I’m trying to set up a test box on my domain: frametest.eu, Ubuntu 18, Apache2.
frametest.eu has no SSL certificate, not even HTML pages…
main.frametest.eu goes to another physical server, installed with Apache using Let’s Encrypt.
HTTPS is working perfectly and passes SSL validations.
I tried to start a Node process on this box and use the Let’s Encrypt certificate in my code:
const fs = require("fs");
const https = require("https");
const express = require("express"); // app is assumed to be an Express app, as app.listen suggests
const app = express();

const options = {
  cert: fs.readFileSync("…/certifs/fl_certif_" + fl.s.myMainSrvName.toLowerCase() + ".chain.pem"),
  key: fs.readFileSync("…/certifs/fl_certif_" + fl.s.myMainSrvName.toLowerCase() + ".key"),
  rejectUnauthorized: false, // client certificates that fail verification are still accepted
  requestCert: true,         // this is what makes the server ask every browser for a client certificate
};
var srv = https.createServer(options, app);
srv.listen(3000, () => { // listen on the https server; app.listen would start a plain http server instead
  console.log("server ok");
});
The certificate is not authorized by Node, i.e. req.client.authorized always returns false.
You can check by calling https://main.frametest.eu:3000/login/getAppList: a client
certificate is requested…
What is wrong with my configuration?
Thanks
Nicolas
What is your end goal? Do you want all visitors to have to offer a client certificate? If so, it doesn’t look like you’ve provided a CA cert for Node to verify offered client certificates against.
I want to use HTTPS as a secure protocol between JavaScript code running in a browser, hosted on HTML pages (on the same HTTPS server).
I use the Let’s Encrypt certificate in Node, which is why I do not see why the certificate is not validated by Node…
Yes, that is the point: I do not want a client certificate, because the server certificate delivered by Let’s Encrypt should be valid.
I removed rejectUnauthorized and requestCert from the options on the server side (Node app), and I got the same problem (a request to use a client certificate).
How do I avoid this request for a client certificate?
Nicolas
Removing requestCert and restarting your Node process should be sufficient. If not, then something else is going on, but the sample of code you’ve posted is missing it.
Make sure you are passing the full certificate chain to Node, not just the leaf certificate. Otherwise some non-browser clients like curl may fail to validate the certificate.
Your server is currently not sending the CA bundle (full chain), just the leaf.
The minimum successful usage is usually like this: