Here is my server side:

```javascript
var fs = require('fs');

var options = {
    key: fs.readFileSync('/cert.key'),
    cert: fs.readFileSync('/cert.crt')
};

var app = require('express')();
var http = require('https').Server(options, app);
var io = require('socket.io')(http);
var port = 1234;

app.get('/', function(req, res){
  res.sendFile(__dirname + '/../subdomains/labs/socketio.html');
});

io.on('connection', function(socket){
  socket.on('chat message', function(msg){
    io.emit('chat message', msg);
  });
});

http.listen(port, function(){
    console.log("\n\n--------------------------------");
    console.log('Currently Listening on port %d',port);
    console.log("--------------------------------\n\n");
});
```

And my client side:

```html
<script src="https://cdn.socket.io/socket.io-1.2.0.js"></script>
<script src="https://code.jquery.com/jquery-1.11.1.js"></script>
<script>
    var socket = io('https://labs.domain.com:1234');
    $('form').submit(function(){
        socket.emit('chat message', $('#chat-message').val());
        $('#chat-message').val('');
        return false;
    });
    socket.on('chat message', function(msg){
        $('#messages').append($('<li>').text(msg));
    });
</script>
```

All works fine in Internet Explorer (agh!), but when using it in Chrome it dies:

```
GET https://labs.domain.com:1234/socket.io/?EIO=3&transport=polling&t=1463123926844-3 net::ERR_INSECURE_RESPONSE
```

It works fine in both browsers if I remove the HTTPS aspect of it.

It's quite frustrating as it seems to be an issue with Chrome only, which is the browser I use the most. How can I fix this?

Chud37
  • Does [this](http://stackoverflow.com/a/25075349) help? – robertklep May 13 '16 at 07:37
  • Read this: [Failed to load resource: net::ERR_INSECURE_RESPONSE](http://stackoverflow.com/questions/23688565/failed-to-load-resource-neterr-insecure-response). – jfriend00 May 13 '16 at 07:46
  • @robertklep: no, because I can't get the question when I do the new tab bit. It just says 'proceed anyway' and then I get the same page. But even so, I need to be able to use NodeJS over SSL without my users going through a bunch of nonsense. – Chud37 May 13 '16 at 07:56
  • @Chud37 are you using self-signed certificates? If so, perhaps you should consider upgrading to [proper certificates](https://letsencrypt.org/), because I can tell you from experience that self-signed certs combined with `socket.io` will also cause issues on mobile devices. – robertklep May 13 '16 at 08:08
  • I suppose they must be. We bought the SSL certs from the same hosting provider that we host all our domains with. And I guess they signed them themselves. – Chud37 May 13 '16 at 08:49
  • You should use the protocol wss instead of https in your client: `var socket = io('wss://labs.domain.com:1234');` – Joakim Ericsson May 13 '16 at 13:49
  • @JoakimEricsson that was interesting but still I'm getting INSECURE_RESPONSE. It's quite frustrating, I just want to learn a new thing but I can't really go any further unless I can use it over SSL. – Chud37 May 13 '16 at 16:39

1 Answer

I've had issues with Chrome not allowing secure websocket connections if there are any issues with the certificates. I was able to get socket.io working with our app here by using certificates obtained via LetsEncrypt. I'm not saying this is the only way to do it, but here is how our (working) configuration is set up:

1 - Both my teammate and I have dynamic DNS set up to point to each of our development machines (e.g.: mac.example.com)

2 - We each have certificates set up for our domains (e.g. mac.example.com), obtained from LetsEncrypt; the reason for this is that Chrome is super picky about the certs you are using when it sets up WebSockets and there is no way (currently) for a developer or end user to override and accept certs that are less secure/self-signed.

3 - Our code that configures socket.io in our node.js app looks like:

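```javascript
const https = require('https')
const sslOptions = { /* ssl options: cert etc. */ }
const server = https.createServer(sslOptions, myExpressApp) // myExpressApp: the Express app
const io = require('socket.io')(server)
```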

We are using socket.io v1.4.6

It sounds like the issue from your question is that the certs are set up on your server, but Chrome still complains about them. That is probably the culprit, and it sounds like you might not have the sysadmin privileges to change it?

TL;DR Don't use self-signed certs or certs that Chrome might deem "less" secure.

Jonathan Apodaca