
A Waage Blog

Ruby, Rails, Life

Install Comodo PositiveSSL Certificate with Node.js

with 5 comments

So today I tried to install the cheap Comodo PositiveSSL certificate on my Node.js / express.js server. Unfortunately, all the documentation and examples of installing an SSL certificate on a Node.js server only mention two options in the createServer() method (see my full example here):

var https = require('https');
var fs = require("fs");

var https_options = {
  key: fs.readFileSync("/path/to/server.key"),
  cert: fs.readFileSync("/path/to/mydomain.crt")
};
var https_server = https.createServer(https_options);

However, with the PositiveSSL certificate, Comodo will actually send you 3 files:
1) PositiveSSLCA2.crt
2) AddTrustExternalCARoot.crt
3) mydomain.crt

This is quite confusing for someone who doesn’t really understand (or want to understand) all the details of how an SSL certificate works. Which one do I use for the cert: option??

Naturally, I started with the mydomain.crt file. This led to a cryptic web browser error message:
“this certificate was signed by an unknown authority”

So, a bit of googling found that when installing the PositiveSSL cert on Apache servers, you must use a chain file (mod_ssl option: SSLCertificateChainFile). If you check the Apache mod_ssl documentation you will see that this file is a concatenation of certificate files:

“Such a file is simply the concatenation of the various PEM-encoded CA Certificate files, usually in certificate chain order.”

So, what you have to do is the following:
1) Create a “bundle” file by concatenating the PositiveSSLCA2 and AddTrustExternalCARoot certificates

cat PositiveSSLCA2.crt AddTrustExternalCARoot.crt > mydomain.ca-bundle

2) Add this bundle as the “ca” option when creating your Node.js server:

var https = require('https');
var fs = require("fs");

var https_options = {
  ca: fs.readFileSync("/path/to/mydomain.ca-bundle"),
  key: fs.readFileSync("/path/to/server.key"),
  cert: fs.readFileSync("/path/to/mydomain.crt")
};
var https_server = https.createServer(https_options);

This should properly set up the CA chain so that browsers can verify the SSL certificate.

Written by Andrew Waage

March 4th, 2012 at 5:42 pm

5 Responses to 'Install Comodo PositiveSSL Certificate with Node.js'


  1. The article is great, thanks :) I will buy a Comodo certificate for my website on Monday :) Hope it does the job for 9$

    mitko

    24 Mar 12 at 8:25 pm

  2. Thank you so much! We got three files from GoDaddy and were similarly confused.

    Domenic Denicola

    23 May 12 at 1:20 pm

  3. Hi Andrew – unfortunately this article is a little misleading with the latest versions of NodeJS – you have to specify the certificate files separately. For details have a look at my post on the subject:
    http://www.benjiegillam.com/2012/06/node-dot-js-ssl-certificate-chain/

    Benjie

    28 Jun 12 at 3:06 am

  4. Thanks for this post and to Benjie as this cleared up my bundle-problem.

    Simplest solution for me was to use this CA-config instead of bundle/de-bundle:

    ca: [
      fs.readFileSync("/path/to/PositiveSSLCA2.crt"),
      fs.readFileSync("/path/to/AddTrustExternalCARoot.crt")
    ]

    terjeto

    28 Aug 13 at 4:17 am

  5. A common misconception about SSL certs is that you need to include the root certificate in your chain file. This isn’t actually the case and in most cases it just adds more bloat and (slightly) slows down performance of SSL connections. I learned this from one of the core Chrome developers when trying to get a site on their internal HSTS list.

    I’ll admit that I’m not positive if this applies to Node servers but it’s definitely worth a try. Most servers have most root certificates preinstalled and I believe that browsers use their own built-in root certificates and only need to see your domain’s certificate plus the intermediate certs.

    I know this is the case when serving up sites on Nginx and Apache and I don’t see why it’d be different with Node.js. I usually proxy requests to my Node apps through Nginx but next time I’ll try to use Node directly and see if it works.

    Bill

    1 Jan 15 at 1:09 pm
