Problem using certbot cert and key file from node.js (self-signed)

I am trying to use a certbot cert and key file in a node.js application. I can get the application running and accepting POST REST calls from Postman if I turn off "SSL Certificate Verification." It stops working when I turn it on. I receive "Self-signed SSL certificates are being blocked: Fix this by turning off 'SSL certificate verification' in Settings > General." Is this the expected behavior? I thought that the cert would not be considered to be self-signed. My code looks like this:

const https = require('https');
const fs = require('fs');

// `app` (the request handler, e.g. an Express app) and URL_PORT (the listening
// port) are assumed to be defined elsewhere in the application.
https.createServer({
  key: fs.readFileSync('…/privkey.pem'),      // path elided in the original post
  cert: fs.readFileSync('…/fullchain.pem')
}, app)
.listen(URL_PORT, function () {
  console.log('Example app listening')
})

Hi @ajprokop

if you have that error message, you don't use a Letsencrypt certificate. Such certificates aren't self-signed.

I am using the certificate and key files that were created by certbot. I moved them from /etc/letsencrypt/live/MyDomain/, but they are the same files.

Is the domain available to the Internet?

If you would use these files, you wouldn’t see that error message.

So something is wrong.

I am running my code on a GoDaddy server (ip-72-xxx-xxx-xxx.ip.secureserver.net) that I can ping from my PC.

Try:
openssl s_client -connect IP:port -servername {actual.server.name}

Yes, something is wrong. I can use the cert and key files for an https connection on Postman as long as I don’t turn on SSL Verification. That tells me that they are working when Postman doesn’t care about how the certificate was signed.

Email systems rarely care about certs - any cert will do.

I am trying to connect Google Dialogflow to my web service. No email system is involved.

When I run openssl s_client -connect IP:port -servername {actual.server.name} I receive this:

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify return:1
depth=0 CN = ip-72-167-227-239.ip.secureserver.net
verify return:1

Certificate chain
0 s:/CN=ip-72-167-227-239.ip.secureserver.net
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
1 s:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Server certificate
subject=/CN=ip-72-167-227-239.ip.secureserver.net
issuer=/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3

No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 3278 bytes and written 477 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: D7541588780D0EB1BC488AA3503912C3B670F9126E873E9FA54A301875BBBE96
Session-ID-ctx:
Master-Key: CAEA4625FD42E81CA0FFD8A8A9075637E7F80A38A5E477333937A5F64D6FDC8F931EA1D512A5CF3908E5926A04520C30
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:

Start Time: 1589209130
Timeout   : 300 (sec)
Verify return code: 0 (ok)

That all looks correct.
Although I can’t connect to that system to confirm.

Can you run this: openssl s_client -connect IP:3070 -servername ip-72-167-227-239.ip.secureserver.net

There is a valid Letsencrypt certificate. And the chain is correct, the intermediate certificate is sent.

So that’s not the problem.

I got it to work. My problem was that Dialogflow was accessing the site with an IP address and not the FQDN. The cert is only valid for an FQDN. Once I resolved that, the problem went away. Thanks for all the eyes on this.
