I am trying to get my intermediate cert to be recognized by node.js.
I am on a windows server 2008R2 and IIS 7 for the main application
However I have an application on port 4443 that is node.js and needs to be served via https. I have the pfx file that I am pointing to in the ssloptions and passing that into the createserver along with the passphrase.
The intermediate cert has been installed into the windows certificate store .
I am using this middleware https://github.com/coolaj86/node-ssl-root-cas
He
Here is my code:
var myssl = require('ssl-root-cas/latest').inject()
.addFile('path-to-app/ssl/gd-g2_iis_intermediates.pem');
…
var ssloptions = {
pfx: fs.readFileSync('path-to-app/ssl/my.pfx'),
passphrase: "thecorrectpassword"
};
app.listen = function(){
//var server = http.createServer(this);
var server = https.createServer(ssloptions,this);
return server.listen.apply(server, arguments);
};
When I test the url https://example.com/ at the SSL checker it reports the chain as complete. when I check this url https://example.com:4443/ I get the message
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following GoDaddy's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.
The GoDaddy docs are no help.
Any and all help very much appreciated.
Thanks
Mark
Related
We purchased a domain name and SSL certificate on godaddy, but our server is not on GoDaddy. WE run Lampp and NodeJS in our server, and we are trying to set up SSL with both. There is no problem with Lampp. the private key and certificate from godaddy is working. but when i try the same files with NodeJS. it fails.
This is my js script:
ssl = {
key: fs.readFileSync("./key.pem",'utf8'),
cert: fs.readFileSync("./cert.crt",'utf8'),
ca: [fs.readFileSync('./g1.crt','utf8'),
fs.readFileSync('./g2.crt','utf8'), fs.readFileSync('./g3.crt','utf8')]
};
server = require('https').createServer(ssl, app);
This is the Error
_tls_common.js:104
c.context.setKey(options.key, options.passphrase);
^
Error: error:0909006C:PEM routines:get_name:no start line
After some googling, i have tried several solution: adding "utf8", spliting gd bundle, using nodepad++ to fix code. None of them helped.
However, nodejs can use my self-signed key and certificate files. So i would like to ask. Did i generate my key incorrectly? Should I manually generate private key/CSR locally and request a new certificate on GoDaddy? or there is something wrong in my code?
This error message would mean that those files are wrong, corrupt or was requested for other OS Enviroments. So we have some options.
Resolution about the code (importing file system library and use full path).
let yourKey = fs.readFileSync('./folderOne/folderTwo/initial.key').toString();
let yourCertificate = fs.readFileSync('./folderOne/folderTwo/certificate.crt').toString();
var credentials = { key: yourKey, cert: yourCertificate };
Resolution requesting per OS compatibility:
Request for new certificates with a note about the OS (Linux, Windows, etc) sending the initial key for the provider that was sent to you.
Important.: You only need the .crt file and the private key.
My current setup with the company i've joined is IIS is being used as our main web server, using a CA signed certificate. I've got access to the certificate.pdx aswell as the private key.
I've setup a https node API server to handle some real time stuff / act as a simple additional middle layer, but my website is being served through IIS. The flow of the application is something like this.
1) Visit web page where IIS will then serve it
2) Click on a button, which then makes a GET request to my node server
IIS NODE
E.g 100.10.10.10:3000/mypage > Click Button > 100.10.10.10:4000/myGetRequest
At the minute i'm just using self signed in my development environment, and manually accepting the certificates.
My question is can I just use the same certificate that IIS is using on my node HTTPS server, or do I need a different one?
It would be best if the IIS could proxy the requests to your Node app. That way your Node app wouldn't even need a certificate (if it's on localhost). See this answer for more details:
Configuring HTTPS for Express and Nginx
It uses the example of nginx but you should be able to proxy the requests with IIS as well. See this tutorial:
Setup IIS with URL Rewrite as a reverse proxy for real world apps
Whenever I deploy my Hapi.js web application to azure, it starts the server using the socket protocol (see output below).
socket:\\.\pipe\b5c0af85-9393-4dcb-bd9a-3ba9b41ed6fb
GET /
GET /{param*}
GET /api/employees
POST /api/employees
GET /api/employees/{id}
PUT /api/employees/{id}
DELETE /api/employees/{id}
POST /api/worklog
GET /login
POST /login
Hapi server started # socket:\\.\pipe\b5c0af85-9393-4dcb-bd9a-3ba9b41ed6fb
150914/214730.270, [response], socket:\\.\pipe\b5c0af85-9393-4dcb-bd9a-3ba9b41ed6fb: [1;32mget[0m / {} [32m200[0m (316ms)
However, whenever I am running this locally, it starts using http... I have not run into this issue using express or loopback, only Hapi. Is there some sort of configuration that I am missing? This is the server.connection function:
var server = new Hapi.Server();
var host = process.env.host || '0.0.0.0';
var port = process.env.port || 3000;
server.connection({host: host, port: port});
The reason this is a big deal is because I cannot pass socket://*<mydoamin>* to google as a callback URI for OAuth.
