Testing with self-signed certs


James Coglan

May 20, 2013, 11:15:00 AM
to Node list
Hi there,

I have various test suites that use self-signed certs to test HTTPS/TLS stuff. I'm trying to use the 'ca' option of the tls and https clients to make them trust my certs, rather than forgoing validation at all, since I would rather give my projects APIs for adding CAs than for disabling validation.

However when I pass my server certificate in the 'ca' option of an HTTPS request I get this error:

"Error: Hostname/IP doesn't match certificate's altnames"

I followed these steps to generate the certificate: http://www.akadia.com/services/ssh_test_certificate.html

What does this error mean and how do I fix it?

Here are some example scripts that demo the problem:


// server.js

var https = require('https'),
    fs    = require('fs');

var server = https.createServer({
  cert: fs.readFileSync('./server.crt'),
  key:  fs.readFileSync('./server.key')
});

server.on('request', function(request, response) {
  response.writeHead(200, {'Content-Type': 'text/plain'});
  response.end('Hello\n');
});

server.listen(8000);


// client.js

var https = require('https'),
    fs    = require('fs');

var request = https.request({
  method: 'GET',
  host:   'localhost',
  port:   8000,
  path:   '/',
  ca:     [fs.readFileSync('./server.crt')]
});

request.on('error', function(error) {
  console.log('ERROR', error);
});

request.on('response', function(response) {
  console.log(response.statusCode);
});


--
James Coglan
http://jcoglan.com
+44 (0) 7771512510

Forrest L Norvell

May 20, 2013, 11:22:48 AM
to nod...@googlegroups.com
Hey James,

I've never gotten cert stuff to work properly with localhost as the host name. Try generating your certificate for lvh.me (*.lvh.me resolves to 127.0.0.1 -- super handy) and requesting from same, and that should fix it.

F
--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google Groups "nodejs" group.
To post to this group, send email to nod...@googlegroups.com
To unsubscribe from this group, send email to nodejs+un...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en

James Coglan

May 20, 2013, 11:46:32 AM
to Node list
On 20 May 2013 16:22, Forrest L Norvell <for...@newrelic.com> wrote:
> I've never gotten cert stuff to work properly with localhost as the host name. Try generating your certificate for lvh.me (*.lvh.me resolves to 127.0.0.1 -- super handy) and requesting from same, and that should fix it.

Do you know how to specify the hostname when generating the certs?

Forrest L Norvell

May 20, 2013, 12:00:53 PM
to nod...@googlegroups.com
On Monday, May 20, 2013, James Coglan wrote:
Two ways:

1. If you're using the default, interactive process to generate the cert, provide whatever.lvh.me when prompted for the certificate's "common name."
2. If you're passing a complete X.509 subject to the OpenSSL command (--subj), make sure .../CN=whatever.lvh.me is in the subject.

See https://github.com/newrelic/node-newrelic/blob/master/Makefile for an example of generating a CA / cert pair from scratch unattended.

F

Evan

May 21, 2013, 12:30:03 AM
to nod...@googlegroups.com
Whoa! Thanks for the helpful lvh.me idea, Forrest!
I'm now going to set up 'localhost.*.com' on every domain I own to facilitate HTTPS testing :D


James Coglan

May 30, 2013, 6:15:58 AM
to Node list
On 20 May 2013 18:00, Forrest L Norvell <for...@newrelic.com> wrote:
> On Monday, May 20, 2013, James Coglan wrote:
>> On 20 May 2013 16:22, Forrest L Norvell <for...@newrelic.com> wrote:
>>> I've never gotten cert stuff to work properly with localhost as the host name. Try generating your certificate for lvh.me (*.lvh.me resolves to 127.0.0.1 -- super handy) and requesting from same, and that should fix it.
>>
>> Do you know how to specify the hostname when generating the certs?
>
> Two ways:
>
> 1. If you're using the default, interactive process to generate the cert, provide whatever.lvh.me when prompted for the certificate's "common name."
> 2. If you're passing a complete X.509 subject to the OpenSSL command (--subj), make sure .../CN=whatever.lvh.me is in the subject.
>
> See https://github.com/newrelic/node-newrelic/blob/master/Makefile for an example of generating a CA / cert pair from scratch unattended.

I've now generated a self-signed cert for lvh.me and the client has stopped emitting errors. However, it doesn't emit a response either; the script just hangs. What's going on?


// server.js

var https = require('https'),
    fs    = require('fs');

var server = https.createServer({
  cert: fs.readFileSync('./server.crt'),
  key:  fs.readFileSync('./server.key')
});

server.on('request', function(request, response) {
  response.writeHead(200, {'Content-Type': 'text/plain'});
  response.end('Hello\n');
});

server.listen(8000);


// client.js

var https = require('https'),
    fs    = require('fs');

var request = https.request({
  method: 'GET',
  host:   'lvh.me',
  // remaining options and handlers as in the earlier client.js (the archived
  // copy of this message is cut off here); only the host has changed
  port:   8000,
  path:   '/',
  ca:     [fs.readFileSync('./server.crt')]
});

request.on('error', function(error) {
  console.log('ERROR', error);
});

request.on('response', function(response) {
  console.log(response.statusCode);
});

James Coglan

May 30, 2013, 6:36:32 AM
to Node list
On 30 May 2013 12:15, James Coglan <jco...@gmail.com> wrote:
> I've now generated a self-signed cert for lvh.me and the client has stopped emitting errors. However, it doesn't emit a response either; the script just hangs. What's going on?

It turns out the server is not receiving the request, but I'm not sure why. I can make a TLS connection to the server and write a request myself, and it works:

var tls   = require('tls'),
    fs    = require('fs');

var options = {ca: [fs.readFileSync('./server.crt')]};

var connection = tls.connect(8000, 'lvh.me', options, function() {
  console.log('connect');
  connection.write('GET / HTTP/1.1\r\n' +
                   'Host: lvh.me\r\n' +
                   '\r\n');
});

connection.on('error', function(error) {
  console.log('ERROR', error);
});

// Print whatever the server sends back (handler added to complete the
// truncated script; the message says the hand-written request works).
connection.on('data', function(chunk) {
  process.stdout.write(chunk);
});

James Coglan

May 30, 2013, 6:53:40 AM
to Node list
On 30 May 2013 12:36, James Coglan <jco...@gmail.com> wrote:
> On 30 May 2013 12:15, James Coglan <jco...@gmail.com> wrote:
>> I've now generated a self-signed cert for lvh.me and the client has stopped emitting errors. However, it doesn't emit a response either; the script just hangs. What's going on?
>
> It turns out the server is not receiving the request, but I'm not sure why. I can make a TLS connection to the server and write a request myself, and it works:

I've put together a gist if you want to try this out: https://gist.github.com/jcoglan/5677049 