
Day 15 of 100 Days of Devops

Setup SSL for Nginx


The system admins team of xFusionCorp Industries needs to deploy a new application on App Server 1 in Stratos Datacenter. They have some prerequisites to get that server ready for application deployment. Prepare the server as per the requirements shared below:

  1. Install and configure nginx on App Server 1.

  2. On App Server 1 there is a self-signed SSL certificate and key present at /tmp/nautilus.crt and /tmp/nautilus.key. Move them to an appropriate location and deploy them in Nginx.

  3. Create an index.html file with the content Welcome! under the Nginx document root.

  4. For final testing, try to access the App Server 1 link (either hostname or IP) from the jump host using the curl command. For example: curl -Ik https:///.

Installing and setting up nginx

For more information, see the official nginx documentation.

sudo yum install -y nginx

sudo systemctl start nginx.service   # start the nginx service (use 'enable --now' if it must survive reboots)

sudo mkdir -p /etc/nginx/ssl         # directory for the certificate and key

sudo mv /tmp/nautilus.* /etc/nginx/ssl/   # move the lab's self-signed cert and key out of world-readable /tmp

echo "Welcome!" | sudo tee /usr/share/nginx/html/index.html   # write to the nginx document root (default path on RHEL)

Configuration

sudo vi /etc/nginx/conf.d/ssl.conf   # the SSL server block lives here; files in conf.d are included by nginx.conf

server {
    listen 443 ssl;
    server_name localhost;   # or App Server 1's real hostname

    ssl_certificate /etc/nginx/ssl/nautilus.crt;
    ssl_certificate_key /etc/nginx/ssl/nautilus.key;

    root /usr/share/nginx/html;
    index index.html;

    # Optional: separate logs for the TLS virtual host ('main' is defined in the default nginx.conf)
    access_log /var/log/nginx/ssl_access.log main;
    error_log /var/log/nginx/ssl_error.log warn;
}

Restarting and Verification

sudo systemctl restart nginx
sudo systemctl status nginx
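The whole procedure above as one script, added here as an example; it is not code from the original post or from the lab. It assumes the RHEL-style layout used above (/etc/nginx/conf.d, /usr/share/nginx/html), the files at /tmp/nautilus.crt and /tmp/nautilus.key, and a hostname passed on the command line (the default stapp01 is an assumption, not something the task states). Compared with the manual steps it adds the checks a deployment should not skip: the key and certificate are confirmed to belong together before anything is written under /etc/nginx, the private key ends up root-owned with mode 0600, nginx -t runs before the service is touched, and the generated server block allows only TLS 1.2 and 1.3, redirects plain HTTP to HTTPS, and turns off the version banner.

```shell
#!/bin/sh
# Added example for the nginx SSL task (not the original post's code).
# Assumptions: RHEL paths, lab files in /tmp, hostname given as argument.
set -u

# Return 0 if the certificate's public key is the one that belongs to the
# private key. nginx -t would also catch a mismatch, but this runs before
# anything is written under /etc/nginx.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Return 0 if the private key is neither readable nor writable by group/others.
key_perms_ok() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 -o -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Print a server block for host $1 using certificate $2 and key $3:
# TLS 1.2+ only, modern ciphers, HTTP redirected to HTTPS, no version banner.
render_server_block() {
    cat <<EOF
server {
    listen 80;
    server_name $1;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $1;

    ssl_certificate $2;
    ssl_certificate_key $3;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    server_tokens off;

    root /usr/share/nginx/html;
    index index.html;
}
EOF
}

# The full task. Run as root: sh ssl-setup.sh deploy <hostname>
deploy() {
    host=${1:-stapp01}          # assumed hostname for App Server 1
    ssl_dir=/etc/nginx/ssl
    cert=$ssl_dir/nautilus.crt
    key=$ssl_dir/nautilus.key

    cert_key_match /tmp/nautilus.crt /tmp/nautilus.key || { echo "certificate and key do not match" >&2; return 1; }
    cert_valid_for /tmp/nautilus.crt 0 || { echo "certificate is already expired" >&2; return 1; }

    yum install -y nginx || return 1
    mkdir -p "$ssl_dir"
    mv /tmp/nautilus.crt "$cert" && mv /tmp/nautilus.key "$key" || return 1
    chown root:root "$cert" "$key"
    chmod 644 "$cert"
    chmod 600 "$key"            # the nginx master runs as root and reads the key; workers never need it
    key_perms_ok "$key" || return 1
    # mv keeps the SELinux label the files had in /tmp; relabel for the new location
    command -v restorecon >/dev/null 2>&1 && restorecon -R "$ssl_dir"

    render_server_block "$host" "$cert" "$key" > /etc/nginx/conf.d/ssl.conf
    echo "Welcome!" > /usr/share/nginx/html/index.html
    nginx -t || return 1        # syntax check and cert/key load before touching the service
    systemctl enable --now nginx || return 1
    systemctl reload nginx
    curl -Ik "https://$host/"
}

if [ "${1:-}" = deploy ]; then
    shift
    deploy "$@"
fi
```

Run it on App Server 1 as sudo sh ssl-setup.sh deploy <hostname>; without the deploy argument the file only defines the functions, so they can be sourced and reused. Two things to remember on a real RHEL host: mv keeps the SELinux label the files had in /tmp, which is why the script relabels the target directory, and if firewalld is active port 443 has to be opened separately. HSTS is deliberately left out, since a self-signed certificate is not one that browsers should be told to insist on.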

Verification of the solution.

thor@jumphost ~$ curl -Ikv https://172.16.238.10
*   Trying 172.16.238.10:443...
* Connected to 172.16.238.10 (172.16.238.10) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=SP; ST=SINGAPORE; L=SINGAPORE; O=KODEKLOUD; CN=stlb01.stratos.xfusioncorp.com; emailAddress=mmumshad@kodekloud.com
*  start date: Jan 20 14:29:58 2020 GMT
*  expire date: Jan 17 14:29:58 2030 GMT
*  issuer: C=SP; ST=SINGAPORE; L=SINGAPORE; O=KODEKLOUD; CN=stlb01.stratos.xfusioncorp.com; emailAddress=mmumshad@kodekloud.com
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
* TLSv1.2 (OUT), TLS header, Unknown (23):
> HEAD / HTTP/1.1
> Host: 172.16.238.10
> User-Agent: curl/7.76.1
> Accept: */*
> 
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Unknown (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.20.1
Server: nginx/1.20.1
< Date: Mon, 08 Dec 2025 23:44:56 GMT
Date: Mon, 08 Dec 2025 23:44:56 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 9
Content-Length: 9
< Last-Modified: Mon, 08 Dec 2025 23:41:12 GMT
Last-Modified: Mon, 08 Dec 2025 23:41:12 GMT
< Connection: keep-alive
Connection: keep-alive
< ETag: "69376218-9"
ETag: "69376218-9"
< Accept-Ranges: bytes
Accept-Ranges: bytes

A note on reading this output. The TLSv1.0 and TLSv1.2 prefixes on the "TLS header" lines are how this curl/OpenSSL build labels record-layer headers; the negotiated session is TLSv1.3 / TLS_AES_256_GCM_SHA384, as the "SSL connection using" line shows. The line "self-signed certificate (18), continuing anyway" means curl only went on because of -k; without it the request fails, which is expected for a self-signed lab certificate and is why a real deployment needs a certificate from a CA the clients trust (or the client must be pointed at the cert with --cacert). The Server: nginx/1.20.1 header also shows that the version banner is on; server_tokens off; in the server block hides it.

That's all for today, thanks, bye!

This post is licensed under CC BY 4.0 by the author.