
I have created an ExpressJS-server that provides a route for a get request.

I am using a self-signed certificate to allow https calls. It works perfectly when I perform the request via the major browsers (Chrome, Safari and Firefox). However, when it comes to the real usage case, namely doing a get-request via another nodeJs-script, the server fails to pass the request and I get this error message:

  Error: unable to verify the first certificate
    at TLSSocket.<anonymous> (_tls_wrap.js:1105:38)
    at emitNone (events.js:106:13)
    at TLSSocket.emit (events.js:208:7)
    at TLSSocket._finishInit (_tls_wrap.js:639:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:469:38)

My Express app-configuration:

const express = require("express");

const app = express();

// Body parsers plus a permissive CORS middleware (wildcard origin, GET only).
app.use([
    express.urlencoded({ extended: true }),
    express.json(),
    function (req, res, next) {
        res.header("Access-Control-Allow-Origin", "*");
        res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
        res.header("Access-Control-Allow-Methods", "GET");
        next();
    },
]);

The server is created using the node https package:

const fs = require("fs");
const https = require("https");

// `credits` is a config object holding the paths to the PEM files of the
// self-signed certificate and its private key.
const credentials = {
    key: fs.readFileSync(credits.sslPrivateKey, "utf8"),
    cert: fs.readFileSync(credits.sslCertificate, "utf8")
};
let httpsServer = https.createServer(credentials, app); // .listen(port) not shown

The corresponding packages:

express: "^4.16.3",
node: v8.10.0,
npm: 5.8.0
Taktech
  • Do I understand this correctly that you are using a self-signed certificate, have explicitly accepted this certificate as trusted in the browser (or added appropriate exception) but did nothing like this for your nodejs script? If you are expecting your nodejs script to somehow check with the browser what exceptions were added there and use these too then your expectation is wrong. – Steffen Ullrich May 08 '18 at 06:23
  • possible duplicate of https://stackoverflow.com/q/20433287/3461055 – Arif Khan May 08 '18 at 06:25

1 Answer


When your nodejs script calls your server, it is going to carry out the full TLS check process (as you would hope). This will check the certificates for validity etc. Self-signed certificates are not going to pass this process, just as they won't in your browser. In your browser you need to intervene and explicitly say "Proceed anyway"; you will need to do this with your calling code as well. Check out the documentation of your chosen library for how to do this.

Note: Make sure you do not leave this option on in production. Use some sort of environment variable to configure it, or host your first service and don't disable TLS checks at all.

Elliot Blackburn