I am having trouble getting my SSL server working with the certificate's from godaddy
Using Express: 3.1.0
Below this works with a key/crt that was generated locally / not signed by go daddy (The browser complains but if you add exception it works.
var http = require('https');
var privateKey = fs.readFileSync('/var/www/dev/ssl/server.key').toString();
var certificate = fs.readFileSync('/var/www/dev/ssl/server.crt').toString();
var credentials = {key: privateKey, cert: certificate};
var https = http.createServer(credentials, app);
With godaddy I am provided an extra file gd_bundle.crt which I believe you implement like this, however I am getting an error
var http = require('https');
var privateKey = fs.readFileSync('/var/www/prod/ssl/mysite.key').toString();
var certificate = fs.readFileSync('/var/www/prod/ssl/mysite.com.crt').toString();
var ca = fs.readFileSync('/var/www/prod/ssl/gd_bundle.crt').toString();
var credentials = {key: privateKey, cert: certificate, ca: ca};
var https = http.createServer(credentials, app);
With this configuration I get: Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
Truth be told I am not creating they keys/certs our devops guy does... I am not sure how I can troubleshoot if I am implementing the godaddy ones incorrectly or if there is a way to ensure he setup the key/crt files correctly....
Does anyone see anything blatantly obviously wrong?
Node requires each certificate in the CA chain to be passed separately in an array. gd_bundle.crt probably looks like this:
-----BEGIN CERTIFICATE-----
MIIE3jCCA...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEADCCA...
-----END CERTIFICATE-----
Each certificate needs to be put in its own file (ie gd1.crt and gd2.crt) and read separately.
https.createServer({
key: fs.readFileSync('mysite.key'),
certificate: fs.readFileSync('mysite.crt'),
ca: [fs.readFileSync('gd1.crt'), fs.readFileSync('gd2.crt')]
});
Ask GoDaddy for your ssl certificate in SHA-1 signature and break the bundle file into two files, this way...
FROM your gd_bundle.crt
-----BEGIN CERTIFICATE-----
MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMx
RE4+uXR21aITVSzGh6O1mawGhId/dQb8vxRMDsxuxN89txJx9OjxUUAiKEngHUuH
qDTMBqLdElrRhjZkAzVvb3du6/KFUJheqwNTrZEjYx8WnM25sgVjOuH0aBsXBTWV
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mERdEr/VxqHD3VILs9RaRegAhJhldX
RQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5CufReYNnyicsbkqWletNw+vHX/bvZ8
-----END CERTIFICATE-----
TO gd_bundle_01.crt
-----BEGIN CERTIFICATE-----
MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMx
RE4+uXR21aITVSzGh6O1mawGhId/dQb8vxRMDsxuxN89txJx9OjxUUAiKEngHUuH
qDTMBqLdElrRhjZkAzVvb3du6/KFUJheqwNTrZEjYx8WnM25sgVjOuH0aBsXBTWV
-----END CERTIFICATE-----
AND gd_bundle_02.crt
-----BEGIN CERTIFICATE-----
56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mERdEr/VxqHD3VILs9RaRegAhJhldX
RQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5CufReYNnyicsbkqWletNw+vHX/bvZ8
-----END CERTIFICATE-----
then on your server do this
var fs = require('fs'),
https = require('https');
var ssl = {
key: fs.readFileSync('./ssl/server.key', 'utf8'),
cert: fs.readFileSync('./ssl/server.crt', 'utf8'),
ca: [fs.readFileSync('./ssl/bundle_01.crt', 'utf8'),
fs.readFileSync('./ssl/bundle_02.crt', 'utf8')]
};
https.createServer(ssl, function(req, res) {
//... your code here ...
}).listen(443);
Recently I had a similar problem with Godaddy's SSL certificates on one of our node.js servers. In my case the problem was with one of our servers validating the SSL using PHP's curl functions.
It turns out I had to choose SHA-1 signature algorithm when submitting the CSR to Godaddy. I guess it is more compatible with older systems.
