HTTPS Certificates on TLS for different subdomains

[matthew119427]

• Node.js Version: 8.15.0
• OS: Ubuntu Linux
• Scope (install, code, runtime, meta, other?): Runtime
• Module (and version) (if relevant): TLS

Hi, I was referred here by the question at https://github.com/expressjs/vhost/issues/35

I was wondering on how to send different x509 certificates depending on the subdomain name visited on the site for Express/HTTPS. Basically, say someone visits cdn.example.com, it would see the site name and send a different certificate than the default one for example. Any help would be appreciated!

(Response on that issue above informed me to come here, referenced the TLS module and SNI.

[devsnek]

You have to complete the TLS handshake before you can get the host header, so this isn't really possible. What people do instead is use one certificate with multiple domains (SANs).

[matthew119427]

Hmm, I was using a module to do this but it appears that module doesn't want to send the intermediate certificates with it.

[bnoordhuis]

You can make this work with server.addContext(hostname, context): https://nodejs.org/docs/latest/api/tls.html#tls_server_addcontext_hostname_context

It selects the TLS context to use based on the SNI (Server Name Indication extension) in the client's handshake.

If you need something fancier / more dynamic, you probably have to set up a net.Server and parse the ClientHello yourself before forwarding it to a tls.Server. The SNI hostname is a plaintext part of the ClientHello.

[matthew119427]

Is a "TLS" server basically a "HTTPS" server? Like would this work with https.createServer();?

[bnoordhuis]

https.Server extends tls.Server so yes, that should work.

[matthew119427]

Thanks @bnoordhuis, appreciate the responsiveness and support.

[matthew119427]

Actually, gonna have to reopen this. I just did that and it's throwing me unknown issuer errors. Looks like the https server with .addContext isnt sending the intermediate certificates I specified.

[bnoordhuis]

Can you post a standalone test case? Hard to say what's going wrong without the corresponding code.

[matthew119427]

Just the basics of setting it up.

  const https = require('https');
const options = {
      key: fs.readFileSync(path.join(__dirname + '/ssl/wildcard.key.pem')),
      cert: fs.readFileSync(path.join(__dirname + '/ssl/wildcard.crt')),
      ca: fs.readFileSync(path.join(__dirname + '/ssl/secure-chain.crt', ))
    };

const server = https.createServer(options, main).listen(port, function() { //eslint-disable-line
      console.log('Express server listening on port ' + port);
    });

    const caCreds = {
      key: fs.readFileSync(path.join(__dirname + '/ssl/casite.key.pem')),
      cert: fs.readFileSync(path.join(__dirname + '/ssl/casite.crt')),
      ca: fs.readFileSync(path.join(__dirname + '/ssl/ov-c.crt', ))
    };
    server.addContext('certificates.libraryofcode.us', caCreds);```

[bnoordhuis]

Can you post the contents of wildcard.crt and secure-chain.crt? What does openssl s_client -connect <host>:<port> print?

[matthew119427]

OpenSSL doesn't take the certificates either, Chrome and FireFox both do not take them as well.

