https on local nginx

Posted 5 months ago - updated 5 months ago nginx

  1. Generate a Self-Signed SSL Certificate Create a directory for your SSL certificates:

    sudo mkdir -p /etc/nginx/ssl

Generate the private key and self-signed certificate:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/nginx/ssl/self-signed.key \
-out /etc/nginx/ssl/self-signed.crt

When prompted, fill in the required fields (or leave them blank for defaults). For Common Name, use your local server's hostname or IP.

  1. Update firewall rules

    sudo firewall-cmd --add-service=https --permanent sudo firewall-cmd --reload

  2. edit nginx conf

    /etc/nginx/conf.d/https.conf

server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate /etc/nginx/ssl/self-signed.crt;
    ssl_certificate_key /etc/nginx/ssl/self-signed.key;

    location / {
        root /usr/share/nginx/html;
        index index.html;
    }
}

server {
    listen 80;
    server_name localhost;

    return 301 https://$host$request_uri;
}

This configuration sets up Nginx to:

  • Serve HTTPS on port 443 using the self-signed certificate.
  • Redirect all HTTP traffic to HTTPS.

  1. Test and reload nginx

    nginx -t sudo systemctl reload nginx

Adding cert to ios (so you can add as a home screen app)

How to Stop Safari on iOS from Complaining About a Self-Signed Certificate

To stop Safari on iOS from complaining about a self-signed certificate, you need to manually trust the certificate on your iPhone or iPad. Here's how to do it:

1. Transfer the Certificate to Your iOS Device

  • Export your .crt file (e.g., self-signed.crt) from your server or computer.
  • Transfer the file to your iOS device using one of the following methods:
    • Email: Email the .crt file to yourself.
    • Cloud Storage: Use a cloud service like iCloud Drive, Google Drive, or Dropbox.
    • AirDrop: AirDrop the file directly to your iOS device from a Mac.

2. Install the Certificate

  1. Open the .crt file on your iOS device:

    • Tap the file from your email, AirDrop notification, or cloud storage app.

  2. Install the profile:

    • A screen will appear saying "Profile Downloaded" or "Install Profile."
    • Tap Install.
  3. Enter your device passcode if prompted.

3. Manually Trust the Certificate

By default, iOS will not fully trust the certificate. To mark it as trusted:

  1. Open the Settings app.

  2. Navigate to: General > About > Certificate Trust Settings

  3. Under the "Enable Full Trust for Root Certificates" section:

    • Find your self-signed certificate in the list.
    • Toggle the switch next to it to enable trust.
  4. Confirm the trust action when prompted.

4. Test in Safari

  1. Open Safari and visit the HTTPS site using the self-signed certificate.

  2. Safari should now trust the certificate, and you should not see any warnings.

Additional Notes

  • Hostname vs. IP Address: If the certificate was created for a hostname (e.g., myserver.local) and you’re accessing the server via an IP address, the certificate won’t match. To fix this:

    • Update your /etc/hosts file on the server to use the hostname.
    • Use the hostname to access the site on your iOS device.
  • Profile Removal: If you no longer want to trust the certificate, go to: Settings > General > VPN & Device Management, find the profile, and remove it.