Moving cred files from one env to other

Hi Nick,

This is in discussion to the suggestion in the post

We did the changes - and kept the cred file common across envs. Now the slave environments - fail on being able to decrypt the cred file.

Is there some key or something else which also should be kept common across environments ? I checked settings file but unable to find any such setting. So not sure.

If you had not set credentialSecret in your settings file, then Node-RED will have been displaying this warning every time it started up:


---------------------------------------------------------------------
Your flow credentials file is encrypted using a system-generated key.

If the system-generated key is lost for any reason, your credentials
file will not be recoverable, you will have to delete it and re-enter
your credentials.

You should set your own key using the 'credentialSecret' option in
your settings file. Node-RED will then re-encrypt your credentials
file using your chosen key the next time you deploy a change.
---------------------------------------------------------------------

If you have not yet set that key, then Node-RED will be using a system generated key. As the warning says, you should provide your own key via credentialSecret in the settings file, restart Node-RED, then deploy a change - that will cause it to reencrypt the credentials file using your key.

You can then copy the files to another device and as long as you have credentialSecret set, it will be able to read the file.

Noted. Will come back. Thanks Nick for the super prompt response.

Net-Net as i understoood crendentialSecret across all envs in my case needs to be same right ?

You need to use the same key on any device you want to decrypt the flows encrypted with that key.

Noted Nick. Once again Thank You.

Hi Nick,

  1. We checked this. One of colleagues is running his NR using projects with project credentials set up. He is able to export cred file and flows.json to all other envs (including the ones without projects) ... without any challanges. He doesnt have any credentialSecret. Nor he gets any messages. I specifcially checked if his flows run and Yes.

Does this make sense ?

  1. Also in our case NR GUI itself doesnt come up. NR keeps crashing with error messages in #4.

  2. We are running NR via. kubernetes. How can we set the SAFE mode. I checked online. Found this link

https://nodered.org/docs/getting-started/docker

Can i set NODE_RED_ENABLE_SAFE_MODE in the env. Will env read it from there ..against cmd line ?

#4) @Steve-Mcl ...

Adding you to this discussion .
Background :- Per the discussion for keeping MSSQL credentials - we stored {MY_USER} and {MY_PASS} in cred file and have moved it other env. Problem is NR doesnt even come up.
On startup - we see below MSSQL node errors by the process :-

14 Jun 05:44:38 - [info] [MSSQL-CN:APPNAME] Error connecting to server : xxxx-appname-pet-sqlsvr.database.windows.net, database : APPNAME_DB, port : 1433, user :
ConnectionError: Connection is closed.
at Request._query (/usr/src/node-red/node_modules/mssql/lib/base/request.js:497:37)
at Request._query (/usr/src/node-red/node_modules/mssql/lib/tedious/request.js:367:11)
at /usr/src/node-red/node_modules/mssql/lib/base/request.js:461:12
at new Promise ()
at Request.query (/usr/src/node-red/node_modules/mssql/lib/base/request.js:460:12)
at dynatraceRegularInvoke (/opt/dynatrace/oneagent/agent/bin/1.239.226.20220509-150249/any/nodejs/nodejsagent.js:2918:20)
at Object.b.safeInvoke (/opt/dynatrace/oneagent/agent/bin/1.239.226.20220509-150249/any/nodejs/nodejsagent.js:2990:41)
at Request.query (/opt/dynatrace/oneagent/agent/bin/1.239.226.20220509-150249/any/nodejs/nodejsagent.js:12178:15)
at connection.node.execSql (/usr/src/node-red/node_modules/node-red-contrib-mssql-plus/src/mssql.js:423:40)
at doSQL (/usr/src/node-red/node_modules/node-red-contrib-mssql-plus/src/mssql.js:779:25) {
code: 'ECONNCLOSED'

Will this result in NR crashing ?

Any luck on this ? Esp #1 ? So that we can at least bring the system up.

It depends. When you create a project, it asks if you want to encrypt credentials, and if so, what key to use. You don't have to set credentialSecret in your settings for for that - it is stored in project settings by the runtime.

Without know how they have set things up, it's hard to say what's happening.

It should be ${MY_USER}

Yes, if Node-RED finds the env var NODE_RED_ENABLE_SAFE_MODE set to a value (other than false) it will start in safe mode.

Noted. Thanks. Will continue checking once i get NR up.

I meant user and password are being stored as ${MY_USER} and ${MY_PASSWORD}

Great. Already set it up. That should at least get NR up.

Will update.

We managed to get NR up for few seconds. Then again the pod went down. We are in docker env via. kubernetes.

Below is the message on start up.

`16 Jun 04:51:44 - [warn]


Your flow credentials file is encrypted using a system-generated key.

If the system-generated key is lost for any reason, your credentials
file will not be recoverable, you will have to delete it and re-enter
your credentials.

You should set your own key using the 'credentialSecret' option in
your settings file. Node-RED will then re-encrypt your credentials
file using your chosen key the next time you deploy a change.

16 Jun 04:51:44 - [warn] Error loading credentials: SyntaxError: Unexpected token W in JSON at position 1
16 Jun 04:51:44 - [warn] Error loading flows: Error: Failed to decrypt credentials
16 Jun 04:51:44 - [info] *****************************************************************
16 Jun 04:51:44 - [info] Flows stopped in safe mode. Deploy to start.
16 Jun 04:51:44 - [info] *****************************************************************
`

The SyntaxError messges towards the end - not clear. I would assume it uses its own key so should be oik. Or i should ignore it?