Logo
Skip to main content
Development
9 min read

Expressjs Error: SSL Certificate Error

D

Divya Mahi

July 12, 2024 · Updated July 12, 2024

Expressjs Error_ SSL Certificate Error

Navigating Express.js SSL Certificate Errors: Solutions and Best Practices

Introduction

Deploying Express.js applications with SSL (Secure Sockets Layer) is essential for securing data transmission, especially in production environments handling sensitive information. However, developers often encounter SSL certificate errors, which can stem from misconfigured certificates, issues with certificate authorities, or client-server handshake failures. This blog post aims to demystify SSL certificate errors in Express.js, offering targeted solutions and preventive measures.

const https = require('https');
const fs = require('fs');
const express = require('express');
const app = express();

// ✅ Use valid SSL certificates
const options = {
  key: fs.readFileSync('/etc/letsencrypt/live/domain.com/privkey.pem'),
  cert: fs.readFileSync('/etc/letsencrypt/live/domain.com/fullchain.pem')
};

https.createServer(options, app).listen(443, () => {
  console.log('HTTPS server running on port 443');
});

// ✅ Auto-renew with Let's Encrypt
// certbot certonly --webroot -w /var/www/html -d domain.com
// Add cron: 0 12 * * * certbot renew --quiet

// ✅ For development, use HTTP
app.listen(3000, () => {
  console.log('Dev server on http://localhost:3000');
});

// ✅ Use a reverse proxy (nginx) to handle SSL
// nginx handles SSL termination
// Express only listens on HTTP internally

Understanding the Error

SSL certificate errors in Express.js typically indicate problems with the SSL/TLS setup, where the server presents a certificate that the client (usually a web browser) cannot trust or verify. These errors can prevent users from accessing your application and compromise data security.

const https = require('https');
const express = require('express');
const app = express();

// SSL certificate is invalid, self-signed, or expired
https.createServer(app).listen(443);
// Error: SSL Certificate Error

Diving Deeper

SSL certificate errors can range from expired certificates and name mismatches to untrusted certificate authorities. Addressing these errors is crucial for maintaining user trust and application security.

Common Scenarios and Fixes with Example Code Snippets

Scenario 1: Expired SSL Certificate

Problematic Code: Running an Express.js server with an SSL certificate that has passed its expiration date.

const https = require('https');
const fs = require('fs');
const express = require('express');
const app = express();

const options = {
  key: fs.readFileSync('expired-key.pem'),
  cert: fs.readFileSync('expired-cert.pem')
};

https.createServer(options, app).listen(443);

Explanation: Browsers and clients will reject connections to servers with expired SSL certificates, leading to certificate errors.

Solution: Renew the SSL certificate and update the server configuration with the new certificate files.

const https = require('https');
const fs = require('fs');
const express = require('express');
const app = express();

// Use renewed certificate
const options = {
  key: fs.readFileSync('server-key.pem'),
  cert: fs.readFileSync('server-cert.pem'),
  ca: fs.readFileSync('ca-bundle.pem')
};

https.createServer(options, app).listen(443, () => {
  console.log('HTTPS server running with valid certificate');
});

Explanation: Renewing and configuring the server with a valid, unexpired SSL certificate resolves connection issues related to certificate expiration.

Scenario 2: Self-Signed Certificates in Production

Problematic Code: Using a self-signed SSL certificate for a production Express.js application.

const https = require('https');
const express = require('express');
const app = express();

// Self-signed cert — browsers will reject it
const options = {
  key: fs.readFileSync('self-signed-key.pem'),
  cert: fs.readFileSync('self-signed-cert.pem')
};

https.createServer(options, app).listen(443);

Explanation: While self-signed certificates can be useful for development, they are not trusted by default in production environments, leading to certificate errors in browsers.

Solution: Obtain a certificate from a trusted Certificate Authority (CA) and update the server configuration.

const https = require('https');
const express = require('express');
const app = express();

// Use a proper CA-signed certificate (e.g., Let's Encrypt)
// Install certbot: sudo certbot certonly --standalone -d yourdomain.com
const options = {
  key: fs.readFileSync('/etc/letsencrypt/live/yourdomain.com/privkey.pem'),
  cert: fs.readFileSync('/etc/letsencrypt/live/yourdomain.com/fullchain.pem')
};

https.createServer(options, app).listen(443, () => {
  console.log('HTTPS server with CA-signed certificate');
});

Explanation: Using a certificate issued by a trusted CA ensures that clients and browsers can establish a secure connection without certificate errors.

