
I have deployed my React app on Firebase, which comes with a pre-configured SSL certificate, but I am making API calls to a Node.js server using HTTP and not HTTPS. Since I am accessing non-secured content from within a secured site, the browser is blocking all my API calls.

The best and obvious choice is to load all resources via HTTPS to improve the security of my site, which means generating a separate certificate signed by a Certificate Authority, in this case Let's Encrypt, for my Node server, but I am having trouble achieving this.

Steps To Reproduce

  1. Installed Certbot
  2. Generate an SSL certificate with Certbot with the command `certbot certonly --manual`
  3. Type your domain name
  4. Go through HTTP-01 challenge process

Questions

  1. Why do I need to provide my domain in step 3 if my domain is already secured with an SSL certificate? I mean, this is a web server and would receive API requests via public IP, so why the need for the domain?

  2. For the HTTP-01 challenge process, Certbot will ask you to create a file with an auto-generated key in your web server document root, inside the directory .well-known/acme-challenge/, and this file must contain the auth key. When I do this I am getting the error below:

    Some challenges have failed. To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

I would also be happy to receive other suggestions. Thanks for your time.

amo
  • Are you hosting your Node.JS server on the ***exact same*** domain as your Firebase react app? – Take-Some-Bytes Aug 27 '20 at 20:37
  • @Take-Some-Bytes I am not sure if I understand your question, but the Node.js server is hosted locally on a Windows server while the React app is hosted on Firebase. I am using the IP to send a request from my site to my server. – amo Aug 28 '20 at 08:58

1 Answer


First, you have to understand that you have a domain which points to your Firebase-hosted React application. That domain already has a TLS (aka SSL) certificate. Now, you are trying to secure a Node.JS server, which doesn't have a domain pointing to it, using certbot, with your already-secured domain.

You should see now, why that doesn't work as expected. You have a domain that is pointing to your React application, but not your Node.JS server, and you are trying to use certbot to secure that domain (which is already secured anyways). certbot will make a request to your React application for the HTTP-01 challenge, and it will fail, because the challenge isn't there.

How do you solve this? By giving your Node.JS server a domain name, and using that domain with certbot.

Now, you don't have to go and buy another domain name just for your Node.JS server. You could use a subdomain, and then make that subdomain point to your Node.JS server. Then, you could use certbot to secure your Node.JS application.

Take-Some-Bytes
  • Everything is straightforward, but the most confusing part is how to make http:///.well-known/acme-challenge/ available or reachable. I understand that from my web server side I need to save and serve the static file with the token generated by Certbot, but I don't understand how or where I am calling/serving this file from. – amo Aug 31 '20 at 07:59
  • You mean you don't know how to serve the file up? Or do you not know how to make it available to the web? – Take-Some-Bytes Sep 01 '20 at 03:35
  • First of all, thanks for the help and attention. Second, here is what I am doing currently: a) create a sub-domain that points to my Node.js server. Since the sub-domain will be available 24-48 hours after creation, I wanted to understand how the flow would work. First, start certbot and enter the domain, then create the .well-known/acme-challenge/authkey directory inside the root directory of my server, then inside the authkey file add the token, then serve the file when the challenge request comes in.... – amo Sep 01 '20 at 13:19
  • Then, to make sure everything is ok, open my browser and navigate to `http://example.com/.well-known/acme-challenge/auth-key` to be verified. Is this a working or recommended path? – amo Sep 01 '20 at 13:21
  • That seems alright to me, and it is what the docs say works. So try that, and if you need further help, please let me know :). – Take-Some-Bytes Sep 01 '20 at 17:58
  • So regarding the ports, the documentation outlines that it only listens on port 80 or 443. Does that mean it listens on those two ports just for the challenges to verify you, or would that be the default port for future reference? – amo Sep 03 '20 at 13:14
  • The Let's Encrypt validation server *always* uses port 80 (the HTTP port) to verify you, because HTTP doesn't require TLS and such, if that's what you mean by "future reference". – Take-Some-Bytes Sep 03 '20 at 20:11