Node-RED SSL using Letsencrypt & Certbot

Hi Paul,
thanks for sharing this usefull post!
Anyway I have a question for anyone who can clarify me the following.
I'm missing if (and when) the "renewal_success" script will be run in order to copy the new generated certificates.
In my understanding there was, in an earlier version, a cron job to do that. Now according to latest instructions the cron job is no longer needed (certbot setup by itself) thus I can't figure out who will call that script and when.
Thanks in advance.

I can't remember where all this started now. I can only give you my working setup and it has been rock-solid since I set it up in 2018.

I use the acme.sh shell script that runs on a CRON script as a user not root:

28 0 * * * "/home/home/.acme.sh"/acme.sh --cron --home "/home/home/.acme.sh" > /dev/null

I actually have 2 domains that I fetch certificates for, each cert having wildcard sub-domains specified so that I can use the certs for multiple uses (my needs aren't for too much security, if I were using this for internet facing services, I'd probably have separate certs for each service).

All of the resulting files are owned by the user that runs the CRON, not by root. That also isn't as secure and if I needed that security, I would run as root but then at the end of each run, have a script that changes ownership of the public key to allow it to be copied. But then you also have to allow the user running Node-RED and any other services to have read access to the private key or make copies of that as well. Can be done either way.

Because I'm running as the same user as NR and because I don't need lots of security, I simply point NR at the folder containing the certs/keys.

If you are copying things around, best to have separate certs for each use.

If you look at the first post in this thread, you'll see this section;

There we create a script which certbot will automatically run, IF new certificates have been created (as it's in the renewal-hooks directory). That script will copy across the certs to your node-RED directory.

Correct when installed on a Pi, as the Certbot installation will create it's own time schedule as part of the installation.

Hey guys,
Also don't forget that we spend quite some time at the time being on this pull-request, to have automatic certificate renewal into Node-RED 1.1.0 and above... Then Node-RED will detect and load the renewed certificates automatically, without having to restart Node-RED...
Bart

3 Likes

Hi,
Thanks very much for your reply.
Anyway, as a beginner, my question was mainly related to understanding how the renewal_succes" scripts gets called (when certs are actually renewed).
This is a solution to update certs and I really appreciate your help. I'll keep it in mind in case of troubles (and probably for future projects).
Thanks!

Hi Paul,
thanks for your response.
got it. I was missing that the script is automatically called by certbot!
Thanks again for sharing this useful post.

1 Like

As @BartButenaers mentions above, don't forget about the httpsRefreshInterval which has been introduced into node-RED since v1.1.0.

A bit of background....

By default, node-RED reads in the SSL certificates only when node-RED starts, so even though you have renewed your certificates with certbot. Node-RED will not load them until it has been restarted.

To deal with this, if you use httpsRefreshInterval in your settings.js file, then the certificates will be reloaded into the running system automatically, avoiding the need to restart the system.

See Securing Node-RED : Node-RED

2 Likes

2 posts were split to a new topic: Unable to update node.js

@Paul-Reed , the docs say that, if you use httpsRefreshInterval, "..the https setting must be a Function that can be called to get the updated certificates."
I have no idea about how this function must be set...

Take a look at the https section in settings.js and it gives you 2 options. Choose the https function option.

Yes, but I can't image what to code into the function in order to get the updated certificates...

Hi Fabio,
In my setup at home I simply tell Node-RED to reload (every 6 hours) the key-pair (certificate and corresponding private key) from my Node-RED keystores:

    https: function() {
        return {
            key: require("fs").readFileSync('/home/pi/.node-red/privkey.pem'),
            cert: require("fs").readFileSync('/home/pi/.node-red/cert.pem')
        }
    },
    httpsRefreshInterval : 6,

That is all...
But you can add any kind of source code, as long as you return a key-pair ...

Of course you need to make sure that the certificate in your keystore is up-to-date.
There are multiple ways to accomplish that...
I refresh my LetsEncrypt certificates automatically with my node-red-contrib-letsencrypt node.
This node is not published on NPM, because I didn't had time yet to test all supported DNS providers.
But for DuckDNS it works fine...
Bart

1 Like

I could use your script " renewal_success" in order to do that (without restarting node). In a cronjob every 6 hours.
What do you think?

That script is from @Paul-Reed. You have to install Certbot manually, and call Certbot via that script periodically. Or you can use my node, which doesn't require Certbot.
It is competely up to you how you want to get a new certificate from LetsEncrypt. I personally like to have everything integrated into Node-RED without having to install third-party tools. That is why I developed that Node, after Paul wrote above tutorial...

1 Like

In my other installation (on a webserver) I don't need to call certbot as the installation has provided for that.

And I do it using the acme.sh shell script and CRON. Partly because I update two domains and they both have complex multi-wildcard settings. Oh, and because that node didn't exist when I started :grinning:

1 Like

Hi @Paul-Reed, is this still valid? Do I have to replace cert.pem with fullchain.pem?

Yes

Just follow the guide, it explains what certificates to use.
The fullchain.pem contains the cert.pem and the chain.pem which is needed for correct validation. See Letsencrypt chain.pem or trusted root list cert? - #10 by JuergenAuer - Help - Let's Encrypt Community Support

A post was split to a new topic: Enable https, but still access with local IP