SSL/TLS: Wildcard Certificate Generation
Tested and working on 11/15/2023!

# Create root CA (self-signed, valid for 10 years, key stored without a passphrase)
[acool@localhost tls]$ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout ENT-CA.key -out ENT-CA.crt

# Create new key and signing request (Tip: omit -aes256 to create the key without a passphrase; the "remove passphrase" step below is then unnecessary)
Passphrase used here: mypassphrase
[acool@localhost tls]$ openssl genrsa -out star-dev-localhost.key -aes256 2048
[acool@localhost tls]$ openssl req -new -key star-dev-localhost.key -out star-dev-localhost.csr

# Sign request with the CA, applying the extensions (SAN etc.) from star-dev-localhost.cnf
[acool@localhost tls]$ openssl x509 -req -in star-dev-localhost.csr -CA ENT-CA.crt -CAkey ENT-CA.key -CAcreateserial -days 3650 -sha256 -extfile star-dev-localhost.cnf -out star-dev-localhost.crt

# Remove passphrase (nginx needs a key it can read without prompting)
[acool@localhost tls]$ openssl rsa -in star-dev-localhost.key -out star-dev-localhost-nopassphrase.key

[acool@localhost tls]$ cat star-dev-localhost.cnf
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.dev.localhost


# Finally, import ENT-CA.crt as a trusted authority in Chrome:
# chrome://settings/certificates


Configure Nginx:
...
listen 443 ssl;
ssl_certificate /etc/ssl/certs/star-dev-localhost.crt;
ssl_certificate_key /etc/ssl/certs/star-dev-localhost-nopassphrase.key;
...
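The procedure above as an added example (not code from the original post): the openssl steps wrapped in a non-interactive shell function, followed by a check with openssl verify of which hostnames the wildcard certificate really covers. It assumes openssl 1.1.1 or 3.x is on PATH; the file names are the post's, the subject names and the temp directory are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: the openssl steps above
# wrapped in a non-interactive function, plus a check of which hostnames the
# resulting wildcard certificate actually covers.
# Assumes `openssl` (1.1.1 or 3.x) is on PATH; file names match the post.
set -eu

# Create the root CA, the wildcard key/CSR and the signed leaf cert in dir $1.
make_wildcard_cert() {
    d=$1
    mkdir -p "$d"
    # Extension file from the post: leaf (not a CA) with a single wildcard SAN.
    cat > "$d/star-dev-localhost.cnf" <<'EOF'
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.dev.localhost
EOF
    # Root CA; -subj replaces the interactive DN prompts.
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -subj "/CN=ENT-CA" \
        -keyout "$d/ENT-CA.key" -out "$d/ENT-CA.crt" 2>/dev/null
    # Leaf key without -aes256, so there is no passphrase to strip afterwards.
    openssl genrsa -out "$d/star-dev-localhost.key" 2048 2>/dev/null
    openssl req -new -key "$d/star-dev-localhost.key" -subj "/CN=*.dev.localhost" \
        -out "$d/star-dev-localhost.csr" 2>/dev/null
    # Sign the CSR with the CA and apply the extension file.
    openssl x509 -req -in "$d/star-dev-localhost.csr" -CA "$d/ENT-CA.crt" \
        -CAkey "$d/ENT-CA.key" -CAcreateserial -days 3650 -sha256 \
        -extfile "$d/star-dev-localhost.cnf" -out "$d/star-dev-localhost.crt" 2>/dev/null
}

# Succeed only if the leaf cert chains to ENT-CA.crt and is valid for host $2.
# The wildcard covers exactly one label: app.dev.localhost is covered,
# dev.localhost and a.b.dev.localhost are not.
cert_covers_host() {
    openssl verify -CAfile "$1/ENT-CA.crt" -verify_hostname "$2" \
        "$1/star-dev-localhost.crt" >/dev/null 2>&1
}

# Stand-alone demo: build the cert in a temp dir and report coverage.
demo_dir=$(mktemp -d)
make_wildcard_cert "$demo_dir"
for h in app.dev.localhost dev.localhost a.b.dev.localhost; do
    if cert_covers_host "$demo_dir" "$h"; then echo "$h: covered"; else echo "$h: not covered"; fi
done
```

The same check works against the certificate produced by the commands above: point cert_covers_host at the directory holding ENT-CA.crt and star-dev-localhost.crt.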


Generate wildcard TLS certificate with Let's Encrypt and Acme.sh
# Export the DNS provider API keys (GoDaddy here) so acme.sh can add the DNS-01 challenge records
export GD_Key="XXXXXXXXX"
export GD_Secret="YYYYYYYY"

# install acme.sh
[root@cia ~]# curl https://get.acme.sh | sh
...
# generate certificate (apex domain plus wildcard, validated via the GoDaddy DNS API)
[root@cia ~]# acme.sh --issue -d angelcool.net -d '*.angelcool.net' --dns dns_gd

# install certificate where it can be read by the nginx/apache server
[root@cia ~]# acme.sh --install-cert -d angelcool.net --key-file /etc/pki/tls/certs/wildcard-angelcool.net.key --fullchain-file /etc/pki/tls/certs/wildcard-angelcool.net.cert --reloadcmd "service nginx force-reload"

# configure acme.sh auto upgrade
[root@cia ~]# acme.sh --upgrade --auto-upgrade

Docs:
https://github.com/acmesh-official/acme.sh

The script also adds an entry to crontab for auto renewal.

Good luck!

Nginx: Setting Up HTTP authentication
Prompting users for a password before accessing a page.

Place the following two entries in the nginx configuration file:

auth_basic "Restricted";
auth_basic_user_file /var/www/mywebsite.com/.htpasswd;

Eg:
location / {
    root /var/www/mywebsite.com;
    index index.html index.htm;
    auth_basic "Restricted";                                  # For Basic Auth
    auth_basic_user_file /var/www/mywebsite.com/.htpasswd;    # For Basic Auth
}


The .htpasswd file holds one line per user, in the form:
username:hashed-password

Generate the hashed password and append the entry with this command:
[root@IBM ~]# printf "USERNAME:$(openssl passwd -apr1 PASSWORD)\n" >> /var/www/mywebsite.com/.htpasswd

(-apr1 produces the Apache MD5 format nginx understands; the older -crypt option hashes only the first 8 characters of the password and was removed in OpenSSL 3.0.)




2025 By Angel Cool