Note: this post was updated on 10/21/16, in the crontab entry under Setting up automatic certificate renewal.
In our application amblr, my team and I are using geolocation data from the browser to place the user on a map. As of Chrome version 50, an encrypted connection is required for using location services, per this announcement:
Starting with Chrome 50, Chrome no longer supports obtaining the user’s location using the HTML5 Geolocation API from pages delivered by non-secure connections. This means that the page that’s making the Geolocation API call must be served from a secure context such as HTTPS.
To get HTTPS working in the browser, we used Let’s Encrypt, a new certificate authority that is ‘free, automated, and open.’ I took on the task of setting up the SSL certificates, with some help from a team member who has more command line chops than I do. I learned some useful things along the way.
How Web Servers Work
Servers have both an operating system and server software. Generally, the OS is some flavor of Linux; Ubuntu is a popular choice and is offered as an option during setup if you use DigitalOcean for hosting. In addition to the OS, server software like Apache or Nginx allows you to serve files and perform routing and other tasks. Node takes the place of Apache/Nginx in simple setups. There may be some situations where you have both Apache/Nginx and Node running. For example, one way to set up SSL is to use Apache as a reverse proxy that sits between the open Internet and your Node server. We tried this approach, but ran into roadblocks with the configuration file.
Instead, we chose to serve our site directly from Node, so we didn’t want Apache/Nginx to be running at the same time as Node.
Configuring your Node server
There are a few ways to set up your Node server to use SSL; one of the most straightforward is to use the https module. You’ll need to do the usual routing and set up a static file server. Here’s a simplified server.js file using Express that shows how we set up https with an http server forwarding to it. This allows you to forward requests that come in on port 80 (the default port for http) to port 443 (the default port for https).
For more details, check out my GitHub repo for this post.
Note that you have created a regular HTTP server as a temporary way to set up Let’s Encrypt with the --webroot plugin. You’ll modify the server to switch to HTTPS once you’ve created the certificate files.
path-to-static-files is the directory where you serve static files from with your Node server. This will be important when using the webroot method to renew your certificates.
path-to-privkey is the location of your private key file.
path-to-cert is the location of your certificate file. If you follow the directions above, they will be in the following locations – replace ‘node-https-example.com’ with your domain:
Configuring Let’s Encrypt
To configure Let’s Encrypt, I referenced this tutorial, but modified the steps to work with a Node-only setup. Instead of using --apache, I used --webroot to set up and renew the certificates. You’ll be installing the Let’s Encrypt Certbot, an automated command line tool that helps you get things configured.
These directions were tested with Ubuntu 16.04.1 on DigitalOcean; other setups may require slightly different steps. Before you start, you’ll need to set up your server with a non-root user that has sudo privileges and configure your domain name.
- SSH into the server.
- If your Node server is not running already, start it: cd into the directory where your server file is, then do:
sudo node server.js
sudo is necessary because root privileges are required to bind ports below 1024. If you see an EACCES error when you try to start Node on a server, it’s usually because you didn’t use sudo or because Node is already running.
- In another terminal window, SSH into your server and update the package manager cache:
sudo apt-get update
- Install git:
sudo apt-get install git
- Install Let’s Encrypt:
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
- Navigate to the Let’s Encrypt repository:
cd /opt/letsencrypt
- Run the configuration, inserting the folder where your site lives instead of node-https-example and your SSH user instead of user. The second -d flag, -d www.node-https-example.com, is optional, but recommended for encrypting traffic at both the
./letsencrypt-auto certonly --webroot -w /home/user/node-https-example/client/www -d www.node-https-example.com -d node-https-example.com
- Follow the steps provided and be sure to include an admin email address, in case there are any issues renewing your certificates.
- Go to the terminal window where Node is running and enter CTRL + C to stop the Node server.
- Using vi server.js or another command line text editor, comment out the lines in the first block, starting from:
- Uncomment the bottom portion of the file, starting from:
// // set up path to key and certificate files
- Save and close the file. This will effectively swap out your HTTP server for an HTTPS server.
- Start the Node server with sudo node server.js. Note that the server will stop once you close your terminal window. See this post to keep Node running forever.
- To see if it worked, go to this URL, replacing ‘node-https-example.com’ with your domain:
Setting up automatic certificate renewal
To set up automatic certificate renewal, use the cron job described below. It will try to update the certificate every Monday morning at 2:30 am. If the certificates are less than 30 days away from expiring, they will be renewed:
- SSH in to the server if you aren’t already logged in.
- Edit the crontab file for the root user. If necessary, go ahead and create a new one:
sudo crontab -e
- Add this line to the file to set up the cron job. It will save a log of the results to /var/log/le-renew.log so you can check back later and see if the renewal is working. Replace user with your SSH user and node-https-example with the folder where your site lives.
30 2 * * 1 /opt/letsencrypt/letsencrypt-auto certonly --webroot -w /home/user/node-https-example/client/www -d www.node-https-example.com -d node-https-example.com >> /var/log/le-renew.log
- Save and exit.
That’s it! You should now have valid SSL certificates that auto-renew, and your site should be accessible via HTTPS.
For more reading, check out the Certbot documentation.