wildcard.crt -----BEGIN CERTIFICATE----- MIIJHzCCBpOgAwIBAgICEAEwDQYJKoZIhvcNAQENBQAwgcAxCzAJBgNVBAYTAlVT MREwDwYDVQQIDAhWaXJnaW5pYTEeMBwGA1UECgwVTGlicmFyeSBvZiBDb2RlIHNw LXVzMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTExMC8GA1UEAwwo TGlicmFyeSBvZiBDb2RlIFNlY3VyZSBTZXJ2ZXIgQ2xhc3MgNiBDQTEpMCcGCSqG SIb3DQEJARYaY2FAc3lzdGVtLmxpYnJhcnlvZmNvZGUudXMwHhcNMTkwMjIyMjAy OTA0WhcNMjAwMzE3MjAyOTA0WjCBsjELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0Zs b3JpZGExGTAXBgNVBAoMEExpYnJhcnkgb2YgQ29kZSAxMzAxBgNVBAsMKkVuZ2lu ZWVyaW5nIFRlYW0gJiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEbMBkGA1UEAwwS Ki5saWJyYXJ5b2Zjb2RlLnVzMSQwIgYJKoZIhvcNAQkBFhVoZWxwQGxpYnJhcnlv ZmNvZGUudXMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC0IW3IqpAY tMGryVBs9shsZHzhT+tXZzh5mBdOK+Npbzf9oaBq8+b9sCW1pmGqxJCsMykQF7jI K79LIUNCcKkzUw7N0HC+JTD65XarWzlIv5bZbid847AETg4Ai/z027KnuW6UEFiQ nUWlR9f5ZyC/w+7GAISBG0AHcrtbsR01e2+ZD0NlkV0nhcdgP8lqxeaHytxI+qqn x1rbh6AJnuol7Psm1ISxJusJGoiWkr27/cONr3oBiQtwD39LXKfCWBMYkiojevQt pn8qLZr3PsQAmpv/vxNQUDZumD22LU7JHG1sL2qC/gnAG4o0XkJxAuVkWPIm5Lnb O2LSBQJ3+8KeeYzD4ldZDTuwSw0XLxCDH9UH/4f9YQYSX0x3c7YCRHkDPhqPfoka iqttyV0sTuZjLtjO9F/fUvxIOegoV9NlaUJzv0UrSIprIi8N8sWA6dPRQgCn7Nh+ RlyQmjw6eK2jSRdYvOBUJRr0mXcws3BT++UppmpdATVhq10wVPduL7vZlCFurCC7 0hgKQIMH0cpjcwG4E5flRXryO+LqjGa2OISEKyr1YnApxrPW0g3EpvQ95FN+n2xT 33NUvibNd4kz7Mn0+LMcaak0XpDq1EBorF9NRlfVjalT5kmSMGmtgYTOxTRsU6vs fxfNOC9fxJjep/P+xpOqmAuwcxsSxjDeswIDAQABo4ICuTCCArUwCQYDVR0TBAIw ADARBglghkgBhvhCAQEEBAMCBkAwPgYJYIZIAYb4QgENBDEWL1NlcnZlciBjZXJ0 aWZpY2F0ZSBzaWduZWQgYnkgTGlicmFyeSBvZiBDb2RlIENBMB0GA1UdDgQWBBQD vu76ykO+dlusw4zWMjSGnDjLpjCB6wYDVR0jBIHjMIHggBTrOVhJI0t74XbvaDyG d1cebx2HzqGBw6SBwDCBvTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0Zsb3JpZGEx HjAcBgNVBAoMFUxpYnJhcnkgb2YgQ29kZSBzcC11czEgMB4GA1UECwwXQ2VydGlm aWNhdGlvbiBBdXRob3JpdHkxLzAtBgNVBAMMJkxpYnJhcnkgb2YgQ29kZSBEaXJl Y3RvcmF0ZSBDbGFzcyA1IENBMSkwJwYJKoZIhvcNAQkBFhpjYUBzeXN0ZW0ubGli cmFyeW9mY29kZS51c4ICEAEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsG AQUFBwMBBggrBgEFBQcDAjA8BgNVHR8ENTAzMDGgL6AthitodHRwczovL2Nkbi5s aWJyYXJ5b2Zjb2RlLnVzL3NlY3VyZS5jcmwucGVtMEcGA1UdIARAMD4wPAYKYIZI AYb6bAoBAjAuMCwGCCsGAQUFBwIBFiBodHRwczovL2Nkbi5saWJyYXJ5b2Zjb2Rl LnVzL3JwYTCBkQYDVR0RBIGJMIGGghgqLnN0YWZmLmxpYnJhcnlvZmNvZGUudXOC FnN0YWZmLmxpYnJhcnlvZmNvZGUudXOCHyouY2VydGlmaWNhdGVzLmxpYnJhcnlv ZmNvZGUudXOCHWNlcnRpZmljYXRlcy5saWJyYXJ5b2Zjb2RlLnVzghIqLmxpYnJh cnlvZmNvZGUudXMwDQYJKoZIhvcNAQENBQADggJ1AA7xUTzCYEOCGczjMKky2nog GLqDMo4a1jbwd+rY9znLKq0pkne57S8IMZyfgnsoMY+l+i5eXP8pNP8auDeNDbrs HvaAZ+VhkuegSz+FTG7Of+/eNkdhA7ANPxnx+yb82NATuZ99N1z2AEBwNyVsb2K3 JuWyOvNJkWT5YNF9wOu7yjrOwG+Z+4pjgE3G/RwjnDdf3dL+wLPpq4MftvArjESu xFqaJARUNn/B79FhzFt4U1E4b89cXG7TA8+iRFWr5tF2YRgI1DWJgzHnkjSt180a XMi9YzC2oOnkFortKDKVBlObJLgGiNYk6do+ngSjblBZ5FuWTJs4n5uMy0fT2QX7 nBMxYGXKCZ9sNG5dqivAow71z+QhGUW+MN8399bZp5QmnJFjBIU6aGnknvKH9ArE e3ewT9vZshfyF40giVSADV57ADnZdsboJ3qZaOPA8P3MO0cT5ntHFBKVhg+6L5G5 VuPjyZ/uYrbEDuoXWIZmbyJ1jyo6AbgcTJnI47br9K0Vd/3QyHmbqG39pUhrQQ9r aCqBAl0iXZJ4GoTGZN2mCMhUn+e4b98YZYkqdzi9FUYHPOKOEHCVwh9tcpDQU9G2 bBqkgHi3cmroU78vYhVbBslWB5S17UZQ1tG7zv2qM0GMvNukgTS+TrnO5XwLS5gP N9yJdntmG+Xsu2FVZXHHHzCoURgATCyhurC2odpea+jQsVURrzW+NE39C3jIoIaU qaquJ9uz7xhki3MgDm//37d+O45F2JWnv81nC9SmszjwTtszqPD1zJASNEmHbdET LKsG30Q25Mvvuyd2cDG2l1Aud1kvqi2iXCuip1Pp8+wz+UM= -----END CERTIFICATE-----

