Node-RED SSL using Letsencrypt & Certbot

Hi Paul,
Thanks for sharing this! Just what I was looking for... Can the crontab be replaced by e.g. the cron-plus node, to integrate it even more into Node-RED?

Yes it could. You only need to run the command certbot renew (as root) to trigger the renew process.
But note that node-RED will not read the new certificates until the NR server is restarted, and if you look at the cron entry, there's a post-hook in there that does exactly that, and furthermore only restarts node-RED if a certificate renewal has been made, otherwise it doesn't restart.

You can simulate an actual renewal to test by using sudo certbot renew --dry-run whilst tailing the log file; sudo tail -f /var/log/letsencrypt/letsencrypt.log

1 Like

Ah ok. Sorry had overlooked that you had to restart Node-RED. That is a pitty. I now see here indeed that NodeJs needs this pull-request to allow the credentials to be hot swapped, for new connections being created. Wasn't aware of that...

1 Like

It's a quick restart just once every 2 months in the middle of the night! I can live with that :wink:

2 Likes

I've just updated the first post above to use the fullchain.pem certificate instead of cert.pem on the advice of the Letsencrypt guys.

2 Likes

Urm, that's odd, I don't do that. Hmm, what am I doing that is different I wonder? Surely I'm not restarting NR that often for other reasons?

Well I won't be able to find out until January.

Julian, do you have a paid account?

No. The last change was in October.

It is possible that this year has seen me updating that system more than usual and so restarting it more often. It is even possible that I set up a CRON job and completely forgot about it :rofl:

I'll get round to checking at some point.

Just updated the first post above.

After checking the Letsencrypt log, I found that the renewal application was being made at times outside the range of the custom cron setting, and upon further checking it appears that the Pi installation package also sets up systemd to run the process twice daily at random times.
See this post.

So no need for the cron job - it has been removed, and the post-hook function has been now been moved to the shell script instead.

It appears that the configuration of Certbot varies dependent upon the OS.

@BartButenaers - for info

1 Like

Hi Paul,

I am trying to do the same steps on my PI. For some reason I have jessie which does not include certbot. I found this post and installed certbot-auto. It does not have -d parameter, so I can only run as certonly --standalone. During this I get this:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ringlo.ddns.net
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

So this is the point when letsencrypt is trying to check that it is indeed my server, right? But how will it perform the challenge if nothing is running on port 80. Or do I need to set up apache for this?

I got a bit confused.

Yes, correct.
It appears from your link, that you've chosen the version of certbot intended to be run alongside an apache server. If you are also running Apache, then as I said in my first post -

From what I've read, if you don't have any other webserver, then use the Certbot version which spins up a python server to do the verification.
If however you do have another server, then the verification needs to be run through that other webserver (apache).

OK, I understand now. So I need to find out how can I install the standalone certbot in jessie. As apt says "unable to locate package certbot".

I haven't looked what is avaialble in Jessie, but have you tried updating your sources sudo apt-get update first.

I did sudo apt-get update but it did not help. What I did instead if fired up apache2 on port 80 (it is normally nor running), got the certificate created, copied it to the "cert" folder, changed the settings.js and restarted NR. Chrome is still saying that it is "not secure". When I view the certificate, it says Issued to: ringlo.ddns.net so that is definitely my certificate. When I look at the certification path I see Let's Encrypt Authority X3, and DST Root CA X3.
So what is Chrome's problem with this certificate? It this about that the challange was on port 80 and now we are on port 1880?

And do I understand correctly, that with the process I used above the certificate renewal will not work unless the apache server is running?

Have you changed ownership of the certs, so node-RED can access them OK?
It's included it the script in the first post.

yes, I did. In fact I ran the script after the certificate got generated and it copied the files to the folder under node-red. And since it says "issued to: ringlo.ddns.net" I know it is using these certificates. Previously I had a self signed certificate which has no root CA.
Do I just need to restart my computer for Chome to forget something?

As you probably have not added the certificates to Apache, can you stop apache and then look at just your node-RED server, as http://ringlo.ddns.net/ seems to be pointing to 'Saia PCD Web Server'.
Also anything in the node-RED log?

Yes, and I would like to keep port 80 as it is, but you can reach Node red on https://ringlo.ddns.net:1880/

@Paul-Reed: this is all my bad, I am so sorry. I opened my NR as https://192.168.1.80:1880 instead of using the domain. Of course Chrome has issues as the IP does not match the domain of the certificate. Such a rookie mistake. I am so sorry.

2 Likes

I missed this post before - Nice work @Paul-Reed!

1 Like