2023-01-01 01:35:24 +01:00
====== SSL ======
Be your own SSL Certificate Authority.
This tutorial uses the domain ''nextcloud.home'' as an example; replace it with your own domain everywhere it appears.
It is also important that the domain resolves to your server. Either add a DNS entry in your router or use [[/en/server/services/adguardhome#dns_rewrites|AdGuardHome]]. The entry could also go into the ''/etc/hosts'' file of a single computer, but to reach the domain from every device it is easier to set it once in the router or in [[/en/server/services/adguardhome#dns_rewrites|AdGuardHome]]:
<code>
nextcloud.domain SERVER-IP
</code>
===== mkcert =====
[[https://github.com/FiloSottile/mkcert|mkcert]] is a simple tool for making locally-trusted development certificates. It requires no configuration.
==== Packages ====
<code>
pacman -S nss mkcert
</code>
==== Create root certificate ====
<code>
mkcert -install
</code>
==== Create certificates for your domains ====
<code>
mkcert nextcloud.home
</code>
===== Manually =====
==== Generating the private key and root certificate ====
<code>
openssl genrsa -des3 -out rootCA.key 2048
</code>
<code>
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1825 -out rootCA.pem
</code>
Change the following information as you wish. It appears when you view the certificate through your browser.
<code>
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
</code>
==== Creating CA-Signed certificates for your domains ====
<code>
openssl genrsa -out nextcloud.home-key.pem 2048
</code>
<code>
openssl req -new -key nextcloud.home-key.pem -out nextcloud.home.pem
</code>
<code>
nano nextcloud.home.ext
</code>
<code>
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = nextcloud.home
</code>
=== Script ===
Create the file ''/etc/nginx/ssl/ssl.sh'' (for example with ''nano /etc/nginx/ssl/ssl.sh'') with the following content. It has to be run from the directory that contains ''rootCA.pem'' and ''rootCA.key''.
<code>
#!/bin/sh
# Usage: ./ssl.sh <domain>
# Run from the directory that contains rootCA.pem and rootCA.key.
if [ "$#" -ne 1 ]
then
    echo "Usage: Must supply a domain"
    exit 1
fi
DOMAIN="$1"
# Private key and certificate signing request for the domain
openssl genrsa -out "$DOMAIN-key.pem" 2048
openssl req -new -key "$DOMAIN-key.pem" -out "$DOMAIN.pem"
# Extensions: not a CA, and the domain as subjectAltName (browsers require it)
cat > "$DOMAIN.ext" << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
EOF
# Sign the request with the root CA; the result is $DOMAIN.crt
openssl x509 -req -in "$DOMAIN.pem" -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
    -out "$DOMAIN.crt" -days 825 -sha256 -extfile "$DOMAIN.ext"
</code>
<code>
chmod +x ssl.sh
./ssl.sh nextcloud.home
</code>
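The same root CA and leaf-certificate steps as above, run unattended and followed by the checks worth doing before installing anything: the leaf verifies against the root, it is not itself a CA, and it names the domain in its subjectAltName. This is an added example, not the page's ssl.sh; it assumes the openssl CLI, writes everything to a temporary directory, passes the subject with ''-subj'' instead of answering prompts, and additionally sets ''extendedKeyUsage = serverAuth'' (as mkcert does).

```shell
#!/bin/sh
# Added example: build a root CA plus a CA-signed leaf certificate for $DOMAIN
# without prompts, then check the result the way a browser would judge it.
# Assumes the openssl command-line tool is installed; files go to a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DOMAIN=nextcloud.home

# Root CA: key and self-signed certificate. No passphrase here (unlike the
# -des3 command above) so that the script can run unattended.
openssl genrsa -out "$WORK/rootCA.key" 2048 2>/dev/null
openssl req -x509 -new -nodes -key "$WORK/rootCA.key" -sha256 -days 1825 \
    -subj "/CN=Home Root CA" -out "$WORK/rootCA.pem"

# Leaf: key, signing request, extension file, CA-signed certificate.
openssl genrsa -out "$WORK/$DOMAIN-key.pem" 2048 2>/dev/null
openssl req -new -key "$WORK/$DOMAIN-key.pem" -subj "/CN=$DOMAIN" \
    -out "$WORK/$DOMAIN.csr"
cat > "$WORK/$DOMAIN.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$DOMAIN
EOF
openssl x509 -req -in "$WORK/$DOMAIN.csr" -CA "$WORK/rootCA.pem" \
    -CAkey "$WORK/rootCA.key" -CAcreateserial -days 825 -sha256 \
    -extfile "$WORK/$DOMAIN.ext" -out "$WORK/$DOMAIN.crt" 2>/dev/null

# Returns 0 only if the leaf chains to rootCA.pem, is not a CA itself,
# and lists the name given as $1 in its subjectAltName.
check_leaf() {
    openssl verify -CAfile "$WORK/rootCA.pem" "$WORK/$DOMAIN.crt" >/dev/null || return 1
    text=$(openssl x509 -in "$WORK/$DOMAIN.crt" -noout -text)
    echo "$text" | grep -q "CA:FALSE" || return 1
    echo "$text" | grep -Eq "DNS:$1(,|\$)" || return 1
}

# Returns 0 when a name is NOT covered by the certificate, i.e. a client
# connecting to that name would (correctly) refuse it.
name_rejected() { ! check_leaf "$1"; }

check_leaf "$DOMAIN" && echo "ok: $DOMAIN certificate chains to rootCA.pem"
```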
===== Installing your root certificate on all the devices =====
You'll need a ''rootCA.pem'' file on every device. Its content is the output of ''cat rootCA.pem'' run in the directory where you created it in section [[#generating_the_private_key_and_root_certificate]] (manually).
If you used [[#mkcert]], print the root certificate with ''cat "$(mkcert -CAROOT)/rootCA.pem"''.
==== Arch Linux ====
<code>
sudo trust anchor --store rootCA.pem
</code>
==== Android ====
=== User trusted credentials ===
''Settings'' - ''Security'' - ''Encryption and credentials'' - ''Install a certificate''
Check under:
''Settings'' - ''Security'' - ''Trusted credentials'' - ''User''
=== System trusted credentials ===
If "User trusted credentials" is not enough and the certificate has to be in the system store (apps that do not trust user-added CAs), follow the next lines. This requires a rooted device:
<code>
hashed_name=`openssl x509 -inform PEM -subject_hash_old -in rootCA.pem | head -1` && cp rootCA.pem $hashed_name.0
ls $hashed_name.0
</code>
<code>
adb root
adb shell mount -o rw,remount /
# $hashed_name is the value computed in the previous block, so run both in the same shell
adb push $hashed_name.0 /system/etc/security/cacerts/$hashed_name.0
adb shell chmod 644 /system/etc/security/cacerts/$hashed_name.0
adb shell chown root:root /system/etc/security/cacerts/$hashed_name.0
adb shell reboot
</code>
You can also use the Magisk module "[[https://github.com/NVISOsecurity/MagiskTrustUserCerts|Magisk Trust User Certs]]" which does the same as above.
===== Nginx =====
See also [[/en/server/services/nginx]].
==== ssl-params.conf ====
<code>
nano /etc/nginx/conf.d/ssl-params.conf
</code>
<code>
# TLS 1.3 only. Note that ssl_ciphers applies to TLS 1.2 and older,
# so it only takes effect if you add those protocols to ssl_protocols.
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
</code>
==== Example ====
<code>
server {
    listen 80;
    listen [::]:80;
    server_name nextcloud.home;
    # enforce https
    return 301 https://$server_name:443$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name nextcloud.home;
    ssl_certificate /etc/nginx/ssl/nextcloud.home.pem;
    ssl_certificate_key /etc/nginx/ssl/nextcloud.home-key.pem;
    include conf.d/ssl-params.conf;
    access_log /var/log/nginx/nextcloud.home_access_log;
    error_log /var/log/nginx/nextcloud.home-error_log;
    location / {
        your things;
    }
}
</code>
The file names above match the output of [[#mkcert]]. With the [[#script]] the signed certificate is ''nextcloud.home.crt'' (''nextcloud.home.pem'' is only the signing request), so point ''ssl_certificate'' at the ''.crt'' file in that case.