1

I'm setting up a Web API based on NodeJS and want to support HTTPS. Where can I get a valid SSL certificate?

I have a Windows VM running on a given IP address that is hosting a NodeJS API on a specific port. Everything works fine via HTTP but when I change it to HTTPS I get this error: ERR_CERT_COMMON_NAME_INVALID

https://i.ibb.co/cxvmZBf/Capture.png (Sorry, not enough reputation points)

I've tried many approaches including using a valid certificate associated with a sub-domain and redirecting it to the VM's address. Also, I've created a DNS Type A, and configured the given IP address. Then, with Let's Encrypt Certbot I've tried to generate a valid non-signed certificate but I've reached inconclusive errors due to incompatible IP settings.

Is it possible to buy a certificate for the given IP? If so, where? What other approaches can I try?

Bruno Guedes

2 Answers

0

As we can see in the browser error, currently your application does not have any server certificate configured in it.

To get a certificate you can generate a CSR using a tool like the openssl CLI or an online tool, send it to a well-known CA and use the signed certificate as your server certificate for the NodeJS API.

It's described in the NodeJS documentation how to configure the server certificates (.pem files):

// curl -k https://localhost:8000/
const https = require('https');
const fs = require('fs');

const options = {
  key: fs.readFileSync('test/fixtures/keys/agent2-key.pem'),
  cert: fs.readFileSync('test/fixtures/keys/agent2-cert.pem')
};

https.createServer(options, (req, res) => {
  res.writeHead(200);
  res.end('hello world\n');
}).listen(8000);
Filipe dos Santos
  • Thanks for the response. If you look at the image, you can see that I'm already using HTTPS with an untrusted certificate. The problem is that I'm not able to generate or buy the certificate for this kind of application for the IP address nor the DNS type A. – Bruno Guedes Dec 21 '18 at 13:29
  • Even though it's not common, you can provide the IP in the SAN attribute of the certificate. It should work. You can provide URIs, DNS, IP addresses and others in the SAN attribute. – Filipe dos Santos Dec 21 '18 at 13:31
  • Not me but someone else did. I've requested one from DigiCert today. – Bruno Guedes Dec 21 '18 at 23:07
0

You may use this tool to generate a self-signed certificate and include it in your application. Or else you can copy the command and generate certificates on your own using the openssl CLI.

A sample command to generate your own certificate with X.509 standard is:

openssl req -new -newkey rsa:2048 -x509 -nodes -keyout key.pem -out certificate.pem -sha256 -days 750 -subj "/C=IN/ST=/L=/O=TCS/OU=CTO/CN=YOURDOMAIN" -config <(
cat <<-EOF
[req]
default_bits = 2048
default_md = sha256
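# With -x509 the certificate takes its extensions from x509_extensions;
# req_extensions only applies when a CSR is written.
x509_extensions = req_ext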
distinguished_name = dn
[ dn ]
[ req_ext ]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ALTERNATEDNS1
DNS.2 = ALTERNATEDNS2
EOF
)

You may also go for a verified certificate issued by one of the different Certificate Authorities (CA). For more info click here

  • This is the error I get after using a certificate generated by the suggested tool: https://i.ibb.co/fCfQGqq/Capture.png – Bruno Guedes Dec 21 '18 at 14:05
  • Check this answer, this may be because you are using Windows: https://stackoverflow.com/a/20837236/4049649. But I'll still suggest using the openssl CLI instead of the web tool; you may refer to the command generated by https://certificatetools.com/ – Harsh Vishwakarma Dec 24 '18 at 08:22
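An added example, not part of the original thread or of either answer: it runs Node's built-in `tls.checkServerIdentity` over certificate fields to show which names a certificate covers, illustrating the comment about putting the IP in the SAN and the `[alt_names]` section of the openssl command. The address `203.0.113.10`, the name `api.example.test` and the four certificate objects are constructed sample values.

```javascript
const tls = require('tls');
const { X509Certificate } = require('crypto');

// Constructed sample values (not from the thread).
const VM_IP = '203.0.113.10';
const VM_NAME = 'api.example.test';

// Certificate fields in the shape socket.getPeerCertificate() returns.
const SAMPLES = {
  cnOnlyIp: { subject: { CN: VM_IP } },                                   // IP only in CN, no SAN
  dnsOnly: { subject: { CN: VM_NAME }, subjectaltname: `DNS:${VM_NAME}` },
  ipAsDns: { subject: { CN: VM_NAME }, subjectaltname: `DNS:${VM_IP}` },  // IP written as a DNS entry
  dnsAndIp: {
    subject: { CN: VM_NAME },
    subjectaltname: `DNS:${VM_NAME}, IP Address:${VM_IP}`,
  },
};

// For a real certificate file: convert the PEM text to the same object shape.
function certFromPem(pem) {
  return new X509Certificate(pem).toLegacyObject();
}

// One result per address the clients will use: { host, ok, reason }.
function coverage(cert, hosts) {
  return hosts.map((host) => {
    // Returns undefined when the name matches, an Error otherwise.
    const err = tls.checkServerIdentity(host, cert);
    return { host, ok: err === undefined, reason: err ? err.message : null };
  });
}

// Print a small report for the constructed samples.
for (const [label, cert] of Object.entries(SAMPLES)) {
  for (const r of coverage(cert, [VM_IP, VM_NAME])) {
    console.log(`${label.padEnd(9)} ${r.host.padEnd(17)} ${r.ok ? 'covered' : r.reason}`);
  }
}
```

Only the `dnsAndIp` sample covers both ways of reaching the server; an IP address is matched against `IP Address` SAN entries only, so it must be listed as `IP.1 = ...` rather than `DNS.1 = ...` in `[alt_names]`.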