Scenario 3: Incorrect Certificate Configuration

Problematic Code: Misconfiguration of SSL certificate and key files, or using a certificate that doesn't match the domain name.

const options = {
  key: fs.readFileSync('server.key'),
  cert: fs.readFileSync('wrong-cert.pem') // Cert doesn't match key
};

https.createServer(options, app).listen(443);

Explanation: An incorrect SSL setup, such as a domain name mismatch or improper chaining of certificates, can lead to SSL errors.

Solution: Ensure the certificate matches the domain and is properly chained with intermediate certificates if necessary.

const options = {
  key: fs.readFileSync('server.key'),
  cert: fs.readFileSync('server.crt') // Must match the private key
};

// Verify key and cert match:
// openssl x509 -noout -modulus -in server.crt | openssl md5
// openssl rsa -noout -modulus -in server.key | openssl md5
// Both MD5 hashes should be identical

https.createServer(options, app).listen(443);

Explanation: Correctly configuring SSL certificates, including intermediate certificates, eliminates most misconfiguration-related SSL errors.

Scenario 4: Untrusted Certificate Authority

Problematic Code: The SSL certificate is issued by a Certificate Authority not trusted by the client's browser or system.

const axios = require('axios');

// Requesting from a server with untrusted CA
axios.get('https://internal-server.company.com/api')
  .then(res => console.log(res.data));
// Error: unable to verify the first certificate

Explanation: Certificates from untrusted CAs will cause browsers to show security warnings or block access to the site.

Solution: Switch to a certificate issued by a widely recognized and trusted CA.

const axios = require('axios');
const https = require('https');
const fs = require('fs');

// Add the internal CA to trusted certificates
const agent = new https.Agent({
  ca: fs.readFileSync('internal-ca.pem')
});

axios.get('https://internal-server.company.com/api', { httpsAgent: agent })
  .then(res => console.log(res.data))
  .catch(err => console.error('SSL Error:', err.message));

Explanation: A trusted CA-issued certificate ensures broad compatibility and trust with clients and browsers, preventing SSL trust errors.

Scenario 5: Incomplete Certificate Chain

Problematic Code: The server is configured with an SSL certificate without the necessary intermediate certificates, leading to chain errors.

const options = {
  key: fs.readFileSync('server.key'),
  cert: fs.readFileSync('server.crt')
  // Missing intermediate certificate
};

https.createServer(options, app).listen(443);

Explanation: Clients might not trust the server's certificate if the intermediate certificates linking it to a trusted root CA are not included, resulting in SSL errors.

Solution: Include all intermediate certificates in the server configuration to complete the certificate chain.

const options = {
  key: fs.readFileSync('server.key'),
  cert: fs.readFileSync('server.crt'),
  ca: [
    fs.readFileSync('intermediate.crt'),
    fs.readFileSync('root-ca.crt')
  ]
};

// Or concatenate certs into fullchain.pem:
// cat server.crt intermediate.crt root-ca.crt > fullchain.pem

https.createServer(options, app).listen(443);

Explanation: Providing the complete certificate chain, including intermediate certificates, ensures clients can verify the server's certificate against a trusted root CA, resolving chain errors.

Scenario 6: Mixed Content Issues

Problematic Code: An Express.js application served over HTTPS requests or includes resources (like images, scripts, or stylesheets) over HTTP.

// Express serving HTTPS but loading HTTP resources
app.get('/', (req, res) => {
  res.send(`
    <html>
      <head>
        <script src="http://cdn.example.com/script.js"></script>
      </head>
    </html>
  `);
  // Browser blocks mixed HTTP/HTTPS content
});

Explanation: Browsers block or warn about "mixed content" when secure pages include resources fetched over insecure HTTP, which can be perceived as an SSL-related error.

Solution: Ensure all resources requested by your application are served over HTTPS to prevent mixed content issues.

// Use protocol-relative or HTTPS URLs
app.get('/', (req, res) => {
  res.send(`
    <html>
      <head>
        <meta http-equiv="Content-Security-Policy"
              content="upgrade-insecure-requests">
        <script src="https://cdn.example.com/script.js"></script>
      </head>
    </html>
  `);
});

// Redirect HTTP to HTTPS
app.use((req, res, next) => {
  if (!req.secure) {
    return res.redirect('https://' + req.headers.host + req.url);
  }
  next();
});

Explanation: Serving all content over HTTPS, including external resources, eliminates mixed content warnings and enhances the security of your application.

Scenario 7: CORS Policy Blocking HTTPS Requests

Problematic Code: Cross-Origin Resource Sharing (CORS) policies that block HTTPS requests from different origins.

const express = require('express');
const app = express();

// No CORS configuration — HTTPS cross-origin requests blocked
app.get('/api/data', (req, res) => {
  res.json({ data: 'sensitive' });
});

Explanation: Incorrectly configured CORS policies can block requests to your Express.js application over HTTPS, leading to what may seem like SSL certificate errors.

