EDIT 20/05/2020: Since there was a lot of confusion about the name, this node has been renamed from node-red-contrib-acme-client to node-red-contrib-letsencrypt. So the links below won't work anymore. The new repository is available here.
A week ago I announced the alpha version of this node. I was completely stuck, but thanks to @VinistoisR and @TotallyInformation I realized that I should use a dns01 challenge instead of an https01 challenge, both for private and publicly accessible Node-RED systems. Thanks to their knowledge sharing, I managed to create this beta version. And that works much better!
CAUTION: like Vinistois has explained nicely in another discussion, it is much safer to use a reverse proxy in combination with containers (e.g. Docker). So I have also highlighted that in my readme page! And I have also added that LetsEncrypt certificates can be requested in all kinds of places outside of your Node-RED environment. So I would like to not discuss those alternatives here!
Instead, this node is for all our users who have a simple Node-RED setup (due to lack of time, limited technical knowledge, or whatever reason...). We should assist these users in adding minimal security to their Node-RED system. I hope that this node might be a first aid, since it allows users to request and renew trusted LetsEncrypt certificates simply by injecting a message.
How it works in a nutshell:
- Enter all your settings in the config screen (https - DNS provider - LetsEncrypt account).
- Inject a message every time you need to renew the certificate (which will be valid for 3 months).
- If everything went well, your Node-RED keystore should contain your renewed certificate.
If you want to test this beta version, please first make a temporary copy of your privkey.pem and cert.pem files. Just to make sure I don't corrupt your system.
Currently you will need to restart your Node-RED to activate the renewed certificate. I still need to finish my pull request proposal for automatic certificate renewal.
This node supports a number of DNS providers, but I have only tested DuckDns so far!
It would help a lot if anybody could test some of these other providers ...
I have added an introduction about security to my readme page, but now it has perhaps become too long to read. Should I move that part to my wiki pages?
Currently the privatekey.pem and cert.pem files should already exist; otherwise I give an error. But I could also:
- Create those pem files automatically when they don't exist yet.
- Only create them when a checkbox 'create non-existing pem files' is selected, e.g. in case you want to use existing pem files, and you want to get an error if they don't exist yet...
- Allow extra input messages with topics like "create_new_keypair", "renew_certificate", "create_new_key_file". Or is that perhaps too dangerous and too technical?
Not sure which way to go...
The logging should be updated a bit, because it contains a lot of blanks instead of values.
I need to add a troubleshooting section, e.g. use https://dnslookup.online/txt.html to check whether the (temporary) TXT record for ACME has been published by your DNS provider on your domain (where LetsEncrypt can search for its DNS validation token). For example:
As usual, all "constructive" feedback is more than welcome!!
Have fun with it!