Node-RED SSL using Letsencrypt & Certbot

It's a quick restart just once every 2 months in the middle of the night! I can live with that :wink:

I've just updated the first post above to use the fullchain.pem certificate instead of cert.pem on the advice of the Letsencrypt guys.

Urm, that's odd, I don't do that. Hmm, what am I doing that is different I wonder? Surely I'm not restarting NR that often for other reasons?

Well I won't be able to find out until January.

Julian, do you have a paid account?

No. The last change was in October.

It is possible that this year has seen me updating that system more than usual and so restarting it more often. It is even possible that I set up a CRON job and completely forgot about it :rofl:

I'll get round to checking at some point.

Just updated the first post above.

After checking the Letsencrypt log, I found that the renewal application was being made at times outside the range of the custom cron setting, and upon further checking it appears that the Pi installation package also sets up systemd to run the process twice daily at random times.
See this post.

So no need for the cron job - it has been removed, and the post-hook function has now been moved to the shell script instead.

It appears that the configuration of Certbot varies dependent upon the OS.

@BartButenaers - for info

Hi Paul,

I am trying to do the same steps on my Pi. For some reason I have Jessie, which does not include certbot. I found this post and installed certbot-auto. It does not have the -d parameter, so I can only run it as certonly --standalone. During this I get this:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ringlo.ddns.net
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

So this is the point when letsencrypt is trying to check that it is indeed my server, right? But how will it perform the challenge if nothing is running on port 80? Or do I need to set up apache for this?

I got a bit confused.

Yes, correct.
It appears from your link that you've chosen the version of certbot intended to be run alongside an apache server. If you are also running Apache, then as I said in my first post -

From what I've read, if you don't have any other webserver, then use the Certbot version which spins up a python server to do the verification.
If however you do have another server, then the verification needs to be run through that other webserver (apache).

OK, I understand now. So I need to find out how I can install the standalone certbot in Jessie, as apt says "unable to locate package certbot".

I haven't looked at what is available in Jessie, but have you tried updating your sources with `sudo apt-get update` first?

I did `sudo apt-get update` but it did not help. What I did instead is fire up apache2 on port 80 (it is normally not running), got the certificate created, copied it to the "cert" folder, changed the settings.js and restarted NR. Chrome is still saying that it is "not secure". When I view the certificate, it says Issued to: ringlo.ddns.net so that is definitely my certificate. When I look at the certification path I see Let's Encrypt Authority X3, and DST Root CA X3.
So what is Chrome's problem with this certificate? Is this because the challenge was on port 80 and now we are on port 1880?

And do I understand correctly, that with the process I used above the certificate renewal will not work unless the apache server is running?

Have you changed ownership of the certs, so node-RED can access them OK?
It's included in the script in the first post.

Yes, I did. In fact I ran the script after the certificate got generated and it copied the files to the folder under node-red. And since it says "issued to: ringlo.ddns.net" I know it is using these certificates. Previously I had a self-signed certificate which has no root CA.
Do I just need to restart my computer for Chrome to forget something?

As you probably have not added the certificates to Apache, can you stop apache and then look at just your node-RED server, as http://ringlo.ddns.net/ seems to be pointing to 'Saia PCD Web Server'.
Also anything in the node-RED log?

Yes, and I would like to keep port 80 as it is, but you can reach Node-RED on https://ringlo.ddns.net:1880/

@Paul-Reed: this is all my bad, I am so sorry. I opened my NR as https://192.168.1.80:1880 instead of using the domain. Of course Chrome has issues as the IP does not match the domain of the certificate. Such a rookie mistake. I am so sorry.

I missed this post before - Nice work @Paul-Reed!

@Paul-Reed Thank you for this post! It is great what you have done here. By the way, I'd like to ask for some help. The explained configuration with Apache went straight through, but now I cannot access my Node-RED anymore. I'm getting this error in the browser.

# Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request

Reason: **Error reading from remote server**

Apache/2.4.38 (Raspbian) Server at 192.168.0.38 Port 80

For sure it is an Apache server config problem. Can anyone explain what is wrong?

Sorry I've not installed apache, so can't really help further with apache related errors.
Hopefully other members will be more familiar with apache, and be better placed to assist.
This guide was really intended for non-apache users for that reason.

Hi guys,

I need a bit of help from you. I have a Raspberry Pi with Node-RED which is accessible through a VPS. At boot, the RPi automatically starts an SSH reverse tunnel to a VPS, and then I can reach the RPi through the VPS. Port 80 of the VPS is forwarded to port 1880 on the RPi. On the VPS I have a domain configured, so I can access Node-RED on the RPi when I open http://domain.com.
My question would be - if I would like to use SSL, where should I install the certificates, on the VPS or on the RPi? What else should I configure? Has anyone of you implemented this? Thank you very much in advance.