Problem using lets encrypt certificate with node

zedodo · July 27, 2018, 11:31am

I’m trying to setup a test box on my domain: frametest.eu, Unbuntu 18, Apache2

frametest.eu has no ssl certificate, even no html pages…

main.frametest.eu goes to another physical server, installed with apache using lets encrypt.
Https working perfectly, and pass ssl validations.

I tried to start a node process on this box, and use the lets encrypt certificate in my code.
const options = {
cert: fs.readFileSync("…/certifs/fl_certif_" + fl.s.myMainSrvName.toLowerCase() + “.chain.pem”),
key: fs.readFileSync("…/certifs/fl_certif_" + fl.s.myMainSrvName.toLowerCase() + “.key”),
rejectUnauthorized: false,
requestCert: true,
};
var srv = https.createServer(options, app)
app.listen(3000, () => {
console.log (“server ok”);
});

The certificate is not authorized by node, ie req.client.authorized returns always false.
you can check by calling https://main.frametest.eu:3000/login/getAppList, a client
certificate is requested…
What is wrong with my configuration ?
Thanks
Nicolas

_az · July 27, 2018, 11:38am

What is your end goal? Do you want all visitors to have to offer a client certificate? If so, it doesn’t look like you’ve provided a CA cert for Node to verify offered client certificates against.

zedodo · July 27, 2018, 11:41am

I want to use https as a secure protocol between javascript code running in a browser, hosted on html pages (same on https server)
I use the lets encrypt certificate in node, this is why I do not see why the certificate is not validated by node…

_az · July 27, 2018, 11:44am

I’m still not sure what you mean, but it doesn’t sound like you want client certificates.

In normal HTTPS, only the server authenticates to the client.

Clients certificates are for mutual authentication - where client (browser) additionally authenticates to the server, using its own certificate.

So, all of these things:

are related to client authentication. It doesn’t sound like you want that, so you can safely get rid of them.

zedodo · July 27, 2018, 11:52am

Yes that is the point, I do not want client certificate, because the server certificate delivered by lets encrypt should be valid.

I removed the rejectUnauthorized and the requestCert in the option on the server side (node apps), and I got the same problem (a request to use a client certificate)
How to not have this request to give a client certificate ?
Nicolas

_az · July 27, 2018, 11:58am

Removing requestCert and restarting your Node process should be sufficient. If not, then something else is going on, but the sample of code you’ve posted is missing it.

zedodo · July 27, 2018, 12:03pm

Thanks it works as expected…
Sorry for this basic question…
Regards

_az · July 27, 2018, 12:05pm

Great!

Make sure you are passing the full certificate chain to Node, not just the leaf certificate. Otherwise some non-browser clients like curl may fail to validate the certificate.

Your server is currently not sending the CA bundle (full chain), just the leaf.

The minimum successful usage is usually like this:

const https = require('https')
const fs = require('fs')

const server = https.createServer({
  cert: fs.readFileSync('/etc/letsencrypt/live/example.org/fullchain.pem'),
  key: fs.readFileSync('/etc/letsencrypt/live/example.org/privkey.pem')
})

server.listen(3131, () => {
  console.log('Started')
})

zedodo · July 27, 2018, 12:06pm

Thanks, my xxx.chain.pem file is a link to the full certificate chain
Thanks again
Nicolas

system · August 26, 2018, 10:17pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.