https not working in localhost in sailsjs

I am trying to set up SSL on my local system. I am using a Windows machine with a Sails.js application.

Here is the configuration that I did.

/**
 * Production environment settings
 * (sails.config.*)
 *
 * What you see below is a quick outline of the built-in settings you need
 * to configure your Sails app for production.  The configuration in this file
 * is only used in your production environment, i.e. when you lift your app using:
 *
 * ```
 * NODE_ENV=production node app
 * ```
 *
 * > If you're using git as a version control solution for your Sails app,
 * > this file WILL BE COMMITTED to your repository by default, unless you add
 * > it to your .gitignore file.  If your repository will be publicly viewable,
 * > don't add private/sensitive data (like API secrets / db passwords) to this file!
 *
 * For more best practices and tips, see:
 */

// returns an instance of greenlock.js with additional helper methods
const glx = require('greenlock-express').create({
  server: '',
  version: 'draft-12', // Let's Encrypt v2 (ACME v2)
  telemetry: true,
  configDir: 'D:\\cert\\localhost',
  email: '[email protected]',
  agreeTos: true,
  servername: '',
  domains: ['localhost', 'www.localhost'],
  debug: true
});

// handles acme-challenge and redirects to https
// require('http')
//   .createServer(glx.middleware(require('redirect-https')()))
//   .listen(80, function() {
//     console.log('Listening for ACME http-01 challenges on', this.address());
//   });

module.exports = {
  /**************************************************************************
   *                                                                         *
   * Tell Sails what database(s) it should use in production.                *
   *                                                                         *
   * (                                 *
   *                                                                         *
   **************************************************************************/
  datastores: {

    /***************************************************************************
     *                                                                          *
     * Configure your default production database.                              *
     *                                                                          *
     * 1. Choose an adapter:                                                    *
     *                                 *
     *                                                                          *
     * 2. Install it as a dependency of your Sails app.                         *
     *    (For example:  npm install sails-mysql --save)                        *
     *                                                                          *
     * 3. Then set it here (`adapter`), along with a connection URL (`url`)     *
     *    and any other, adapter-specific customizations.                       *
     *    (See for help.)                 *
     *                                                                          *
     ***************************************************************************/
    default: {
      adapter: 'sails-mysql',
      url: 'mysql://root:[email protected]:3306/fulfil_db'

      // adapter: 'sails-mysql',
      // url: 'mysql://user:password@host:port/database',
      //  /\   To avoid checking it in to version control, you might opt to set
      //  ||   sensitive credentials like `url` using an environment variable.
      //  For example:
      //  ```
      //  sails_datastores__default__url=mysql://admin:[email protected]:3306/my_prod_db
      //  ```

      /****************************************************************************
       *                                                                           *
       * More adapter-specific options                                             *
       *                                                                           *
       * > For example, for some hosted PostgreSQL providers (like Heroku), the    *
       * > extra `ssl: true` option is mandatory and must be provided.             *
       *                                                                           *
       * More info:                                                                *
       *                                     *
       *                                                                           *
       ****************************************************************************/
      // ssl: true,

    },

  },

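  models: {

    /***************************************************************************
     *                                                                          *
     * To help avoid accidents, Sails automatically sets the automigration      *
     * strategy to "safe" when your app lifts in production mode.               *
     * (This is just here as a reminder.)                                       *
     *                                                                          *
     * More info:                                                               *
     * *
     *                                                                          *
     ***************************************************************************/
    migrate: 'safe'

    /***************************************************************************
     *                                                                          *
     * If, in production, this app has access to physical-layer CASCADE         *
     * constraints (e.g. PostgreSQL or MySQL), then set those up in the         *
     * database and uncomment this to disable Waterline's `cascadeOnDestroy`    *
     * polyfill.  (Otherwise, if you are using a database like Mongo, you might *
     * choose to keep this enabled.)                                            *
     *                                                                          *
     ***************************************************************************/
    // cascadeOnDestroy: false,

  },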

  /**************************************************************************
   *                                                                         *
   * Always disable "shortcut" blueprint routes.                             *
   *                                                                         *
   * > You'll also want to disable any other blueprint routes if you are not *
   * > actually using them (e.g. "actions" and "rest") -- but you can do     *
   * > that in `config/blueprints.js`, since you'll want to disable them in  *
   * > all environments (not just in production.)                            *
   *                                                                         *
   **************************************************************************/
  blueprints: {
    shortcuts: false
  },

  /***************************************************************************
   *                                                                          *
   * Configure your security settings for production.                         *
   *                                                                          *
   * IMPORTANT:                                                               *
   * If web browsers will be communicating with your app, be sure that        *
   * you have CSRF protection enabled.  To do that, set `csrf: true` over     *
   * in the `config/security.js` file (not here), so that CSRF app can be     *
   * tested with CSRF protection turned on in development mode too.           *
   *                                                                          *
   ***************************************************************************/
  security: {

    /***************************************************************************
     *                                                                          *
     * If this app has CORS enabled (see `config/security.js`) with the         *
     * `allowCredentials` setting enabled, then you should uncomment the        *
     * `allowOrigins` whitelist below.  This sets which "origins" are allowed   *
     * to send cross-domain (CORS) requests to your Sails app.                  *
     *                                                                          *
     * > Replace "" with the URL of your production server.  *
     * > Be sure to use the right protocol!  ("http://" vs. "https://")         *
     *                                                                          *
     ***************************************************************************/
    cors: {
      allRoutes: true,
      allowOrigins: '*',
      allowCredentials: false
    },

  },

  /***************************************************************************
   *                                                                          *
   * Configure how your app handles sessions in production.                   *
   *                                                                          *
   * (                                     *
   *                                                                          *
   * > If you have disabled the "session" hook, then you can safely remove    *
   * > this section from your `config/env/production.js` file.                *
   *                                                                          *
   ***************************************************************************/
  session: {

    /***************************************************************************
     *                                                                          *
     * Production session store configuration.                                  *
     *                                                                          *
     * Uncomment the following lines to finish setting up a package called      *
     * "@sailshq/connect-redis" that will use Redis to handle session data.     *
     * This makes your app more scalable by allowing you to share sessions      *
     * across a cluster of multiple Sails/Node.js servers and/or processes.     *
     *                   *
     *                                                                          *
     * > While @sailshq/connect-redis is a popular choice for Sails apps, many  *
     * > other compatible packages (like "connect-mongo") are available on NPM. *
     * > (For a full list, see            *
     *                                                                          *
     ***************************************************************************/
    // adapter: '@sailshq/connect-redis',
    // url: 'redis://user:password@localhost:6379/databasenumber',
    // /\   OR, to avoid checking it in to version control, you might opt to
    // ||   set sensitive credentials like this using an environment variable.
    // For example:
    // ```
    // sails_session__url=redis://admin:[email protected]:9562/0
    // ```

    /***************************************************************************
     *                                                                          *
     * Production configuration for the session ID cookie.                      *
     *                                                                          *
     * Tell browsers (or other user agents) to ensure that session ID cookies   *
     * are always transmitted via HTTPS, and that they expire 24 hours after    *
     * they are set.                                                            *
     *                                                                          *
     * Note that with `secure: true` set, session cookies will _not_ be         *
     * transmitted over unsecured (HTTP) connections. Also, for apps behind     *
     * proxies (like Heroku), the `trustProxy` setting under `http` must be     *
     * configured in order for `secure: true` to work.                          *
     *                                                                          *
     * > While you might want to increase or decrease the `maxAge` or provide   *
     * > other options, you should always set `secure: true` in production      *
     * > if the app is being served over HTTPS.                                 *
     *                                                                          *
     * Read more:                                                               *
     *                *
     *                                                                          *
     ***************************************************************************/
    cookie: {
      // secure: true,
      maxAge: 24 * 60 * 60 * 1000 // 24 hours
    },

  },

  /***************************************************************************
   *                                                                          *
   * Set up for your production environment.                        *
   *                                                                          *
   * (                                     *
   *                                                                          *
   * > If you have disabled the "sockets" hook, then you can safely remove    *
   * > this section from your `config/env/production.js` file.                *
   *                                                                          *
   ***************************************************************************/
  sockets: {
    onlyAllowOrigins: []

    /***************************************************************************
     *                                                                          *
     * Uncomment the `onlyAllowOrigins` whitelist below to configure which      *
     * "origins" are allowed to open socket connections to your Sails app.      *
     *                                                                          *
     * > Replace "" etc. with the URL(s) of your app.        *
     * > Be sure to use the right protocol!  ("http://" vs. "https://")         *
     *                                                                          *
     ***************************************************************************/
    // onlyAllowOrigins: [
    //   '',
    //   '',
    // ],

    /***************************************************************************
     *                                                                          *
     * If you are deploying a cluster of multiple servers and/or processes,     *
     * then uncomment the following lines.  This tells about a Redis  *
     * server it can use to help it deliver broadcasted socket messages.        *
     *                                                                          *
     * > Be sure a compatible version of @sailshq/ is installed! *
     * > (See for the latest version info)   *
     *                                                                          *
     * (                   *
     *                                                                          *
     ***************************************************************************/
    // adapter: '@sailshq/',
    // url: 'redis://user:[email protected]:9562/databasenumber',
    // /\   OR, to avoid checking it in to version control, you might opt to
    // ||   set sensitive credentials like this using an environment variable.
    // For example:
    // ```
    // sails_sockets__url=redis://admin:[email protected]:9562/0
    // ```

  },

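  /**************************************************************************
   *                                                                         *
   * Set the production log level.                                           *
   *                                                                         *
   * (                                        *
   *                                                                         *
   **************************************************************************/
  log: {
    level: 'debug'
  },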

  http: {
    serverOptions: glx.httpsOptions,

    /***************************************************************************
     *                                                                          *
     * The number of milliseconds to cache static assets in production.         *
     * (the "max-age" to include in the "Cache-Control" response header)        *
     *                                                                          *
     ***************************************************************************/
    cache: 365.25 * 24 * 60 * 60 * 1000 // One year

    /***************************************************************************
     *                                                                          *
     * Proxy settings                                                           *
     *                                                                          *
     * If your app will be deployed behind a proxy/load balancer - for example, *
     * on a PaaS like Heroku - then uncomment the `trustProxy` setting below.   *
     * This tells Sails/Express how to interpret X-Forwarded headers.           *
     *                                                                          *
     * This setting is especially important if you are using secure cookies     *
     * (see the `cookies: secure` setting under `session` above) or if your app *
     * relies on knowing the original IP address that a request came from.      *
     *                                                                          *
     * (                                        *
     *                                                                          *
     ***************************************************************************/
    // trustProxy: true,

  },

  /**************************************************************************
   *                                                                         *
   * Lift the server on port 80.                                             *
   * (if deploying behind a proxy, or to a PaaS like Heroku or Deis, you     *
   * probably don't need to set a port here, because it is oftentimes        *
   * handled for you automatically.  If you are not sure if you need to set  *
   * this, just try deploying without setting it and see if it works.)       *
   *                                                                         *
   **************************************************************************/
  host: '',
  port: 443,
  ssl: true,

  /**************************************************************************
   *                                                                         *
   * Configure an SSL certificate                                            *
   *                                                                         *
   * For the safety of your users' data, you should use SSL in production.   *
   * ...But in many cases, you may not actually want to set it up _here_.    *
   *                                                                         *
   * Normally, this setting is only relevant when running a single-process   *
   * deployment, with no proxy/load balancer in the mix.  But if, on the     *
   * other hand, you are using a PaaS like Heroku, you'll want to set up     *
   * SSL in your load balancer settings (usually somewhere in your hosting   *
   * provider's dashboard-- not here.)                                       *
   *                                                                         *
   * > For more information about configuring SSL in Sails, see:             *
   * >*#?sailsconfigssl                          *
   *                                                                         *
   **************************************************************************/
  // ssl: undefined,

  lifejacket: {
    // Disabled by default. (e.g. for local dev)
    // So you'll want to override this in your config/env/production.js file,
    // setting it to `true`.
    ensureHttps: true

    // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    // If you don't already have the conventional `sails.config.custom.baseUrl` set,
    // then uncomment the following `host` config.  This must be set manually if `ensureHttps`
    // is enabled.
    // > Should be provided as a string, like ``.
    // host: '',
    // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  }

};

When I fire up the command below, it shows an image like this, but when I run this application in the browser at https://localhost it shows an error.


[gl/index.js] gl.getCertificates called for localhost with certs for NONE
[gl/index.js] gl.approveDomains called with certs for NONE and options:
[gl/index.js] { domain: 'localhost',
  domains: [ 'localhost' ],
  certs: null,
  certificate: {},
  account: {},
  wildname: '*.' }
[gl/index.js] gl getting from disk or registering new
[greenlock/lib/core.js] checkAsync failed to find certificates
[le-store-certbot] success reading arg.accountsDir
[le-store-certbot] regrs.length 1
[le-store-certbot] accountId: 7deec612c26a9f3163c582e4ea6a972d
[greenlock/lib/core.js] calling greenlock.acme.getCertificateAsync localhost [ 'localhost' ]
[acme-v2] DEBUG get cert 1
[acme-v2] accounts.create
[acme-v2] agreeToTerms
[acme-v2] accounts.create JSON body:
{ protected:
   'niurbbdEwbyPPXdLEWw_Qi1iQSHQ2otsqZPUEUAZ4HN3BNDo2ugknJMQdvPEzMrsfyntxMyX6hqiM5sgYcbaPX5TErolPebmITXC3lqgBn8nZaMx2JInqD0s8OQM71l-N95PqAmbOpTykGPaEASwN95acm47gQdbjLu6nBsnF6sfzFghRDTVhk8xpGhUTqhKjQ7vIrH6QlpPVi8N5WTabfCQDWeaNCFjq6vKiCvbfjFPmLZn2junDwAe4utIpuP3FqZYMlCvXFCmr_o7qyyQZWxWWZbajHJO75HBkrqKx_fbI5ogj3wuLikddQmzDqPARV0F8coEaYqmQsfh24h43A' }
[DEBUG] new account location:
{ statusCode: 200,
   { key:
      { kty: 'RSA',
        e: 'AQAB' },
     contact: [ 'mailto:[email protected]' ],
     initialIp: '',
     createdAt: '2019-09-20T08:07:38Z',
     status: 'valid' },
   { server: 'nginx',
     date: 'Fri, 20 Sep 2019 08:11:39 GMT',
     'content-type': 'application/json',
     'content-length': '551',
     connection: 'close',
     'cache-control': 'public, max-age=0, no-cache',
     'replay-nonce': '00027sSdL_GbUp842Yw5P-69vfX0wI1vzkxBJGo6_9o6jwY',
     'x-frame-options': 'DENY',
     'strict-transport-security': 'max-age=604800' },
   { uri:
      Url {
        protocol: 'https:',
        slashes: true,
        auth: null,
        host: '',
        port: null,
        hostname: '',
        hash: null,
        search: null,
        query: null,
        pathname: '/acme/new-acct',
        path: '/acme/new-acct',
        href: '' },
     method: 'POST',
      { 'Content-Type': 'application/jose+json',
        'Content-Length': 1155 } } }
[acme-v2] DEBUG get cert 1
[greenlock/lib/core.js] setChallenge called for 'localhost'

[DEBUG] waitChallengeDelay 500

[acme-v2] handled(?) rejection as errback:
Error: connect ECONNREFUSED
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1097:14)
Error loading/registering certificate for 'localhost':
{ Error: connect ECONNREFUSED
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1097:14)
  errno: 'ECONNREFUSED',
  syscall: 'connect',
  address: '',
  port: 80 }

Hostname localhost is not allowed

You can use Greenlock with Let's Encrypt with local certs, but not specifically the hostname localhost.

Use a local / private domain instead

Instead, use a domain such as (which may have the IP address with one of the plugins for Let's Encrypt DNS validation:

Or write a plugin for your DNS provider:


For your CI/CD environment, be sure to use the Let's Encrypt Staging URL.

In production, be sure to locate the certificates on a mounted volume (and set the Greenlock config accordingly).

If you fail to do so you'll hit Let's Encrypt's rate limits for certificate generation as you get new certs every time your ephemeral docker instance is started (such as when you change environment variables in your cloud provider's control panel).

Upvotes: 2
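
A pre-flight check along the lines of this answer, as an added example (not code from either post or from Greenlock): it rejects names a public CA cannot validate, such as the `localhost` entries in the question's `domains` list, and selects the Let's Encrypt staging directory unless production is requested. The function names and the `local.your-domain.tld` placeholder are assumptions made for illustration.

```javascript
// Added example: pre-flight check for an ACME client's `domains` list.
// Special-use TLDs that never exist in public DNS (RFC 6761, RFC 6762).
const RESERVED_TLDS = new Set(['localhost', 'local', 'test', 'example', 'invalid']);

// Let's Encrypt ACME v2 directory endpoints.
const LE_DIRECTORY = {
  staging: 'https://acme-staging-v02.api.letsencrypt.org/directory',
  production: 'https://acme-v02.api.letsencrypt.org/directory'
};

// One DNS label: letters, digits, inner hyphens, at most 63 characters.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;

// Decide whether a public CA could ever validate `name` (hypothetical helper).
function classifyHostname(name) {
  const host = String(name).trim().toLowerCase().replace(/\.$/, '');
  const reject = (reason) => ({ host, ok: false, reason });

  if (host === '') return reject('empty hostname');
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':')) {
    return reject('IP literal, not a DNS name');
  }
  const labels = host.split('.');
  const tld = labels[labels.length - 1];
  if (RESERVED_TLDS.has(tld)) return reject('reserved special-use name: .' + tld);
  if (labels.length < 2) return reject('single-label name, not in public DNS');

  const wildcard = labels[0] === '*';
  const rest = wildcard ? labels.slice(1) : labels;
  if (wildcard && rest.length < 2) return reject('wildcard needs a registrable domain');
  if (!rest.every((l) => LABEL.test(l))) return reject('invalid DNS label');

  // Let's Encrypt validates wildcard names only through the dns-01 challenge.
  return { host, ok: true, needsDns01: wildcard };
}

// Split a domains list and pick the directory URL: production only when asked.
function preflight(domains, env) {
  const results = domains.map(classifyHostname);
  return {
    directoryUrl: env === 'production' ? LE_DIRECTORY.production : LE_DIRECTORY.staging,
    accepted: results.filter((r) => r.ok),
    rejected: results.filter((r) => !r.ok)
  };
}

// The question's list, plus a constructed placeholder name that would pass.
const report = preflight(['localhost', 'www.localhost', 'local.your-domain.tld'], 'ci');
for (const r of report.rejected) console.log('REJECT', r.host, '-', r.reason);
for (const r of report.accepted) console.log('OK    ', r.host);
console.log('ACME directory:', report.directoryUrl);
```

Running a check like this before the app lifts turns the `ECONNREFUSED` failure in the question's log into a configuration error that names the offending hostname.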