secure-chain.crt -----BEGIN CERTIFICATE----- MIIIizCCBP+gAwIBAgICEAEwDQYJKoZIhvcNAQENBQAwgb0xCzAJBgNVBAYTAlVT MRAwDgYDVQQIDAdGbG9yaWRhMR4wHAYDVQQKDBVMaWJyYXJ5IG9mIENvZGUgc3At dXMxIDAeBgNVBAsMF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5MS8wLQYDVQQDDCZM aWJyYXJ5IG9mIENvZGUgRGlyZWN0b3JhdGUgQ2xhc3MgNSBDQTEpMCcGCSqGSIb3 DQEJARYaY2FAc3lzdGVtLmxpYnJhcnlvZmNvZGUudXMwHhcNMTkwMjE4MjA1OTE0 WhcNMjUxMjIzMjA1OTE0WjCBwDELMAkGA1UEBhMCVVMxETAPBgNVBAgMCFZpcmdp bmlhMR4wHAYDVQQKDBVMaWJyYXJ5IG9mIENvZGUgc3AtdXMxIDAeBgNVBAsMF0Nl cnRpZmljYXRpb24gQXV0aG9yaXR5MTEwLwYDVQQDDChMaWJyYXJ5IG9mIENvZGUg U2VjdXJlIFNlcnZlciBDbGFzcyA2IENBMSkwJwYJKoZIhvcNAQkBFhpjYUBzeXN0 ZW0ubGlicmFyeW9mY29kZS51czCCApYwDQYJKoZIhvcNAQEBBQADggKDADCCAn4C ggJ1ANEKb7CcqghmXUePy2VIKxVOQDWx2sHkR3GFyEXcEs8vscTtq110e9BI65bg XMkA1RvkGKL+V1qLpH9edzCN7ysX715nZR498e/ivtOs/Oq6p2D1n+7p4TUrcCix p1Y+uDmYfW+uX0eqgv1f0aLmUeRQ/ZQYqq/+GSh2FtwFZ1PuipvXbDayrftHY9Y8 XJ0ocIAb6JMXbjP3MYnH/iEq+WkL58Df8QGWh8mmU7a0x1K7riVlWWlW4d3MwbOa fMlEwHwbIYhUtax/4wIDe1exKPrLThxF0wQon3Mbt2sFPCV6xvS4EBAoRS95sp3i bfdE1jAxB+0ENc/h+DTPzKhUhnLfYByQ8mX+eUmPoFscNJ/ywknUMRuyVEe0ytA8 eLI3PJ7ZFNQBe6JiGJ2SU45DFVSXtvgQSOP9KfeFy1qEn2lylAHpZNLgUtCbgm0D kv5e4Ou55X/9V4ZSGu2PyqZO+3n3PN8O4RqRprvf+FlQmZPop7omqw6mvF8/6vuT zXh3AXmfKeIwA5kCHMacpO8tncMP/J8G/eaeaitSU8HYVeIiVzj7E+a385zmCRFO yrUIDs/MX47r9TRpwp/1NpX/q+ZuYQb/joKIdrHb7eoGYSuZLuaz04vZOSCzMmVl Z0GWYdoEBumvxagU2EbOq9rlmb4zJrMMGXyhI8/b7qex/9YX0qnMzYtDhcDHBgjK ObhvdNFLXrB2mSleNvjpNh8VLUM8aCyNF66XdRFgqmJbDh9KHo9XsEc/93GRu8H2 VKgExS4qL/qewmnI6qEh4PUmYUcLkw+E2ni6iMI1YChNuJWM8ob0FOJzeTlSOolE I/ZQhkjwME0CAwEAAaOBpzCBpDAdBgNVHQ4EFgQU6zlYSSNLe+F272g8hndXHm8d h84wHwYDVR0jBBgwFoAUQJry9piNoVwoIx8diiEulcrqp4QwEgYDVR0TAQH/BAgw BgEB/wIBADAOBgNVHQ8BAf8EBAMCAb4wPgYDVR0fBDcwNTAzoDGgL4YtaHR0cHM6 Ly9jZG4ubGlicmFyeW9mY29kZS51cy9kaXJlY3Rvci5jcmwucGVtMA0GCSqGSIb3 DQEBDQUAA4IDdQCwLpKX3ONnL83+HyB3VrBAjxgvCwosZ8Z7yBUoKMNJsBzxMtV9 5ySXOtKPdtLPuC/1+ae3F8TmxDUPMfd9q/UbkA4r+Y3gf9vxlzQjukE8WmvpgV62 sGHHvWKTu83AoG54PYvqO/TBoLY4exxrdHCeWx/jUEe/LtB53OEzJmQwTOyaalMu