Simpler
Why be so specific just for GoDaddy's CA bundle when you can keep the same approach for different environments? I only need two files for dev env for example but production is using GoDaddy certs and has many so what to do?
For GoDaddy, I take their bundle and append it into a single file and name the extension as PEM as well as the key file which gives a pretty standard approach for all types of certs.
Then you end up just doing this for all environments:
server = https.createServer({
key: fs.readFileSync(config.sslKey),
cert: fs.readFileSync(config.sslCert),
},app).listen(config.sslPort);
In your GoDaddy cert.pem file you just place your certificate and your bundle files from 1 to x (top to bottom) and you're done like so:
-----BEGIN CERTIFICATE-----
site certificate goes here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA 1 goes here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA 2 goes here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA X goes here
-----END CERTIFICATE-----
Not necessarily better but I prefer it. I didn't encounter on Express 3.x that I had to do the CA array route but I could be wrong for the specific version.
Related
I am new to SSL and trying to find some method or code which can convert .pem file to .crt using Python3 and OpenSSL.
Have searced through openSSL docs there is resource for shell script but wasn't able gain much python3..
Also I tried with some shell script
import os
cmd = 'openssl x509 -outform der -in cert.pem -out cert.pem.crt'
os.system(cmd)
but when I open the newly converted .crt file
i getting some gibberish words
instead of below words or encoding
-----BEGIN CERTIFICATE-----
... (certificate in base64 PEM encoding) ...
-----END CERTIFICATE-----
If anyone can share some idea or code will be helpful. Thanks in advance
I am trying to install Chrome native client.
I went to this https://developer.chrome.com/native-client/sdk/download page to download and install the sdk. I followed the instructions in this page however when I tried to execute the naclsdk list command or any naclsdk command I got an error:
third_party.fancy_urllib.InvalidCertificateException: Host storage.googleapis.com returned an invalid certificate ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)):
To learn more, see http://code.google.com/appengine/kb/general.html#rpcssl
Usage: sdk_update_main.py <command> [options]
What is the problem here? Is there a problem with a certificate?
just comment two lines of sdk_tools/download.py
# ca_certs = os.path.join(SCRIPT_DIR, 'cacerts.txt')
# request.set_ssl_info(ca_certs=ca_certs)
When I tried applying the accepted answer, download.py was overwritten with the old version before it was executed.
Instead, I updated the certificates by replacing the contents of cacerts.txt with the certificate chain storage.googleapis.com is using today:
-----BEGIN CERTIFICATE-----
MIIGcjCCBVqgAwIBAgIQBdcOj75NzEPW3Y45nh0r+zANBgkqhkiG9w0BAQsFADBU
MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMSUw
IwYDVQQDExxHb29nbGUgSW50ZXJuZXQgQXV0aG9yaXR5IEczMB4XDTE5MDMwMTA5
MzY0NVoXDTE5MDUyNDA5MjUwMFowcjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh
bGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEzARBgNVBAoMCkdvb2ds
ZSBMTEMxITAfBgNVBAMMGCouc3RvcmFnZS5nb29nbGVhcGlzLmNvbTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMhmw+ZB0GgoEEHQR+g75gfFMoqoBHvc
NADV8RJ5iCIiIQh2slRYv9Wai9/ZeYrxaJowLyEpi5n3ZjeIBBGitSnTd+sUOnT5
n/D/d5FCRKBcNkAJkdMtqnHJNPRt5xlheKlPYPzb+qR/BdoedfMbcgJ8Qgfg5mAb
xVpLOUGIKDNfC+z+wthXJJtqp2WU3MCKfFQy9tXodq043Mvdl0hEF4P3I3SSZioO
WK44JonwPbbvy7qk9ohrchfLa0VfPVN9rlpV0eoNTWISlNrK+fmBgj5lr7YNtfUK
lyi26L119hWPAlVpnHohf15iRPUudK70GY+xPbol6tD92pXY3pxPwD8CAwEAAaOC
AyAwggMcMBMGA1UdJQQMMAoGCCsGAQUFBwMBMIIB9QYDVR0RBIIB7DCCAeiCGCou
c3RvcmFnZS5nb29nbGVhcGlzLmNvbYIkKi5hcHBzcG90LmNvbS5zdG9yYWdlLmdv
b2dsZWFwaXMuY29tgiIqLmNvbW1vbmRhdGFzdG9yYWdlLmdvb2dsZWFwaXMuY29t
gikqLmNvbnRlbnQtc3RvcmFnZS1kb3dubG9hZC5nb29nbGVhcGlzLmNvbYInKi5j
b250ZW50LXN0b3JhZ2UtdXBsb2FkLmdvb2dsZWFwaXMuY29tgiAqLmNvbnRlbnQt
c3RvcmFnZS5nb29nbGVhcGlzLmNvbYIQKi5nb29nbGVhcGlzLmNvbYIhKi5zdG9y
YWdlLWRvd25sb2FkLmdvb2dsZWFwaXMuY29tgh8qLnN0b3JhZ2UtdXBsb2FkLmdv
b2dsZWFwaXMuY29tgh8qLnN0b3JhZ2Uuc2VsZWN0Lmdvb2dsZWFwaXMuY29tgiBj
b21tb25kYXRhc3RvcmFnZS5nb29nbGVhcGlzLmNvbYIrc3RhdGljLnBhbm9yYW1p
by5jb20uc3RvcmFnZS5nb29nbGVhcGlzLmNvbYIWc3RvcmFnZS5nb29nbGVhcGlz
LmNvbYIdc3RvcmFnZS5zZWxlY3QuZ29vZ2xlYXBpcy5jb22CD3VuZmlsdGVyZWQu
bmV3czBoBggrBgEFBQcBAQRcMFowLQYIKwYBBQUHMAKGIWh0dHA6Ly9wa2kuZ29v
Zy9nc3IyL0dUU0dJQUczLmNydDApBggrBgEFBQcwAYYdaHR0cDovL29jc3AucGtp
Lmdvb2cvR1RTR0lBRzMwHQYDVR0OBBYEFIDYGi+iqBDS6hhcK63FsCcyzki1MAwG
A1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUd8K4UJpndnaxLcKG0IOgfqZ+ukswIQYD
VR0gBBowGDAMBgorBgEEAdZ5AgUDMAgGBmeBDAECAjAxBgNVHR8EKjAoMCagJKAi
hiBodHRwOi8vY3JsLnBraS5nb29nL0dUU0dJQUczLmNybDANBgkqhkiG9w0BAQsF
AAOCAQEAsNHEdUG4mXtpq1/QwqkL4ljH0HTCi586YHsijMpt6yaVXHxwlofBmB5r
7q/zlPIrIYvwEhl6Hx61mUEvUgnaeSFxYacI6UzRVyD1SA4VACpWCvBSgmNGz4TG
PvN10UvhQr8oje4VTON+UHI1sqLbSMQU6R3hlYQryu8dfl7Rc9evEjErNljATkgU
63DPq2bs/twkmRV/ORwgqzjoIxYK+58mpgV5CJGkdkqhiQAJ2Pu7ZeNdwWuQqjGC
H8kutx7Vvlm84BM4syzRoTWK4pOGmZVbrXHu2yiuHuJyfeT1ZQuNm0yuXW2A4PZh
z+TIiPW8jDr4cXccAslL+BuIpURPWg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEXDCCA0SgAwIBAgINAeOpMBz8cgY4P5pTHTANBgkqhkiG9w0BAQsFADBMMSAw
HgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFs
U2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0xNzA2MTUwMDAwNDJaFw0yMTEy
MTUwMDAwNDJaMFQxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVHb29nbGUgVHJ1c3Qg
U2VydmljZXMxJTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzMw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKUkvqHv/OJGuo2nIYaNVW
XQ5IWi01CXZaz6TIHLGp/lOJ+600/4hbn7vn6AAB3DVzdQOts7G5pH0rJnnOFUAK
71G4nzKMfHCGUksW/mona+Y2emJQ2N+aicwJKetPKRSIgAuPOB6Aahh8Hb2XO3h9
RUk2T0HNouB2VzxoMXlkyW7XUR5mw6JkLHnA52XDVoRTWkNty5oCINLvGmnRsJ1z
ouAqYGVQMc/7sy+/EYhALrVJEA8KbtyX+r8snwU5C1hUrwaW6MWOARa8qBpNQcWT
kaIeoYvy/sGIJEmjR0vFEwHdp1cSaWIr6/4g72n7OqXwfinu7ZYW97EfoOSQJeAz
AgMBAAGjggEzMIIBLzAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHfCuFCa
Z3Z2sS3ChtCDoH6mfrpLMB8GA1UdIwQYMBaAFJviB1dnHB7AagbeWbSaLd/cGYYu
MDUGCCsGAQUFBwEBBCkwJzAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AucGtpLmdv
b2cvZ3NyMjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLnBraS5nb29nL2dz
