"Error: self signed certificate" --> Cannot connect to a localhost TLS server


q2dg2b

Aug 20, 2014, 10:05:54 PM
to nod...@googlegroups.com
Hello friends.

The (simplified) code of my localhost TLS server is:

var tls = require("tls")
var fs = require("fs")
var options = {
    key: fs.readFileSync("PrivKeyServer.pem"),
    cert: fs.readFileSync("CertServer.pem")  //Self-signed with CertCA.pem file, see below
}
var server = tls.createServer(options)
server.on("secureConnection", function(socket){
    console.log("New connection")
})
server.listen(4000)


The (simplified) code of my localhost TLS client (which doesn't need to be certified, but if it is, nothing changes: I've already tested it) is:

var tls = require("tls")
var fs = require("fs")
var options = {
    ca: [ fs.readFileSync("CertCA.pem") ],
    host: "127.0.0.1",
    port: 4000
    //With rejectUnauthorized:false the same error happens
}
var client = tls.connect(options)
client.on("secureConnect", function() {
    console.log("Connected")
})



"PrivKeyServer.pem" has been generated by this command:

openssl genrsa -out PrivKeyServer.pem 1024

The CSR has been generated by this command:

openssl req -new -key PrivKeyServer.pem -out csr.pem

"CertCA.pem" has been generated by these commands (on the same machine, too):

openssl genrsa -out PrivKeyCA.pem 1024
openssl req -x509 -new -key PrivKeyCA.pem -out CertCA.pem

"CertServer.pem" has been generated by this command:

openssl x509 -req -in csr.pem -CA CertCA.pem -CAkey PrivKeyCA.pem -CAcreateserial -out CertServer.pem

I've also tried to generate "CertServer.pem" without "CertCA.pem", as the official documentation says:

openssl x509 -req -in csr.pem -signkey PrivKeyServer.pem -out CertServer.pem

(and changing the value of the "ca" property of the options object in the client, of course), with the same result.


If I try to connect with openssl s_client -connect 127.0.0.1:4000 I get the same error: Verify return code: 18 (self signed certificate), but I can connect to the server.


I've also tried to put something other than "localhost" as the Common Name when creating the CSR. Specifically, I've put the name shown by the hostnamectl command (I'm on Fedora 20), as my machine doesn't have any DNS name. But with no luck.


I'm really, really desperate. Help, please!!!

Thanks!!!

Note: I use the latest Node version, 0.11.10, with OpenSSL 1.0.1e-fips

q2dg2b

Aug 23, 2014, 5:00:57 AM
to nod...@googlegroups.com
Hello friends.
Could you tell me if I'm doing something wrong?? I can't see it, really: none of the docs on the Internet say anything about it.
Could someone reproduce the same steps on his machine (it only takes a minute), please?
I'm very desperate.
Thanks!!

George Snelling

Aug 26, 2014, 12:52:27 AM
to nod...@googlegroups.com
rejectUnauthorized is supposed to toggle this behavior.  Make sure you set it to false in the options, then step through the connection code.  

If you're sure this is just running from a test environment, you might try setting this:  

  process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"

Before running the connection code.  It is a very blunt instrument, and will leave you wide open if set in production, but worth a try for tests.  

I miss Ben.

-g 

q2dg2b

Aug 26, 2014, 10:41:39 AM
to nod...@googlegroups.com
Oooh, thanks for answering!!!

I've tried what you suggest, and well...there are some improvements but not enough: if I write the two possible solutions you mention (the rejectUnauthorized=false option and/or the process.env.NODE_TLS_REJECT_UNAUTHORIZED="0" line -by the way, what is the difference between them??- ) in the client's code (since the only machine that is certified in my environment is the server) I get this message in the client's console...:

authorized: false
DEPTH_ZERO_SELF_SIGNED_CERT


...and nothing else. The client remains running but doesn't do anything. The server detects the "secureConnection" event but doesn't react to socket.on("data"). As always, I haven't found any relevant information on the Internet about this message in this context. <complain>I'm not doing anything so strange!!!</complain>

Well...we are in the path but we haven't arrived yet.
Thanks a lot for your time.




q2dg2b

Aug 29, 2014, 8:57:12 PM
to nod...@googlegroups.com

Well, I've found the solution.
There were two errors:

- The server certificate's Common Name MUST be equal to the name of the machine (the one shown by hostnamectl).
- The "host" property of the options object in the client's code MUST be equal to the name of the server: localhost or 127.0.0.1 doesn't work.

I hope someone will find this information useful.