tp/gYoW/UHKdsh7G+3nbfhy8vp+bvitvrDlpyM5GCEP4twhMfTGmd+2uUdpm3c1h +41qgnLt4PslrmfQpu+qrIjCVeIGNBMunp4L9USYkP941y/oZ+95R+ZNcVHGJEre q62nggmvmunxn9XGHMcB3MMVX6zE5Oz/6WCqqgNK/lMZbnG/RuyGiGDImCWkUyMn bSxu8NnQd7xO2xdaWEklmFjzFz28GYJYK8CY70NQwS31QIlRqj6SI3A5RKuENx+V XGlrp+dkcLWr1rCizDaHcjU8CcgxDiToVfOQ7wFKswFzy9XqHXND24++qT/+rKnZ 0iAwVU48BQhalkYB3+NS/NhYiS6tN2QxrGRwVO+/5XgscjMIWiOUPyIrmnbtxVvr n83P3auTisY51DFMN36fKa42DqTTplmu3A3vKR9JJop7szf/xkMjHVfowbNCDNRn b6By+4Vy0XW6ScSf/UxJN+ASPaRycL5K2l23jUo7MDWyB/bPgRl51QLgQ8jmVGw5 5G5OocKJl2AACJI/San2q75ulp5kXsZP/zmciGgb9wzqWyLwsfhy9w/jUkITBIaR ugm80Ko9DyuQ+5pZEGsH7GMizQHpELrvbRvi2mtBaRMAhdOH7Lnae8/KPf3Ql4Iv 4N4Exc5/qTv4TFcXy1esL7RzhP1WlIItMN6275nil9OC0MO23dkjuRtNIYXZl7X5 heVjm5pX+XZihiz3z8AmPmuI0kMhVxTR5cP714ZnSWqgXPGmnt0oSKcnDqG956zF oJGFvPobTZJH9sW0nGq4Fbxc5H/yH+r8Ux38hUskrKuoMlkF0/AzWXbYKdA7ctp9 xuc8GCv1kaGHn4U3LAti7D08juwBwblcKZKPJo/5sPraPdptYibjaW0qtb6fRok3 RMYPaswia2yFv2D+o8uIiiX1PEX6KtEfJDI9hB2pL+LUYVSl6WsaYIdtTOW0ngof LWOY/u6bbERDR7VZRKCqA+r8mtcJIwvxW34Txx1gqA== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIILCTCCBwOgAwIBAgICEAkwDQYJKoZIhvcNAQENBQAwgb4xCzAJBgNVBAYTAlVT MRAwDgYDVQQIDAdGbG9yaWRhMRowGAYDVQQHDBFBbHRhbW9udGUgU3ByaW5nczEY MBYGA1UECgwPTGlicmFyeSBvZiBDb2RlMR4wHAYDVQQLDBVDZXJ0aWZpY2F0ZSBB dXRob3JpdHkxIzAhBgNVBAMMGkxpYnJhcnkgb2YgQ29kZSBDQSBSb290IEEyMSIw IAYJKoZIhvcNAQkBFhNjYUBsaWJyYXJ5b2Zjb2RlLnVzMB4XDTE5MDIxODA0MzYz NVoXDTI3MDUwNzA0MzYzNVowgb0xCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdGbG9y aWRhMR4wHAYDVQQKDBVMaWJyYXJ5IG9mIENvZGUgc3AtdXMxIDAeBgNVBAsMF0Nl cnRpZmljYXRpb24gQXV0aG9yaXR5MS8wLQYDVQQDDCZMaWJyYXJ5IG9mIENvZGUg RGlyZWN0b3JhdGUgQ2xhc3MgNSBDQTEpMCcGCSqGSIb3DQEJARYaY2FAc3lzdGVt LmxpYnJhcnlvZmNvZGUudXMwggOWMA0GCSqGSIb3DQEBAQUAA4IDgwAwggN+AoID dQD9VnU6Hs5vT4NR+g2iXpU9uLFhYjMG5eciQ3QsxVLidLIsQNa8/wHnZWL/WQHj OGjdvNlelodGhI2a4UNVsG9rZJEXX5P3gS274M2tctn197n5YH4NiEw19p1/kJli 5cuxfqzyE+IOrYOruJcQ4f9LP4l38iYRtxAyFiCS1F0kXmpMMrjFV/lfXhUMKmxe Ss5rKOKjzyf+fl95RoxPcCGyS/SHjE2mYfirHE+oGTu4NKiweQZVfK2X79Ixn4jm