cjIvZ3NyMi5jcmwwPwYDVR0gBDgwNjA0BgZngQwBAgIwKjAoBggrBgEFBQcCARYc
aHR0cHM6Ly9wa2kuZ29vZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEA
HLeJluRT7bvs26gyAZ8so81trUISd7O45skDUmAge1cnxhG1P2cNmSxbWsoiCt2e
ux9LSD+PAj2LIYRFHW31/6xoic1k4tbWXkDCjir37xTTNqRAMPUyFRWSdvt+nlPq
wnb8Oa2I/maSJukcxDjNSfpDh/Bd1lZNgdd/8cLdsE3+wypufJ9uXO1iQpnh9zbu
FIwsIONGl1p3A8CgxkqI/UAih3JaGOqcpcdaCIzkBaR9uYQ1X4k2Vg5APRLouzVy
7a8IVk6wuy6pm+T7HT4LY8ibS5FEZlfAFLSW8NwsVz9SBK2Vqn1N0PIMn5xA6NZV
c7o835DLAFshEWfC7TIe3g==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G
A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp
Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1
MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG
A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL
v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8
eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq
tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd
C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa
zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB
mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH
V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n
bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG
3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs
J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO
291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS
ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd
AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7
TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg==
-----END CERTIFICATE-----
The problem is with an outdated sdk_tools/cacerts.txt file; Google has changed the CA they use, but the code tries to verify against a specific CA trust anchor.
As an aside, this highlights the difficulties with key pinning.
The minimum change you can do is to update the CA cert it expects by downloading a newer version. This still verifies that you're connected to a Google-controlled server.
The solution by sevenyearslater of ripping this custom check out works too, but makes it possible to spoof the download site in some scenarios.
Using a new utility kyrtool, I've been trying to create keyring and import the particular domain certificate into it.
Certificate has been issued by RapidSSL. It's an SHA2 certificate issued for "*.domain.tld".
First of all I've created a new keyring file:
kyrtool create -k C:\path\keyring.kyr -p password
Then I've converted my pfx certificate to pem in opnessl:
openssl pkcs12 -in certificate.pfx -out certificate.pem
Then I've tried to import my PEM into the new keyring:
kyrtool import all -i certificate.pem -k C:\path\keyring.kyr -v
And an error occured:
Using keyring path 'C:\path\keyring.kyr'
No private key found in the input file
ReadPEMPrivateKey returned error 0x0495
Invalid arguments
My PEM certificate contains both -----BEGIN RSA PRIVATE KEY----- and -----BEGIN CERTIFICATE----- blocks.
Any idea?
Thanks, JiKra
Ok, problem was with the wrong order in certificate chain in PEM file. There was a global CA (GeoTrust CA) certificate before the issuer certificate (RapidSSL 256 - G3).
