How to create a certificate for a nodejs server listening on another port


#1

Hi,

My goal: set up a secure wordpress site where one page has an iframe pointing to a nodejs server listening on port (http) 1880. On DigitalOcean Ubuntu 16.04.

I have had a (previous, working) setup where the (http) website was on another host - nodejs listening on (http) port 1880.

I have already successfully created a certificate for the website, i.e. port 80/443.

The following nginx config file allows access (via port 1888) to the nodejs app listening on http port 1880:

server {
        listen 1888 ;
        server_name sandbox.ritc.io;
        location / {
            proxy_pass http://PRIVATE_IP_ADDRESS:1880;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
}

You can test that the nodejs app is accessible - at http://sandbox.ritc.io:1888

The iframe reference in the website is:
[iframe src="http://sandbox.ritc.io:1888/?env=website#" width="100%" height="600"][/iframe]

The problem is: Chrome +other browsers do not allow ‘mixed content’.

So in order to be able to have the iframe refer to:
[iframe src="https://sandbox.ritc.io:1888/?env=website#" width="100%" height="600"][/iframe]

It seems that one solution would be to configure the nginx server block to accept SSL, i.e. I (think I) would need to create an SSL certificate allowing access to port 1888. In this scenario, nginx will accept https requests while forwarding the request on to the nodejs app (still) listening via http on port 1880 (via proxy_pass http://PRIVATE_IP_ADDRESS:1880;).

Is it possible to create a certificate to do this? If so, how do I do this?

Thanks

Colin Goldberg

My domain is:
sandbox.ritc.io

My web server is (include version):
nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04

My hosting provider, if applicable, is:
Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

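One way to do what post #1 asks, as an added example that is not part of the original thread: terminate TLS in nginx on port 1888 with the certificate already issued for sandbox.ritc.io (a certificate covers hostnames, not ports, so this variant needs no new certificate) and leave node on plain http on 1880. The PRIVATE_IP_ADDRESS placeholder, the certbot-managed file paths and the options-ssl-nginx.conf include are taken from the thread; the X-Forwarded-* headers and the comments are additions.

```nginx
# Added example: TLS termination on port 1888 in front of the node app on 1880.
# Assumes the certificate for sandbox.ritc.io already exists under
# /etc/letsencrypt/live/sandbox.ritc.io/ (as in the thread) and that nginx
# was built with the http_ssl_module (nginx -V lists it).
server {
    listen 1888 ssl;
    server_name sandbox.ritc.io;

    # Same certificate as the port-443 site: a certificate binds to the
    # hostname only, so one cert serves every port on this name.
    ssl_certificate     /etc/letsencrypt/live/sandbox.ritc.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sandbox.ritc.io/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;   # protocol/cipher settings written by certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://PRIVATE_IP_ADDRESS:1880;   # node stays plain http on the private address
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;      # keep websocket upgrades working through the proxy
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # Tell the app the client really used https, so absolute URLs or
        # secure-cookie decisions it makes behind the proxy are correct.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_cache_bypass $http_upgrade;
    }
}
```

After `nginx -t && systemctl reload nginx` the iframe can point at https://sandbox.ritc.io:1888/ without a mixed-content warning. Check what the new listener actually presents with `openssl s_client -connect sandbox.ritc.io:1888 -servername sandbox.ritc.io </dev/null 2>/dev/null | openssl x509 -noout -subject -dates`, and make sure the droplet firewall allows 1888 while leaving 1880 reachable only on the private address; otherwise the plain-http node port can be reached directly, bypassing the TLS front end.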

#2

Hi,

In this case, you can use two ways to grab a certificate:

You could use http validation, which needs port 80 open, and use Certbot certonly (or webroot), so you won't need to edit nginx and create an http vhost listening on 80.

Another way is to use DNS validation, however, it’s a little complicated.

(I Have no clue how to enable https for nodejs server, just know how to grab a certificate)

Thank you


#3

Thanks for your quick response. Does the first option not clash with my having a server block for the wordpress site, i.e. re port 80? Can anyone point me to how to do this if it works this way?


#4

Hi,

If you have any site on Nginx on port 80,
you can still use the certonly option since there will be minimal impact on Nginx (if certonly, I believe, since it's standalone).
certbot --nginx will edit your Nginx conf for verification.

Thank you


#5

If you’re going to proxy through nginx anyway, I’d suggest using a virtual host like nodeservice.sandbox.ritc.io instead of a separate port, so you can just use certbot the way you do with other domains.

That being said, certificates don’t include port numbers. As long as the domain name is the same you can use the same certificate.

If the domain name is different or you really want to use a second certificate even though you don’t have to, use certbot certonly --nginx as suggested upthread. Domain verification always takes place on port 80 for security reasons, so you need to do the verification with whatever server is running on that port, even if you plan to use the certificate with a different one. But certonly stops certbot from installing the certificate on port 80 so you can use it with a different port.


#6

I modified the server block to the following, but it now says "not secure" (for https://vre.sandbox.ritc.io) - I did add the DNS A record for vre.sandbox.ritc.io before doing this.

server {
    listen 443 ssl;
    server_name vre.sandbox.ritc.io;
    location / {
        proxy_pass http://PRIVATE_IP_ADDRESS:1880;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    ssl on;   # redundant with "listen 443 ssl" above; still accepted by nginx 1.10
    ssl_certificate /etc/letsencrypt/live/sandbox.ritc.io/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/sandbox.ritc.io/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

The ssl_certificate… references are the same as in the server block
that caters to the main site.

What am I missing?

Colin Goldberg


#7

If you use a different hostname you do still need to add it to your existing certificate or issue a new one.

To expand your existing certificate:

sudo certbot --nginx --expand -d sandbox.ritc.io,vre.sandbox.ritc.io

To get a separate one:

sudo certbot --nginx -d vre.sandbox.ritc.io

#8

Thank you! That worked. Your quick responses and help were much appreciated.

Colin Goldberg


#9

I just wanted to add:

  1. You absolutely want nginx to terminate the SSL connection and just have node handle http

  2. Since you’re using nginx and familiar with proxypass, you can create another proxypass for the “/.well-known” directory on all your nginx port 80 domains, and then run certbot on an alternate port for validation. You’ll still need to do a (graceful) restart of nginx to activate the new cert, but that will let you run the renewal automatically without downtime.

I posted the full commands and setup in this comment last month: Ideas about how to automate initial configuration of certificates

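The layout described in point 2 of post #9, as an added example that is not from the thread or from certbot's own documentation: every port-80 server block includes one shared snippet that hands only the ACME challenge path to a certbot standalone listener on a loopback port, and certbot reloads nginx once the new certificate is in place. The snippet path, the loopback port 8402 and the exact domain list are assumptions for illustration; the hostnames are the ones used in the thread.

```nginx
# Added example: /etc/nginx/snippets/acme-proxy.conf (path assumed).
# Include it in every port-80 server block. Only the challenge path is
# proxied; everything else on port 80 still belongs to the site.
location ^~ /.well-known/acme-challenge/ {
    proxy_pass http://127.0.0.1:8402;          # certbot --standalone listens here (port assumed)
    proxy_set_header Host $host;               # pass the requested name through unchanged
    proxy_set_header X-Forwarded-For $remote_addr;
}

# Example port-80 server block using the snippet. The prefix location above
# wins over "location /", so the site's own redirect stays in place.
server {
    listen 80;
    server_name sandbox.ritc.io vre.sandbox.ritc.io;
    include snippets/acme-proxy.conf;
    location / {
        return 301 https://$host$request_uri;  # everything except the challenge goes to https
    }
}

# Issue (or later renew) without stopping nginx; run as root. certbot only
# binds 127.0.0.1:8402 for the duration of the validation, and the deploy
# hook is stored in the renewal config so "certbot renew" reuses it:
#   certbot certonly --standalone --preferred-challenges http --http-01-port 8402 \
#       -d sandbox.ritc.io -d vre.sandbox.ritc.io \
#       --deploy-hook 'systemctl reload nginx'
```

Because 127.0.0.1:8402 is reachable only through the proxy, no extra firewall port is opened, and because nginx is reloaded rather than restarted the renewal is downtime-free. The `--deploy-hook` option needs a certbot release that knows it (older ones offer `--renew-hook` instead); on Ubuntu 16.04 that means installing certbot from the Let's Encrypt PPA rather than the stock package.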

#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.