Hello Guys and Gals,

I can use your help. I'm a n00b when it comes to SSL. This is my first
time getting a CA signed cert issued and coding a node.js instance to use
https/tls.

I have the node https/tls running without any error messages upon
instantiation. I have followed the code here to get some error
messages to be produced from the server when a call comes in with the wrong
authorization.
http://nodejs.org/api/tls.html

I'm using this for my credentials. Network Solutions gave me 4 .crt and I
attempted to cat files < All_AddTrust_DV_2_CA.crt. Unfortunately I do not
know if this is right or wrong, if it needs extra line feeds or whatever.
var secure_options = {
    key: secure_fs.readFileSync('THE_PATH/sample.whataremindsfor.com.key', 'utf8'),
    cert: secure_fs.readFileSync('THE_PATH/SAMPLE.WHATAREMINDSFOR.COM.crt', 'utf8'),
    ca: secure_fs.readFileSync('THE_PATH/All_AddTrust_DV_2_CA.crt', 'utf8')
};



I found a way to attempt to test the SSL CA cert with the following call
from another terminal on the same machine, getting this output below.
I hope someone can help me here.


[2014-11-21 11:11:11.380] [INFO] console - server connected 'unauthorized'
[2014-11-21 11:46:57.673] [INFO] console - server connected 'unauthorized'


openssl s_client -connect 127.0.0.1:46900
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = nsProtect Secure Xpress, CN = sample.whataremindsfor.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = nsProtect Secure Xpress, CN = sample.whataremindsfor.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = nsProtect Secure Xpress, CN = sample.whataremindsfor.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
  0 s:/OU=Domain Control Validated/OU=nsProtect Secure Xpress/CN=sample.whataremindsfor.com
    i:/C=US/ST=VA/L=Herndon/O=Network Solutions L.L.C./CN=Network Solutions DV Server CA 2
---
Server certificate
subject=/OU=Domain Control Validated/OU=nsProtect Secure Xpress/CN=sample.whataremindsfor.com
issuer=/C=US/ST=VA/L=Herndon/O=Network Solutions L.L.C./CN=Network Solutions DV Server CA 2
---
No client certificate CA names sent
---
SSL handshake has read 1711 bytes and written 581 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol : TLSv1.2
     Cipher : AES256-GCM-SHA384
     Session-ID: 6328E390DEBF3DBF9377410DDA07D2F6795E32E0EE4E1FDC9D9C1539CD7AE212
     Session-ID-ctx:
     Master-Key: 16DE4CDDA2167BD8157406E3D95062DF37EE69409961E6A8F549EA0D16939800C9A402ECE052BC2907C57591EA3FC17E
     Key-Arg : None
     Krb5 Principal: None
     PSK identity: None
     PSK identity hint: None
     TLS session ticket lifetime hint: 300 (seconds)
     TLS session ticket:
     Start Time: 1416583205
     Timeout : 300 (sec)
     Verify return code: 21 (unable to verify the first certificate)
---
welcome!

--
Job board: http://jobs.nodejs.org/
New group rules: https://gist.github.com/othiym23/9886289#file-moderation-policy-md
Old group rules: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nodejs+unsubscribe@googlegroups.com.
To post to this group, send email to nodejs@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/568d3c12-e51c-4b69-841e-8c1c881a372a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

  • Rog at Nov 22, 2014 at 10:24 pm
    All,

    I changed the port to 56900.
    openssl s_client -connect sample.whataremindsfor.com:56900
  • Rog at Nov 22, 2014 at 11:47 pm
    Ok. I figured it out.
    There are a few things wrong with the instructions from everyone that I
    have seen give out node examples for public CA-signed certs.

    Again this is for NetworkSolutions as a CA provider. This is as a server
    CA and NOT a client CA. There is no dual-CA authentication, only the
    single side from the server.

    The notes for adding the CA public certs are confusing, because the CA is
    not the CA attribute in the options. It is the cert attribute.

    Symptoms for this are that no matter what you do the same error appears, and
    you can authenticate it if you use your creds as a part of the call:
    openssl s_client -CAfile 4_CRTs_Sample_DVServ_DVUser_AddT.crt -connect sample.whataremindsfor.com:56900



    Step 1: If you have several crts, cat them all together using your
    fully-qualified domain first.
    cat SAMPLE.WHATAREMINDSFOR.COM.crt DV_NetworkSolutionsDVServerCA2.crt DV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > 4_CRTs_Sample_DVServ_DVUser_AddT.crt

    Step 2: Ensure that after you cat the files together the beginning and end
    tags are on a different line
    NO:
    -----BEGIN CERTIFICATE----------END CERTIFICATE-----

    YES:
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----


    Step 3: Don't use the 'ca' attribute for server side CA. Only use the
    'cert' attribute.
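    var secure_fs = require('fs'); // assumed: secure_fs is Node's fs module
    var secure_options = {
        // private key matching the server certificate
        key: secure_fs.readFileSync('PATH/sample.whataremindsfor.com.key', 'utf8'),
        // concatenated file from Step 1, server certificate first
        cert: secure_fs.readFileSync('PATH/4_CRTs_Sample_DVServ_DVUser_AddT.crt', 'utf8'),
    };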



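The concatenation from Steps 1 and 2 in the post above, as an added example that is not part of the original thread: it joins certificate files into one chain string with every BEGIN/END marker on its own line, and reports the lines where plain `cat` fused two markers. The function names are hypothetical and the three PEM bodies are constructed placeholders, not real certificates.

```javascript
// Added example (not from the thread): join PEM certificate files into one
// chain string with every BEGIN/END marker on its own line.
const BLOCK = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;
const MARKER = /-----(BEGIN|END) CERTIFICATE-----/;

// Return each certificate block in `text`, re-wrapped at 64 columns.
// Throws on an unpaired marker or a body that is not base64.
function splitPemCertificates(text) {
  const blocks = [];
  for (const match of text.matchAll(BLOCK)) {
    const body = match[1].replace(/\s+/g, '');
    if (body.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(body)) {
      throw new Error(`certificate ${blocks.length + 1}: malformed body`);
    }
    const lines = body.match(/.{1,64}/g);
    blocks.push(['-----BEGIN CERTIFICATE-----', ...lines, '-----END CERTIFICATE-----'].join('\n'));
  }
  const markers = text.match(new RegExp(MARKER.source, 'g')) || [];
  if (blocks.length === 0 || markers.length !== 2 * blocks.length) {
    throw new Error('unpaired BEGIN/END CERTIFICATE marker');
  }
  return blocks;
}

// 1-based line numbers where a marker shares its line with other text
// (the "NO" case from Step 2).
function fusedMarkerLines(text) {
  const bad = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const alone = new RegExp('^' + MARKER.source + '$').test(line.trim());
    if (MARKER.test(line) && !alone) bad.push(i + 1);
  });
  return bad;
}

// Build the string for the `cert` option; pass the server certificate first.
function buildChainPem(parts) {
  return parts.flatMap((part) => splitPemCertificates(part)).join('\n') + '\n';
}

// Constructed placeholder "files": the first two lack a trailing newline and
// the second uses CRLF line endings.
const leaf = '-----BEGIN CERTIFICATE-----\nTEVBRi1QTEFDRUhPTERFUg==\n-----END CERTIFICATE-----';
const intermediate = '-----BEGIN CERTIFICATE-----\r\nSU5URVJNRURJQVRFLUNB\r\n-----END CERTIFICATE-----';
const root = '-----BEGIN CERTIFICATE-----\nUk9PVC1DQS1QTEFDRUhPTERFUg==\n-----END CERTIFICATE-----\n';

const catOutput = leaf + intermediate + root; // what plain `cat` would write
const chainPem = buildChainPem([leaf, intermediate, root]);
console.log('fused lines in cat output:', fusedMarkerLines(catOutput));
console.log('fused lines after rebuild:', fusedMarkerLines(chainPem));
```
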

Discussion Overview
group: nodejs
categories: nodejs
posted: Nov 22, '14 at 3:19a
active: Nov 22, '14 at 11:47p
posts: 3
users: 1
website: nodejs.org
irc: #node.js
