npm http-server with SSL - node.js

I'm using the npm package "http-server" (https://www.npmjs.com/package/http-server) to set up a simple webserver, but I cannot get it to use SSL. My command in package.json is
http-server -p 8000 -o -S
with a cert.pem and key.pem in my root directory (for now). The "-o" option opens a browser to the default page, but the page is served using HTTP and not even accessible through HTTPS. I don't get any errors or warnings. I've also tried adding the "-C" and "-K" options without luck. Has anyone had any success with this package?

First, make sure that you have key.pem and cert.pem files. You can generate them using this command:
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
You will be prompted with a few questions after entering the command. Use 127.0.0.1 as value for "Common name" if you want to be able to install the certificate in your OS's root certificate store or browser so that it is trusted.
This generates a cert-key pair and it will be valid for roughly 10 years (3650 days to be exact).
Then you need to run the server with -S for enabling SSL and -C for your certificate file:
$ http-server -S -C cert.pem -o
Starting up http-server, serving ./ through https
Available on:
https:127.0.0.1:8080
https:192.168.1.101:8080
https:192.168.1.104:8080
Hit CTRL-C to stop the server

I installed mkcert:
brew install mkcert
brew install nss # if you use Firefox
mkcert -install
Then, in your project directory:
mkcert 0.0.0.0 localhost 127.0.0.1 ::1
Finally, I renamed generated files:
0.0.0.0+3-key.pem -> key.pem
0.0.0.0+3.pem -> cert.pem
And ran the following command:
http-server -S -C cert.pem -o
Then I got:
I referenced this blog: https://qiita.com/walkers/items/b90a97a99bbb27f6550f
(written in Japanese)

Just for future reference, my problem was solved by updating the package to the latest version in package.json. I copy-pasted an old example file without updating the version numbers.

EDIT: Since writing this answer there is a new tool mkcert that does this for you. See https://stackoverflow.com/a/61905546/9540493 instead. My original answer below for historical interest.
Firefox didn't accept self-signed certs, so a bit more effort was required. First create a CA:
openssl req -batch -new -newkey ec:(openssl ecparam -name prime256v1|psub) -nodes -keyout ca-key.pem -x509 -out ca.pem -days 3650 -subj "/CN=A localhost CA"
Add ca.pem (A localhost CA) to trusted certs of your OS and/or Firefox (other browsers use system CAs). Keep the ca* files in a secure location for future use, so you never have to do this again.
Then, for any site that you are running, and whenever you wish to change settings, create cert.pem and key.pem with:
openssl req -batch -new -newkey ec:(openssl ecparam -name prime256v1|psub) -nodes -keyout key.pem -subj /CN=localhost | openssl x509 -req -CAkey ca-key.pem -CA ca.pem -CAcreateserial -out cert.pem -days 365 -extfile (echo subjectAltName=DNS:localhost|psub)
The above should work on most systems. If not, you might want to create temporary files ecparam.tmp and ext.tmp. Commands functionally equivalent to the two oneliners:
# Output Elliptic Curve parameters to a temporary file
openssl ecparam -name prime256v1 -out ecparam.tmp
# Create CA
openssl req -batch -new -newkey ec:ecparam.tmp -nodes -keyout ca-key.pem \
-x509 -out ca.pem -days 3650 -subj "/CN=A localhost CA"
# Create a CSR for localhost, then sign it by CA
echo subjectAltName=DNS:localhost > ext.tmp
openssl req -batch -new -newkey ec:ecparam.tmp -nodes -keyout key.pem \
-subj /CN=localhost | openssl x509 -req -CAkey ca-key.pem -CA ca.pem \
-CAcreateserial -out cert.pem -days 365 -extfile ext.tmp
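A pre-flight check for the cert.pem/key.pem pair described above, as an added example that is not part of the original answer: it rebuilds the CA and the localhost leaf in a scratch directory with the same openssl commands (bash rather than fish), then confirms the chain, the hostname coverage and that the key belongs to the certificate. The function name and the one-day validity are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer): build the CA + localhost leaf
# in a scratch directory, then run the checks worth doing before serving it.
check_local_ca_cert() {
  local dir rc
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    openssl ecparam -name prime256v1 -out ecparam.tmp || exit 1
    # Throwaway CA, constructed for this demo only
    openssl req -batch -new -newkey ec:ecparam.tmp -nodes -keyout ca-key.pem \
      -x509 -out ca.pem -days 1 -subj "/CN=A localhost CA" 2>/dev/null || exit 1
    # Leaf for localhost, signed by the CA, carrying a subjectAltName
    echo "subjectAltName=DNS:localhost" > ext.tmp
    openssl req -batch -new -newkey ec:ecparam.tmp -nodes -keyout key.pem \
      -subj /CN=localhost 2>/dev/null |
      openssl x509 -req -CAkey ca-key.pem -CA ca.pem -CAcreateserial \
        -out cert.pem -days 1 -extfile ext.tmp 2>/dev/null || exit 1

    # 1) The leaf must chain to the CA that was imported into the trust store.
    openssl verify -CAfile ca.pem cert.pem >/dev/null 2>&1 \
      || { echo "chain=fail"; exit 2; }
    # 2) The name typed into the browser must be covered by the certificate...
    openssl x509 -in cert.pem -noout -checkhost localhost \
      | grep -q "does match" || { echo "host=fail"; exit 3; }
    # ...and a name that was never requested must not be.
    openssl x509 -in cert.pem -noout -checkhost example.com \
      | grep -q "does NOT match" || { echo "host=too-broad"; exit 3; }
    # 3) key.pem must be the private key for cert.pem (compare public keys).
    [ "$(openssl x509 -in cert.pem -noout -pubkey)" = \
      "$(openssl pkey -in key.pem -pubout)" ] || { echo "key=mismatch"; exit 4; }
    echo "chain=ok host=ok key=ok"
  )
  rc=$?
  rm -rf "$dir"
  return $rc
}
```

Run the three checks against your real ca.pem, cert.pem and key.pem before pointing http-server at them; a failure in any of them explains a browser warning faster than the browser does.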

Related

Verification failure: CMS routines:cms_signerinfo_verify_cert:certificate verify error:..cms_smime.c:253:Verify error:self signed certificate

1: Created private key and certificate by using following command
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout private.key -out certificate.crt
2: Have simple text file to sign
$ cat message.txt
this is a test file.
3: Signed it with
openssl cms -sign -in message.txt -text -out OutMessage.txt -inkey private.key -signer certificate.crt
4: for verification
openssl cms -verify -in OutMessage.txt -signer user.pem -out signedtext.txt
I am not sure why I am getting the following error when the verification step is performed. Could someone please help me out?
$ openssl cms -verify -in OutMessage.txt -signer user.pem -out signedtext.txt
Verification failure
140539655524800:error:2E099064:CMS routines:cms_signerinfo_verify_cert:certificate verify
error:../crypto/cms/cms_smime.c:253:Verify error:self signed certificate
You're getting an error as you're using a self signed certificate, at least that's what the error is telling you. You can either add the certificate to your trust, or disable the certificate verify check when executing the command with the -no_signer_cert_verify option.
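The "add the certificate to your trust" option from the answer above, as an added example that is not part of the original post: passing the signer's own certificate as `-CAfile` makes verification succeed for that signer only, while a message from any other self-signed signer is still rejected. The function names, subject names and file names are assumptions, and the keys are throwaway ones generated for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): trust the self-signed signer
# explicitly with -CAfile rather than turning certificate verification off.
cms_pin_signer_demo() {
  local dir rc
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    make_signer() {  # $1 = file prefix, $2 = CN (constructed identity)
      openssl req -x509 -sha256 -nodes -days 1 -newkey rsa:2048 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
    }
    make_signer trusted "cms-demo-signer" || exit 1
    make_signer other "cms-demo-other" || exit 1

    printf 'this is a test file.\n' > message.txt
    openssl cms -sign -in message.txt -text -out good.msg \
      -inkey trusted.key -signer trusted.crt 2>/dev/null || exit 1
    openssl cms -sign -in message.txt -text -out other.msg \
      -inkey other.key -signer other.crt 2>/dev/null || exit 1

    verify() {  # $1 = message file, remaining args = extra openssl options
      local msg=$1
      shift
      if openssl cms -verify -in "$msg" -text -out verified.txt "$@" \
           2>/dev/null; then
        echo ok
      else
        echo fail
      fi
    }
    a=$(verify good.msg)                       # no trust anchor: the error in the question
    b=$(verify good.msg -CAfile trusted.crt)   # signer certificate trusted explicitly
    c=$(verify other.msg -CAfile trusted.crt)  # different self-signed signer: rejected
    echo "default=$a pinned=$b other=$c"
  )
  rc=$?
  rm -rf "$dir"
  return $rc
}
```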

How to create and trust certificate Using OpenSSL?

How do I create a valid certificate using OpenSSL for use with an HTTPS binding in IIS?
It must work in Firefox and all other browsers as well
I am using IIS 10 server. And Firefox v70, Firefox Dev edition v72b5, Chrome v79, Edge v44. I want the HTTPS binding to work in all of these browsers.
OK, I think I found the answer.
A certification authority has to be created to use an HTTPS binding, and all our certificates will be signed by it. For that, download a suitable version of OpenSSL from here: Win32/Win64 OpenSSL Installer for Windows, and install it. Then, for faster and easier working, a few script files can be made.
In the folder (in which the script is running) add a folder named #. All the certificate files will be stored there.
To make the root certificate, create RootCA.bat,
openssl genrsa -des3 -out #/RootCA.key 4096
openssl req -x509 -new -nodes -sha256 -days 730 -key #/RootCA.key -out #/RootCA.crt -config rootca.csr
openssl pkcs12 -export -out #/RootCA.p12 -inkey #/RootCA.key -in #/RootCA.crt
openssl pkcs12 -export -out #/RootCA.pem -inkey #/RootCA.key -in #/RootCA.crt
openssl pkcs12 -export -out #/RootCA.pfx -inkey #/RootCA.key -in #/RootCA.crt
And, for the RootCA's details, create RootCa.csr,
[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=US
ST=New York
L=Rochester
O=Developer
OU=CodeSigner
CN=*.codesigning.in
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.codesigning.in
When you run RootCA.bat it will create a certificate using RootCa.csr's details and export a .pem, .pfx and .p12 along with the certificate file (a RootCA.csr and 'RootCA.key' are also created).
Now, for the server's certificate, create server.bat,
openssl req -new -sha256 -nodes -out #/server.csr -newkey rsa:2048 -keyout #/server.key -config server.csr
openssl x509 -req -in #/server.csr -CA #/RootCA.crt -CAkey #/RootCA.key -CAcreateserial -out #/server.crt -days 365 -sha256 -extfile v3.ext
openssl pkcs12 -export -out #/server.p12 -inkey #/server.key -in #/server.crt -chain -CAfile #/RootCA.crt
openssl pkcs12 -export -out #/server.pem -inkey #/server.key -in #/server.crt -chain -CAfile #/RootCA.crt
openssl pkcs12 -export -out #/server.pfx -inkey #/server.key -in #/server.crt -chain -CAfile #/RootCA.crt
And, of course, for the details create a server.csr file,
[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=US
ST=New York
L=Rochester
O=Developer
OU=Test & Learn
CN=*.localhost.in
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.localhost.in
And another file named v3.ext (I don't quite know about it),
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.localhost.in
Again, when you run server.bat it will create a certificate using server.csr's details and export a .pem, .pfx and .p12 along with the certificate file (a server.csr and server.key are also created).
Note: You will have to modify the server.csr for your custom domains (by default, it's gonna create it for the dev.localhost.in domain).
!!! Warning: You have to remember the passwords you enter. And you might modify the RootCA.csr and RootCA.bat as you need (to increase expiration, modify details etc.).
Adding to Windows,
As I use Windows I only know about importing to Windows. To add it in Windows simply click on the RootCA.p12 file and import it. Remember, you have to trust the RootCA in Trusted Root Certification Authority and in Intermediate Certification Authority.
All the browsers except for Firefox will trust the site. WORK Done (Partially)!!
You can check it using mmc in the run. And then snap-in certificates using Ctrl + M.
Adding to Firefox,
Firefox uses its own certificate manager and doesn't pay any heed to the system's certificates. So, you will have to manually import the RootCA.crt for trust, and all the inheriting certificates will be trusted. As follows,
Now, import the certificate and simply add an HTTPS binding with the certificate, and host the website using any server (even IIS etc.).
When I created the certificate it was OK, but when I add it to Windows, this error occurs: This certificate has an invalid digital signature.

cannot get an pem file from authorized certificate ssl in heroku

I have a node.js application hosted on Heroku. As you know, Heroku generates a free SSL certificate automatically, but when I generate the pem file (I use openssl for this) from this certificate to include it in a terminal to let it communicate with the server, I get the error 403 Forbidden, and now I have 401, which is Unauthorized. Can anyone help me access the server from my terminal?
Here are the commands that I use to generate file.key, file.crt and file.pem.
openssl genrsa -des3 -out server.pass.key 2048
openssl rsa -in server.pass.key -out server.key
openssl req -nodes -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
bash -c 'cat server.key server.crt > server.pem'

Security key and cert for mosca MQTT broker

I am trying to set up Mosca MQTT broker which is based on node.js
From the documentation below,
https://github.com/mcollina/mosca/wiki/TLS-SSL-Configuration
var mosca = require('mosca')
var SECURE_KEY = __dirname + '/../../test/secure/tls-key.pem';
var SECURE_CERT = __dirname + '/../../test/secure/tls-cert.pem';
Where do I get tls-key.pem and tls-cert.pem?
From the link https://github.com/mcollina/mosca/wiki/TLS-SSL-Configuration in your question, you are directed to another link https://nodejs.org/api/tls.html#tls_tls_ssl
Now, follow the instructions in this link.
$ openssl genrsa -out tls-key.pem 2048
$ openssl req -new -sha256 -key tls-key.pem -out ryans-csr.pem
$ openssl x509 -req -in ryans-csr.pem -signkey tls-key.pem -out tls-cert.pem
There you go. You should have your pem files.
It all depends on what you want to use the broker for.
If it's for simple private playing then you can create your own self signed certificate with openssl (details here)
openssl genrsa -des3 -out tls-key.pem 1024
openssl req -new -key tls-key.pem -out server.csr
cp tls-key.pem tls-key.pem.org
openssl rsa -in tls-key.pem.org -out tls-key.pem
openssl x509 -req -days 365 -in server.csr -signkey tls-key.pem -out tls-cert.pem
Or, if you are planning to do client authentication using certificates as well, then you can create your own certificate CA and create a certificate signed by this. This is a longer process, details can be found here
Or finally, if you want to make a service available publicly then you probably should really get a certificate signed by a real CA. Normally these would cost money, but the Let's Encrypt group will issue certificates with 90 days of life for free and have an API which lets you renew the certificate before it expires. Details here

ZnSecureServer on Pharo3.0 on Ubuntu

I'm trying to start a https server using this code in Pharo3.0 on ubuntu 14.04 32bit (but I've also tried on 64bit):
(ZnSecureServer on: 8343 )
certificate: '/home/monty/monty-cert.pem';
logToTranscript;
start;
yourself.
I get this error:
SSL Exception: accept failed [code:-5]
Has anyone gotten this to work on Pharo3.0 on linux? If so, how?
Thanks in advance for any suggestions!
It works on my 3.0
(ZnSecureServer on: 1235)
certificate: '/home/philippeback/.ssh/server.pem';
logToTranscript;
start;
yourself.
Certificate created with:
openssl genrsa -out privkey.pem 1024
openssl req -new -key privkey.pem -out certreq.csr
# makes certreq.csr privkey.pem
openssl x509 -req -days 3650 -in certreq.csr -signkey privkey.pem -out newcert.pem
# should say Signature ok / Getting Private key
( openssl x509 -in newcert.pem; cat privkey.pem ) > server.pem