I am using expressjs to create an http/https server.

There was a case wherein the server was not able to fetch the public and private certificate files from a directory.

In that case I create the server using http and send a raw HTML file to the client indicating that there was an issue. But here lies the problem: the user does not know that they need to move to the http URL rather than https to see the HTML file.

So is there a way I can redirect my users to a https URL when they try to access the http URL?

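init.js

    const http = require('http');
    const https = require('https');

    let options;
    let accessError = false;
    let server;

    try {
      // options = get public and private certificate file
    } catch (e) {
      // accessError
      accessError = true;
    }

    if (accessError) {
      // certificates could not be read: fall back to plain HTTP
      server = http.createServer();
    } else {
      server = https.createServer(options, (req, res) => {
        res.writeHead(200);
        res.end('hello world\n');
      });
    }

    server.listen(8080);

app.js

    const path = require('path');
    const express = require('express');
    const app = express();

    // accessError is the flag set in init.js
    app.use((req, res, next) => {
      if (accessError) {
        res.sendFile(path.join(__dirname, 'index.html'));
      } else {
        next();
      }
    });

index.html

    <h1>there was an error</h1>
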
patz
  • Without valid certificates the browser cannot (and will not) trust any data coming from your server, including any indication to move to http. That's what basically certificates are for. – Lyth Nov 14 '17 at 17:27

1 Answer

You can try a 301 Redirect like in the answer to this question.

Whenever somebody tries to access the http variant of a resource, they'll be redirected to the https one.

As a design decision I'd treat the inability to retrieve certificates as a fatal error. I imagine you're reading them at start time. If you can't read them for some reason, you should just terminate the application, and log an exception. You do need to have some monitoring in place to notice that the thing hasn't started and act accordingly when you can't find it. But displaying an error page seems like more trouble than it's worth. You're going to have the application in an up state, but not really. Cause it won't be able to do anything, and you'll need to rely on clients telling you that it doesn't work and there's a https related message etc. Better to fail hard.

Horia Coman
  • I agree with you, it's better to fail hard. But I was wondering how other sites do it, they show some neat HTML when some server fails. Maybe they are redirecting to some other URL site which is up and running. – patz Nov 14 '17 at 17:42
  • It strongly depends on the error. If it's something as critical as this, or as being unable to load some data files which are needed etc. they'll also fail hard and you won't get to see anything because there won't be anything running. If it's a softer error, like not being able to make an API request, they'll just generate an "error page", instead of the regular page. Or if it's an API it will return an error code and the calling page will show an error message. There isn't a one size fits all, but some practices which are good to follow. – Horia Coman Nov 14 '17 at 17:46
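
The two suggestions in the answer above (a 301 redirect from HTTP to HTTPS, and stopping the process when the certificates cannot be read), combined in one added example; this is not code from the original posts. The file paths, ports, the host `example.com` and the `--serve` argument are assumptions.

```javascript
const fs = require('fs');
const http = require('http');
const https = require('https');

// Read the key and certificate at start-up. Read errors are not caught here,
// so a missing or unreadable file reaches the caller, which stops the process.
function loadTlsOptions(keyPath, certPath) {
  return { key: fs.readFileSync(keyPath), cert: fs.readFileSync(certPath) };
}

// Build the Location value for a plain-HTTP request. The host comes from
// configuration, not from the client's Host header, so a forged Host header
// cannot steer the redirect to another site.
function redirectLocation(canonicalHost, httpsPort, requestUrl) {
  // Only origin-form targets ("/path?query") are carried over; anything else
  // (absolute-form, "*") is sent to the site root.
  const path = typeof requestUrl === 'string' && requestUrl.startsWith('/') ? requestUrl : '/';
  const port = httpsPort === 443 ? '' : `:${httpsPort}`;
  return `https://${canonicalHost}${port}${path}`;
}

function start({ keyPath, certPath, canonicalHost, httpPort, httpsPort }) {
  let tlsOptions;
  try {
    tlsOptions = loadTlsOptions(keyPath, certPath);
  } catch (err) {
    console.error(`cannot load TLS key/certificate: ${err.message}`);
    process.exit(1); // fail hard: no HTTP fallback, monitoring sees the process is down
  }
  https.createServer(tlsOptions, (req, res) => {
    res.writeHead(200);
    res.end('hello world\n');
  }).listen(httpsPort);
  // The HTTP listener serves no content; it only answers with a 301 to HTTPS.
  http.createServer((req, res) => {
    res.writeHead(301, { Location: redirectLocation(canonicalHost, httpsPort, req.url) });
    res.end();
  }).listen(httpPort);
}

// Constructed sample configuration; "--serve" is a hypothetical argument for this example.
if (process.argv.includes('--serve')) {
  start({ keyPath: './key.pem', certPath: './cert.pem',
          canonicalHost: 'example.com', httpPort: 8080, httpsPort: 8443 });
}
```

The redirect only helps when the HTTPS listener is up with a valid certificate; as the first comment on the question notes, a browser will not accept a pointer to HTTP from an HTTPS endpoint it cannot trust.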