Sign in to follow this  
Awoken

SSL certificate warning.

Recommended Posts

I'm trying to get my site running on https, I followed some tutorials on creating certificates and have a functional https server running with node.js.  Thing is when I access my site via localhost on chrome I get a "Not Secure" warning.  Anybody familiar with this.  I don't know how to make it go away, and so far, no idea how to create a certificate that will work.

 

Share this post


Link to post
Share on other sites
A certificate that you create on your own will not be by default trusted by a regular browser. The reason is that, if the browser trusted it, then anyone could create a certificate for any website on their own, and the certificate trust wouldn't be useful.

The easiest way to get a trusted certificate is to use letsencrypt.org. It's free, and it can be automated. The draw-back is that their certificates only last for three months, so you HAVE to automate it if you're running a real site. (But there are node modules to do this.)

Share this post


Link to post
Share on other sites
The draw-back is that their certificates only last for three months, so you HAVE to automate it if you're running a real site. (But there are node modules to do this.)

 

It's quite easy. Certbot, GetSSL, and a few others will run from a Bash shell and can be put as a cron entry to run periodically If you're windows, letsencrypt-win-simple, ACMESharp, Certify, and a few others can be run as a Windows scheduled task.

There are libraries for various languages (including node) if you want them for building your own system, but there is probably no need to build your own.

Share this post


Link to post
Share on other sites

Thanks for the quick reply.  I also just found out that the certificates are only issued to registered domains.  So my thinking is that I can continue on with what I've got, server and client side, and when it comes time to go live, that is when I register a domain and get a certificate.  At that time I'm thinking a user connecting to my site won't run into the same security pop-up as I am now...  Am I understanding this right?  I guess it also costs $20 bucks for you're own certificate.

Edited by Awoken

Share this post


Link to post
Share on other sites

letsencrypt.org is free.  I believe they also allow you to register even if you only have a subdomain.  Go check out their site, they've got documentation for putting it together on several major hosting systems.

Share this post


Link to post
Share on other sites

I believe they also allow you to register even if you only have a subdomain

No certificate authority is going to let you sign a certificate for 'localhost'.

@OP, you should add the certificate to your browser's trust store, and ignore the issue till you deploy to an actual server.

Share this post


Link to post
Share on other sites
Sorry, forgot it was on localhost, I'm not sure why I was thinking it was on some other site that lets you do yourdomain.histing.com.

Share this post


Link to post
Share on other sites
During development, you can edit your etc/hosts file to say that "myhost.mydomain.com" has the address 127.0.0.1.
That way, you will be connecting to the local machine, but using the intended domain.
This works on both UNIX and Windows (Windows has an etc/hosts file somewhere in the Windows directory hierarchy.) Edited by hplus0603

Share this post


Link to post
Share on other sites

alright.  k I think I've got https covered and when this project goes to production if I encounter any problems I'm pretty confident I'll be able to address them then and won't need to do any major overhauls.  Unless someone thinks otherwise???

So.. o.k  right now I have a few html text-fields that a user needs to input their information so that the site can register them.  I'm going to require a username, password and email.  Then I'm going to do the email confirmation thing before they can play the game or participate in the forum/discussion feed.  My plan is to use JavaScript to grab the info in the text-fields, then fire it off to the server via socket.io.  [edit]: I'm thinking of using a closure functions for the purposes of sending socket.io information... thoughts??[/edit] On the server side I'm going to make sure that the characters being used are of a specific type, and then I'm going to use bcrypt with salting before I store their password.  

Then, I'm going to send an email to the user with an instance of a webpage used to verify their email address.  Once they verify their email, they will have to login and at that point I will create an instance of the website containing access to a link which will direct them to the game server.

What are your thoughts on my proposed approach?  what things may I be overlooking??

Edited by Awoken

Share this post


Link to post
Share on other sites

Note that "you must use one special character and one digit and two uppercase characters and ..." rules are just dumb.

The most important rule: Passwords must be 12 characters or longer (I would even go so far as to require 16 characters for an important account!) and must contain at least 4 different characters, and must not contain the username somewhere within them. That's it! Also make sure you support passwords up to 99 characters long.

So, just tell people "your password must be at least 12 characters," and then check the other rules on the server, and if it violates one of those rules, send back status that says "not valid, and here is why." You don't need to list all the rules up front; that just scares people.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this