Mike Marks

Reputation: 10139

Node.js self signed certificate is still showing as "not trusted" in my browser

I am running a Node.js server and I'm trying to host this server locally and not get any SSL errors.

Here's what I did to create the certificate. I opened up Terminal in Visual Studio Code and typed the following:

$ openssl req -nodes -new -x509 -keyout server.key -out server.cert

This created a .cert and a .key file in my current directory.

Next, in my app.js file, I added this:

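const https = require('https');
const fs = require('fs');

// `app` is the request handler defined elsewhere in app.js
https.createServer({
  key: fs.readFileSync('./server.key'),   // private key written by the openssl command above
  cert: fs.readFileSync('./server.cert')  // self-signed certificate
  // passphrase: ''  (unused: -nodes leaves the key unencrypted)
}, app)
.listen(3000);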

I then ran the command node app.js in my terminal window to start the Node.js server.

I then visited https://localhost:3000/ and am getting the following - notice "Not secure" - this is what I am trying to get rid of:


At this point, I did some Googling and saw where it might be helpful to export this certificate, and import directly into Chrome. I did this by clicking on the "Not secure" button and clicking on Certificate:


Then, clicking on Details and "Copy to file":


Then, I clicked Next on the next screen and chose DER encoded binary X.509 (.CER):


I clicked Next and gave the exported certificate a name of serverMike.cer:


Then, I clicked Next and Finish:


Export was successful:


Finally, I went to import this exported certificate in Chrome settings and chose "Trusted Root Certification Authorities" as the place to put this certificate:


I then clicked Next and Finish. I closed out of Chrome and opened it back up, visited https://localhost:3000 and received the same "Not secure" message. Is there something I might be doing wrong?

Upvotes: 1

Views: 2441

Answers (2)

DMabulage

Reputation: 862

You can try using the Caddy server, which will create a reverse proxy and handle TLS automatically.

Create a Caddyfile in the project root and install the Caddy server: https://caddyserver.com/download

https://localhost:3007 {
    reverse_proxy localhost:3000
    tls internal
}

https://localhost:3007 → This tells Caddy to listen on port 3007 using HTTPS.

reverse_proxy localhost:3000 → Requests to https://localhost:3007 are forwarded to localhost:3000, where the actual app runs.

In the terminal: caddy run

When you visit https://localhost:3007, Caddy securely forwards your request to localhost:3000, acting as a reverse proxy.

Upvotes: 0

dave_thompson_085

Reputation: 38930

Step 0: this is not a programming question

Step 1: if you hadn't apparently suppressed the error, you should have seen that the 'Not secure' error page formerly said NET::ERR_CERT_AUTHORITY_INVALID and now says NET::ERR_CERT_COMMON_NAME_INVALID, and if you click on Advanced it says "This server could not prove that it is [domain]; its security certificate does not specify Subject Alternative Names."

Step 2: see
https://serverfault.com/questions/845766/generating-a-self-signed-cert-with-openssl-that-works-in-chrome-58
https://serverfault.com/questions/880804/can-not-get-rid-of-neterr-cert-common-name-invalid-error-in-chrome-with-self
https://security.stackexchange.com/questions/89319/creating-my-own-ca-for-an-intranet
https://security.stackexchange.com/questions/172440/generate-x509-err-cert-common-name-invalid
https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
https://security.stackexchange.com/questions/113484/followup-to-one-liner-to-create-cert-request-with-san
Chrome accept self-signed localhost certificate

BTW: since this is local, you don't need to export the cert from the browser prior to importing it. If you create the cert from openssl req ... -x509 ... with extension .cer or .crt, or rename or copy it that way, you can just double-click and then import to TrustedRoots. Or for any name you can run MMC and select Certificates, or just directly run certmgr.msc, and import from there.

Upvotes: 3
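
Added example, not part of the question or either answer: the certificate from the question carries no Subject Alternative Name extension, which is what the Chrome message quoted in the answer above refers to. This script generates a certificate without and with a SAN and checks each for a DNS:localhost entry. It assumes OpenSSL 1.1.1 or newer (for -addext and -ext); the subject, key size, validity period and function names are assumptions.

```shell
#!/bin/sh
# Added example; assumes OpenSSL 1.1.1+ (needed for -addext and -ext).
set -eu

# Same kind of certificate as in the question: a subject, but no SAN extension.
# -subj is added only so the command does not prompt (value is an assumption).
make_cert_without_san() {   # $1 = certificate path, $2 = key path
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=localhost" -keyout "$2" -out "$1" 2>/dev/null
}

# Same request, plus a SAN extension naming the host the browser connects to.
make_cert_with_san() {      # $1 = certificate path, $2 = key path
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
    -keyout "$2" -out "$1" 2>/dev/null
}

# Succeeds only if the certificate lists DNS:<host> in its SAN extension.
# The subject CN is deliberately ignored; that is why "openssl x509 -checkhost"
# is not used here, since it can still match on the CN when no SAN is present.
has_san_dns() {             # $1 = certificate path, $2 = host name
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2"
}

# Demo in a scratch directory; the file names mirror the question's.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_cert_without_san "$work/old.cert" "$work/old.key"
make_cert_with_san "$work/server.cert" "$work/server.key"
for c in old.cert server.cert; do
  if has_san_dns "$work/$c" localhost; then
    echo "$c: SAN covers localhost"
  else
    echo "$c: no SAN entry for localhost"
  fi
done
```

A certificate that passes this check still has to be imported into Trusted Root Certification Authorities, as described in the answer above, before the browser stops warning about it.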
