
I have a public IP (for example 123.123.123.123) and I would like to install the SSL certificate on an nginx server (to use HTTPS). I have a folder, /etc/nginx/ssl, where I store my .crt and .key. Here is my nginx.conf:

```nginx
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {

    server_tokens off;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    client_max_body_size 2M;

    include /etc/nginx/conf.d/*.conf;

    server {
        #listen       443 ssl http2 default_server;
        #listen       [::]:443 ssl http2 default_server;
        listen 443 ssl;
        # "_" is a catch-all; nginx serves this block for any Host header
        server_name  _;
        root         /usr/share/nginx/html;

        add_header X-Frame-Options "SAMEORIGIN";

        # site_bundle.crt is expected to hold the server certificate followed
        # by the intermediate chain; site.key is its private key
        ssl_certificate "/etc/nginx/ssl/site_bundle.crt";
        ssl_certificate_key "/etc/nginx/ssl/site.key";
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); only TLSv1.2 is still current here
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;

        location / {
        }

        # the error_page URI and its location must name the same file
        # (the original had /404.html against location = /40x.html)
        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}
```

I have the following error:

[screenshot of the browser error, not included]

In my SSL folder I have different files, but I don't know which one to use:

 - 12ae1782cad698c6.crt
 - a61d9dc8af1i5477.crt
 - dhparam.pem
 - gd_bundle-g2-g1.crt
 - domain_bundle.crt
 - domain.key

I got this message from my browser about the certificate:

[two screenshots of the browser's certificate warning, not included]

executable

1 Answer

There are at least three obvious issues here.

The NET::ERR_CERT_COMMON_NAME_INVALID tells you that the name in the certificate doesn't match the name you've requested in your browser. That makes complete sense as the certificate has a CommonName of *.domain.com while you're requesting by IP address. They will never match. You don't give enough information in your question to allow me to suggest a resolution, but as the error message suggests, the names must match. Either you have to have a DNS name instead of IP or a certificate with an IP address instead of a name.

Note that modern browsers don't actually use the CommonName in the certificate (even though the error message implies that they do). Instead they use the SubjectAlternativeName extension, which you can see if you click on the Details tab and scroll down.

Additionally, your certificate is only valid between 15th August 2017 and 15th August 2018. As I write this, it's the 15th February 2019, which doesn't fit between those two dates. That is, your certificate has also expired.

Your browser returns a 403 - Forbidden. Check the file permissions on the web root (/usr/share/nginx/html) to make sure they're readable by the user/group running nginx. Maybe www-data, depending on your distro.

garethTheRed
  • Thank you for the answer. I checked in the Details tab and I get the following: `CN = *.domain.com OU = Domain Control Validated`. Does it mean I can access, for example, `sub.domain.com`? – executable Feb 15 '19 at 14:31
  • 1) You probably need to look at the Subject Alternative Name, not the Common Name, unless you're using a really old browser. 2) You need to use `sub.domain.com` instead of the IP address, which means you need to resolve that name into the IP address - either with DNS or with a `/etc/hosts` file. 3) You still need to fix the date. You can do that by changing the clock on the machine with the browser maybe? – garethTheRed Feb 15 '19 at 14:37
  • I can connect with `sub.domain.com` but I have a new issue which is pretty obvious now `SEC_ERROR_EXPIRED_CERTIFICATE`. In `nginx.conf` I have `server_name sub.domain.com;`. I don't understand what you mean with clock, sorry. – executable Feb 15 '19 at 14:45
  • The certificate expired last August. To get rid of `SEC_ERROR_EXPIRED_CERTIFICATE` you can do one of two things - get a new certificate, or change the clock on the machine where your browser is running so that the date reads (for example) July 2018. The latter is only a temporary measure to allow you to test the rest of your configuration - you really need a new certificate. – garethTheRed Feb 15 '19 at 15:36
  • Thank you for the answer. I will ask to get a new certificate – executable Feb 15 '19 at 15:37
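The answer's two certificate checks (does the requested name match a subjectAltName entry, and is the certificate still inside its validity window) can be run from the shell before nginx is restarted, which is quicker than reading browser error screens. The script below is an added example, not code from the question, the answer or nginx. It adds a third check the answer does not mention, whether a .key file actually belongs to a .crt, because that is what decides which of the files in the SSL folder go together. It generates its own throwaway wildcard certificate for `*.example.com` as test material (`make_test_cert` and the `example.com` names are constructed); the `/etc/nginx/ssl/site.key`, `/etc/nginx/ssl/site_bundle.crt` and `sub.domain.com` values in the usage line are taken from the question and are otherwise assumptions. It needs only the `openssl` command line (1.1.1 or newer for `-addext`).

```shell
#!/bin/sh
# Added example (not from the question or answer): pre-flight checks for an
# nginx ssl_certificate / ssl_certificate_key pair using only the openssl CLI.
# Paths in the usage line are assumptions; test material is self-generated.
set -eu

# Constructed test material: throwaway RSA key and self-signed certificate
# with CN and SAN *.example.com (plus example.com), valid for one day.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$1/site.key" -out "$1/site.crt" \
    -subj "/CN=*.example.com" \
    -addext "subjectAltName=DNS:*.example.com,DNS:example.com" \
    >/dev/null 2>&1
}

# True while the certificate's notAfter date is still in the future.
# -checkend exits non-zero once it has passed (the SEC_ERROR_EXPIRED_CERTIFICATE
# case in the comments); it does not look at notBefore.
cert_is_valid_now() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# True when the public half of the private key equals the certificate's
# public key, i.e. this .key really belongs to this .crt.
key_matches_cert() {
  pub_from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  pub_from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_cert" ]
}

# Print the DNS entries of the subjectAltName extension, one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' \
    | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p'
}

# True when HOST is covered by a SAN entry: an exact match, or a wildcard
# whose "*" stands for exactly one leftmost label, as browsers apply it.
# An IP literal such as 123.123.123.123 never matches a DNS name, which is
# the mismatch behind NET::ERR_CERT_COMMON_NAME_INVALID in the question.
cert_matches_host() {
  cert=$1; host=$2
  for name in $(cert_dns_names "$cert"); do
    [ "$name" = "$host" ] && return 0
    case $name in
      \*.*)
        suffix=${name#\*.}   # "*.example.com"   -> "example.com"
        rest=${host#*.}      # "sub.example.com" -> "example.com"
        # host must have a label before its first dot, and the rest must equal the suffix
        [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ] && return 0
        ;;
    esac
  done
  return 1
}

# Report on one key/certificate pair for the host name nginx will be asked
# for; returns zero only when every check passes.
check_pair() {
  key=$1; cert=$2; host=$3; status=0
  openssl x509 -in "$cert" -noout -subject -dates
  if key_matches_cert "$key" "$cert"; then
    echo "ok: $key is the private key for $cert"
  else
    echo "FAIL: $key is not the private key for $cert"; status=1
  fi
  if cert_is_valid_now "$cert"; then
    echo "ok: certificate has not expired"
  else
    echo "FAIL: certificate has expired (or cannot be read)"; status=1
  fi
  if cert_matches_host "$cert" "$host"; then
    echo "ok: $host matches a subjectAltName entry"
  else
    echo "FAIL: $host matches none of: $(cert_dns_names "$cert" | tr '\n' ' ')"; status=1
  fi
  return $status
}

# Usage (assumed paths from the question):
#   sh check_cert.sh /etc/nginx/ssl/site.key /etc/nginx/ssl/site_bundle.crt sub.domain.com
if [ $# -eq 3 ]; then
  check_pair "$@"
fi
```

Run it once per candidate .crt/.key pair from the SSL folder; the pair for which all three lines read `ok` is the one to point `ssl_certificate` and `ssl_certificate_key` at, and the host name passed as the third argument is the one that must also appear in `server_name` and in the browser's address bar.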