Running SSL node.js server with godaddy gd_bundle.crt

Submitted by 混江龙づ霸主 on 2019-11-29 00:23:05

Question


I am having trouble getting my SSL server working with the certificates from GoDaddy.

Using Express: 3.1.0

Below, this works with a key/crt that was generated locally / not signed by GoDaddy (the browser complains, but if you add an exception it works).

var fs = require('fs');
var https = require('https');
var express = require('express');
var app = express();

// self-signed dev key/cert, read as PEM strings
var privateKey  = fs.readFileSync('/var/www/dev/ssl/server.key').toString();
var certificate = fs.readFileSync('/var/www/dev/ssl/server.crt').toString();
var credentials = {key: privateKey, cert: certificate};
var httpsServer = https.createServer(credentials, app);
httpsServer.listen(443);

With GoDaddy I am provided an extra file, gd_bundle.crt, which I believe you implement like this; however, I am getting an error:

var fs = require('fs');
var https = require('https');
var express = require('express');
var app = express();

var privateKey  = fs.readFileSync('/var/www/prod/ssl/mysite.key').toString();
var certificate = fs.readFileSync('/var/www/prod/ssl/mysite.com.crt').toString();
var ca = fs.readFileSync('/var/www/prod/ssl/gd_bundle.crt').toString();   // whole bundle as one string
var credentials = {key: privateKey, cert: certificate, ca: ca};
var httpsServer = https.createServer(credentials, app);
httpsServer.listen(443);

With this configuration I get: Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

Truth be told, I am not creating the keys/certs; our devops guy does... I am not sure how I can troubleshoot whether I am implementing the GoDaddy ones incorrectly, or if there is a way to ensure he set up the key/crt files correctly....

Does anyone see anything blatantly, obviously wrong?


Answer 1:


Node requires each certificate in the CA chain to be passed separately in an array. gd_bundle.crt probably looks like this:

-----BEGIN CERTIFICATE-----
MIIE3jCCA...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEADCCA...
-----END CERTIFICATE-----

Each certificate needs to be put in its own file (i.e. gd1.crt and gd2.crt) and read separately.

var fs = require('fs');
var https = require('https');

https.createServer({
    key: fs.readFileSync('mysite.key'),
    cert: fs.readFileSync('mysite.crt'),   // the option is named cert, not certificate
    ca: [fs.readFileSync('gd1.crt'), fs.readFileSync('gd2.crt')]   // one entry per CA certificate
}).listen(443);



Answer 2:


Ask GoDaddy for your SSL certificate with a SHA-1 signature and break the bundle file into two files, this way...

FROM your gd_bundle.crt

-----BEGIN CERTIFICATE-----
MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMx
RE4+uXR21aITVSzGh6O1mawGhId/dQb8vxRMDsxuxN89txJx9OjxUUAiKEngHUuH
qDTMBqLdElrRhjZkAzVvb3du6/KFUJheqwNTrZEjYx8WnM25sgVjOuH0aBsXBTWV
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mERdEr/VxqHD3VILs9RaRegAhJhldX
RQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5CufReYNnyicsbkqWletNw+vHX/bvZ8
-----END CERTIFICATE-----

TO gd_bundle_01.crt

-----BEGIN CERTIFICATE-----
MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMx
RE4+uXR21aITVSzGh6O1mawGhId/dQb8vxRMDsxuxN89txJx9OjxUUAiKEngHUuH
qDTMBqLdElrRhjZkAzVvb3du6/KFUJheqwNTrZEjYx8WnM25sgVjOuH0aBsXBTWV
-----END CERTIFICATE-----

AND gd_bundle_02.crt

-----BEGIN CERTIFICATE-----
56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mERdEr/VxqHD3VILs9RaRegAhJhldX
RQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5CufReYNnyicsbkqWletNw+vHX/bvZ8
-----END CERTIFICATE-----

then on your server do this

var fs = require('fs'),
    https = require('https');

// one ca entry per certificate from the split bundle, in the order they appeared
var ssl = {
    key: fs.readFileSync('./ssl/server.key', 'utf8'),
    cert: fs.readFileSync('./ssl/server.crt', 'utf8'),
    ca: [fs.readFileSync('./ssl/gd_bundle_01.crt', 'utf8'),
         fs.readFileSync('./ssl/gd_bundle_02.crt', 'utf8')]
};

https.createServer(ssl, function(req, res) {
    //... your code here ...
}).listen(443);



Answer 3:


Recently I had a similar problem with Godaddy's SSL certificates on one of our node.js servers. In my case the problem was with one of our servers validating the SSL using PHP's curl functions.

It turns out I had to choose SHA-1 signature algorithm when submitting the CSR to Godaddy. I guess it is more compatible with older systems.




Answer 4:


Simpler

Why be so specific just for GoDaddy's CA bundle when you can keep the same approach for different environments? I only need two files for the dev env, for example, but production is using GoDaddy certs and has many, so what to do?

For GoDaddy, I take their bundle and append it into a single file, naming the extension .pem (the key file as well), which gives a pretty standard approach for all types of certs.

Then you end up just doing this for all environments:

var fs = require('fs');
var https = require('https');

// config.sslKey, config.sslCert and config.sslPort come from per-environment config;
// cert.pem holds the site certificate followed by the CA bundle
var server = https.createServer({
    key: fs.readFileSync(config.sslKey),
    cert: fs.readFileSync(config.sslCert)
}, app).listen(config.sslPort);

In your GoDaddy cert.pem file you just place your certificate and your bundle files from 1 to x (top to bottom), and you're done, like so:

-----BEGIN CERTIFICATE-----
site certificate goes here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA 1 goes here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA 2 goes here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA X goes here
-----END CERTIFICATE-----

Not necessarily better, but I prefer it. I didn't find on Express 3.x that I had to go the CA array route, but I could be wrong for the specific version.



Source: https://stackoverflow.com/questions/16224064/running-ssl-node-js-server-with-godaddy-gd-bundle-crt
