npm http-server with SSL

Question

I'm using the npm package "http-server" (https://www.npmjs.com/package/http-server) to set up a simple webserver, but I cannot get it to use SSL. My command in package.json is

http-server -p 8000 -o -S

with a cert.pem and key.pem in my root directory (for now). The "-o" option opens a browser to the default page, but the page is served using HTTP and not even accessible through HTTPS. I don't get any errors or warnings. I've also tried adding the "-C" and "-K" options without luck. Has any one had any success with this package?

@RabbiShukiGur sorry I don't own the resource. But thanks to https://web.archive.org [It's still available](https://web.archive.org/web/20190114150423/https://docs.nodejitsu.com/articles/HTTP/servers/how-to-create-a-HTTPS-server/) — Abhijeet, May 02 '19 at 07:24

score 221 · Answer 1 · edited Aug 02 '19 at 14:15

221

First, make sure that you have key.pem and cert.pem files. You can generate them using this command:

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

You will be prompted with a few questions after entering the command. Use 127.0.0.1 as value for "Common name" if you want to be able to install the certificate in your OS's root certificate store or browser so that it is trusted.

This generates a cert-key pair and it will be valid for roughly 10 years (3650 days to be exact).

Then you need to run the server with -S for enabling SSL and -C for your certificate file:

$ http-server -S -C cert.pem -o
Starting up http-server, serving ./ through https
Available on:
  https:127.0.0.1:8080
  https:192.168.1.101:8080
  https:192.168.1.104:8080
Hit CTRL-C to stop the server

edited Aug 02 '19 at 14:15

delucasvb

5,393
4
25
35

answered Feb 05 '16 at 18:37

slomek

4,873
3
17
16

1

It appears my package just needed an update. After trying everything, I saw I was running an old version... – delucasvb Feb 08 '16 at 07:33
1

How can I get this to use the same key and pem files from my local machine regardless of which app or sample code I'm running? – Costa Michailidis Jan 25 '17 at 23:04
3

BTW if you ever need a certificate from a CA I recommend using https://letsencrypt.org/. It solved our issues here. Cheers! – pinkfloyd Aug 23 '17 at 21:02
Suggesting for anyone who cannot get a recent version of Chrome on OSX to work....... version 65 works with this answer: https://stackoverflow.com/a/44058453/3997521 – petrosmm Apr 21 '18 at 22:58
3

With Chrome 66 I have to enable Allow invalid certificates for resources loaded from localhost in chrome://flags as it says its untrusted – Neil Apr 30 '18 at 19:25
Solution is great thanks! @slomek do you know if there is an option to serve SPA? It doesn't work for me. – Adam Orłowski Nov 07 '20 at 17:26
`-new` can also be omitted if `-newkey` is used. – zmeeagain Dec 18 '20 at 09:14
1

When trying to run http-server I get: Error: Could not find private key key.pem however the key.pem is sitting in the same folder as the cert.pem – K-Dawg Sep 17 '21 at 12:40
What if I want to use my keys file? – VityaSchel Oct 23 '21 at 14:41
2

@K-Dawg - you will need to pass another option -K certs/key.pem – Roshan Khandelwal Jan 28 '22 at 14:37
Is it not a problem that the private key is now hosted on the server and can be downloaded by anyone? – cyclingLinguist May 11 '22 at 00:03

score 53 · Answer 2 · edited May 20 '20 at 05:37

53

I installed mkcert:

brew install mkcert
brew install nss # if you use Firefox

mkcert -install

Then, in your project directory:

mkcert 0.0.0.0 localhost 127.0.0.1 ::1

Finally, I renamed generated files:

0.0.0.0+3-key.pem -> key.pem
0.0.0.0+3.pem -> cert.pem

And ran the following command:

http-server -S -C cert.pem -o

Then I got:

enter image description here

I referenced this blog: https://qiita.com/walkers/items/b90a97a99bbb27f6550f (written in Japanese)

edited May 20 '20 at 05:37

Jeremy Caney

7,102
69
48
77

answered May 20 '20 at 05:09

yummy_raspberry

681
5
6

2

I was having trouble with the top voted solution but this worked great! – chipit24 Dec 22 '20 at 20:46
1

renaming the file to key.pem and cert.pem fixed my issue – NIKHIL C M Feb 02 '21 at 11:51

score 2 · Accepted Answer · answered Feb 08 '16 at 07:34

2

Just for future reference, my problem was solved by updating the package to the latest version in package.json. I copy-pasted an old example file without updating the version numbers.

answered Feb 08 '16 at 07:34

delucasvb

5,393
4
25
35

Tronic · Answer 4 · 2021-12-26T19:23:48.897

EDIT: Since writing this answer there is a new tool mkcert that does this for you. See https://stackoverflow.com/a/61905546/9540493 instead. My original answer below for historical interest.

Firefox didn't accept self-signed certs, so a bit more effort was required. First create a CA:

openssl req -batch -new -newkey ec:(openssl ecparam -name prime256v1|psub) -nodes -keyout ca-key.pem -x509 -out ca.pem -days 3650 -subj "/CN=A localhost CA"

Add ca.pem (A localhost CA) to trusted certs of your OS and/or Firefox (other browsers use system CAs). Keep the ca* files in a secure location for future use, so you never have to do this again.

Then, for any site that you are running, and whenever you wish to change settings, create cert.pem and key.pem with:

openssl req -batch -new -newkey ec:(openssl ecparam -name prime256v1|psub) -nodes -keyout key.pem -subj /CN=localhost | openssl x509 -req -CAkey ca-key.pem -CA ca.pem -CAcreateserial -out cert.pem -days 365 -extfile (echo subjectAltName=DNS:localhost|psub)

The above should work on most systems. If not, you might want to create temporary files ecparam.tmp and ext.tmp. Commands functionally equivalent to the two oneliners:

# Output Elliptic Curve parameters to a temporary file
openssl ecparam -name prime256v1 -out ecparam.tmp

# Create CA
openssl req -batch -new -newkey ec:ecparam.tmp -nodes -keyout ca-key.pem \
  -x509 -out ca.pem -days 3650 -subj "/CN=A localhost CA"

# Create a CSR for localhost, then sign it by CA
echo subjectAltName=DNS:localhost > ext.tmp
openssl req -batch -new -newkey ec:ecparam.tmp -nodes -keyout key.pem \
  -subj /CN=localhost | openssl x509 -req -CAkey ca-key.pem -CA ca.pem \
  -CAcreateserial -out cert.pem -days 365 -extfile ext.tmp

When I run the first command I get an error. `openssl req -batch -new -newkey ec:<(openssl ecparam -name prime256v1) -nodes -keyout ca-key.pem -x509 -out ca.pem -days 3650 -subj "/CN=A localhost CA"` `req: Unrecognized flag ---BEGIN EC PARAMETERS----- req: Use -help for summary. ` — Kelly, Jan 13 '20 at 22:30
Code updated with psub which should be better compatible with various shells. — Tronic, Mar 23 '20 at 14:20
`NET::ERR_CERT_COMMON_NAME_INVALID` chrome 81 not accepting this cert — Tushar Kolhe, Jul 18 '20 at 14:47
Are you accessing by "localhost", rather than by IP address? For IP or other addresses to work, you'll need to add more lines to ext.tmp, like `subjectAltName=IP:127.0.0.1`. The use of extfile can be entirely avoided with latest OpenSSL versions by using the `-addext` argument https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line — Tronic, Jul 19 '20 at 15:49

npm http-server with SSL

4 Answers4

Linked