HTTPS with an external certificate

Hello.

I am testing the https of node red.

I followed the instructions to implement a self-signed certificate. Worked so far.
I created the key.pem and the cert.pem and added the path in my settings.js.

But now I have this ugly "self cert" problem: my browser reminds me, when I first visit my dashboard, that it's not secure and so on.

Is there a way to change that?

Thank you

edit: I own a URL. There I can request a cert. But can I use this cert to solve my problem?

You can create a Certificate Authority, sign this "ugly" certificate and update the CA certificates in your browser, and it will avoid the browser error.

Or, if you want to, use LetsEncrypt.

Thank you for your answer.

But will the problem not remain when someone else logs in (from another browser)?

I would want a solution where everyone can visit the dashboard without the warning from the browser, with a "normal" secure look like a regular homepage.

I hope it is clear what I mean.

Best regards

There are two ways to fix the issue:

  1. Distribute your trusted root cert to all browsers and systems that need it
  2. Get a certificate signed by a pre-trusted root authority.

#2 is, these days, much easier than #1. However, you need a DNS (sub)domain. With that, you can use the free Let's Encrypt service. To use it, you either need a DNS that you (or your IT dept.) have control over (to add a TXT record to), or you need to open a port 80 connection to the server that will be managing the certificate updates.

Thank you for the answer.

If I understand your point 2 correctly, I already tried it. I am the owner of a URL, let's say example.com. From this I created a subdomain, let's say nodered.example.com (TXT record). This subdomain is SSL secured and points to the IP of my VM where Node-RED is running.

Problem right now: I can only point to the IP and not to ports.

Not sure I understand. This was not your original question was it?

What do you mean by "point to the IP"? With what, how? You shouldn't need to deal with the IP address except in your DNS entry, with the exception that you might have some edge security which NATs external to internal addresses. But again, that is simply a router or firewall config.

Access to ports is also controlled via your router/firewall, but you can also use a proxy server to hide ports using port mapping (typically your proxy takes a request on port 443 and redirects it to the internal address and port).

If you want to expose the Node-RED dashboard to the outside world over an HTTPS connection, and you already own a domain, you can use the method explained in this post:

The Cloudflare account that allows you to do this is free (even if your registrar is not Cloudflare).

I apologize if my previous question was not specific enough. Allow me to explain my issue once again:

I currently have a Linux virtual machine (VM) on which my Node-RED instance is running to control my pump. The instance can be accessed via the following example URL: http://10.122.xx.xx:1880/ui. Initially, it was only accessible via HTTP.

Subsequently, I attempted to implement a self-signed SSL certificate by following this guide: https://stevesnoderedguide.com/securing-node-red-ssl. As a result, anyone (including myself) attempting to visit the instance now needs to use HTTPS.

However, all web browsers perceive the site as a potential security risk, requiring me to click through various warnings and accept the associated risks. I am seeking a solution to eliminate these warnings.

I own a domain name, let's say "test.industries," and through my hosting provider, I can configure DNS management settings for this domain. Here lies the problem: I can create a DNS record for, let's say, "nodered.test.industries" (secured with SSL), which points to the IP address of my VM (10.122.xx.xx). However, I encounter an issue where I can only specify the IP address of my VM and not the ":1880/ui" part. Consequently, the IP address (10.122.xx.xx) is SSL secured, but the specific endpoint (10.122.xx.xx:1880/ui) is not.

I apologize if my questions appear foolish; I genuinely strive to resolve this matter.

Thank you for your understanding and best regards.

No need, there are no foolish questions, only foolish answers :slight_smile:

To use a TLS certificate that is recognised by browsers with any service, you need to be using a domain NAME and not an IP ADDRESS. So you have obtained a certificate but now you need to make sure that everyone can reference the endpoints using a name. While your external DNS provider does this for public use, that does not help for local private use.

You typically have a couple of ways to enable a public DNS name to be used internally - and remember, the internal use needs to direct to the internal IP whereas the public DNS points to a public IP.

You may be able to set up your router to provide this service. You would need to make sure all end-user devices use the router as their DNS "provider" though. In my case, I have a Ubiquiti EdgeRouter Lite which allows something called "Hairpin NAT", which allows its built-in DNS service to recognise an internal IP when using a name internally. Various routers may call that slightly differently, but that is basically the approach.

The other alternative would be to manually configure every user's device using the HOSTS file (I don't think that will work on mobile devices though). There are plenty of articles describing how to do that, so I won't repeat it here.

For other people reading this thread who haven't obtained a certificate, I found this site which is interesting, as they've created a shared certificate for anyone to use. Obviously it should only ever be used for testing, as it certainly isn't secure, but it could be useful.

Upinel/localhost.direct: localhost with public CA signed SSL certificate (github.com)
