Thursday 27 August 2015

Create a self-signed SSL certificate

Secure web access to services hosted on a Raspberry Pi home server.

What's up: I am running Tiny Tiny RSS (ttrss) and Nginx on a Debian-powered Pi and want to redirect HTTP traffic on port 80 to HTTPS, so that logging in and reading news feeds happens on port 443. Rather than obtain an SSL certificate from a certificate authority (CA), it's a simple matter to create one for personal use.

Install openssl and generate a certificate for Nginx:

$ sudo apt-get install openssl
$ sudo mkdir /etc/nginx/ssl
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.crt

Create a new server block in /etc/nginx/sites-available:

server {
    listen 80; ## listen for ipv4; this line is default and implied
    server_name rss.myraspberrypi.ca;
    return 301 https://$host$request_uri;  ## redirect all non-https traffic to https
}

server {
    listen 443 ssl;
    server_name rss.myraspberrypi.ca;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    [...]
}

Activate the block by creating a symlink in /etc/nginx/sites-enabled and restart the server:

$ sudo systemctl restart nginx

Configure port forwarding on the router and (optionally) set up a subdomain with a hosting/domain provider.

Note that the first time you navigate to the new HTTPS address, the (Firefox) browser warns "This Connection is Untrusted". This is to be expected, since it's a self-signed certificate rather than one verified by a CA.
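The generation step and the browser warning above, combined into an added example (not from the original post): it creates the certificate without prompts, confirms that the key and certificate belong together, and prints the SHA-256 fingerprint to compare with the one Firefox shows before you accept the exception. The scratch directory, the subjectAltName extension and the function names are assumptions; the host name is the post's server_name.

```shell
#!/bin/sh
# Added example. The host name is the post's server_name; writing to a scratch
# directory (instead of /etc/nginx/ssl) is an assumption so it runs without sudo.
set -eu

HOST=rss.myraspberrypi.ca

# Generate the key and certificate without interactive prompts.
# -subj sets the CN; -addext (OpenSSL 1.1.1+) adds the subjectAltName that
# current browsers match the host name against.
make_cert() {  # $1 = output directory, $2 = host name
    mkdir -p "$1"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    chmod 600 "$1/server.key"   # -nodes leaves the key unencrypted on disk
}

# Succeeds only if server.key is the private key for server.crt.
key_matches_cert() {  # $1 = directory
    cert_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1/server.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# SHA-256 fingerprint, as shown in the browser's certificate viewer.
cert_fingerprint() {  # $1 = directory
    openssl x509 -in "$1/server.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds if the certificate is still valid $2 days from now.
valid_in_days() {  # $1 = directory, $2 = days
    openssl x509 -in "$1/server.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

demo_dir=$(mktemp -d)
make_cert "$demo_dir" "$HOST"
key_matches_cert "$demo_dir" || { echo "key/certificate mismatch" >&2; exit 1; }
valid_in_days "$demo_dir" 30 && echo "valid for at least 30 more days"
echo "SHA-256 fingerprint: $(cert_fingerprint "$demo_dir")"
```

Run the fingerprint function on the Pi against the real certificate directory and read the value over a channel you trust (the local console or SSH), then compare it with the browser's certificate details.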

Happy hacking!

Sources: Create an SSL certificate on Nginx for Ubuntu; Rewrite HTTP requests to HTTPS; Nginx server_names