XkXqcanECR8SJRC2/hy++9wJYTDObOxDNQFvIMXaovRQa3yJCpejXPhR9c5SeTrb Zy17G9lGtswIqOI4iLNGwRh1u6b0AtN2BE5qo4Ml2XsK5D9G4dM2Pgp6yuka7Dof ucPIl8OWGrDJEx+cJgUkwIBqF/h3O0J315c4I6CjbDMIfaeCoPGkZN6Yl9eXb1jO bFr/gyuN1V1+6sf+GS7zT8FC2q0EF/iR/mdloyzron/76XIdRhq2Fxd1wpi0jbDm IUAufh7SAlC/Qce/BiBOPSlVSAVAtjMIBtnn1g0nvmQe9Yc7S3btvsWF8HuWMnpq UyuQno/Ebfl3uLlUOkpQLvjXQr+p7W0FB26ANY6MN+Pm/PbPBJPoT+vlvBDeEn4W 2ALPFyr1yr1sbH1zpP/1X4xFxsJOlLvV8Apj+rJqCUF0WeTP5FKJeCxVTt1uL8q6 mG6pqb9JhbxAZYv4/kYz30kSs6CL648prWAFhd6VK/4cpEtr+WZ1pF+IFHLOOLYo 9GLDO0HEQQlU8w7hd4Oh3kUN3jpZF96FQVz20o1d3QhG2j/Y4c/r/VQ1AX9wE+P5 UTd4Wyn7f4YKfCmCB4gmG+S0jCneBaMzGvLHvnly/FrP9R4OE1qIxlx/h9cOwMfu gCXb2B6RbRT1FUawq0eHumIh7G2MbHmUELKx4BiHAf3QFv+Dah+SU+Q5w5OC7PTL suhoQDv0lOxt7D6gog3PQZsuxqyCHc2d82/GDPsjsRgQ+kmn8UhqQ/UtSalWliG0 3SQoE28vQoh1fBAFnhlopvigE/+EoSDYvtopb1Uh/3k72BeM59DVxmghI97jMZLH pKA5UIaTlhaKH0LoUyii60owFY0IG3an0zbsBsLQ61Niel8ur8iQA/nSlgj7/5Y8 gGwEdIAJA6MSj0771FCdWfu9nKMbbwIDAQABo4IBrDCCAagwHQYDVR0OBBYEFECa 8vaYjaFcKCMfHYohLpXK6qeEMB8GA1UdIwQYMBaAFKWz9rNPINOb4A9HBVUPRZ+U s/NjMBIGA1UdEwEB/wQIMAYBAf8CAQIwDgYDVR0PAQH/BAQDAgH+MHMGA1UdJQRs MGoGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEF BQcDCAYIKwYBBQUHAwkGCCsGAQUFBwMRBgorBgEEAYI3AgEVBgorBgEEAYI3AgEW BgorBgEEAYI3CgMBMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHBzOi8vY2RuLmxpYnJh cnlvZmNvZGUudXMvcm9vdC1hMi5jcmwucGVtMEUGCWCGSAGG+EIBCAQ4FjZodHRw czovL2Nkbi5saWJyYXJ5b2Zjb2RlLnVzL21pcnJvci9wYWdlcy9jZXJ0aWZpY2F0 ZXMwRwYDVR0gBEAwPjA8BgpghkgBhvpsCgECMC4wLAYIKwYBBQUHAgEWIGh0dHBz Oi8vY2RuLmxpYnJhcnlvZmNvZGUudXMvcnBhMA0GCSqGSIb3DQEBDQUAA4ID7wC1 vEpmkepq4Z+79DxBl1/PFT2OOGfmhhp5GfNxOm+tCn/m6bCnXJ1BCby/FHIO7Gl3 kAxOMtgEeM7PeqoJoOPRYr4ft3RmJJHX4lvVu9idJezf/hxstJD7vjvxlHFPbEO7 Zh7C2rREcWl7REnC2k6AV0SYVJrlEOow37IMU0oLAyy+DDf/tQSDMAhWSkUD0MkG QArG55gx8cAGngOuj08Z6S+O5D+rrC6FmffriFmEV8kFTdcegnmmkpoWWw/Y/1/5 1919/l+kDmiW1JFY9UMpM0GUNgz3AQJu72I2NMp9sk1LF+fXBFjGu1rJX5RaUQv1 gHkZd2P2p6S+5GN+Xsx89VOCnE8iXKuDKAIYEiWilE10xz5bdTMs+Chpg/twDKi0 W55YFe/gNPujEGOeLxFItYV4F5UAieOs9LIH5bzyUPxcPLd9Wjxc+dA0dla3EeOv