You shouldn't need to pass socket://<domain> to google, you'd pass the normal https://yourDomain.com or even the https://yourSiteName.azurewebsites.net to Google for OAuth callback and it should work as you would expect.
The fact that the node application is listening on a pipe rather than a normal tcp socket is just an implementation detail of iisnode. Basically the problem is that node has it's own webserver so you can't use it with other webservers like IIS, Apache, nginx, etc. iisnode bridges the gap between IIS and node in that it allows IIS to listen to the HTTP port on the machine 80 and when IIS gets a request on that port, it just forwards it to the node process that's listening on a named pipe. This allows you to manage your sites in IIS as you normally would on a Windows Server machine, while actually writing your app in node.
You can think of it as 2 webservers running on the box, one (IIS) is acting as a proxy for the other (node) where all the work is actually happening. The fact that the iisnode developer chose to use a named pipe instead of a normal tcp socket is odd (though kind of understandable since you can't easily reserve a port per se as you can a pipe), but it's the way it is.
I have an Owin self-host C# app that provides Web API services over 127.0.0.1:5555 (it only listens on localhost, no external connections).
These Web API services are called using Ajax from an AngularJS app. As an aside: the reason for the Owin app is that certain interaction with the hardware is needed, which is not possible from within a browser. Also, the AngularJS app is for internal use, so I have control over the browsers used.
The above works very well over HTTP, but the Angular JS app needs to use SSL, which does not work unless the Owin app also uses SSL (otherwise you get "Mixed content" errors).
I have bought an official cert for the AngularJS app, and I am using self-signed certs for the Owin localhost stuff.
The problem is that I get "NET::ERR_CERT_AUTHORITY_INVALID" (when testin from Chrome) and "net::ERR_INSECURE_RESPONSE" from the AngularJS app when talking to the Owin Web API.
Here is what I have done, in broad strokes:
I used a CentOS box to generate the cert for localhost and exported it to pkcs12 / pfx format. I also generated a CA cert and exported it the same way.
Using MMC I imported the localhost cert on the Windows 7 machine running the Angular & Owin app into Certificates (Local Computer) > Personal > Certificates.
I also imported the CA cert on the Windows 7 machine into Certificates (Local Computer) > Trusted Root Certification Auhorities > Certificates
Looking at the localhost cert, it says "Issued to: localhost", Issued by: "ca.acme.com", "You have a private key that correpsonds to this certificate", (under Certification Path) "This certificate is Ok"
The CA cert says "Issued to: ca.acme.com", Issued by: "ca.acme.com", "You have a private key that correpsonds to this certificate", (under Certification Path) "This certificate is Ok"
netsh http show sslcert
IP:port : 127.0.0.1:5555
Certificate Hash : 1234555555555555555555511155555555555555
Application ID : {1234a123-1234-1234-1234-123412341234}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
What am I missing? How can I make Chrome, etc. trust the SSL cert for localhost?
I got this working (sufficiently for my current needs, at least).
I copied the localhost cert from "Certificates (Local Computer) > Personal > Certificates" to "Certificates (Current User) > Personal > Certificates". This got rid of the red cross-out of https in Chrome (and the "NET::ERR_CERT_AUTHORITY_INVALID" message) as well as the "net::ERR_INSECURE_RESPONSE" error in AngularJS.
Note that in my case, the localhost cert had to be in both the Local Computer store and in the Current User Store, otherwise the netsh command for binding it to port 5555 (for the Owin app) would fail:
netsh http add sslcert ipport=127.0.0.1:5555 certhash=1234555555555555555555511155555555555555 appid={1234a123-1234-1234-1234-123412341234}
SSL Certificate add failed, Error: 1312, A specified logon session does not exist. It may already have been terminated.
There is still no nice green padlock in Chrome (it now has a yellow little triangle on the pad lock, "The identity of this website has been verified by ca.acme.com but does not have public audit records"), but this does not seem to interfere with the Web API communication, so it should be fine.
If anybody knows of an easy way to make it all green and nice with no warnings, I am still interested, but it is not critical.
On Linux I had to apt-gt install libnss3-tools
With libnss3-tools you get certutil
Now the key-command:
certutil -d sql:$HOME/.pki/nssdb -A -t "CP,CP," -n <your alias> -i <your crt-file to import>
This solve all my problems with Chrome on Raspberry / Linux
I have a WorkerRole configured to start node.exe via the Runtime/EntryPoint/ProgramEntryPoint element in the csdef and have a HttpsIn EndPoint configured for https on port 443 w/ a valid certificate. I'm also setting the PORT environment variable in Runtime/Environment which is used by node to listen on for incoming requests.
When I start the service (either in local dev fabric or in Azure) and try to hit the service I get the following error:
SSL connection error
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
I have verified that node.exe is indeed started when the service starts, and if I look up the local port in the Compute Emulator, usually something like:
http://localhost:444
I am able to successfully hit node directly with that using my browser. I am also able to hit node through Azure when SSL is not configured.
What am I missing? Thanks!
The issue was that I was using the http module instead of the https module when starting the web server in Node. Works once I started the https server using the ssl certificate.
I was following a guide for SSL w/ Node in a WebRole, which requires a different set up than SSL w/ Node in WorkerRole.