Self Signed SSL Certificate, nginx, and RightScale

Here’s my go-to article on creating self-signed SSL certificates, using them in NginX, and enabling secure access to a RightScale VM. You’ll need OpenSSL to follow this very brief tutorial.

Step

Ensure /etc/ssl/ exists; it may already be present, and if not, create it. Then create a local working directory ~/ssl_fun and cd into it.

sudo mkdir -p /etc/ssl/
mkdir ~/ssl_fun
cd ~/ssl_fun

Create a Private Key

You’ll need to enter a pass phrase. Pick something. We’ll remove it later for nginx.

openssl genrsa -des3 -out secure_cert.key 1024

Create a CSR (Certificate Signing Request)

You’ll be asked a series of questions. Enter what you want. However, for the Common Name you should enter the domain (or subdomain.domain) that you want to use this certificate for. You can use this certificate with _any_ domain, but browsers will show a few more errors if the Common Name does not match the domain you’re using.

openssl req -new -key secure_cert.key -out secure_csr.csr

Remove Pass Phrase for Nginx

I lied. This isn’t for Nginx. But it allows Nginx to use this certificate without needing the password in cases such as server reboots. Enter the pass phrase you picked in the earlier step.

openssl rsa -in secure_cert.key -out secure_cert_nginx.key

Get the CRT

This is the last step of the generation process. Let’s create the CRT, and then we can move our files around to work with Nginx.

openssl x509 -req -days 365 -in secure_csr.csr -signkey secure_cert_nginx.key -out secure_cert_nginx.crt
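The four generation steps above can also be done in one openssl call, and it is worth checking the result before copying anything into /etc/ssl. The script below is an added example, not from the original post: it uses a 2048-bit key and SHA-256 instead of the 1024-bit default shown above, adds a Subject Alternative Name alongside the Common Name, and then verifies that the key is unencrypted and actually matches the certificate. It assumes openssl 1.1.1 or newer on PATH; the domain and output directory are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example: generate the nginx key/cert pair in one openssl call and
# verify it before installing. Assumes openssl 1.1.1+ on PATH; domain and
# directory names are placeholders supplied by the caller.
set -eu

# make_self_signed DOMAIN OUTDIR
# Writes OUTDIR/secure_cert_nginx.key and OUTDIR/secure_cert_nginx.crt.
make_self_signed() {
    domain="$1"; outdir="$2"
    mkdir -p "$outdir"
    # One step replaces genrsa + req + rsa + x509: -nodes leaves the key
    # unencrypted so nginx can start unattended, rsa:2048 and -sha256 replace
    # the weak 1024-bit/SHA-1 defaults of older openssl, -subj answers the
    # interactive prompts, and -addext adds a SAN, which browsers check
    # instead of the Common Name.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$outdir/secure_cert_nginx.key" \
        -out "$outdir/secure_cert_nginx.crt" \
        -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain" 2>/dev/null
    chmod 600 "$outdir/secure_cert_nginx.key"   # private key: owner-only
}

# verify_pair CRT KEY: succeeds only if KEY is unencrypted and matches CRT.
verify_pair() {
    # An empty -passin makes an encrypted key fail instead of prompting,
    # which is exactly what would hang nginx on reboot.
    openssl rsa -in "$2" -noout -passin pass: 2>/dev/null || return 1
    # Compare the SubjectPublicKeyInfo carried by each file.
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$crt_pub" = "$key_pub" ]
}

# cert_names CRT: prints the subject and SAN lines so the domain can be checked.
cert_names() {
    openssl x509 -in "$1" -noout -text | grep -E 'Subject:|DNS:'
}

if [ -n "${1:-}" ]; then        # usage: sh mkcert.sh example.com ~/ssl_fun
    out="${2:-$HOME/ssl_fun}"
    make_self_signed "$1" "$out"
    verify_pair "$out/secure_cert_nginx.crt" "$out/secure_cert_nginx.key"
    cert_names "$out/secure_cert_nginx.crt"
fi
```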

Copy & Go

The CRT file goes to /etc/ssl/certs and the Key file goes to /etc/ssl/private…

sudo cp secure_cert_nginx.crt /etc/ssl/certs/
sudo cp secure_cert_nginx.key /etc/ssl/private/

If the folders don’t exist then create them!

Cleanup & Update Nginx

You can now remove ~/ssl_fun safely. Next, fix up your nginx.conf file. I made the server block for port 80 forward to port 443 and then moved my port 80 settings to the new port 443 server block:

    server {
        listen 80;
        server_name findbyimage.com www.findbyimage.com;
        rewrite ^(.*) https://$server_name$1 permanent;
    }
    server {
        listen 443;
        server_name findbyimage.com www.findbyimage.com;
        client_max_body_size 50M;
        error_log /home/logs/okc_browser_errors.log;
        root /home/rails/okc_browser/web/public;
        passenger_enabled on;
        # jpe?g matches both .jpg and .jpeg (the original jp?g missed .jpeg)
        location ~* \.(ico|css|js|gif|jpe?g|png)(\?[0-9]+)?$ {
            expires max;
            access_log off;
            break;
        }
        ssl on;
        ssl_certificate /etc/ssl/certs/secure_cert_nginx.crt;
        ssl_certificate_key /etc/ssl/private/secure_cert_nginx.key;
    }

A quick reload of the nginx binary and we were good to go (this step may vary depending on how you install Nginx):

/usr/local/nginx/sbin/nginx -s reload

RightScale specific step

I did not have port 443 in my security group so I had to add it. Check out Add IP Address Based Permissions on the RightScale Support Site.

NJOI