Hi guys,
I have the same problem as described in this entry: Node-RED integration with Keycloak gives Error self signed certificate
I used the environment variable (process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0") as a work-around on my dev system, but I need a solution for the production system.
Both Node-RED (v4.0.9) and Keycloak (v26.1.4) are installed on Windows Server 2022. We have our own certificate environment, also based on Windows Server. (The only "self-signed" one is the root CA.)
passport-openidconnect and passport-oauth2 were both tested, but both deliver the same result.
I don't find any error in the chain. Other systems and other apps work without any problems. Must I separately trust the root CA in settings.js or in the passport section?
Thanks for your ideas and help.
Markus
I think that I gave the various options in that original thread.
On a production system, you should use a publicly signed certificate somewhere in the certificate chain.
It might be possible to get round that by adding your self-signed root to the Windows trusted root certificates in the Windows Cert Store. You might also need to put the end certificate in the appropriate part of the cert store as well, I've never had much luck with self-signed certs under Windows. So I can't say it would work or not.
Personally, I would never use Node-RED's built-in security feature for actual production use. I would always use something more specifically designed for the purpose, such as a battle-tested proxy like NGINX or HAProxy, etc.
You can use the NODE_EXTRA_CA_CERTS env var to have the Node.js runtime add extra CA certificates to its internal CA list (by default Node.js will not use the system CA list).
You need a PEM-encoded file that concatenates any CA certs, with any intermediate certs first, before the root certificate.
Hi guys,
Thanks for your fast input.
Yes, the root certificates are already installed in the Windows trusted cert store, but the error still exists.
In the production system I have an IIS reverse proxy, but I am also trying to use all of Node-RED's security features in addition.
I will try the environment variable and give you feedback.
Thanks,
Markus
In that case, rely on IIS security which is fully integrated with Active Directory, not on the separate Node-RED security. It will give far better and more robust protection. Just make sure to set Windows Firewall to disallow any access to port 1880 outside of localhost so that users can only use IIS ports 80/443.
Hi guys,
I have tried the environment variable with the PEM file, but the error still exists.
Yes, you are right. I will use the proxy server for the SSL security check.
(The firewall already blocks port 1880 and uses 443.)
The topic is solved.
Thanks for your support.
Markus