IBM / ibmi-oss-issues

Important resources for anyone interested in open source on IBM i
Creative Commons Zero v1.0 Universal

NODE.JS #23

Closed Dmaynard1961 closed 1 month ago

Dmaynard1961 commented 2 years ago

I am trying to set up SSL to use with NODE.JS and followed the instructions in this document: https://www.ibm.com/support/pages/how-extract-ssltls-certificates-digital-certificate-manager-dcm-and-use-them-openssl-ibm-i-os

When I try to access it, I get a privacy error and net::err_cert_common_name_invalid.

I am not sure how to fix this.

kadler commented 2 years ago

AFAICT, this is a client issue (net::err_cert_common_name_invalid is a Chrome error). Sounds like your SSL certificate's common name is set to a different hostname than what you're connecting to. Are you trying to connect to the IP address instead of the hostname or vice-versa? Maybe try some of the steps here: https://www.hostinger.com/tutorials/net-err_cert_common_name_invalid (first search hit for the error).

Dmaynard1961 commented 2 years ago

I am at a loss. I am extracting the certificate from the AS400 DCM and then running some openssl commands, but each time I get this same error.

Am I missing something on the AS400 DCM? There are six certificates listed; I used the latest one created.


kadler commented 2 years ago

Sounds like you should talk to your sysadmin or whoever is in charge of your SSL certificates to see which one you should use.

Dmaynard1961 commented 2 years ago

Would the certificate be in the DCM on the AS400 or somewhere else? How would I tell which certificate to use?


kadler commented 2 years ago

Does the system have SSL enabled for other services already? If so, the certificate must be in DCM.

Alternatively, you may be using the right certificate but using the wrong hostname to browse to it. The URL you connect to must match the Common Name in the certificate. You can view the Common Name using the openssl command, e.g. openssl x509 -noout -subject -in /path/to/cert.pem; the Common Name follows the CN abbreviation.

Dmaynard1961 commented 2 years ago

Okay, I have two extracts from DCM.

One has no common name after the CN.

The other has *.contrans.ca

In the config.js file the SSLKEY and SSLCERT point to the *.contrans.ca

So I used the URL https://contrans.contrans.ca:8072

I know I will be asked, but how can I use https://contrans:8072


kadler commented 1 year ago

> I know I will be asked but how can I use https://contrans:8072

That's usually done via a DNS search domain list on the client, e.g. on Windows: https://social.technet.microsoft.com/Forums/windowsserver/en-US/2bfa85ab-a013-4b53-b593-1bf5e13dcd35/where-does-dns-server-specify-search-domains
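
Added example, not part of the thread and not code from any participant: Node's own `tls.checkServerIdentity` run against the names discussed above, to show which URLs a `*.contrans.ca` certificate can serve. The certificate objects are constructed by hand in the shape `getPeerCertificate()` returns; the SAN entry and the IP address are assumptions, since the thread only shows the CN.

```javascript
const tls = require('tls');

// Constructed certificate objects (name fields only). The CN values come from
// the thread; the subjectaltname entry is an assumption, not shown on the page.
const wildcardCert = {
  subject: { CN: '*.contrans.ca' },
  subjectaltname: 'DNS:*.contrans.ca',
};
// The second DCM extract: nothing after "CN" and (assumed) no SAN entries.
const emptyCnCert = { subject: { CN: '' } };

// Run Node's hostname verification; it returns undefined on a match and an
// Error (code ERR_TLS_CERT_ALTNAME_INVALID) otherwise.
function checkName(host, cert) {
  const err = tls.checkServerIdentity(host, cert);
  return { host, ok: err === undefined, reason: err ? err.message : 'match' };
}

function report(hosts, cert) {
  return hosts.map((h) => checkName(h, cert));
}

const hosts = [
  'contrans.contrans.ca', // one label in place of "*": matches
  'contrans',             // short name as typed in the URL: no match
  'contrans.ca',          // a wildcard does not cover the bare domain
  'a.b.contrans.ca',      // "*" stands for exactly one label
  '192.0.2.10',           // constructed IP; would need an "IP Address:" SAN
];

// Node falls back to the CN only when the certificate has no DNS SAN entries;
// current browsers match against SAN entries only.
console.table(report(hosts, wildcardCert));
console.table(report(['contrans.contrans.ca'], emptyCnCert));
```

The name compared against the certificate is the host exactly as written in the URL, so resolving `contrans` through a DNS search domain does not by itself make it match `*.contrans.ca`.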