Best place to keep certs ubuntu - fresh install of node red v3

Hello all! I'm in the process of installing node-red and have run the script found here: Running on Raspberry Pi : Node-RED The next step is Securing Node-Red (Securing Node-RED : Node-RED ). In order to do so, I started watching a tutorial ( Secure Node-Red with SSL,Username and Password Secure Node-Red with SSL,Username and Password - YouTube ) and am wondering where the best place to keep certs in Ubuntu 22.04 is. Thank you all in advance for your time.

Somewhat depends on what you intend to do with the system, whether it is exposed to the internet and how valuable the system and its data are.

In general, if you insist on getting node-red to handle TLS, the best place is anywhere where the user id running node-red has read-only access.

Much better though is to use a reverse proxy to handle the TLS termination; then node-red doesn't need any access at all. Which, as long as you put the two files (key and certificate) where node-red can't get to them, will prevent any flows from messing with them.

Handling TLS for high-value systems and data requires a lot more care however and you should always employ an expert if not to design the system, at least to do penetration and other security testing on it.

2 Likes
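Added example, not code from this thread or from the Node-RED project: a small POSIX shell check for the "read-only access" placement described in the reply above, for the case where Node-RED itself terminates TLS. It verifies that the key and certificate are not writable by group or world, that the key is not world-readable, that the directory holding them is not writable by others, and that the files are not owned by the Node-RED service account (an owner can always chmod a file back). It assumes GNU coreutils `stat` as on Ubuntu; the service account name `nodered` and the path `/etc/node-red/tls` are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check that a TLS key/cert pair lives
# where the Node-RED account can read it but never modify it.
# Assumptions: GNU coreutils `stat` (Ubuntu); "nodered" and /etc/node-red/tls
# are placeholder names.

# Last two octal digits (group, other) must not contain a write bit (2,3,6,7).
no_group_other_write() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$(printf '%s' "$mode" | tail -c 2)" in
        *[2367]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The "other" digit must not carry a read bit (4,5,6,7): private keys are not public.
not_world_readable() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$(printf '%s' "$mode" | tail -c 1)" in
        [4567]) return 1 ;;
        *) return 0 ;;
    esac
}

# The owner can chmod the file writable again, so the Node-RED account must not own it.
not_owned_by() {
    [ "$(stat -c '%U' "$1")" != "$2" ]
}

# check_tls_files KEY CERT NODERED_USER
# Returns 0 when every check passes, 1 otherwise; each failure is reported.
check_tls_files() {
    key=$1; cert=$2; user=$3; rc=0
    for f in "$key" "$cert"; do
        no_group_other_write "$f" || { echo "FAIL: $f is group/world writable"; rc=1; }
        not_owned_by "$f" "$user"  || { echo "FAIL: $f is owned by $user"; rc=1; }
    done
    not_world_readable "$key"      || { echo "FAIL: $key is world-readable"; rc=1; }
    no_group_other_write "$(dirname "$key")" || { echo "FAIL: directory of $key is group/world writable"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $key and $cert look safe for user $user"
    return "$rc"
}

# Demonstration on a scratch directory (no root needed). On a real system the
# placement would be done by root, for example:
#   install -d -o root -g nodered -m 750 /etc/node-red/tls
#   install -o root -g nodered -m 640 privkey.pem   /etc/node-red/tls/
#   install -o root -g nodered -m 644 fullchain.pem /etc/node-red/tls/
demo() {
    d=$(mktemp -d)
    echo "constructed placeholder, not a real key" > "$d/privkey.pem"
    echo "constructed placeholder, not a real cert" > "$d/fullchain.pem"
    chmod 750 "$d"; chmod 640 "$d/privkey.pem"; chmod 644 "$d/fullchain.pem"
    check_tls_files "$d/privkey.pem" "$d/fullchain.pem" nodered
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo
```

With the reverse-proxy layout from the reply, the same script still applies, only with the proxy's account (for example `www-data`) passed as the reader and the Node-RED account checked against ownership and group membership separately.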

@TotallyInformation Julian I appreciate your insight. This system will be used in an apartment that I'll be (tentatively) renting to AirBnB guests. I won't be living on site, so I'm thinking it MIGHT be nice to monitor the system remotely. However, if it's going to be super costly/pose security risks, it may not be worth it. The main function of the system will be to control a hot water recirculation pump. In theory a collection of 3 motion sensors will be used to activate the pump and shut it off 30 minutes after the last motion is detected.

Also, I've been reading your articles: Safely accessing Node-RED over the Internet as well as Dashboard suddenly asks for password (Hacked Node-RED servers) and now I'm wondering, how do I verify that my device is not currently exposed to the internet. :grimacing: Thank you in advance!

Check in your modem/router whether there are any ports forwarded to your devices. If you have not done that then they won't be.

1 Like
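Added example, not from this thread: a local complement to checking the router for port forwards. Even with no forward in place, it is useful to know which services on the Pi listen on all interfaces (reachable from the LAN or a guest Wi-Fi) versus loopback only, since "server now running at http://127.0.0.1:1880" means Node-RED is bound to loopback. The awk filter below parses `ss -tlnp` output; the sample lines are constructed, with Node-RED on 127.0.0.1:1880 as in the later post, and the process names and PIDs are made up.

```shell
#!/bin/sh
# Added example (not from the thread): list TCP listeners that are NOT bound
# to loopback, from `ss -tlnp` output. Assumes iproute2 `ss` and a POSIX awk
# (mawk or gawk on Ubuntu). The sample below is constructed.

# Constructed sample of `ss -H -tlnp` output (-H suppresses the header).
SAMPLE='LISTEN 0 511 127.0.0.1:1880 0.0.0.0:* users:(("node-red",pid=1234,fd=20))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=700,fd=4))
LISTEN 0 4096 192.168.1.20:1883 0.0.0.0:* users:(("mosquitto",pid=900,fd=5))
LISTEN 0 511 [::1]:1880 [::]:* users:(("node-red",pid=1234,fd=21))'

# non_loopback_listeners < ss-output
# Prints "local_address process" for every listener whose address is not
# 127.0.0.1 or [::1]. A header line (if present) is skipped.
non_loopback_listeners() {
    awk '
    $1 != "LISTEN" { next }
    {
        addr = $4
        host = addr; sub(/:[^:]*$/, "", host)     # drop the ":port" suffix
        if (host == "127.0.0.1" || host == "[::1]") next
        proc = "?"
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print addr, proc
    }'
}

# Number of non-loopback listeners in the given ss output.
count_non_loopback() {
    printf '%s\n' "$1" | non_loopback_listeners | awk 'END { print NR }'
}

# Run against the constructed sample; prints three lines:
# 0.0.0.0:22 sshd / [::]:22 sshd / 192.168.1.20:1883 mosquitto
printf '%s\n' "$SAMPLE" | non_loopback_listeners

# On a real Ubuntu host, replace the sample with live data:
#   ss -H -tlnp | non_loopback_listeners
```

Anything listed is reachable by other devices on the same network, which on a rented apartment network includes guests unless the IoT devices sit on a separate VLAN or SSID.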

@Colin Thank you for your suggestion and it looks like I'm using a router that does not have port forwarding. It does show (in terminal) when I run node red "server now running at http://127.0.0.1:1880"

It almost certainly does, on routers supplied by ISPs it is often hidden away somewhere to reduce the likelihood that a user will mess it up. If you wanted to do it then google will probably tell you how for your router.

1 Like

@Colin Yes, I had googled it and it had shown that the T-mobile gateway doesn't support port forwarding. It uses CG-Nat - which apparently means that end users share IP addresses.

I would use one of the remote access tools such as Cloudflare Zero Trust, etc. If you look through the forum for internet access, you will find a number of choices which will all be good enough. What they give is a virtual network connection from your remote PC into your Pi without you needing to open a hole in your firewall.

Simple enough, for a "home" network, everything from the Internet will go through the router which is also the main firewall. So as long as there are no settings in the firewall that create a "hole" through to your Pi, you should be fine.

Of course, if you are also running WiFi, you really should move any IoT and monitoring stuff onto a separate VLAN (for wired) or separate SSID (for WiFi). Ideally the SSID for guests would not allow any access to your monitoring network. That is a little more complex to set up of course and somewhat depends on what router you have.

Ah, that is annoying. CG-Nat is a pain in the neck for a variety of reasons. Technically, it is still possible to port forward, it just doesn't help you with connections from the Internet.

So the good news is that your Pi won't be exposed.

However, also good news, things like Cloudflare Zero Trust and similar remote network tools will still work because you run a client on the Pi which creates the tunnel and so is an outbound connection which isn't impacted by CG-Nat (well, assuming T-Mobile haven't messed something else up). So if you ever need remote access to your monitoring, that is still possible.

Another thing a lot of us use for simple alerting is Telegram. There is a decent telegram bot node in the library which is relatively straightforward to use and once set up, you can easily send alerts from Node-RED and even allow inbound messages that you can use as local commands - for example to change the lights.

1 Like