We've resolved the problem by dividing the whole certificate into four separate PEM files and importing them in the proper order.
kyrtool import keys
kyrtool import certs
kyrtool import roots ...global
kyrtool import roots ...intemediate
JiKra
EDIT 1:
As we realized, the main problem could be with the intermediate certificate of RapidSSL 256 G3 where there were no paddings at the end. This certificate ends exactly with 7bit content:
-----BEGIN CERTIFICATE-----
MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYT
AlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVz
dCBHbG9iYWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBH
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UE
AxMXUmFwaWRTU0wgU0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCvVJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBd
mJyNkA+8EGVf2prWRHzAn7XpSowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9E
X9zHFLYDn4ZLDqP/oIACg8PTH2lS1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4K
jxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQDAP8m/0Ip4yM26eO8R5j3LMBL3+v
V8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AMQriYrRmIV9cE7Ie/fodOoyH5
U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkpYEj4/5G8V1jlNS67abZZ
AgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1luMrM
TjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYDVR0TAQH/BAgw
BgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCigJoYkaHR0
cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUFBwEB
BCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF
MEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdl
b3RydXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCj
WB7GQzKsrC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/C
J8cW8fuTgZCpfO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5Uz
CHuTcSJCs6nZb0+BkvwHtnm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5h
o452nFnPjJSxhJf3GrkHuLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq
7A6rvz17OQV79PP7GqHQyH5OZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWm
My66S6VdU5oNMOGNX2Esr8zvsJmhgP8L8mJMcCaY
-----END CERTIFICATE-----
I'm working to setup a SSL via GoDaddy to use with my node.js server on AWS EC2. I've been unable to get it to work.
Here's what I've tried:
Intended for the domain: files.mysite.com
On the server I run:
$ openssl req -new -newkey rsa:2048 -nodes -keyout files.mysite.key -out files.mysite.csr
Common Name: files.mysite.com
password: left empty
I then get the CSR: vim files.mysite.csr
I copy and paste from:
-----BEGIN CERTIFICATE-----
......... lots of stuff
-----END CERTIFICATE-----
There is an extra empty line at the end, which I leave and paste into the GoDaddy interface using rekey.
I then download the godaddy key which provides:
gd_bundle.crt
files.mysite.com.crt
Then in node I insert:
key: fs.readFileSync('server.key').toString(),
cert: fs.readFileSync('server.crt').toString()
I'm not sure what server.key is or server.crt given that GoDaddy provides two crt files?
Can you help?
GoDaddy uses an intermidiate certificate to sign your certificate. This has several advantages to both you and GoDaddy. But it takes a bit more work to get it to work (just a bit, mostly googling around).
In node.js you can install them like this:
require('https').createServer({
key: fs.readFileSync('files.mysite.com.key'),
cert: fs.readFileSync('files.mysite.com.crt'),
ca: [fs.readFileSync('gd_bundle.crt')] // <----- note this part
}, app).listen(443);
You should use .crt and .key files at the creation of your http server instance. The following snippet will give you the idea :
require('https').createServer({
key: fs.readFileSync('/path/to/something.key'),
cert: fs.readFileSync('/path/to/something.crt'),
}, app).listen(443);
If you have a passphrase for your key, you can pass it though as follows :
require('https').createServer({
key: fs.readFileSync('/path/to/something.key'),
cert: fs.readFileSync('/path/to/something.crt'),
passphrase: 'your_secret_passpahrase'
}, app).listen(443);
I'm using the Express framework in Node.js to create a web server. I want to use ssl for the web server's connection.
The code to create the https web server is as below.
var app = express.createServer({
key: fs.readFileSync('./conf/key.pem'),
cert: fs.readFileSync('./conf/cert.pem')
});
module.exports = app;
Question: How to create the key.pem and cert.pem required by express?