VKoRSpvMnhjqK1HcLvEuYh55Jzq2Pn0TtFPQ/CnxO3zHPBlDbcz3wQoS+KcjN1oH +oD4vp1XojwGFIgOikEHwqiBvtMNpA9LdIaeIY4vyNOO3oaRfCnepGnHe7+dcidq wpIujanrdreo+De0UoqqEVVi5ocMXCP4l97bSaKa29SGe/VaSXEX1HOGLBT65O/2 j6kcJ46Mr7HZCdmYE4aPGsa6po6CWx3RPjTVVFVSGhgTaeNNg8U6byqjBDpNjxOX 4rqkciv8FzqHYfEq87l2wyI+NhGyiyNd4/nk/2HcSkK0m2axZ2LikYa6Zu19fIH/ KAWp+S2JGwokYmicK6WhGlSloD7hxXEFy4lXLTUEBjlEmkDyMtaHHsi1V2t5gLxO X9QQXpmza+d0EJWxaA0hHlLhrlEnaEjJlp/HDtoyUi9JjjnI0lcJ6gdYRaRLzZlp +9i0THRE2NNdf3R2FWJMK7km7Y0brDaDBp1j/wIcUq4x5nJr0ki2EBLswgMiqEOQ mKJmukpOuwcclkhjCGPNWkXsOYDxbZEASpQflVNLuYDpGKhmtwwJpXW/F+4iaDBn dJB8ivI78P/eCI8pcGeCzlrvhQN4Ipl0P7uhkH+5Vt3Axl3nqnJYr6q2HDdvPOuR bkNzRE4ivisQvV2e6gXz+WUUplg4zvnu0Tj9t1RT8ZqibFrTgu6VD87M+ij/P6Cp zOfjIMJPwMMjUo5GWqzQhOWsPkvAHv4PDTdRXYfGewAXiQGo1Wex250HLxviy3oP 4a5bpfp5/qCaWUVudviLr4+euCfQxzx4vTc0MkGtzNeFEBdVdKC79PWhSOt6YO1k O273dK5hw1nlOtgv4CfPWNG5xfB1JbI2x7pWzfAhfQNuK+8RVZlYIHUekDEv -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIILPTCCBzegAwIBAgIJANLmE/0/qNS+MA0GCSqGSIb3DQEBDQUAMIG+MQswCQYD VQQGEwJVUzEQMA4GA1UECAwHRmxvcmlkYTEaMBgGA1UEBwwRQWx0YW1vbnRlIFNw cmluZ3MxGDAWBgNVBAoMD0xpYnJhcnkgb2YgQ29kZTEeMBwGA1UECwwVQ2VydGlm aWNhdGUgQXV0aG9yaXR5MSMwIQYDVQQDDBpMaWJyYXJ5IG9mIENvZGUgQ0EgUm9v dCBBMjEiMCAGCSqGSIb3DQEJARYTY2FAbGlicmFyeW9mY29kZS51czAeFw0xOTAy MDUwMjU4MDZaFw00NzExMDUwMjU4MDZaMIG+MQswCQYDVQQGEwJVUzEQMA4GA1UE CAwHRmxvcmlkYTEaMBgGA1UEBwwRQWx0YW1vbnRlIFNwcmluZ3MxGDAWBgNVBAoM D0xpYnJhcnkgb2YgQ29kZTEeMBwGA1UECwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5 MSMwIQYDVQQDDBpMaWJyYXJ5IG9mIENvZGUgQ0EgUm9vdCBBMjEiMCAGCSqGSIb3 DQEJARYTY2FAbGlicmFyeW9mY29kZS51czCCBBAwDQYJKoZIhvcNAQEBBQADggP9 ADCCA/gCggPvAN8fp36I55LfYP9IITs9+RV0XYjy7T/A0nxMqSYe8XkqG+BpQMp7 SrasumxCT+RtDW2tzTjJEkqH/DlFEUeWweAE9X196bnqIODf9ISmL1bWvMNsoQjb qvyOR/CB5CF32e9x3OEfr5mvjI+IecwT+GgoPgyOIolkReJJS2dOiiWq+CZxu5ir YTENXq9vJWwzMi/vF1kVHOpqPK9+XVkUYNjxXiSe0kqvmW64dqHhT7XIM7dJAEmf 9bGZFvAEr2YZhZ1vywBwwLdJSr5JsDtPY/7Pvp5xaOM3/HNXw6Jkwl+o9tarvfix EFaMRG7PCFL59teCHxOSbrCuL3NPOsAz1ECTctO4j79J9ZmzEziCOnRTMK5bN9OF