Node.js/Express.js Chain Certificate Not working

javascript node.js ssl express ssl-certificate

31,094

Solution 1

Does your intermediate certificate file contains multiple certificate blocks?

If that's the case you should split them into different files and read them one by one. You can pass them as an array to the ca parameter.

I've got it working with the code below:

var https = require('https'),
    read = require('fs').readFileSync,
    httpsOptions = {
        key: read('ssl/mycertificate.key', 'utf8'),
        cert: read('ssl/mycertificate.crt', 'utf8'),
        ca: [
            read('ssl/rapidssl_1.pem', 'utf8'),
            read('ssl/rapidssl_2.pem', 'utf8')
        ]
    };

https.createServer(httpsOptions, function (req, res) {
    // ...
});

Solution 2

Handy little snippet if you actually can't modify any SSL-related files on the server - you can split the "ssl chain" file yourself. Spent a little while when tried to get Node and socket.io to work with SSL (was getting net::ERR_INSECURE_RESPONSE error on the client) so thought will share it:

var read = require('fs').readFileSync;
var privateKey = read(MY_KEY_LOCATION, 'utf8');
var certificate = read(MY_CERT_LOCATION, 'utf8');
var chainLines = read(MY_CHAIN_LOCATION, 'utf8').split("\n");
var cert = [];
var ca = [];
chainLines.forEach(function(line) {
  cert.push(line);
  if (line.match(/-END CERTIFICATE-/)) {
    ca.push(cert.join("\n"));
    cert = [];
  }
});
var credentials = {
  "key": privateKey,
  "cert": certificate,
  "ca": ca
};
var httpsServer = https.createServer(credentials, app);
var io = require('socket.io').listen(httpsServer);

31,094

Author by

darksky

C, C++, Linux, x86, Python Low latency systems Also: iOS (Objective-C, Cocoa Touch), Ruby, Ruby on Rails, Django, Flask, JavaScript, Java, Bash.

Updated on September 28, 2021

Comments

darksky over 2 years
I have an SSL server in Express, which is not working on all browsers (unless the user manually trusts the website) since some browsers require the chain certificate (we have our own intermediate certificate). I've put our intermediate and chain certificate in one .crt file. The chain + intermediate certificate is in the INT_CERT_FILE variable. It does not seem to work. I am using http://www.digicert.com/help, as well as running openssl s_client -connect tasker.adnxs.net:443 -showcerts | grep "^ " to check, but it does not seem to be returning the intermediate + chain certificate.

Here's how I'm setting it up:
```
var fs = require("fs");
var https = require("https");
var express = require("express");

var KEY_FILE = fs.readFileSync("path/to/key/file.key");
var CERT_FILE = fs.readFileSync("path/to/crt/file.crt");
var INT_CERT_FILE = fs.readFileSync("path/to/intermediate and chain crt.crt");

var _app_https = express();
var _server_https = null;

_server_https = https.createServer({
    key: KEY_FILE,
    cert: CERT_FILE,
    ca: INT_CERT_FILE
}, _app_https).listen(443);
```
When visiting it on Firefox, Firefox does not recognise its identity and requires it to be manually trusted. How can I fix this issue?

Thanks,