1

I have changed the protocol on my website to http instead of https.

The following is my code that serves the server.

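```
const fs = require('fs');        // needed for readFileSync below
const https = require('https');

// Private key and certificate presented to every TLS client
const httpsOptions = {
    key : fs.readFileSync('example.key'),
    cert : fs.readFileSync('example.crt')
};

// `app` (the request handler) and `port` are defined elsewhere in the file
https.createServer(httpsOptions, app).listen(port, ()=>{
    console.log('server listening at 3000')
});
```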

But now whenever I try to enter my locally run site https://localhost:3000, it shows a security warning that the website is not safe anymore.

So I went to google docs https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn to see how to remove the sign and it says 'create the entire website as https' but what I don't understand is all my sites are already https. To see all my views https must be used instead of http.

Is the above code not enough to make all the pages https? If it is, what else do I have to do so that I don't frighten my clients by showing warnings when they enter my site?

forJ
  • You don't have certificates that google thinks are safe. It might be that your website is safe, but google cannot check the validity. – Randy Aug 15 '17 at 12:38
  • @Randy how do I resolve that? do I use different hash algorithm? – forJ Aug 15 '17 at 12:39
  • You are missing a trusted certificate, you need to buy one or self sign one https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl – Alexandru Olaru Aug 15 '17 at 12:39
  • @AlexandruOlaru I have the certificate – forJ Aug 15 '17 at 12:40
  • Which CA did you get the certificate from? Or is it self-signed? – Joe Clay Aug 15 '17 at 12:40
  • `openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example.crt -days 3650` This is what I used @JoeClay – forJ Aug 15 '17 at 12:40

1 Answer

4

Your certificates are probably not signed, especially if you created them yourself. You need to send them to get signed by certified SSL certificate distributors. You can check this blog post for more info on certificate issuers.

Let's Encrypt is a free certificate issuer and you can automate the process of renewing them, so you don't have to worry about that part.

Joe Clay
MirzaS
  • oh... so I can't just create one myself? – forJ Aug 15 '17 at 12:42
  • 2
    You can create one, that's not the problem, but self created certificates are not signed, so google doesn't trust them, because you are not on google's whitelist. I'd advise you to use Let's Encrypt since it'll automatically solve your problems – MirzaS Aug 15 '17 at 12:44
  • oh... okay. Thanks I didn't know that – forJ Aug 15 '17 at 12:46
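
The check a browser performs on `example.crt` can be reproduced with openssl. This is an added example, not part of the question or the answer. It generates a certificate the same way as the command in the comments and shows that the chain is rejected against the default trust store and accepted only once the certificate itself is supplied as a trusted root. The function names, the temporary directory, and the `-subj`, `rsa:2048` and `-days 30` values are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Same kind of certificate as the openssl command in the comments, made
# non-interactive with -subj; a smaller key and shorter lifetime keep it quick.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
        -keyout "$workdir/example.key" -out "$workdir/example.crt" \
        -days 30 -subj "/CN=localhost" 2>/dev/null
}

# Self-signed means the certificate names itself as its issuer.
is_self_signed() {
    local subject issuer
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subject" = "$issuer" ]
}

# Succeeds only if openssl can build a chain to a trusted root.
# Extra arguments (such as -CAfile) are passed through to openssl verify.
chain_is_trusted() {
    openssl verify "$@" 2>/dev/null | grep -q ': OK$'
}

make_self_signed
crt="$workdir/example.crt"
is_self_signed "$crt" && echo "issuer == subject: self-signed"
chain_is_trusted "$crt" || echo "default trust store: rejected"
chain_is_trusted -CAfile "$crt" "$crt" && echo "with the cert itself as a trusted root: accepted"
```

For a site served on `localhost`, the equivalent of `-CAfile` is importing the certificate into the trust store of the development machine only; Let's Encrypt does not issue certificates for `localhost`, so it applies once the site has a public domain name.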