selfsigned chain.pem #9
Comments
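@falconmick - The Nginx configuration is defaulted to use Let's Encrypt format which will generate four `.pem` files

- `privkey.pem`: the private key for your certificate.
- `fullchain.pem`: the certificate file used in most server software.
- `chain.pem`: used for OCSP stapling in Nginx >=1.3.7.
- `cert.pem`: will break many server configurations, and should not be used without reading further documentation.

The `fullchain.pem` was generated by concatenating the `cert.pem` and `chain.pem` files together (with `cert.pem` being the first entry)

Only three of the above files are then used in the config file, but the contents of `cert.pem` is already encapsulated by the `fullchain.pem` file.

```
...
ssl_certificate /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/DOMAIN_NAME/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;
...
```

If you're not using Let's Encrypt for certificates you can update the Nginx SSL configuration file to suit your particular case. OpenSSL can be used to generate self signed certificates, generally something like:

```
openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
  -subj "/C=US/ST=North Carolina/L=Chapel Hill/O=Local/OU=Development/CN=local.dev/[email protected]" \
  -keyout local.dev.key \
  -out local.dev.crt
```

The output of the above command is a `local.dev.crt` certificate file and a `local.dev.key` key file. Say these are saved in a local directory named `self_signed_certs/`

Would then remap the Nginx configuration to use those two new files

```
...
# comment out / replace the following three lines
#ssl_certificate /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/DOMAIN_NAME/privkey.pem;
#ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;
# with these new lines, remember to volume mount your local files to /certs of the nginx container
ssl_certificate /certs/local.dev.crt;
ssl_certificate_key /certs/local.dev.key;
...
```

Update the `nginx` volume entry in the `docker-compose.yml` file to mount your self signed certificates.

```
volumes:
  - ./nginx:/etc/nginx/conf.d
  - ./logs/nginx:/var/log/nginx
  - ./wordpress:/var/www/html
  #- ./certs:/etc/letsencrypt
  #- ./certs-data:/data/letsencrypt
  - ./self_signed_certs:/certs
```

At this point you should be ready to go using self signed certificates in a development environment.

More information on OpenSSL certificate generation: https://jamielinux.com/docs/openssl-certificate-authority/index.html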
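The layout described in the comment above (`fullchain.pem` is `cert.pem` followed by `chain.pem`, and a self-signed certificate leaves no chain for `ssl_trusted_certificate` to point at), as an added example that is not part of the comment or of the repository's code. The function names, the `cert.pem`/`chain.pem` output names and the container-directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the repository.
# Assumption: the bundle is laid out leaf certificate first, issuers after it.

# Number of certificates in a PEM file (prints 0 when there are none).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split bundle $1 into $2/cert.pem (first certificate) and
# $2/chain.pem (everything after it; empty for a self-signed certificate).
split_fullchain() {
    mkdir -p "$2" || return 1
    : > "$2/cert.pem"
    : > "$2/chain.pem"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside { f = dir (n == 1 ? "/cert.pem" : "/chain.pem"); print > f }
        /-----END CERTIFICATE-----/   { inside = 0 }
    ' "$1"
}

# Print the Nginx directives that fit certificate file $1 and key file $2.
# $3 is the directory Nginx sees them in (hypothetical, e.g. /certs).
nginx_ssl_lines() {
    printf 'ssl_certificate %s/%s;\n' "$3" "$(basename "$1")"
    printf 'ssl_certificate_key %s/%s;\n' "$3" "$(basename "$2")"
    if [ "$(pem_cert_count "$1")" -gt 1 ]; then
        # Only a bundle that carries issuer certificates has a chain file
        # to reference (assumed to sit beside it as chain.pem).
        printf 'ssl_trusted_certificate %s/chain.pem;\n' "$3"
    fi
}

# Usage: sh script.sh <cert-or-bundle> <key> <dir-inside-container>
if [ "$#" -eq 3 ]; then
    nginx_ssl_lines "$@"
fi
```

For a single self-signed certificate the output has only the `ssl_certificate` and `ssl_certificate_key` lines, which matches the replacement configuration in the comment above.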
Thanks for all the info!
On Wed, 3 Oct 2018 at 8:17 PM, Michael J. Stealey ***@***.***> wrote:

@falconmick <https://github.com/falconmick> - The Nginx configuration is defaulted to use Let's Encrypt format which will generate four .pem files

- privkey.pem: the private key for your certificate.
- fullchain.pem: the certificate file used in most server software.
- chain.pem: used for OCSP stapling in Nginx >=1.3.7.
- cert.pem: will break many server configurations, and should not be used without reading further documentation.

The fullchain.pem was generated by concatenating the cert.pem and chain.pem files together (with cert.pem being the first entry)

Only three of the above files are then used in the config file, but the contents of cert.pem is already encapsulated by the fullchain.pem file.

```
...
ssl_certificate /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/DOMAIN_NAME/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;
...
```

If you're not using Let's Encrypt for certificates you can update the Nginx SSL configuration file to suit your particular case. OpenSSL can be used to generate self signed certificates, generally something like:

```
openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
  -subj "/C=US/ST=North Carolina/L=Chapel ***@***.***" \
  -keyout local.dev.key \
  -out local.dev.crt
```

The output of the above command is a local.dev.crt certificate file and a local.dev.key key file. Say these are saved in a local directory named self_signed_certs/

Would then remap the Nginx configuration to use those two new files

```
...
# comment out / replace the following three lines
#ssl_certificate /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/DOMAIN_NAME/privkey.pem;
#ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;
# with these new lines, remember to volume mount your local files to /certs of the nginx container
ssl_certificate /certs/local.dev.crt;
ssl_certificate_key /certs/local.dev.key;
...
```

Update the nginx volume entry in the docker-compose.yml file to mount your self signed certificates.

```
volumes:
  - ./nginx:/etc/nginx/conf.d
  - ./logs/nginx:/var/log/nginx
  - ./wordpress:/var/www/html
  #- ./certs:/etc/letsencrypt
  #- ./certs-data:/data/letsencrypt
  - ./self_signed_certs:/certs
```

At this point you should be ready to go using self signed certificates in a development environment.

More information on OpenSSL certificate generation: https://jamielinux.com/docs/openssl-certificate-authority/index.html
Hi,

Cheers for making this, just wondering is there any way I can generate the chain.pem when I am doing selfsigned? Basically I have setup a host record for `my.dev` and self-signed that url, which has made `fullchan.pem` and `privatekey.pem` however nginx is failing to start because it's expecting `chain.pem`