Node-red dashboard and user certificate

I have my node-red secured with mutual TLS authentication, upon navigating to I am requested to present a user certificate and all works as expected. However, if I first navigate to the node-red powered dashboard at https://mydomain:1880/ui there is no prompt to request the user certificate and the screen remains blank, no errors are displayed. If I navigate to node-red control UI first (it asks for user cert), and then navigate to the dashboard URL it works fine.

My settings.js is something like this:

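    https: {
        ca: fs.readFileSync('ca-chain.crt.pem'),   // CA chain used to verify client certificates
        cert: fs.readFileSync('tld.crt.pem'),      // server certificate
        key: fs.readFileSync('private.key.pem'),   // server private key
        requestCert: true,                         // ask the client for a certificate
        rejectUnauthorized: true,                  // refuse clients without a valid one
    },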

Looking at the console output:

    /ui/ Connection error: net::ERR_SSL_CLIENT_AUTH_CERT_NEEDED

Any tips to get this to work properly e.g. upon navigating to /ui it should prompt for user certificate?

Interesting. Exactly the same applies to nginx as a proxy in front of my nodered docker stack, while nodered still runs (in the back) via http.

The same effect is observable for https in node, so I suspect the issue is more generic, probably not a "dashboard"-specific problem.
My guess is that https nodes do not respect the settings.js requestCert: true.

Hi Martin, it's good to see you here in the node-RED forum, it's been a while since I've heard from you (although I don't spend much time doing emoncms work now).

I hope you are going to sprinkle some of your programming magic here. :+1:

This seems to imply that the requestCert setting is also being applied to the Socket.IO connection but the client isn't configured to provide it?

As you may know, a websocket connection firstly happens over http (https in this case) and is then "upgraded" to ws(s).

There appear to be a couple of clues here:

Possibly needs a tweak to the Dashboard code to allow this to work? @dceejay, do you know?
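To check whether both the page request and the WebSocket upgrade arrive with a client certificate, here is an added example in plain Node.js. It is not code from this thread, Node-RED or the dashboard, and `clientCertDecision`, `createDiagnosticServer` and the `onUpgrade` hook are hypothetical names. Unlike the settings.js above, it sets `rejectUnauthorized: false` so the handshake completes and the server can log an explicit reason instead of the browser showing a blank page:

```javascript
// Added example, not from the thread. Plain Node.js, not Node-RED internals.
const https = require('https');

const STATUS_TEXT = { 400: 'Bad Request', 401: 'Unauthorized', 403: 'Forbidden' };

// Classify a connection by its client-certificate state.
// `sock` is a tls.TLSSocket (a test can pass constructed stand-ins).
function clientCertDecision(sock) {
  if (!sock || typeof sock.getPeerCertificate !== 'function') {
    return { allow: false, status: 400, reason: 'not a TLS connection' };
  }
  const cert = sock.getPeerCertificate(); // {} when the client sent no certificate
  if (!cert || Object.keys(cert).length === 0) {
    return { allow: false, status: 401, reason: 'no client certificate presented' };
  }
  if (!sock.authorized) {
    return { allow: false, status: 403, reason: `certificate rejected: ${sock.authorizationError}` };
  }
  return { allow: true, status: 200, reason: `client CN=${cert.subject ? cert.subject.CN : '?'}` };
}

// Server that asks for a certificate but lets the handshake finish, so every
// request, including the WebSocket upgrade, gets a logged, explicit answer.
// `onUpgrade` (hypothetical hook) receives upgrades that passed the check.
function createDiagnosticServer(tlsOptions, onUpgrade, log = console.log) {
  const opts = { ...tlsOptions, requestCert: true, rejectUnauthorized: false };
  const server = https.createServer(opts, (req, res) => {
    const d = clientCertDecision(req.socket);
    log(`${req.method} ${req.url} -> ${d.status} ${d.reason}`);
    res.writeHead(d.status, { 'Content-Type': 'text/plain' });
    res.end(`${d.reason}\n`);
  });
  // A WebSocket starts as an HTTP request with an Upgrade header on this same
  // TLS listener, so it is subject to the same client-certificate check.
  server.on('upgrade', (req, socket, head) => {
    const d = clientCertDecision(req.socket);
    log(`UPGRADE ${req.url} -> ${d.status} ${d.reason}`);
    if (d.allow) return onUpgrade(req, socket, head);
    socket.end(`HTTP/1.1 ${d.status} ${STATUS_TEXT[d.status]}\r\nConnection: close\r\n\r\n`);
  });
  return server;
}
```

Because `rejectUnauthorized` is `false` here, the TLS handshake itself no longer rejects anyone, so every request handler and the upgrade handler must apply the check.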

Hi Martin,
Would like to help you, but I don't have enough knowledge about the Node-RED architecture...
For example for the HttpIn node, I "think" this flow is being followed at startup:

  1. Node-RED is started on Node
  2. An express webserver is started
  3. The settings.js file is executed
  4. Your https settings are passed to the https module, so from now on I would expect these settings to be applied to both the flow editor and the dashboard?
  5. The runtime (available as the RED variable) is initialized. It seems to me that two new Express servers are started? But not sure...
  6. The runtime is started, so all nodes of your flows are loaded (also your Http-in nodes).
  7. The Http-in node starts listening to requests on the Express called RED.httpNode, which is the nodeApp variable in the runtime (index.js).

Hopefully somebody can explain this in a bit more detail to us, so we can start brainstorming about why your https settings are not applied to the Http-In nodes...

At the moment it is not clear to me how the https module and all the express modules are related to each other...


This seems to be where the socket connection is made on the client side.

You could try perhaps amending the start to include the client certificate request. Trouble is that you would also have to do a re-build as well.

Thanks for the pointers.
I spent the last couple hours in futile attempts to fix it using the above suggestions but obviously fiddling with node-red internals is too much of a challenge at this point.

A simple workaround: creating a "dash.html" in "~/.node-red/node_modules/node-red-dashboard/dist" that only contains a meta tag redirect to https://mydomain:1880/ui and pointing my browser to https://mydomain:1880/ui/dash.html causes Chrome to require me to present a client certificate and the dashboard loads. Not a complete "Feng Shui", but it does the job until the issue is fixed eventually.

OK I have tried to follow along - and have pushed a small fix to the dashboard master branch on github for you all to try - it attempts to set the socket to use secure:true when using https protocol (which it should have done automatically - but...)

It works perfectly for me - thank you!


Great - I'll probably push it out later this week after some other testing.
