Node app (running in Windows)

I’m so close to this working I just need to get a certificate added. I have a Node app that I’ve tested and run locally (using http) but I need to have https access.

Two questions (hopefully someone knows): can Certify The Web request/maintain a certificate for a service that is not hosted in IIS? This service does not redirect properly from IIS.

And does anyone have any idea where I set up the certificate manually if I need to do that? OK, I found that answer: it goes in my server code. So now I just need the certificate.

But I thought of one more question. Does the challenge have to be done on port 80? At the moment I don’t have anything listening on port 80. Another edit… it worked, apparently; I just have to locate the certificate.

I have the certificate in the “store” I believe (I see it listed). I identified the path to the .pfx file. Instructions I have found (I’ll look around more) say I need to provide a path to the private key, the domain_name.crt, the CA_root.crt and to the certificate. Not actually sure where I find those items.

I’m closer but not there yet. Found the files and installed openssl. Trying to extract the key and certificate from the .pfx file but… openssl is prompting for an “import password” and I don’t know what that is.

Is this a password set up/used in CTW? Found an example on this site and they use pass:, which it was happy with, but I still got an error about a digital envelope, which is clearly coming from openssl.

This is the setup for Express server. Does anyone know where I find the CA_root.crt file?

Okay so now I have OpenSSL and trying to extract keys and certificates. I am prompted for the password used when creating the .pfx file. This was generated by CTW so I don’t know if it uses a password I set up in that program or one that I set up in Let’s Encrypt.

It looks to me like CTW has the credentials for Let’s Encrypt stored so I’m guessing that’s the password it used. I tried that password but it didn’t work.

Can I change the password on Let’s Encrypt and match it in CTW to correct it with no ill effects?

Hi Tom,

There are two parts to the problem:

  • acquiring your certificate
  • deploying it to your service (and using it within your service)

It sounds like you are managing to get your certificate OK. HTTP validation on port 80 is the easiest, and the app will temporarily listen on port 80 for you if you have nothing else (other than IIS) using that port. You can also optionally use DNS validation, which involves updating a DNS TXT record each time you renew; that’s best done using a supported API: DNS Validation (dns-01) | Certify The Web Docs

For deployment, it depends on what the target service needs, and in your case you’re probably developing an Express based app in node. Looking at an example like: How to Create an HTTPS NodeJS Web Sevice with Express, you would want to export the certificate as a certificate file and a private key file. You can do this using the Tasks feature: add a Deploy to Generic Server task (even just the same as Deploy To Apache: Deployment Task - Deploy to Apache | Certify The Web Docs ), then run that to export the files you need. I would suggest you use the Full Chain option (and the private key option) to export your certificate file, as this outputs your certificate plus any intermediate CA certificates the server might need.

Your app then needs to load those files and set up the https listener. By default a simple app will be listening for http requests on whatever port you assign the app to; to get https (TLS) to work you need to explicitly be listening for a TLS conversation, as it has a different protocol for how the conversation takes place. So in the above linked example you need to review the Enabling HTTPS Nodejs in Express step (the other stuff like openssl commands etc. is not relevant if you already have your certificate files). It mainly looks like:

const fs = require("fs");
const https = require("https");
const express = require("express");

// Your existing Express app; routes are registered exactly as before.
const app = express();
app.get("/", (req, res) => res.send("hello over https"));

https
  .createServer(
    // Provide the private and public key to the server by reading each
    // file's content with the readFileSync() method.
    {
      key: fs.readFileSync("key.pem"),
      cert: fs.readFileSync("cert.pem"),
    },
    app
  )
  .listen(4000, () => {
    console.log("server is running at port 4000");
  });

The difference here is that specifying the certificate and key turns the server on the given port into a TLS listener, talking https. The specific choice of port number doesn’t really matter, it’s just conventional. Note that you would now need to load the app as https://<yourdomain>:4000, as standard http conversations would no longer work once TLS is enabled.

It’s also important to note that when your certificate renews you may need to restart your service or otherwise tell it to load the latest cert. The simplest way is to use a script task to restart your node server (as your last task under Tasks > Deployment Tasks), otherwise you’d need to signal your application somehow to get it to load the latest certificate files.

Another completely different and common strategy is to reverse proxy your application via a web server (IIS is a good choice). This involves setting up an IIS site which acts as your front end for https requests, and it then forwards the requests to your backend app via http (e.g. http://localhost:4000). You would then just use Certify to renew the cert against IIS (which it knows how to do by default, using the hostname specified in your website bindings).

Regarding passwords, the default is blank but you can set it under Certificate > Advanced > Signing & Security, then re-request your certificate to rebuild the stored PFX. You probably don’t need this step if you are using a deployment task to export the files you need, as this skips using openssl commands etc entirely.

Thanks. I have several node apps being hosted by IIS but this particular one just wouldn’t work. I suspect it has to do with redirects (the other apps don’t redirect anything). I tried all sorts of CORS things but could never get it working.

So it is now a standalone Express server and it is working. Thanks for the info on how to handle renewals.
