
Node.js HTTPS reading SSL certificates

I have a node.js HTTPS server setup which is using the SSL certificate on the server to secure socket.io connections. While this setup works and communication between the client and server is successful, node must be run as root so that it can read the files because the certificate files are owned by root.

Is there a way of running node without using the sudo command?

My first thought was to change the owner of the certificate files to the user running the command. However, this does not seem to be secure.

Also, the permissions of the files could be changed to allow other users to read them; however, would this make the certificate files less secure?

Does the private key contained in your certificate files have/require a passphrase? If not, you might add one.

That way, you could make the certificate file be readable by anyone:

$ chmod 444 /path/to/server.pem

And anyone could read the public certificate/key from that file -- but they could do so from your HTTPS server as well, so no loss of security there. But no one could obtain the private key, since they wouldn't have the passphrase needed to decrypt it.

Then, in your Node.js code, you provide the passphrase, e.g.:

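const fs = require("fs");

const httpsOptions = {
  // The same PEM file holds the certificate and the encrypted private key
  cert: fs.readFileSync("/path/to/server.pem"),
  key: fs.readFileSync("/path/to/server.pem"),
  // Passphrase used to decrypt the private key
  passphrase: "PasswordHere",
  // ... (other options)
};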

You'd want to make sure that the passphrase isn't easy to read (e.g. from your Node.js source files) -- the security of your private key depends on that passphrase in this situation, rather than on filesystem permissions.

Hope this helps!