vnJcTIASKXf/Y20AnULOn0c/mh/3cyBYMIH1ettVi04yuD9W7GrVVHuEI6DXzf+f f8tvsSiBFeIkjYGysY+Nb/UYba6oTA1AYWqd/PYpw6Z2AQKi+vhxyBT3H4mK7JUp Jo42CZUggkuNRPMozUb7/WB82cr43zr9LsnrDR+JjFLvSp5JtNs3QcYGbKrvFn/h J2Hl9kbjQU8mEhzyf3dM8pwGa60qzwPRVKWnFNOrbIxWYuF64lDsxti9tsUv73CF hxwdrJOEaRbROjSVRYWaZpXYCLkxgA5WuqJubrXwciwek2HN6gNilho1vDAyvkx1 bNX4k7uF2J2bH5pL9akJCywlx1yhto4FjMmOtB2C57++TeOYJJHFEFn3ErjidVYZ ZaFsrbVWg/AtFwCmf1W6oTrlG/wxjYbc8mm18NVKtf7ySTuEmd2NdWEn4jQsbXba WRbnnzRphstwV1aUuSB1HVAxTJnNYE+5g3YJRLMh2TW8xn94tY+Ai19kq7OB+I0Z 6IdXCKrbz9u+yFetGY0U5a52GOEQtoEHxSTkk6eChWpRT6ByRqxdWKRd7YOxoPeQ NCQL7avjSmSxinuBRBar9WBoE//KXmptKbSoH0+xtEaDPqbdqeTqZmb8SHF5pWRU HWRo8nzJgjRi/NpPR+WtEf8/YrjCgOTw+njoBN0mIQAcx83XeFC7C9xDsfzJeHae RdZr5SyyZ4Rng4d0k1rKRD04QqCSG48NZH5QASIJ0B6hHNv5UVq3dnPhj5KV+J73 dQH32/d237odKL7otWx1r8cSrPYGf30h8fDlcGhm9ecTNjHXELN/Aw40LH5UH6GK ib6AHUtpUq3HwIOJDs7Wg3PTvSFfmCP2EklPqYcVkvKDkwiprrQTeUokvDNVt4hN /MaVWaOIUwUk624X8mnK0o/3mi2akup3Wr0032bMla080VKHuvW5nOV01oQO/OJc yB1j50ZtfG0CAwEAAaOCAV4wggFaMB0GA1UdDgQWBBSls/azTyDTm+APRwVVD0Wf lLPzYzAfBgNVHSMEGDAWgBSls/azTyDTm+APRwVVD0WflLPzYzAPBgNVHRMBAf8E BTADAQH/MA4GA1UdDwEB/wQEAwIBvjBzBgNVHSUEbDBqBggrBgEFBQcDAQYIKwYB BQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBggr BgEFBQcDEQYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDATA7Bglg hkgBhvhCAQQELhYsaHR0cHM6Ly9jZG4ubGlicmFyeW9mY29kZS51cy9yb290LWEy LmNybC5wZW0wRQYJYIZIAYb4QgEIBDgWNmh0dHBzOi8vY2RuLmxpYnJhcnlvZmNv ZGUudXMvbWlycm9yL3BhZ2VzL2NlcnRpZmljYXRlczANBgkqhkiG9w0BAQ0FAAOC A+8AQRB5R5u0uAo4RmBZsMOFWdpYEi8swGrx84yk3qQ2VZHCQ8w0vWummXgHmCps lDN2DMxo10+nTrHBNZaYSPAhkk51A4X9/G1EYejyvCRVxJXuqBv2nZF6XHTpmTiQ LC8Ms5uL2Ntbf7hS3X4g84S1Rx5LlofIkrFd4InTRmNW4/D8h4rRQGpYZHtv7IpA WWQRg7V5VpgH3QuH/I80BolVRiH4uqyJnmC3Hh/+gQk1McLDsJk8/ag1t6IGJ3eD bg7kG3gyEWp+Z+VPF8s0i+GamK9Ga+V4k2ysRYy0SJ6tXOXS4ymGogLMVfLqOAzB jIvQVoekD6r+KovUE0Q73LUaqcVLU3yBTgJlx3Qf8/VfpA6T5gw08+uaPk9nXFCj gvzieMMxHI3HuJ1AMvMdqxhdi4PLfAcIsVcm/mDwodChzKuwbJNAUGIipckGBhGl