24

I used a simple example from these links:

How to create an HTTPS server in Node.js?

How to create an https server? (docs.nodejitsu.com)

but I get an error like

curl: (35) Unknown SSL protocol error in connection to localhost:-9838

Why?

Yan Li

1 Answer

73

I used the wrong way to create the certificate.

This one is wrong:

openssl genrsa -out key.pem
openssl req -new -key key.pem -out csr.pem
openssl x509 -req -days 9999 -in csr.pem -signkey key.pem -out cert.pem

This is the way to create a certificate that can be used:

openssl genrsa -out client-key.pem 2048
openssl req -new -key client-key.pem -out client.csr
openssl x509 -req -in client.csr -signkey client-key.pem -out client-cert.pem
Yan Li
  • 1
    Superb! I was searching for this. But why is that the wrong way? It would be great if you could explain – Prabakaran Raja Jun 30 '16 at 18:09
  • 6
    I am a rookie so I do not know the answer :) – Yan Li Jul 01 '16 at 01:10
  • The important difference for me was the 2048 on the `genrsa` command - without it, the default key was a weak 512 bits. The only reference for that error code that I can find is [Apple source code](http://opensource.apple.com//source/libsecurity_ssl/libsecurity_ssl-36800/lib/SecureTransport.h) where it's an `errSSLPeerInternalError` (but only one away from an `errSSLPeerInsufficientSecurity`). – Xavier Holt Sep 22 '16 at 23:15
  • @YanLi you rock! I've spent one whole night working with the wrong way and troubleshooting my Mac, Chrome and God knows all sorts of issues. Tried your way and it works! Thank you! – Vish Oct 10 '16 at 16:37
  • The `-days 9999` parameter works with the second method too – gabssnake Jan 11 '17 at 12:43
  • Shouldn't the extension of the `-out` file be `.crt`? – progyammer Nov 10 '19 at 13:45
  • @gabssnake On MacOS it shouldn't be longer than 825 days, see https://support.apple.com/en-us/HT210176 – Pani Jan 15 '20 at 10:18