Using 'http in' node with https


Colin Law

Feb 11, 2017, 4:29:49 PM
to node...@googlegroups.com
I am trying to use the http in node to get from an https server with a
self signed certificate, but can't work out exactly what to do. I used
Julian's excellent script [0] (many thanks for that Julian) to create
the stuff for the server and that is working well when I fetch using
the browser (having installed the certificate
my-private-root-ca.crt in the browser). I am having difficulty doing
the same thing using the http in node though.

I have put the url as https and enabled tls, but in the tls config it
wants a certificate, private key and ca certificate, whereas for the
browser I just needed the ca certificate. I tried filling in just the
ca but I just get 'self signed certificate in chain'. The other files
the script makes for the client are chain.pem and server-pubkey.pem
but those don't seem to fit the field names in the tls config.

Can someone point me in the right direction?

Colin

[0] https://github.com/TotallyInformation/SelfSigned-Cert-Creator

Julian Knight

Feb 12, 2017, 10:05:46 AM
to Node-RED
Hmm, OK. So when you serve up HTTPS, you give the server (node.js in this case) the private key of the server's cert and a certificate containing the full chain of authorisation (the server's cert and the ca cert). The private key and cert of the CA MUST be kept secret - forever!

But when you want to consume an HTTPS connection, you don't get the private key. However, you do need the public key and certificate of the CA, otherwise you cannot verify that the server's certificate is valid & you get an error.

Assuming Node-RED isn't doing anything special, you have the choice of turning off CA checks in Node.js by adding an environment variable when calling node.js. "NODE_TLS_REJECT_UNAUTHORIZED" is the variable and you need to set it to 0 (zero). BUT, this turns off CA checks for Node-RED as a whole, which is not ideal.

Node.JS also allows you to pass an optional "ca" attribute to an https.request call, which is really what you want, but I'm pretty sure that Node-RED currently doesn't support that. I think that we should raise an issue and see if we can get that added to the enhancements Q.


Example node.js client request with self-signed CA:

#!/usr/bin/env node
// Client that trusts a private root CA so a self-signed server chain verifies.
var https = require('https')
  , fs = require('fs')
  , path = require('path')
  // Only the CA *certificate* is needed on the client side, never the CA key.
  , ca = fs.readFileSync(path.join(__dirname, 'client', 'my-private-root-ca.crt.pem'))
  ;

var options = {
  host: 'local.ldsconnect.org',
  path: '/',
  ca: ca   // extra trusted root for this request; normal verification stays on
};
// A dedicated agent so the 'ca' option is applied to the TLS connection.
options.agent = new https.Agent(options);

var req = https.request(options, function(res) {
  res.pipe(process.stdout);
});
// Without a handler a TLS or network failure would crash the process.
req.on('error', function(err) {
  console.error('request failed:', err.message);
});
req.end();

Colin Law

Feb 12, 2017, 10:25:50 AM
to node...@googlegroups.com
OK, thanks for that Julian.

In the meantime I have been exploring a different route, that of
getting a certificate from letsencrypt [0] which, looking at various
tutorials, appears to be ridiculously easy and is free. I think that
if I go that route I will not need to do anything special other than
specify https in the node.

I will report progress.

Colin

[0] https://letsencrypt.org/

Julian Knight

Feb 12, 2017, 10:26:46 AM
to Node-RED
I've added an issue to my script repo to remind me to update it at some point with the information below.

Julian Knight

Feb 12, 2017, 10:29:06 AM
to Node-RED
OK, depending on where you run your PHP server, you can also use the free tier of Cloudflare to get a free cert too. All you need to do is make sure that all traffic goes via CF instead of direct - by adjusting your DNS and, optionally, using the local firewall to enforce it. You get lots of other benefits too. That's what I do with my VPS servers that include PHP/WordPress.

Colin Law

Feb 12, 2017, 10:33:23 AM
to node...@googlegroups.com
My server is actually serving Ruby on Rails apps via nginx. Following
this tutorial (more or less) and looking good so far.
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

Cheers

Colin

Colin Law

Feb 12, 2017, 4:59:40 PM
to node...@googlegroups.com
I can confirm that, having set my server up with no problems using a
free certificate from letsencrypt, the http in node happily
fetches data just by specifying https in the url.

I must have a look at how to use such a certificate to protect a
node-red server, when I have a little time.

Colin

Julian Knight

Feb 12, 2017, 7:10:18 PM
to Node-RED
The trick with Let's Encrypt certs is to automate their update since their lifespan is so short. I think they have other restrictions too.

Have a look at my script for generating and using a cert for Node-RED https://github.com/TotallyInformation/SelfSigned-Cert-Creator 
It should point you in the right direction.

Don't forget also that you can use either Cloudflare or a front-end proxy to handle the certificate termination instead of NR itself.

Cor Bosman

Feb 12, 2017, 9:14:36 PM
to Node-RED
I have a dozen or so personal domains running using letsencrypt certs. They normally expire after 3 months, but it's pretty trivial to fully automate the process. I have had this running on autopilot for over a year, never had any issues. As a normal end user you will never run into any restrictions.  It does mean you need to have a server, real or vps, to run this on. 

My company is in the process of moving thousands of domains to letsencrypt, and even that is entirely possible with some planning. 

