I need to run a local Express server over the HTTPS protocol. I used instructions from this site and similar ones. But when I tried to open the page in the browser, I got a "Your connection is not private" error. When I opened the Security tab in Developer Tools, I saw a "This site is missing a valid, trusted certificate (net::ERR_CERT_INVALID)" error. When I tried to send a request via Postman, my server didn't respond, and the curl request returns:

```
curl: (60) SSL certificate problem: unable to get local issuer certificate
```

Here is the server code:

```js
const app = require('express')();
const fs = require('fs');
const https = require('https');

// Private key and certificate generated with the openssl command below
const options = {
  key: fs.readFileSync('./key.pem'),
  cert: fs.readFileSync('./cert.pem')
};

app.get('/', (req, res) => {
  res.send('hello world');
});

// Serve the Express app over TLS on the loopback interface only
https
  .createServer(options, app)
  .listen(3000, '127.0.0.1', () => {
    console.log('Run on: https://127.0.0.1:3000');
  });
```

I've created the certificates with the following command:

```
$ openssl req -nodes -sha256 -new -x509 -keyout key.pem -out cert.pem -days 365 -config req.cnf
```

where the req.cnf file has the following content:

```
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = 127.0.0.1:3000
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = IP:127.0.0.1:3000
```

I tried to use port 443 as well, but, unfortunately, I got the same errors. Also, I tried to open the page https://127.0.0.1:3000 in Incognito mode. Nothing changed; the errors are the same.

My questions are:

  1. Where am I wrong with creating certificates?
  2. Why can't I send a request to my server via Postman/curl?

Vitalii

1 Answer

What you created is a self-signed certificate. By default, no networking application will accept them, as they cannot verify them, so they assume the worst (MITM attack).

If you only need this for local checking, then you can follow this: Getting Chrome to accept self-signed localhost certificate

The Postman error is probably the equivalent error for Chrome apps.

Shachar
  • As I understood, I need to add a line `subjectAltName = DNS:*.example.com` under `[ v3_ca ]` (from the link in your answer)? But I did this. I just used an IP and port instead of DNS. Unfortunately, it didn't help me. – Vitalii Apr 07 '19 at 09:22
  • @vitalii I just saw that the link pointed to one of the answers in the post by mistake (fixed). I was referring to the first (highest-voted) answer (changing the Chrome `#allow-insecure-localhost` flag); I had success with it in the past with local tests. – Shachar Apr 07 '19 at 11:09
  • Thank you. But if I follow this recommendation, I will fix my issue only for the browser. What about Postman/curl (curl is very important!)? I mean, if I don't have a browser or any UI (in my case on a Debian server), how can I resolve the problem? Is it possible? – Vitalii Apr 07 '19 at 13:17
  • @vitalii Postman runs in Chrome and should respect the same setting. curl has its own setting, `-k`, for allowing self-signed certificates. There's nothing you can do to the actual certificate (short of buying a real one) that will allow its usage as-is. – Shachar Apr 07 '19 at 15:11
  • I think I understood this point, and at the moment all is clear. Thanks again for your answers! – Vitalii Apr 08 '19 at 17:25
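
The question's first point (what is wrong in the certificate config) can be checked mechanically: in an OpenSSL `[alt_names]` section the key carries the type (`DNS.n`, `IP.n`), the value is a bare name or address, and a port is never part of a certificate name. The linter below is an added example, not code from the question or the answer; `parseCnf`, `lintNames` and both sample configs are constructed for illustration.

```javascript
const net = require('net');
// Constructed sample: the name-related fields of the question's req.cnf.
const QUESTION_CNF = `
[req_distinguished_name]
CN = 127.0.0.1:3000
[alt_names]
DNS.1 = IP:127.0.0.1:3000
`;
// Constructed sample: address moved to an IP entry, port dropped.
const FIXED_CNF = `
[req_distinguished_name]
CN = 127.0.0.1
[alt_names]
IP.1 = 127.0.0.1
DNS.1 = localhost
`;

// Minimal parser for "[section]" and "key = value" lines ('#' starts a comment).
function parseCnf(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trim();
    const sec = line.match(/^\[\s*(\S+?)\s*\]$/);
    const kv = line.match(/^([^=\s]+)\s*=\s*(.*)$/);
    if (sec) current = sections[sec[1]] = {};
    else if (kv && current) current[kv[1]] = kv[2];
  }
  return sections;
}

// Returns findings; an empty array means the CN and SAN entries are well-formed.
function lintNames(text) {
  const cnf = parseCnf(text);
  const findings = [];
  const cn = (cnf.req_distinguished_name || {}).CN || '';
  if (net.isIP(cn) === 0 && /:\d+$/.test(cn)) findings.push('CN: contains a port');
  const san = Object.entries(cnf.alt_names || {});
  if (san.length === 0) findings.push('alt_names: no entries');
  for (const [key, value] of san) {
    const bare = net.isIP(value) !== 0; // true for a plain IPv4/IPv6 literal
    if (/^(IP|DNS):/i.test(value)) findings.push(`${key}: type prefix inside a section entry`);
    else if (/^DNS\./.test(key) && bare) findings.push(`${key}: IP address in a DNS entry, use IP.n`);
    else if (/^IP\./.test(key) && !bare) findings.push(`${key}: not a bare IP address`);
    else if (/^DNS\./.test(key) && /:\d+$/.test(value)) findings.push(`${key}: contains a port`);
  }
  return findings;
}

console.log(lintNames(QUESTION_CNF), lintNames(FIXED_CNF));
```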