Solution: Configure CORS policies in your Express.js application to allow HTTPS requests from trusted origins.

const express = require('express');
const cors = require('cors');
const app = express();

app.use(cors({
  origin: ['https://yourdomain.com', 'https://app.yourdomain.com'],
  methods: ['GET', 'POST'],
  credentials: true
}));

app.get('/api/data', (req, res) => {
  res.json({ data: 'sensitive' });
});

Explanation: Properly configured CORS policies ensure that legitimate HTTPS requests from trusted origins are not blocked, mitigating issues that could be mistaken for SSL errors.

Scenario 8: Server Name Indication (SNI) Mismatch

Problematic Code: The server is configured with multiple SSL certificates without properly handling Server Name Indication (SNI), leading to certificate mismatches.

// Certificate is for 'example.com' but server accessed via 'api.example.com'
const options = {
  key: fs.readFileSync('example.com.key'),
  cert: fs.readFileSync('example.com.crt')
};

// Clients accessing api.example.com get SNI mismatch error
https.createServer(options, app).listen(443);

Explanation: Without proper SNI configuration, the server might present the wrong SSL certificate for a given domain, causing SSL errors.

Solution: Use SNI to serve the correct certificate based on the hostname requested by the client.

const tls = require('tls');

// Use SNI callback for multiple domains
const options = {
  SNICallback: (servername, cb) => {
    const ctx = tls.createSecureContext({
      key: fs.readFileSync(servername + '.key'),
      cert: fs.readFileSync(servername + '.crt')
    });
    cb(null, ctx);
  }
};

// Or use a wildcard certificate for *.example.com
const wildcardOptions = {
  key: fs.readFileSync('wildcard.example.com.key'),
  cert: fs.readFileSync('wildcard.example.com.crt')
};

https.createServer(wildcardOptions, app).listen(443);

Explanation: Implementing SNI allows the server to select the appropriate SSL certificate based on the requested hostname, ensuring the correct certificate is used and preventing mismatches.

Strategies to Prevent Errors

Regular Certificate Renewal: Keep track of certificate expiration dates and renew certificates well in advance to prevent downtime.

Use Trusted CAs: Obtain SSL certificates from reputable, widely-recognized Certificate Authorities to ensure client trust.

Automate Certificate Management: Consider using tools like Let's Encrypt with automated tools (e.g., Certbot) for hassle-free certificate issuance and renewal.

Thorough Testing: Regularly test your SSL configuration using tools like SSL Labs' SSL Test to identify and rectify potential issues.

Best Practices

Redirect HTTP to HTTPS: Implement redirects from HTTP to HTTPS endpoints in Express.js to ensure all traffic is encrypted.

HSTS Headers: Use HTTP Strict Transport Security (HSTS) headers to instruct browsers to only use secure connections, enhancing security.

Monitoring and Alerts: Set up monitoring and alerting for SSL certificate validity and configuration to proactively address potential issues.

Conclusion

SSL certificate errors in Express.js can undermine the security and credibility of your applications. By understanding common pitfalls, applying targeted fixes, and adhering to best practices in SSL certificate management, developers can ensure secure, encrypted connections for their users, fostering a secure and trustworthy application environment.

Development
D

Written by

Divya Mahi

Building innovative digital solutions at Poulima InfoTech. We specialize in web & mobile app development using React, Next.js, Flutter, and AI technologies.

Ready to Build Your Next Project?

Transform your ideas into reality with our expert development team. Let's discuss your vision.

Get a Free QuoteView Our Work

Continue Reading

Related Articles

AI and machine learning technology transforming business operations

February 18, 2026

How AI Is Transforming Business Operations in 2026: A Complete Guide

Artificial Intelligence is no longer a futuristic concept — it is the driving engine behind the most successful businesses in 2026. From automating repetitive tasks to making data-driven decisions in

JavaScript code on screen representing Next.js and React development

February 15, 2026

Next.js vs React in 2026: Which One Should You Choose for Your Project?

Choosing the right frontend framework is one of the most critical decisions for any web project. In 2026, the debate between Next.js and React continues to evolve as both technologies mature. This com

Mobile app development on smartphone screens

February 12, 2026

How Much Does It Cost to Build a Mobile App in 2026? Complete Pricing Guide

One of the most common questions we receive at Poulima InfoTech is: "How much does it cost to build a mobile app?" The answer depends on numerous factors, but this comprehensive guide will give you a

View All Articles