
javascript - How to avoid "Site not secure" on an HTTPS configured Express server - Stack Overflow


I'm creating an Express app in which I wanted to use HTTPS. I created a certificate at StartSSL, imported it in my server, and now the connection can be properly established to the server.

But there is something wrong:

Why does this happen? Do I have to add the intermediate certificates, in some way? This certificate is supposed to be already signed, though I may be wrong. This is my configuration part in index.js:

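// Imports this excerpt relies on (not shown in the original snippet)
const fs = require('fs');
const https = require('https');
const express = require('express');
const helmet = require('helmet');
var bodyParser = require('body-parser');

const app = express();

app.use(bodyParser.json()); // support json encoded bodies
app.use(force_https); // force_https: middleware defined elsewhere in index.js (not shown)
app.use(bodyParser.urlencoded({ extended: true })); // support encoded bodies

app.use(helmet());
app.disable('x-powered-by');
// CORS headers: any origin may read responses from this server
app.use(function(req, res, next) {
    res.header("Access-Control-Allow-Origin", "*");
    res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
    next();
});

// Setup HTTPS
const httpsPort = 3443;
const options = {
  key: fs.readFileSync("./key.pem", "utf8"),   // server private key
  cert: fs.readFileSync("./cert.pem", "utf8")  // server (leaf) certificate
};

var secureServer = https.createServer(options, app).listen(httpsPort, () => {
    console.log(">> CentraliZr listening at port "+httpsPort);
});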

My certificate has this content (no problem sharing it; this is just a test app):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3084 (0xc0c)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Seattle, O=getaCert - www.getacert
        Validity
            Not Before: Oct 23 16:54:10 2017 GMT
            Not After : Dec 22 16:54:10 2017 GMT
        Subject: C=ES, ST=Madrid, L=Madrid, O=centralizr, OU=devops, CN=centralizr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Client, SSL Server, S/MIME, Object Signing
            X509v3 Key Usage: 
                Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption

So, two questions:

  1. Why does this error occur?
  2. Is the info I'm sending there, encrypted, at least?

Thank you!

EDIT: This is the error that my navigator throws:

NET::ERR_CERT_AUTHORITY_INVALID

Asked Oct 25, 2017 at 14:55 by Zerok; edited Oct 25, 2017 at 15:05
  • 1 Connecting to https://localhost is not the same as connecting to https://centralizr.. You won't have a cert for localhost. – James Commented Oct 25, 2017 at 15:01
  • Click the /!\ and the browser will tell you what the problem is. – Quentin Commented Oct 25, 2017 at 15:02
  • @James Well yeah, I'm probably not even using a domain for this testing app, but, will the content of the packets be encrypted anyways? If I wanted to use it in prod, registering that same domain and getting the app there, would work? – Zerok Commented Oct 25, 2017 at 15:06
  • Like pointed out localhost does not equal centralizr., now if you're on Windows a quick and dirty solution to make it valid is to alter your hosts file for centralizr. to point to 127.0.0.1. Linux/Mac you should be able to do the same. You might even have a router you can do this on. For development though we have a *.domain cert, we then created a subdomain called local, we had this then point to our internal dev server, and we get nice valid certs during development. – Keith Commented Oct 25, 2017 at 15:14

2 Answers
  1. The subject of the certificate must match the domain you're visiting. That certificate does not seem to be valid for localhost. In fact, it's virtually impossible for a proper CA to issue you a certificate for localhost, since it's impossible for them to verify that domain.
  2. Chrome, and many other browsers, stopped accepting StartCom certificates as valid.

The only way to get a valid certificate for localhost is to create a self-signed root certificate, install that in all relevant local trust stores, and use that to sign a self-created certificate.
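
An added example (not part of the answers or the asker's code) that runs the checks described in the answer above against certificate fields shaped like Node's `getPeerCertificate()` output: hostname match via `tls.checkServerIdentity`, validity window, and issuer trust. It also flags a missing subjectAltName, which goes slightly beyond the answer. The hostnames, issuer names and the `trustedIssuers` set are constructed placeholders, and comparing issuer names stands in for real chain validation.

```javascript
const tls = require('tls');

// Lists the reasons a browser would reject `cert` when visiting `hostname`.
// `cert` has the shape returned by TLSSocket#getPeerCertificate().
// `trustedIssuers` is a hypothetical stand-in for the local trust store; real
// validation verifies signatures up to a trusted root, not issuer names.
function diagnoseCert(hostname, cert, trustedIssuers, now = new Date()) {
  const problems = [];

  // 1. Name check, using the routine Node's TLS client applies to servers.
  if (tls.checkServerIdentity(hostname, cert)) problems.push('name-mismatch');

  // 2. No subjectAltName: Node falls back to the CN, Chrome 58+ does not.
  if (!cert.subjectaltname) problems.push('no-subject-alt-name');

  // 3. Validity window.
  if (now < new Date(cert.valid_from) || now > new Date(cert.valid_to)) {
    problems.push('outside-validity-window');
  }

  // 4. Issuer not anchored in the trust store (NET::ERR_CERT_AUTHORITY_INVALID).
  if (!trustedIssuers.has(cert.issuer.O)) problems.push('untrusted-issuer');

  return problems;
}

// Constructed sample modelled on the question's certificate (CN only, test CA).
const questionCert = {
  subject: { CN: 'centralizr.example' },
  issuer: { O: 'Example Test CA' },
  valid_from: 'Oct 23 16:54:10 2017 GMT',
  valid_to: 'Dec 22 16:54:10 2017 GMT',
};

// Constructed sample: localhost leaf signed by a locally installed root.
const localCert = {
  subject: { CN: 'localhost' },
  subjectaltname: 'DNS:localhost, IP Address:127.0.0.1',
  issuer: { O: 'Local Dev Root' },
  valid_from: 'Oct 20 00:00:00 2017 GMT',
  valid_to: 'Oct 20 00:00:00 2018 GMT',
};

const localTrust = new Set(['Local Dev Root']); // constructed trust store
const when = new Date('2017-10-25T15:00:00Z'); // fixed clock for repeatability

console.log(diagnoseCert('localhost', questionCert, localTrust, when));
console.log(diagnoseCert('localhost', localCert, localTrust, when));
```
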

This is how I set up my server using HTTP2 and SSL, hope it helps!

const fs = require('fs');
const path = require('path');
const http = require('http');
const https = require('https');
const spdy = require('spdy');
const express = require('express');

// Private key and certificate for the TLS listener
const privateKey  = fs.readFileSync('certs/server.key', 'utf8');
const certificate = fs.readFileSync('certs/server.crt', 'utf8');
const credentials = {key: privateKey, cert: certificate};
const app = express();

// Serve the static build and fall back to index.html for any other route
app.use(express.static(path.join(__dirname, 'build')));
app.get('*', (req, res) => {
    res.sendFile(path.join(__dirname, 'build', 'index.html'));
});

// Plain HTTP on port 80, HTTP/2 over TLS (via spdy) on port 443
const httpServer = http.createServer(app);
const httpsServer = spdy.createServer(credentials, app);

httpServer.listen(80);
httpsServer.listen(443);

console.log('Server started over HTTP2 protocol.');