Testing Your Web Certificate

Technical Background

After creating a wildcard web certificate in 22 Creating A Web Certificate, this exercise installs and tests it on an Nginx web server with HTTPS enabled.
The goal is to ensure:
- The certificate is correctly installed on the web server.
- All relevant DNS names (apex and subdomains) resolve to the server.
- HTTPS connections work without certificate errors (except for the expected browser warning while the certificate still comes from the Let's Encrypt staging CA, which no browser trusts).

Info

The Nginx default configuration already includes a self-signed "snakeoil" certificate. It is not trusted by any browser; in production you must replace it with a certificate from a public CA, such as one issued by Let's Encrypt.

Solution

Prerequisites

Create the same files and folder structure as in exercise 22 Creating A Web Certificate.

Creating a Record

  1. Add the DNS secret and the new server alias (cloud) to config.auto.tfvars:
dns_zone       = "g03.sdi.hdm-stuttgart.cloud."
server_names   = ["www", "mail", "cloud"]
server_ip      = "1.2.3.4"
server_count   = 1
server_base_name = "work"
dns_secret = "g11.key:"
  2. Generate the certificate:
terraform init
terraform apply

Configuring Nginx on the Server

  1. Copy the certificate and the private key to the server. The key is secret: do not leave it in /tmp longer than the next step takes, and check with ls -l that it is not world-readable there:
scp gen/certificate.pem gen/private.pem root@<your_server_ip>:/tmp/
  2. Log in to the server:
ssh root@<your_server_ip>
  3. Move the files to their final location and restrict their permissions (you are root here, so sudo is optional):
sudo mkdir -p /etc/nginx/ssl
sudo mv /tmp/certificate.pem /etc/nginx/ssl/
sudo mv /tmp/private.pem /etc/nginx/ssl/
sudo chmod 600 /etc/nginx/ssl/*
  4. Open /etc/nginx/sites-available/default to enable TLS:
sudo nano /etc/nginx/sites-available/default
  5. Add an HTTPS server block next to the existing one that listens on port 80 (plain HTTP stays reachable unless you redirect it):
server {
    # Serve HTTPS on IPv4 and IPv6. default_server makes this block answer
    # every name on port 443, whether or not the certificate covers it;
    # add a server_name directive if that matters.
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    # Nginx expects the leaf certificate followed by any intermediate
    # certificates in this one file, and the matching private key below.
    ssl_certificate /etc/nginx/ssl/certificate.pem;
    ssl_certificate_key /etc/nginx/ssl/private.pem;

    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
}
  6. Test the configuration:
sudo nginx -t

Success

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

  7. Restart Nginx to apply the configuration (systemctl reload nginx is enough when only the site configuration changed):
systemctl restart nginx
  8. Verify HTTPS access by opening these addresses in your browser (substitute your own zone for g11):
https://g11.sdi.hdm-stuttgart.cloud
https://www.g11.sdi.hdm-stuttgart.cloud
https://mail.g11.sdi.hdm-stuttgart.cloud

Note

Inspect the certificate (via the browser's padlock or openssl s_client) and make sure its Subject Alternative Names include both the zone apex (g03.sdi.hdm-stuttgart.cloud, as configured in dns_zone above) and the wildcard *.g03.sdi.hdm-stuttgart.cloud. A wildcard covers exactly one label, so it matches www.g03.sdi.hdm-stuttgart.cloud but neither the apex itself nor deeper names. While the certificate comes from the staging CA, the browser warns that the issuer is untrusted; any other error (name mismatch, expired certificate, incomplete chain) points to a real problem with the installation.

  9. Switch to production:

Once the staging run is clean, set the ACME provider's server_url to https://acme-v02.api.letsencrypt.org/directory and run terraform apply again. Copy the new certificate (and the private key, if it was regenerated) to the server, reload Nginx and verify HTTPS access again; this time the browser must show no warning at all. Do this only after staging passes: the production CA enforces rate limits on repeated issuance for the same names, so debugging against it can lock you out.
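The verification above is done by hand in a browser. The following script is an added example, not part of the exercise or the course material, that makes the same checks repeatable from a shell: it resolves each name, fetches the certificate the server presents for it, checks that the certificate's Subject Alternative Names actually cover that name (with the one-label wildcard rule), and reports whether the issuer is still the Let's Encrypt staging CA. The zone g03.sdi.hdm-stuttgart.cloud, the hosts www/mail/cloud and the address 1.2.3.4 are assumptions taken from the tfvars above; openssl, getent and awk are assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the exercise: check that each name you serve resolves
# to the server, that the certificate it presents covers that name, and whether
# the certificate still comes from the Let's Encrypt staging CA.
# The zone g03.sdi.hdm-stuttgart.cloud, the hosts www/mail/cloud and the address
# 1.2.3.4 used below are assumptions taken from the exercise's tfvars.
set -f   # disable globbing: SAN entries such as *.g03.sdi.hdm-stuttgart.cloud contain '*'

# Does host NAME match the single subjectAltName entry SAN?
# A wildcard covers exactly one label: *.g03.example matches www.g03.example but
# neither the apex g03.example nor a.b.g03.example, which is why the certificate
# needs both an apex entry and a wildcard entry.
san_matches() {
  san=$1; name=$2
  case "$san" in
    "*."*)
      suffix=${san#"*."}
      first=${name%%.*}   # left-most label of NAME
      rest=${name#*.}     # NAME without its left-most label
      if [ -n "$first" ] && [ "$rest" != "$name" ] && [ "$rest" = "$suffix" ]; then
        return 0
      fi
      return 1
      ;;
    *)
      [ "$san" = "$name" ] && return 0
      return 1
      ;;
  esac
}

# Is NAME covered by at least one of the SAN entries passed as further arguments?
name_covered() {
  wanted=$1; shift
  for entry in "$@"; do
    san_matches "$entry" "$wanted" && return 0
  done
  return 1
}

# Let's Encrypt's staging CA marks its issuer names with "(STAGING)"; browsers do
# not trust it, which is the one warning that is expected while testing.
is_staging_issuer() {
  case "$1" in
    *"(STAGING)"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the DNS names from a PEM certificate's subjectAltName, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Fetch the certificate HOST presents for SNI name HOST and store it as PEM in FILE.
fetch_server_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$2"
}

# Resolve, connect to and inspect every name the exercise serves under ZONE.
check_deployment() {
  zone=$1; expected_ip=$2
  tmp=$(mktemp)
  for h in "$zone" "www.$zone" "mail.$zone" "cloud.$zone"; do
    addr=$(getent ahostsv4 "$h" | awk '{ print $1; exit }')
    [ "$addr" = "$expected_ip" ] || echo "$h: resolves to ${addr:-nothing}, expected $expected_ip"
    fetch_server_cert "$h" "$tmp" || { echo "$h: TLS handshake failed"; continue; }
    sans=$(cert_sans "$tmp")
    if name_covered "$h" $sans; then
      echo "$h: covered by the certificate"
    else
      echo "$h: NOT covered; certificate SANs are: $(echo $sans)"
    fi
    issuer=$(openssl x509 -in "$tmp" -noout -issuer)
    is_staging_issuer "$issuer" && echo "$h: staging certificate, browser warning expected"
  done
  rm -f "$tmp"
}

# Usage: sh check_cert.sh g03.sdi.hdm-stuttgart.cloud 1.2.3.4
if [ -n "${2:-}" ]; then
  check_deployment "$1" "$2"
fi
```

Run it as sh check_cert.sh <zone> <server_ip> after each deployment: a name that is "NOT covered" means the certificate is missing the apex or wildcard entry (or the name needs a second label under the wildcard), and a "staging certificate" line that persists after the switch to production means the old certificate is still installed or Nginx was not reloaded.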
