Someone had opened up an issue in greenlock-express.js and referenced this post, so I'll include the way to do this with *Greenlock for Let's Encrypt* here as well:
Use Greenlock.js for Dynamic SSL Certificates
====
Greenlock does exactly what you need, but bakes in security and convenience.
* Dynamic loading of tls certificates using a structured directory path
* Automated SSL certificate issuance and renewal via Let's Encrypt v2
* Protects against SNI and Host attacks, and domain fronting.
### Install
```bash
npm install --save greenlock-express
```
### Use Let's Encrypt via Greenlock
```js
require("greenlock-express")
    .init(function getConfig() {
        return { package: require("./package.json") };
    })
    .serve(httpsWorker);

function httpsWorker(server) {
    // Works with any Node app (Express, etc)
    var app = require("./my-express-app.js");

    // See, all normal stuff here
    app.get("/hello", function(req, res) {
        res.end("Hello, Encrypted World!");
    });

    // Serves on 80 and 443
    // Gets SSL certificates magically!
    server.serveApp(app);
}
```
### Documentation
* HTTP / Express Docs: <https://git.coolaj86.com/coolaj86/greenlock-express.js>.
* API Integration / TCP Docs: <https://git.coolaj86.com/coolaj86/greenlock.js>.
* Screencast Series: Greenlock for node.js: QuickStart, Config, and Security

The video section specifically pertaining to configuration for dynamic domain loading: 2:26 Greenlock for node.js Part 2: Configuration
Important Side Note: Security Considerations
====
Greenlock already mitigates these security issues, but if you're implementing by hand there are some things you should know to stay safe:
In particular, it's *really* important to be aware that you can make yourself vulnerable to SQL injection and/or timing attacks when you are dynamically loading SSL certs with code you write yourself.

Though you expect valid bytes like `example.com` to come through node's `tls.SNICallback(sni, cb)` and `req.socket.servername`, you can actually get a visit from `Robert'); DROP TABLE Students;` (or little Bobby Tables, as we like to call him).
If you're interested in seeing how that exploit could work, I've documented it here in Greenlock for node.js Part 3: Security Concerns and in <https://github.com/nodejs/node/issues/22389>.
You can also become vulnerable to Domain Fronting, which is a fairly low-risk attack/side-channel, but is important to know and understand.