TLS/SSL Certificate Placement in Nginx
Reference: https://serverfault.com/questions/681336/why-do-apache-ssl-certificate-and-key-need-to-be-in-etc-pki-tls-private
II. Steps Summary
- Connect via SSH to the App server and switch to root user.
- Install Nginx. Start, enable, and verify status.
- Move the SSL certificate and key to the appropriate location.
- Modify nginx.conf for TLS configuration and verify syntax.
- Restart Nginx to apply changes.
- Verify document root and create index.html.
- From jump host, verify HTTPS connection using curl.
III. Commands Used
1. SSH into App Server and switch to root
sshpass -p '******' ssh -o StrictHostKeyChecking=no tony@172.16.238.10
sudo su -
2. Install and start Nginx
sudo yum install epel-release -y
sudo yum install -y nginx
systemctl enable nginx
systemctl start nginx
systemctl status nginx
3. Move SSL certificate and key
ls -l /etc/pki/tls/certs/
ls -l /tmp
mv /tmp/nautilus.crt /etc/pki/tls/certs/
mv /tmp/nautilus.key /etc/pki/tls/certs/
ls -l /etc/pki/tls/certs/
ls -l /tmp
4. Modify Nginx configuration for TLS
Check configuration:
cat /etc/nginx/nginx.conf
Edit file:
cd /etc/nginx/
vi nginx.conf
Validate configuration:
nginx -t
Expected output:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
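An added check for this step, not part of the original notes: mv keeps whatever mode the key had in /tmp, so the script below reads the ssl_certificate_key paths out of an nginx config and fails if any key is missing or accessible to group/other. The function names and the throwaway demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original notes: audit every private key that an
# nginx config references through ssl_certificate_key.

# Print each path given to ssl_certificate_key; commented-out lines are skipped.
referenced_keys() {
    sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]]\{1,\}\([^;[:space:]]*\)[[:space:]]*;.*/\1/p' "$1" |
        tr -d "\"'"
}

# Succeed only for a regular file with no group/other permission bits.
key_mode_ok() {
    [ -f "$1" ] || return 1
    # "ls -l" mode looks like "-rw-------"; characters 5-10 are group and other.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Return 0 only if the config names at least one key and every key passes.
audit_nginx_keys() {
    rc=1                                  # 1 = no key directive found yet
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        if key_mode_ok "$key"; then
            echo "OK    $key"
            [ "$rc" -eq 2 ] || rc=0
        else
            echo "FAIL  $key (missing, or accessible to group/other)"
            rc=2
        fi
    done <<EOF
$(referenced_keys "$1")
EOF
    [ "$rc" -eq 0 ]
}

# Constructed sample: a throwaway config and key, first 0644 and then 0600.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/nautilus.key"
    printf 'server {\n    listen 443 ssl;\n    ssl_certificate_key %s;\n}\n' "$d/nautilus.key" > "$d/nginx.conf"
    chmod 644 "$d/nautilus.key"; audit_nginx_keys "$d/nginx.conf" || true
    chmod 600 "$d/nautilus.key"; audit_nginx_keys "$d/nginx.conf"
    rm -rf "$d"
}

if [ "$#" -gt 0 ]; then audit_nginx_keys "$1"; else demo; fi
```

Run it as root with /etc/nginx/nginx.conf as the argument after editing the config; a FAIL line for the key is fixed with chmod 600 on that file.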
5. Restart Nginx
systemctl enable nginx
systemctl restart nginx
systemctl status nginx
6. Verify document root and create index page
Check root:
grep root /etc/nginx/nginx.conf
Navigate to document root:
cd /usr/share/nginx/html/
ls -l
Remove default index (if symlink exists):
rm -f index.html
Create new index file:
vi index.html
Content:
Welcome!
Verify:
cat index.html
7. Verify HTTPS from jump host
Check headers:
curl -Ik https://172.16.238.10
Check content (insecure due to self-signed cert):
curl --insecure https://172.16.238.10
Expected output:
Welcome!