McPsRME2JgHoAHsMITTL61iw4pMJB9bCqsEW24mnBrSm9mTGtp/5SOuV9Lm01IQP OFqqU9kQ8/A5zis8rN71ID3XQI8NFu6iZCqn+N5YZITDLfEgUsJuuL7HOkO1w2IP XqQ5tc6LAM2tx5TnS5otg6L+TdwkW1XEJpJTmFRuTQz7LTGE9pa2ZFeQKxtLkaAG ImbTJP0YsX71BOoJNqB8dUnNgugJABkxyk8TZvnnYIaY9FAk06q5rKRE8yQu4WUY kZkUuUdzziU+Wzqb8oBxlUF44Z9mVh3FyT8584A25X6nx6Lh8LxBv6xEJZFubCV1 PTWAMn0SavVQi6+TiK8SUHtGZPofSNYFMxdrwlfZvMn4eNfyG8Teol5r0bWnWNAM fjWCTS04/2G+sC0PV0yHytbAg2zIxhUXbKerOQSR4hf+dWl2X+ffk2zn4b22Itoj iPjXVXr0YrRiJwRzXfXpzoSpC/LoXNIzN++SysiibYgAhg12wW4tus0i3S4ygR5A ekwUKdSCRp8WGBX0Cize6rYA/Mag2dmosRKfX9UZHsHRBSoF1xCy6CIi6JlLlWvc DSbJRs0sDaablVMUmI2JUzXlL2cE0uf0/Ld05uDOApNSYD0uYSNVZEzKwp7xQeqv gQeFjlWeRWltqTgBzdVyH4qfjL0yKxYrF6zOF7SiS/XZZesI4X2xgA8b+dmsIOwF 3/mIdtweMou8Ffb6QFWfLj5GKeXyw2TM16adOzwGnMDz0d6G9318pFyiVQsA7xbl XxzFjIsq7vG/0DibOGA15vAcvmJ9XhEvf5ycA9+Jh7pmrN2Owi0Ym6DjCHcai1/T bqxau677dpfM6vVTqKw1TBWlR6xTLpFQ+EEbxUFEI7PAgfD4E/YAFLsfkfvSLpKo iw== -----END CERTIFICATE-----

[bnoordhuis]

I'm not sure it's the cause but the chain's certificates have really unusual public key sizes: 5024, 7072 and 8048 bits.

The first chain certificate and the server's certificate have the same serial number but that probably doesn't matter because they have different issuers.

What did openssl s_client print?

[matthew119427]

@bnoordhuis Basically says "cannot verify"

[matthew119427]

This is with certificates from my own CA authority, but I've tried it with certificates from Sectigo (Comodo CA) and it still does the same thing.

[gireeshpunathil]

@dutchvanderlinde - was this progressed further / resolved?

[matthew119427]

Never really got a clear answer or conclusion to my issue, was never fixed but just ended up using Nginx as a replacement.

[preveen-stack]

is anybody having update on this issue; is it addressed in the current version of the nodejs

[ForbiddenEra]

is anybody having update on this issue; is it addressed in the current version of the nodejs

Look at SNICallback + TLS context

[RedYetiDev]

@matthew119427 Do you still need help or can this be closed?