Task: Setup SSL for Nginx

Dear friends
@Tej-Singh-Rana
@andrzej
@andybubune
@Lalit
@Inderpreet
@vijin.palazhi
@kodekloud-support3
I am stuck with this task, need your help or suggestions completing the task.
task

  1. Install and configure nginx on App Server 2.
    I followed the steps from this article:
    How to Install Nginx on CentOS 7
    To configure nginx:
    CentOS 7 : Nginx : Configure SSL : Server World

  2. On App Server 2 there is a self signed SSL certificate and key present at location /tmp/nautilus.crt and /tmp/nautilus.key . Move them to some appropriate location and deploy the same in Nginx.

  3. Create an index.html file with content Welcome! under Nginx document root.

followed the steps from this article

unable to verify or validate the correctness of this task

Please check and advise. thank you
Swaroop

Where do we have to check?

in this thread I posted my steps
@Tej-Singh-Rana
Please check and advise

@swaroopcs88 the server_name should not include the http etc. It should be just hostname or IP. Further make sure the certificate path you mention in the conf is correct.

Hello all friends,
I have a problem in SSL for nginx. I have to perform some actions in this, which I have performed well, but I am stuck on an action in which I have to create an index.html file in the document root of nginx. There is already an index.html file in that folder, which was usr/share/nginx/html, but I couldn’t open that file. It is written in red color; it’s a symbolic file I think. So now what should I do: remove it, or create my index.html file, or do I have to do some other thing? Kindly advise; a snap of this is attached.
thanks
tariq

I copied SSL certificate and key to steve/cert folder.
will this work?




Just updating above settings will it deploy on nginx?
3. Create an index.html file with content Welcome! under Nginx document root.
Not getting an idea to perform this task. any suggestions or link that can help me?
Thanks
Swaroop

Hi Tej, @Tej-Singh-Rana
Please check and advise.

You have to create an index.html file in the nginx document root path → /usr/share/nginx/html .
Move this cert and key to an appropriate location; sometimes permission issues may occur.
This link will help you understand more.
https://serverfault.com/questions/259302/best-location-for-ssl-certificate-and-private-keys-on-ubuntu

thanks,

make sure write correct content in index.html → Welcome!

Hi Tej,

task 2:
On App Server 1 there is a self signed SSL certificate and key present at location /tmp/nautilus.crt and /tmp/nautilus.key . Move them to some appropriate location and deploy the same in Nginx.



task 3:
Create an index.html file with content Welcome! under Nginx document root.


should i make changes here?

1 Like

Yeah, change the content of index.html and put the ssl cert & key in /etc/ssl/ .

Create the directory and file on the linked location instead:
mkdir /usr/share/doc/HTML
vi /usr/share/doc/HTML/index.html

Below Steps worked

  1. Install nginx.
  2. Create /home/banner/data/index.html [light text welcome!]
  3. Set permissions for banner at home level and modify ownership.
  4. Move certificate and key to /etc/nginx/ssl.
  5. Install firewalld. Open ports 80 and 443. Enable the https service. Restart firewalld.
  6. Edit the server section of nginx.conf: put the IP, add the line listen 443 ssl …, comment out the line root. Under location add the line → root /home/banner/data;
  7. Restart nginx.
  8. Everything should be ok. Else, based on the response from curl -Ik https://IP …, check and fix for relevant messages in /var/log/nginx/error.log

Solution for beginners: Setup SSL for Nginx Kodekloud

Folks for [Setup SSL for Nginx]

follow below steps:

  1. sudo yum install epel-release
  2. sudo yum install nginx
  3. sudo systemctl start nginx
  4. systemctl status nginx
    If you have a firewall running follow this, if not skip.
    • sudo firewall-cmd --add-service=http
    • sudo firewall-cmd --add-service=https
    • sudo firewall-cmd --runtime-to-permanent
    • sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    • sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    • sudo mkdir /etc/ssl/certs and sudo mkdir /etc/ssl/private
    • sudo chmod 700 /etc/ssl/certs
    • sudo chmod 700 /etc/ssl/private
  5. Edit the /etc/nginx/nginx.conf file, replace the above directory in ssl_certificate, and copy the files that are given to you in the task question:
    cp /tmp/nautilus.crt /etc/ssl/certs
    cp /tmp/nautilus.key /etc/ssl/private
    and edit the nginx.conf file by replacing the default directories there with your above created directories

/etc/ssl/certs/nautilus.crt
/etc/ssl/private/nautilus.key

  6. Create an index.html file in /usr/share/nginx/html.
    If you see an index.html already present in html, delete that index.html, as you may not be able to edit that file.

rm index.html ---- to delete the file
vi index.html ---- Welcome! and save the file :wq

After this, curl the IP/host address.

curl 172.16.238.10

thanks

3 Likes

How about listening on port 443 setting in nginx.conf file?

For some reason I am getting 403 Forbidden Message. Not Welcome!

Any clue what I might be missing?

Nevermind folks, completed the task successfully.

Turns out at /usr/share/nginx/html there exists a file index.html (in red color). At first, deletion of this file wasn’t working and the edits made to this file wouldn’t save (gives error E166 can’t open linked file for writing). Therefore, I created index.html elsewhere (in /home/tony/data) and changed the nginx.conf file for root to point to the new location ( root /home/tony/data; ) where index.html was created. — STILL I was getting 403 Forbidden.

Then I followed this article - HTTP 403 Error Forbidden | What is status code 403 & how do I fix it? - IONOS (Safe to open).

  • Ensured User nginx is owner of all directories in /usr/share/nginx
    #sudo chown -R nginx:nginx *

  • Ensured all directories (my case /html and /modules only) have permissions set to 755
    #sudo chmod 755 /html
    #sudo chmod 755 /modules

  • Tried to make sure all files in document root directory (/html) have permission set to 644
    #sudo chmod 644 *

  • Setting 644 yielded error:
    chmod: cannot operate on dangling symlink ‘index.html’ – The red file.

But at this stage (after setting directory owner and directory permissions) - using sudo rm index.html I was able to delete the red index.html file I was having trouble deleting initially.

Next I created new index.html with message Welcome! at location /usr/share/nginx/html/index.html using sudo vi /usr/share/nginx/html/index.html. This time it saved successfully.

Also ensured that in the nginx.conf file location for root was updated to original setting - ( root /usr/share/nginx/html; )

Amazing troubleshooting / reviewing article / finding solution / learning experience.

I am new to linux without any formal training or work related experience on linux. Took me 3 hours to solve, but enjoyed it.

Thanks Team KKE @mmumshad for this platform and to all the contributors in the community.

6 Likes

Good work @arjitn. Appreciated :+1: :grinning:

Hi,
I am unable to complete Linux Level 3 Tasks 10: Setup SSL for Nginx. I used the same configuration as suggested in the above discussion, but the task always failed with the following error. Please suggest steps to complete the task correctly.

- ‘ssl’ is not setup correctly on App Server 3
FAILED test_nginx_ssl.py::test_nginx_ssl - AssertionError: - ‘ssl’ is not set…

Below are the steps I do to configure and verify

Configuration

Step 1: log in to the target server and become root

ssh stapp03 
sudo su -

Step 2: Install packages

yum install -y epel-release nginx net-tools

Step 3: Configure nginx (stapp03 example)

sed -i '/^# server {/,/^# }/{s/^#//}' /etc/nginx/nginx.conf
sed -i 's/server_name\s*_;/server_name 172.16.238.12;/' /etc/nginx/nginx.conf
sed -i 's#ssl_certificate "/etc/pki/nginx/server.crt";#ssl_certificate "/etc/ssl/certs/nautilus.crt";#' /etc/nginx/nginx.conf
sed -i 's#ssl_certificate_key "/etc/pki/nginx/private/server.key";#ssl_certificate_key "/etc/ssl/private/nautilus.key";#' /etc/nginx/nginx.conf

Step 4: configure webpage

echo "Welcome!" > /usr/share/nginx/html/index.html
chown -R nginx:nginx /usr/share/nginx/
chmod 755 /usr/share/nginx/modules
chmod 755 /usr/share/nginx/html/

Step 5: prepare certificates

mkdir /etc/ssl/certs
mkdir /etc/ssl/private
chmod 700 /etc/ssl/certs
chmod 700 /etc/ssl/private
cp /tmp/nautilus.crt /etc/ssl/certs
cp /tmp/nautilus.key /etc/ssl/private
chmod 644 /etc/ssl/certs/nautilus.crt
chmod 640 /etc/ssl/private/nautilus.key
chown root:nginx /etc/ssl/private/nautilus.key

Step 6: start nginx

systemctl enable --now nginx

Verification steps

Check nginx is running

systemctl status nginx -l

Output

● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-09-13 19:54:05 UTC; 7min ago
  Process: 1721 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 1708 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 1707 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 1734 (nginx)
    Tasks: 37 (limit: 1340692)
   Memory: 54.7M
   CGroup: /docker/58529b1210ec5809b911b63f6fcb2306529820adf382a12b918f995be06af5e9/system.slice/nginx.service

Check that nginx is listening on ports 80 and 443

netstat -tulpen | grep nginx

Output

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      0          131663385  1766/nginx: master  
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          131663383  1766/nginx: master  
tcp6       0      0 :::443                  :::*                    LISTEN      0          131663386  1766/nginx: master  
tcp6       0      0 :::80                   :::*                    LISTEN      0          131663384  1766/nginx: master

Run curl commands

locally

curl http://localhost
Welcome!

curl -Ik https://localhost
HTTP/2 200
server: nginx/1.14.1
date: Wed, 13 Sep 2023 19:21:02 GMT
content-type: text/html
content-length: 9
last-modified: Wed, 13 Sep 2023 19:20:14 GMT
etag: "65020b6e-9"
accept-ranges: bytes

from jumphost

curl https://stapp03
Welcome!

curl -Ik http://stapp03
HTTP/2 200
server: nginx/1.14.1
date: Wed, 13 Sep 2023 19:22:08 GMT
content-type: text/html
content-length: 9
last-modified: Wed, 13 Sep 2023 19:20:14 GMT
etag: "65020b6e-9"
accept-ranges: bytes

Check configs

cat /etc/nginx/nginx.conf

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name 172.16.238.12;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

# Settings for a TLS enabled server.
#
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name 172.16.238.12;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/ssl/certs/nautilus.crt";
        ssl_certificate_key "/etc/ssl/private/nautilus.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
}

cat /usr/share/nginx/html/index.html
Welcome!

ls -lart /etc/ssl/certs/nautilus.crt
-rw-r--r-- 1 root root 2170 Sep 13 19:48 /etc/ssl/certs/nautilus.crt
ls -lart /etc/ssl/private/nautilus.key
-rw-r----- 1 root root 3267 Sep 13 19:48 /etc/ssl/private/nautilus.key

cc: @Tej-Singh-Rana

1 Like
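Pulling together the checks this thread kept tripping over (the dangling index.html symlink behind the 403 post, private-key permissions, whether the cert and key actually belong together, the listen 443 ssl directive, and the curl test from the last post), here is an added pre-flight script; it is not from any poster or from KodeKloud. It assumes GNU/Linux with nginx, openssl and curl installed and the /etc/ssl paths used above (override them via CERT, KEY and DOCROOT).

```shell
#!/bin/sh
# Added pre-flight check for the "Setup SSL for Nginx" task (not from any post above).
# Assumes GNU/Linux with nginx, openssl and curl; paths follow the last post and
# can be overridden: CERT=... KEY=... DOCROOT=... sh nginx_ssl_check.sh run
CERT="${CERT:-/etc/ssl/certs/nautilus.crt}"
KEY="${KEY:-/etc/ssl/private/nautilus.key}"
DOCROOT="${DOCROOT:-/usr/share/nginx/html}"
# True when $1 is a symlink whose target is missing: the "red" index.html that
# vi refuses to write (E166) and chmod reports as a dangling symlink.
is_dangling_symlink() {
  [ -L "$1" ] && [ ! -e "$1" ]
}

# True when $1 is a regular file with no permissions for "other" and no group
# write bit (640 or 600 style), which is what a private key should have.
key_perms_ok() {
  [ -f "$1" ] || return 1
  mode=$(ls -ld "$1" | cut -c2-10)     # owner/group/other triplets, e.g. rw-r-----
  case "$mode" in
    ????-?---) return 0 ;;
    *) return 1 ;;
  esac
}

# True when the public key inside certificate $1 equals the public key derived
# from private key $2; a mismatch makes nginx -t fail at SSL_CTX_use_PrivateKey_file.
cert_matches_key() {
  cpub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  kpub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# Runs every check the thread ended up needing and prints one line per failure.
main() {
  rc=0
  if is_dangling_symlink "$DOCROOT/index.html"; then
    echo "FAIL: $DOCROOT/index.html is a dangling symlink; rm it and create a real file"; rc=1
  elif [ "$(cat "$DOCROOT/index.html" 2>/dev/null)" != "Welcome!" ]; then
    echo "FAIL: $DOCROOT/index.html does not contain exactly 'Welcome!'"; rc=1
  fi
  key_perms_ok "$KEY" || { echo "FAIL: $KEY should be mode 640 (root:nginx) or 600"; rc=1; }
  cert_matches_key "$CERT" "$KEY" || { echo "FAIL: $CERT and $KEY do not match"; rc=1; }
  nginx -t >/dev/null 2>&1 || { echo "FAIL: nginx -t rejects the configuration"; rc=1; }
  grep -Eq '^[[:space:]]*listen[[:space:]].*443[[:space:]]+ssl' /etc/nginx/nginx.conf \
    /etc/nginx/conf.d/*.conf 2>/dev/null || { echo "FAIL: no 'listen 443 ssl' directive"; rc=1; }
  curl -skI https://localhost/ | grep -q '^HTTP/[0-9.]* 200' || { echo "FAIL: HTTPS is not answering 200"; rc=1; }
  return "$rc"
}
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as root on the app server with `sh nginx_ssl_check.sh run`; a silent exit means all five checks passed, otherwise each FAIL line names the post above that describes the fix.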