Nov 11, 2019 8:30 AM Apr 24, 2020 2:30 PM

Adding a self-signed SSL certificate to Nginx on Debian/Ubuntu

In this article I will explain how to add a self-signed SSL certificate to the Nginx server on the Debian/Ubuntu operating system. A self-signed certificate is one that its creator signs with the certificate's own private key instead of having it signed by a certification authority. Because no certification authority vouches for it, it is used only for testing on a local server.

You can also add a trusted SSL certificate for the local environment in Nginx on Debian/Ubuntu (using root CA). If this instruction seems complicated to you, try a simpler article on how to add a trusted self-signed SSL certificate to Nginx on Debian/Ubuntu, but this solution does not always work.

These instructions were carried out on the following operating systems: Debian 10, Debian 9, Ubuntu 20.10, Ubuntu 20.04, Ubuntu 19.10.

Creating a self-signed SSL certificate

The OpenSSL cryptographic library is often used to create SSL certificates. The openssl package should already be included in the distribution, but if for some reason it is missing, let's install it.

Before any software installation, it is recommended to update the list of repository packages by running the command in the terminal:

sudo apt-get update

Install OpenSSL by running the command in the terminal:

sudo apt-get install openssl

Now let's create a self-signed SSL certificate with a private key by running the command in the terminal:

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/localhost.key -out /etc/ssl/certs/localhost.crt

where

In the process of generating the certificate, several questions will be asked. You can skip them:

[Screenshot: Creating a self-signed SSL certificate]
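The same openssl command with the questions answered up front, followed by checks on the resulting key and certificate. This is an added example, not part of the original article; the scratch directory, the CN value and the function names are assumptions.

```shell
#!/bin/sh
# Added example: the article's openssl command without the prompts, plus checks.
# Option notes (standard openssl req behaviour):
#   -x509    emit a self-signed certificate instead of a signing request
#   -nodes   leave the private key unencrypted so Nginx can start unattended
#   -subj    answer the interactive questions up front (CN value is an assumption)

# Writes localhost.key / localhost.crt into directory $1 (scratch dir: assumption).
make_selfsigned() {
    ( umask 077   # the key must never be group- or world-readable
      openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
          -subj "/CN=localhost" \
          -keyout "$1/localhost.key" -out "$1/localhost.crt" 2>/dev/null )
}

# The public key in the certificate must be the one derived from the private key;
# Nginx refuses to load a pair that does not match.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Self-signed: the certificate verifies with itself as the only trust anchor.
is_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# With -nodes, file permissions are the key's only protection.
key_is_private() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Prints "ok" or the first failed check; $1 = certificate, $2 = private key.
check_pair() {
    cert_matches_key "$1" "$2" || { echo "certificate and key do not match"; return 1; }
    is_self_signed "$1" || { echo "certificate is not self-signed"; return 1; }
    key_is_private "$2" || { echo "key file mode is not 600"; return 1; }
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null ||
        { echo "certificate expires within 24 hours"; return 1; }
    echo "ok"
}

# Usage: d=$(mktemp -d); make_selfsigned "$d"; check_pair "$d/localhost.crt" "$d/localhost.key"
```

To check the files created by the article's command, call check_pair as root with /etc/ssl/certs/localhost.crt and /etc/ssl/private/localhost.key.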

Configuring Nginx to use SSL

Let's enable SSL in the Nginx server configuration. We will specify listening on port 443 (HTTPS) and the path to the certificate and private key files. Edit the server configuration file /etc/nginx/sites-available/default:

sudo nano /etc/nginx/sites-available/default

Change the server block so that it looks like this:

server {
	listen 80 default_server;
	listen [::]:80 default_server;

	listen 443 ssl default_server;
	listen [::]:443 ssl default_server;

	ssl_certificate /etc/ssl/certs/localhost.crt;
	ssl_certificate_key /etc/ssl/private/localhost.key;

	root /var/www/html;
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		try_files $uri $uri/ =404;
	}
}

Save the changes and close the file. Check the configuration for validity by running the command in the terminal:

sudo nginx -t

Now apply the configuration changes by running the command in the terminal:

sudo service nginx reload

Encryption testing

Let's check that our Nginx server is accessible via the HTTPS protocol by entering the following address in the browser:

https://localhost

Since the certificate we created was not signed by one of the trusted certification authorities of your browser, you will most likely see a warning that your connection is not secure:

[Screenshot: Your connection is not secure]

Do not worry, this is normal. Just add an exception in the browser:

[Screenshot: Add exception for self-signed certificate]

[Screenshot: Confirm security exception]

Your connection will now be encrypted using the HTTPS protocol. However, a message will still be displayed stating that the connection is not secure — this simply means that the certificate cannot be verified by a trusted certificate authority:

[Screenshot: Nginx welcome page with SSL]
