pem
-        ssl_certificate_key /etc/nginx/ssl/nextcloud.home.key;+        ssl_certificate_key /etc/nginx/ssl/nextcloud.home-key.pem;
         include conf.d/ssl-params.conf;         include conf.d/ssl-params.conf;
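Review bot: the `ssl_certificate /etc/nginx/ssl/nextcloud.home.pem` line as shown in this hunk has no terminating `;`, so nginx joins it with the following line and `nginx -t` fails with "invalid number of arguments in "ssl_certificate" directive"; the `ssl_certificate_key` line does end with a semicolon, so only this one needs fixing. Beyond that, the new paths match mkcert's output (`nextcloud.home.pem` and `nextcloud.home-key.pem`) but not the manual section of this revision, which writes the certificate to `nextcloud.home.crt` and uses `nextcloud.home.pem` for the CSR; either align the filenames in both flows or add a note here pointing manual users at `.crt`. Since the key lives under /etc/nginx/ssl, the block should also remind readers to keep it mode 600 and owned by root (nginx's master process reads it before dropping privileges) and to run `nginx -t` before reloading.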
          
  • Last modified: 2023/01/01 00:56
  • by dan