2

I am massively confused about how to configure SSL on my node server!

What I have done do far is:

-Create a self signed key and certificate on my local machine for testing locally

-Added this code to my express set up

var privateKey = fs.readFileSync('privatekey.pem', 'utf8');
var certificate = fs.readFileSync('certificate.pem', 'utf8');
https.createServer({
    key: privateKey,
    cert: certificate
}, app).listen(port);

This is fine locally (I get browser errors but I understand that's because I self signed and I'm not a trusted authority).

Now I want to deploy with a real certificate so I bought one from RapidSSL. They sent me two keys, in plaintext in the email, both in the format 

-----BEGIN CERTIFICATE-----
blah
-----END CERTIFICATE-----

One is labelled Web server CERTIFICATE, the other INTERMEDIATE CA.

I copied the content of Web server CERTIFICATE to a new file named (for the sake of this question) prodPrivatekey.pem and I moved INTERMEDIATE CA to prodCertificate.pem. Then I replaced the paths in the code above.

First off, could someone please tell me if this course of action is correct? Assume I know almost nothing about the inner workings of SSL certs!

Secondly, if it is, the error I am getting with this setup is Error: error:0906D06C:PEM routines:PEM_read_bio:no start line. The only help I can find is this question Node.js https pem error: routines:PEM_read_bio:no start line but the help here seems to relate to self signed certificates.

Thank you for any help!

Community
  • 1
  • 1
Jonathon Blok
  • 749
  • 4
  • 14

1 Answers1

3
var privateKey = fs.readFileSync('privatekey.pem', 'utf8');

privateKey should be your private key. You would not have given this to or received this from RapidSSL.

var certificate = fs.readFileSync('certificate.pem', 'utf8');

certificate should be one RapidSSL has labeled Web server CERTIFICATE

That leaves INTERMEDIATE CA. This is an intermediate certificate (between your and RapidSSL's root certificate). You would need to include it in your app otherwise certain browsers such as those on Android will see an error indicating "untrusted certificate" or something of that nature.

To include it in your config, you would do something like this:

var intermediateCertificate = fs.readFileSync('intermediate.pem', 'utf8');
https.createServer({
    key: privateKey,
    cert: certificate,
    ca: [ intermediateCertificate ]
}, app).listen(port);

Once this works and if your site is public, test your site's SSL configuration using an online scanner such as SSL Labs Server Test to see if your SSL config is secure (score A or A+). Depending on the version of node you're running, the defaults may not be secure enough.

Anand Bhat
  • 5,591
  • 26
  • 30
  • 1
    Thanks so much for your help!! You got me out of a sticky hole - and now I understand SSL a bit better! For those in the same situation, I also had to get RapidSSL to reissue the certificate (see here - https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO5757) and supply them with my CSR (created by running this command `openssl req -newkey rsa:2048 -nodes -keyout ssl/prod/domain.key -out ssl/prod/domain.csr`). Then in my express config I used the private key created in that last command (`domain.key`) and the reissued certificate – Jonathon Blok Sep 21 '16 at 12:23