WebSocket TLS certificate setup fun

Question

I'm trying to setup a WebSocket over TLS.

For that end I'm going by the directions on page 81 in the following book.

https://www.amazon.com/WebSocket-Client-Server-Communications-Andrew-Lombardi/dp/1449369278/ref=sr_1_1?keywords=websocket&qid=1581782142&sr=8-1

I setup the server code as they say in the book. All good there, but there is some problem with the certificates.

According to the book I am supposed to take four steps in setting up the certificates

1. Generate a 2048 bit key.
openssl genrsa -des -passout pass:x -out server.pass.key 2048

2. Generate a passphrase free key.
openssl rsa -passin pass:x -in server.pass.key -out server.key

3. Generate csr from the private key.
openssl req -new -key server.key -out server.csr

4. Generate the certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

When I run step 1 I get error

"UI_set_result:result too small .."

For which the fix is here.

He basically says to run the following snipped instead of step 1.

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key

It looks like he is skipping the .pass part. For which step 2 is taken. So I am unsure if I should take that step or not, after the fix.

I run those four steps, then in server.js i have:

var connection={
    ssl:true,
    port:port_number_here,
    ssl_key:'server.key',
    ssl_cert:'server.crt'
    }

//..
var processRequest=function(req,res){
    res.writeHead(200);
    res.end("Hi!\n");
    //console.log('connecting');
    };

var app=null;
app = httpsServ.createServer({
    key: fs.readFileSync(connection.ssl_key),
    cert:fs.readFileSync(connection.ssl_cert)
    },processRequest).listen(connection.port);


var wss = new WebSocketServer({server:app});

var clients=[];
var client_number=0;
wss.on('connection', function(cclient_socket){
    console.log('Estabished Connection with client.');
    }

Then I start the server with:

node server.js

But when I run the client code via Firefox I get error:

Firefox can’t establish a connection to the server at wss://somedomain:someportnumber/.

And in Chromium I get error:

(index):9 WebSocket connection to 'wss://thedomain.org:theportnumber/'    
failed: Error in connection establishment: net::ERR_CERT_AUTHORITY_INVALID

I am unsure how to proceed from here. I would guess I somehow didn't make the certificates correctly but the error doesn't give me much to work with.

Any help would be appreciated.

p.s. I tried implementing the following directions, to no avail.

https://stackoverflow.com/a/41366949/322537

Also, I have a suspicion the Chromium error "ERR_CERT_AUTHORITY_INVALID" is a key thing here. I googled it and found https://www.guildcafe.com/fix-net-err_cert_authority_invalid-error.html it has to do with the certificate authority. which is just me. I'm still stranded though for I don't know how to fix it.

My guess at the connection object the ssl key and ssl cert supposed to be loaded from the file system, with like fs.readFileSynch — Sándor Bakos, Feb 16 '20 at 21:00
from this I see only a secure http server, but I do not see the websocket component, you suppose to bind it to the http server — Sándor Bakos, Feb 16 '20 at 21:08
https://stackoverflow.com/questions/6599470/node-js-socket-io-with-ssl — Sándor Bakos, Feb 16 '20 at 21:10
You can find out if your certificate works or not if you just visit your site with an https request, if you can establish a secure connection the certificate must be fine — Sándor Bakos, Feb 16 '20 at 21:17

O. Jones · Answer 1 · 2020-02-17T11:48:05.637

It looks to me like you use a self-signed server certificate. You have to tell your client -- your Chromium instance--to trust that key before it will use a websocket to connect to the server you are developing. You can sweet-talk your browser into accepting an incorrectly signed https webpage connection, but not a websocket connection.

In Chromium's case you actually need to tell your machine's OS (not the server machine, but rather the machine where you run Chromium). Please look up those instructions for your OS. You're looking up "trust self-signed certificate in Chrome on Ubuntu" or ".. on MacOS" or "...on Windows" or whatever.

Firefox has its own UI for that purpose. You can read about that too. It might be a quicker route to success for you.

Then there's Let's Encrypt, with which you can make a trusted certificate for free. For a tutorial, check this out. https://itnext.io/node-express-letsencrypt-generate-a-free-ssl-certificate-and-run-an-https-server-in-5-minutes-a730fbe528ca

Are we having fun yet? Are we? Are we?

My thinking was to set it up so that any browser can connect without any special setup. Is that not what Websockets offer? Is there anything that offers that? — john-jones, Feb 17 '20 at 12:57
Im already using letsencrypt for the websites certificate. should i refer to the websites certificate in the server.js code? where does the .key fit in in that case? — john-jones, Feb 17 '20 at 12:58
Yes we are having fun. router configuration and certificate setup technicality issues is the reason to be alive. — john-jones, Feb 17 '20 at 13:01

score 0 · Accepted Answer · answered Feb 18 '20 at 14:52

0

The solution was to not create the certificates as the book described but instead simply refer to the ssl certificates that had already been created for the given website.

answered Feb 18 '20 at 14:52

john-jones

7,490
18
53
86

WebSocket TLS certificate setup fun

2 Answers2