
tls upgrade

Prerequisites

  • Ubuntu server with sudo access and network connectivity
  • Tools: Nginx, OpenSSL
  • IP: 192.168.64.9
  • Firewall: Allow port 443

Setup TLS 1.0

Update packages

# Refresh the package index, then upgrade everything already installed
# (the upgrade only runs if the index refresh succeeded).
sudo apt update && sudo apt upgrade -y

Install, enable, and start Nginx

# Install Nginx, enable it at boot and start it in a single step, then
# confirm the unit is active.
sudo apt install -y nginx
sudo systemctl enable --now nginx
sudo systemctl status nginx

Configure firewall

# The 'Nginx Full' ufw application profile (shipped with the nginx package)
# opens both 80/tcp and 443/tcp. The Prerequisites list only 443; use the
# 'Nginx HTTPS' profile instead if port 80 should stay closed.
sudo ufw allow 'Nginx Full'
sudo ufw status

Create SSL directory

# Directory that will hold the self-signed cert, its private key and the DH
# parameters referenced by the Nginx config below. Created as root via sudo;
# the Backup step later globs this directory from an unprivileged shell, so
# it must stay listable by that user.
sudo mkdir -p /etc/nginx/ssl

Generate cert and key

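# Self-signed RSA-2048 certificate and key, valid for one year.
# -nodes leaves the key unencrypted so Nginx can load it at boot without a
# passphrase; openssl writes the key file with owner-only permissions (root
# here, because of sudo). A subjectAltName is added because modern clients
# validate the host name/IP against SAN and ignore CN, so CN alone would not
# match 192.168.64.9. -addext requires OpenSSL 1.1.1 or newer.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/nginx/ssl/nginx-selfsigned.key \
  -out /etc/nginx/ssl/nginx-selfsigned.crt \
  -subj "/C=US/ST=California/L=SanFrancisco/O=MyCompany/OU=IT/CN=192.168.64.9" \
  -addext "subjectAltName=IP:192.168.64.9"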

Generate Diffie-Hellman parameters

# 2048-bit Diffie-Hellman parameters for the DHE cipher suites, referenced by
# ssl_dhparam in the Nginx config. Generation is CPU-bound and can take a
# minute or more; that is expected.
sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

Config /etc/nginx/sites-available/default

# On Debian/Ubuntu sites-enabled/default is normally just a symlink to
# sites-available/default, so rm only removes the link; the real file is
# edited next and re-linked in the Link step.
sudo rm -f /etc/nginx/sites-enabled/default
sudo vim /etc/nginx/sites-available/default

Content

# Plain-HTTP vhost: catch-all on port 80 serving /var/www/html. Nothing here
# redirects to HTTPS, so clients can still reach the site unencrypted.
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
location / { try_files $uri $uri/ =404; }
}

# HTTPS vhost using the self-signed material generated above.
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
# server_name is an IP literal; the cert must carry it in SAN for modern
# clients to accept it (the openssl req step above only sets CN).
server_name 192.168.64.9;
ssl_certificate /etc/nginx/ssl/nginx-selfsigned.crt;
ssl_certificate_key /etc/nginx/ssl/nginx-selfsigned.key;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996) and are only listed here as the
# legacy baseline; the "Disable TLS 1.0" section below drops them. Whether
# Nginx can actually offer them also depends on MinProtocol/SECLEVEL in the
# system openssl.cnf edited later.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# off = let the client pick the cipher; the hardened config below turns this on.
ssl_prefer_server_ciphers off;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
location / { try_files $uri $uri/ =404; }
}

Link

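# Re-enable the site. -sf replaces an existing link so the step can be
# repeated safely; plain -s fails with "File exists" if the link is already
# there. The link name is spelled out rather than relying on the directory
# form so the result is unambiguous.
sudo ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default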

Test

# Syntax-check the whole Nginx configuration (including the new vhost and the
# cert/key/dhparam paths) before touching the running service.
sudo nginx -t

Modify OpenSSL (/etc/ssl/openssl.cnf)

  • Add at top
# /etc/ssl/openssl.cnf is the system-wide OpenSSL config, normally picked up
# by every OpenSSL-linked program on the host, not only Nginx. This line
# activates the [default_conf] section appended at the bottom of the file.
openssl_conf = default_conf
  • At bottom
[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

# Host-wide defaults for libssl. Because this file is global, these settings
# also apply to the openssl s_client used in the Verify step on the same
# machine, and to any other TLS client/server on the host.
[system_default_sect]
# Allow TLS 1.0 as the floor; raised back to TLSv1.2 in the hardening section.
MinProtocol = TLSv1
# Recent Ubuntu releases default to @SECLEVEL=2, which refuses TLS < 1.2 and
# weak keys/ciphers; dropping to level 1 is what makes the TLS 1.0 handshake
# possible and should only be done for this deliberate legacy test.
CipherString = DEFAULT:@SECLEVEL=1

Restart

# A full restart (not reload) so a fresh master process re-reads the
# modified system openssl.cnf along with the new vhost.
sudo systemctl restart nginx.service

Verify

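# Force a TLS 1.0 handshake and print the negotiated session. </dev/null makes
# s_client exit after the handshake instead of waiting for interactive input.
# Expect the Protocol line to show TLSv1; a "self signed certificate" verify
# error is normal here. Because this client runs on the same host, the lowered
# MinProtocol/SECLEVEL in openssl.cnf applies to it too.
openssl s_client -connect 192.168.64.9:443 -tls1 </dev/null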

Backup

Create a timestamped backup directory

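# Timestamped backup tree: nginx/ (vhost), ssl_configs/ (openssl.cnf) and
# nginx_certs/ (cert, private key, dhparam). The tree is restricted to the
# owner because the private key from /etc/nginx/ssl is copied into it below.
TIMESTAMP=$(date +%Y%m%d%H%M%S)
BACKUP_DIR="/home/ubuntu/config_backups/tls1_setup_$TIMESTAMP"
mkdir -p "$BACKUP_DIR/nginx" "$BACKUP_DIR/ssl_configs" "$BACKUP_DIR/nginx_certs"
chmod 700 "$BACKUP_DIR"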
  • Backup
# $BACKUP_DIR is expanded by the calling shell, so it does not need to be
# exported for sudo. The copies are root-owned; -a on the cert directory also
# preserves the private key's owner-only permissions in the backup.
sudo cp /etc/nginx/sites-available/default "$BACKUP_DIR/nginx/"
sudo cp /etc/ssl/openssl.cnf "$BACKUP_DIR/ssl_configs/"
sudo cp -a /etc/nginx/ssl/* "$BACKUP_DIR/nginx_certs/"

Disable TLS 1.0 and 1.1, require TLS 1.2 or newer

OpenSSL (/etc/ssl/openssl.cnf)

# In [system_default_sect]: raise the host-wide floor so neither Nginx nor
# local OpenSSL clients will negotiate TLS 1.0/1.1. CipherString can be
# returned to the distribution default at the same time.
MinProtocol = TLSv1.2

Nginx config

# In the 443 server block: offer only TLS 1.2 and 1.3, and let the server's
# cipher preference win so a client cannot steer negotiation to a weaker
# TLS 1.2 suite.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

Test

# Re-check the configuration after the ssl_protocols change.
sudo nginx -t

Restart

# Full restart so the updated openssl.cnf floor and the new ssl_protocols
# are both in effect.
sudo systemctl restart nginx.service

Verify

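# Non-interactive handshake checks. The -tls1 attempt is refused; note that
# this client shares the host's openssl.cnf, so it now also refuses TLS 1.0
# itself. To prove the rejection is server-side, repeat the -tls1 check from
# a different machine.
openssl s_client -connect 192.168.64.9:443 -tls1   </dev/null  # Fails
openssl s_client -connect 192.168.64.9:443 -tls1_2 </dev/null  # Works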

Rollback TLS

Set directory

# Point at the backup tree created in the Backup step; the timestamp suffix
# below is an example and must match the directory actually created.
export BACKUP_DIR_PATH="/home/ubuntu/config_backups/tls1_setup_20250415223857"

Stop Nginx service

# Take the service down before the config files are overwritten.
sudo systemctl stop nginx.service

Restore configurations from backup

  • Restore
# Restore the vhost and the system openssl.cnf from the backup. The
# nginx_certs/ copy is not restored because the cert, key and dhparam were
# never changed by the hardening step; restore it only if they were.
sudo cp "$BACKUP_DIR_PATH/nginx/default" /etc/nginx/sites-available/default
sudo cp "$BACKUP_DIR_PATH/ssl_configs/openssl.cnf" /etc/ssl/openssl.cnf

Test

# Validate the restored configuration before starting the service again.
sudo nginx -t

Restart

# Start (restart is harmless on a stopped unit) with the restored files.
sudo systemctl restart nginx.service

Verify

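# Both handshakes should succeed again after the rollback; </dev/null keeps
# each check non-interactive. Remember this leaves the host-wide
# MinProtocol/SECLEVEL lowered, not just Nginx.
openssl s_client -connect 192.168.64.9:443 -tls1   </dev/null  # Works
openssl s_client -connect 192.168.64.9:443 -tls1_2 </dev/null  # Works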