The two files you need are a PEM encoded SSL certificate and private key. PEM encoded certs and keys are Base64 encoded text with start/end delimiters that look like -----BEGIN RSA PRIVATE KEY----- or similar.
To create an SSL certificate you first need to generate a private key and a certificate signing request, or CSR (which also contains your public key).You can do this in a variety of ways, but here's how in OpenSSL.
openssl req -newkey rsa:2048 -new -nodes -keyout key.pem -out csr.pem
This will cause you to enter an interactive prompt to generate a 2048-bit RSA private key and a CSR that has all the information you choose to enter at the prompts. (Common Name is a legacy location where domain names used to go, but modern browsers require an extension called SubjectAlternativeName now. However, when submitting to a CA they will put CN values in SAN) Once you've done this you would normally submit this CSR to a trusted certificate authority and once they've validated your request you would receive a certificate.
If you don't care about your certificate being trusted (usually the case for development purposes) you can just create a self-signed certificate. To do this, we can use almost the same line, but we'll pass some extra parameters. The interactive prompt doesn't support Subject Alternative Name (SAN), which is required in most modern clients, so we pass it on the CLI via the -addext flag. You'll need to change mydnsname.com to the right name for your uses. Be sure to keep DNS: though!
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem -addext "subjectAltName = DNS:mydnsname.com"
This will give you a cert (valid for 10 years) and key pair that you can use in the code snippet you posted.
Just follow this procedure :
create the folder where you want to store your key & certificate :
mkdir conf
go to that directory :
cd conf
grab this ca.cnf file to use as a configuration shortcut :
wget https://raw.githubusercontent.com/anders94/https-authorized-clients/master/keys/ca.cnf
create a new certificate authority using this configuration :
openssl req -new -x509 -days 9999 -config ca.cnf -keyout ca-key.pem -out ca-cert.pem
now that we have our certificate authority in ca-key.pem and ca-cert.pem, let's generate a private key for the server :
openssl genrsa -out key.pem 4096
grab this server.cnf file to use as a configuration shortcut :
wget https://raw.githubusercontent.com/anders94/https-authorized-clients/master/keys/server.cnf
generate the certificate signing request using this configuration :
openssl req -new -config server.cnf -key key.pem -out csr.pem
sign the request :
openssl x509 -req -extfile server.cnf -days 999 -passin "pass:password" -in csr.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem
I found this procedure here, along with more information on how to use these certificates.
An alternative is to generate the certificates with the pem library using the createCertificate method of the class.
The process would be as follows:
Install openssl in your system if not there already, for instance for windows 10 the a compiled version of the sources (seems like the most open one) can be found here: https://curl.se/windows/ the explanations of how it is compiled and safeguarded are here: https://wiki.openssl.org/index.php/Binaries. For the source https://www.openssl.org/community/binaries.html
For windows, you may want to add the diretory of the openssl.bin file to the system environment path variable (https://www.architectryan.com/2018/08/31/how-to-change-environment-variables-on-windows-10/) or pass the location of the file to the PEM library.
Instal pem using (documentation here: https://github.com/Dexus/pem
npm i pem
at the command line at the root of the server.
From the documentation you can see that a simple https server with the keys can be created simply by:
const https = require('https')
const pem = require('pem')
pem.createCertificate({ days: 1, selfSigned: true }, (err, keys) => {
if (err) {
throw err
}
https.createServer({ key: keys.clientKey, cert: keys.certificate }, (req, res) => {
res.end('o hai!')
}).listen(443)
})
or using express
npm i express
at the command line at the root of the server):
const https = require('https')
const pem = require('pem')
const express = require('express')
pem.createCertificate({ days: 1, selfSigned: true }, (err, keys) => {
if (err) {
throw err
}
const app = express()
app.get('/', (req, res) => {
res.send('o hai!')
})
https.createServer({ key: keys.clientKey, cert: keys.certificate }, app).listen(443)
})
Just changed the var for const as appropiate, and functions for arrow functions