HTTPS / SSL:
- get / generate SSL certificate (*.key and *.crt files)
- NOTE: to get a "trusted" certificate (for production) that browsers won't issue a warning for, it will cost money (around $50 - $100+ per year)
- add certificates (i.e. to the
appfolder) and then reference those certifications inconfig.jsonsslkey/object - set
server.schemetohttpsinconfig.json
- open port 443
- configure (node) server to use certificates and HTTPS (instead of plain HTTP) and port 443
- [on production] ip tables redirect the 443 as well as port 80
-
startSSL for free (development) certificate
-
generating self-signed certificate (using openSSL)
- https://help.ubuntu.com/10.04/serverguide/certificates-and-security.html
- https://devcenter.heroku.com/articles/ssl-certificate-self
- https://devcenter.heroku.com/articles/ssl-endpoint#acquire-ssl-certificate
- NOTE: can use 'localhost' for Common Name / domain
- full steps copied / combined from above:
which opensslopenssl genrsa -des3 -out ssl.pass.key 2048to generate pass key- when prompted, enter EASY password value as it's just for generating CSR, not the actual password the app will use
openssl rsa -in ssl.pass.key -out ssl.keyto strip password and generate key- if you want to create a UC or wildcard certificate that can be used on multiple servers / with multiple domains, you'll now have to create a config file (e.g.
openssl-csr.cnf) that will set the "Subject Alternate Name" fields. Then in the step below, add a flag to use this config, e.g.openssl req -nodes -new -key ssl.key -out ssl.csr -config openssl-csr.cnf- https://rtcamp.com/wordpress-nginx/tutorials/ssl/multidomain-ssl-subject-alternative-names/
- other references and example config files:
- NOTE: some walkthroughs talk about "exporting", "importing" and focus on "where/what server the CSR was generated from" - this should not matter and makes things seem overly complicated. You're simply using the SAME, ONE certificate on multiple servers. Create ONE CSR from ANYWHERE (locally, production server, development server, etc.) and then put the certificates on all servers (e.g. with GIT version control or the
scpcommand below as normal - no special "export" process is needed).
openssl req -nodes -new -key ssl.key -out ssl.csr- most can be blank / are self-explanatory but make sure to use proper country code
- use your domain name for the 'Common Name' prompt, e.g.
example.comorwww.example.comor*.example.comorlocalhost - leave the 'Challenge Password' blank (just press 'Enter' to skip)
- NOTE: if you want to check your CSR, use
openssl req -in ssl.csr -noout -textto decode it
openssl x509 -req -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt
-
using "official" / verified certificates
- some SSL certs such as with GoDaddy will give you multiple certificate files (i.e. a 'bundle' certificate that actually has multiple certificates in it) - in which case one of these should be the standard certificate and the other(s) should be CA certificates). If you have a bundle certificate, you'll need to break them out into separate CA cert files and use those in node.
- http://stackoverflow.com/questions/16224064/running-ssl-node-js-server-with-godaddy-gd-bundle-crt
- to copy the ssl certs to the server use the
scpcommand (the reason for doing so is that your SSL certs should NOT be in version control!)
-
steps for 3rd party ("official") certificates, i.e. with GoDaddy:
- generate a .csr (locally) [see above]
- this will also generate the .key (and .pass.key) files
- upload CSR to GoDaddy to get .crt and the .ca file(s)
- break the .ca bundle file into individual .ca files [see above]
-
using with node.js / express (already handled for you in MEAN-seed - just update
config.jsonsslfield to point to your certs and be enabled) -
run BOTH http & https (& redirect http to https)
-
places that do (or DID) have 'http' scheme
- ci.js
- Gruntfile.js
- app
- modules
- emailMandrill.js
- src
- index-*-grunt.html
- config-grunt.js
- protractor.conf-grunt
- test
- apiTestHelpers.js
- modules
- docs
- README