selfsigned chain.pem #9

Description

@falconmick

Hi,

Cheers for making this. Just wondering, is there any way I can generate the chain.pem when I am doing self-signed? Basically I have set up a host record for my.dev and self-signed that URL, which has made fullchain.pem and privatekey.pem; however nginx is failing to start because it's expecting chain.pem.

Activity

mjstealey

mjstealey commented on Oct 3, 2018

Owner

@falconmick - The Nginx configuration defaults to the Let's Encrypt format, which generates four .pem files:

  • privkey.pem: the private key for your certificate.
  • fullchain.pem: the certificate file used in most server software.
  • chain.pem: used for OCSP stapling in Nginx >=1.3.7.
  • cert.pem: will break many server configurations, and should not be used without reading further documentation.

The fullchain.pem file was generated by concatenating the cert.pem and chain.pem files together (with cert.pem as the first entry).

Only three of the above files are then used in the config file, but the contents of cert.pem are already encapsulated by the fullchain.pem file.

...
    ssl_certificate           /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/DOMAIN_NAME/privkey.pem;
    ssl_trusted_certificate   /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;
...

If you're not using Let's Encrypt for certificates you can update the Nginx SSL configuration file to suit your particular case. OpenSSL can be used to generate self-signed certificates, generally something like:

openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
      -subj "/C=US/ST=North Carolina/L=Chapel Hill/O=Local/OU=Development/CN=local.dev/emailAddress=email@local.dev" \
      -keyout local.dev.key \
      -out local.dev.crt

The output of the above command is a local.dev.crt certificate file and a local.dev.key key file. Say these are saved in a local directory named self_signed_certs/.

You would then remap the Nginx configuration to use those two new files:

...
    # comment out / replace the following three lines
    #ssl_certificate           /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem;
    #ssl_certificate_key       /etc/letsencrypt/live/DOMAIN_NAME/privkey.pem;
    #ssl_trusted_certificate   /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;

    # with these new lines, remember to volume mount your local files to /certs of the nginx container
    ssl_certificate           /certs/local.dev.crt;
    ssl_certificate_key       /certs/local.dev.key;
...

Update the nginx volume entry in the docker-compose.yml file to mount your self signed certificates.

    volumes:
      - ./nginx:/etc/nginx/conf.d
      - ./logs/nginx:/var/log/nginx
      - ./wordpress:/var/www/html
      #- ./certs:/etc/letsencrypt
      #- ./certs-data:/data/letsencrypt
      - ./self_signed_certs:/certs

At this point you should be ready to go using self-signed certificates in a development environment.

More information on OpenSSL certificate generation: https://jamielinux.com/docs/openssl-certificate-authority/index.html
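An added example, not from the issue thread or the mjstealey/wordpress-nginx-docker repository: a POSIX shell script that runs the openssl command from the comment above and then lays the result out in the four-file Let's Encrypt layout (privkey.pem, cert.pem, chain.pem, fullchain.pem), so the stock three-line Nginx config, including the ssl_trusted_certificate chain.pem line, starts without being edited. It assumes the openssl CLI is installed; the output directory, domain and subject are assumptions.

```shell
#!/bin/sh
# Added example (not the project's code). Produces a self-signed certificate
# and writes it in the layout the stock Nginx config expects under
# /etc/letsencrypt/live/DOMAIN_NAME/, e.g. ./certs/live/local.dev/ when
# ./certs is mounted at /etc/letsencrypt as in the commented docker-compose line.
# Assumes the openssl CLI is available.
set -eu

# make_selfsigned_layout OUTDIR DOMAIN
# A self-signed certificate is its own issuer, so chain.pem is simply a copy of
# cert.pem, and fullchain.pem is cert.pem followed by chain.pem, mirroring how
# Let's Encrypt assembles fullchain.pem (cert.pem first).
make_selfsigned_layout() {
  outdir=$1
  domain=$2
  mkdir -p "$outdir"
  openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
    -subj "/C=US/ST=North Carolina/L=Chapel Hill/O=Local/OU=Development/CN=$domain" \
    -keyout "$outdir/privkey.pem" \
    -out "$outdir/cert.pem" 2>/dev/null
  cp "$outdir/cert.pem" "$outdir/chain.pem"
  cat "$outdir/cert.pem" "$outdir/chain.pem" > "$outdir/fullchain.pem"
  chmod 600 "$outdir/privkey.pem"   # the private key must not be world-readable
}

# check_layout OUTDIR
# Verifies the files relate to each other the way Nginx assumes:
# fullchain = cert + chain, cert validates against chain, and the private key
# matches the certificate's public key. Returns non-zero on any mismatch.
check_layout() {
  outdir=$1
  [ "$(cat "$outdir/cert.pem" "$outdir/chain.pem")" = "$(cat "$outdir/fullchain.pem")" ] || return 1
  openssl verify -CAfile "$outdir/chain.pem" "$outdir/cert.pem" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$outdir/cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$outdir/privkey.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 1
  return 0
}

# Usage (assumed paths):
#   make_selfsigned_layout ./certs/live/local.dev local.dev
#   check_layout ./certs/live/local.dev && echo "layout OK"
```

Note that pointing ssl_trusted_certificate at a self-signed chain.pem only satisfies the directive; there is no OCSP responder for a self-signed certificate, so stapling has nothing to staple in this setup.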

falconmick

falconmick commented on Oct 3, 2018

Author
selfsigned chain.pem · Issue #9 · mjstealey/wordpress-nginx-docker