Question
I am running a Node.js server and I'm trying to host this server locally and not get any SSL errors.
Here's what I did to create the certificate. I opened up Terminal in Visual Studio Code and typed the following:
$ openssl req -nodes -new -x509 -keyout server.key -out server.cert
This created a .cert and a .key file in my current directory.
Next, in my app.js file, I added this:
    https.createServer({
        key: fs.readFileSync('./server.key'),
        cert: fs.readFileSync('./server.cert')//,
        //passphrase: ''
    }, app)
    .listen(3000);
I then ran the command node app.js in my terminal window to start the Node.js server.
I then visited https://localhost:3000/ and am getting the following - notice "Not secure" - this is what I am trying to get rid of:
At this point, I did some Googling and saw where it might be helpful to export this certificate, and import directly into Chrome. I did this by clicking on the "Not secure" button and clicking on Certificate:
Then, clicking on Details and "Copy to file":
Then, I clicked Next on the next screen and chose DER encoded binary X.509 (.CER):
I clicked Next and gave the exported certificate a name of serverMike.cer:
Then, I clicked Next and Finish:
Export was successful:
Finally, I go to import this exported certificate in Chrome settings and choose "Trusted Root Certification Authorities" as where to place this certificate in:
I then clicked Next and Finish. I closed out of Chrome and opened it back up, visited https://localhost:3000 and receive the same "Not secure" message. Is there something I might be doing wrong?
Answer 1:
Step 0: this is not a programming question
Step 1: if you hadn't apparently suppressed the error, you should have seen that the 'Not secure' error page formerly said NET::ERR_CERT_AUTHORITY_INVALID and now says NET::ERR_CERT_COMMON_NAME_INVALID, and if you click on Advanced it says "This server could not prove that it is [domain]; its security certificate does not specify Subject Alternative Names."
Step 2: see
https://serverfault.com/questions/845766/generating-a-self-signed-cert-with-openssl-that-works-in-chrome-58
https://serverfault.com/questions/880804/can-not-get-rid-of-neterr-cert-common-name-invalid-error-in-chrome-with-self
https://security.stackexchange.com/questions/89319/creating-my-own-ca-for-an-intranet
https://security.stackexchange.com/questions/172440/generate-x509-err-cert-common-name-invalid
https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
https://security.stackexchange.com/questions/113484/followup-to-one-liner-to-create-cert-request-with-san
Chrome accept self-signed localhost certificate
BTW: since this is local, you don't need to export the cert from the browser prior to importing it. If you create the cert from openssl req ... -x509 ... with extension .cer or .crt, or rename or copy it that way, you can just double-click and then import to TrustedRoots. Or for any name you can run MMC and select Certificates, or just directly run certmgr.msc, and import from there.
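The missing Subject Alternative Name that the answer identifies, shown as an added example (not part of the original question or answer): the script generates one certificate with only a CN, as the question's command does, and one with a subjectAltName extension, then checks each for the extension. The config file contents, the 30-day validity, the SAN entries and the file names are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Constructed values: CN/SAN entries,
# 30-day validity, file names under a temp directory.

# gen_cert PREFIX MODE -> writes PREFIX.key and PREFIX.crt
#   MODE=nosan : subject CN only, like the command in the question
#   MODE=san   : same subject plus a subjectAltName extension
gen_cert() {
    prefix=$1; mode=$2
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n'
        if [ "$mode" = san ]; then printf 'x509_extensions = v3\n'; fi
        printf '[dn]\nCN = localhost\n'
        printf '[v3]\nsubjectAltName = @alt\n'
        printf '[alt]\nDNS.1 = localhost\nIP.1 = 127.0.0.1\nIP.2 = ::1\n'
    } > "$prefix.cnf"
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 \
        -config "$prefix.cnf" -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
}

# has_san CERT -> exit 0 if the certificate carries a SAN extension
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# san_entries CERT -> prints the SAN values (empty if none)
san_entries() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

work=$(mktemp -d)
gen_cert "$work/nosan" nosan
gen_cert "$work/server" san
for c in nosan server; do
    if has_san "$work/$c.crt"; then
        echo "$c.crt: SAN = $(san_entries "$work/$c.crt")"
    else
        echo "$c.crt: no SAN; Chrome will not match it to localhost"
    fi
done
echo "files are in $work"
```

Point the key and cert paths in https.createServer at the generated server.key and server.crt, then import server.crt into Trusted Root Certification Authorities as the answer describes.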
Source: https://stackoverflow.com/questions/61125319/node-js-self-signed-certificate-is-still-showing-as-not-trusted-in-my-browser