Node-RED SSL using Letsencrypt & Certbot

Hey guys,
Also don't forget that we spend quite some time at the time being on this pull-request, to have automatic certificate renewal into Node-RED 1.1.0 and above... Then Node-RED will detect and load the renewed certificates automatically, without having to restart Node-RED...
Bart

3 Likes

Hi,
Thanks very much for your reply.
Anyway, as a beginner, my question was mainly related to understanding how the "renewal_success" script gets called (when certs are actually renewed).
This is a solution to update certs and I really appreciate your help. I'll keep it in mind in case of troubles (and probably for future projects).
Thanks!

Hi Paul,
thanks for your response.
Got it. I was missing that the script is automatically called by certbot!
Thanks again for sharing this useful post.

1 Like

As @BartButenaers mentions above, don't forget about the httpsRefreshInterval which has been introduced into node-RED since v1.1.0.

A bit of background....

By default, node-RED reads in the SSL certificates only when node-RED starts, so even though you have renewed your certificates with certbot, Node-RED will not load them until it has been restarted.

To deal with this, if you use httpsRefreshInterval in your settings.js file, then the certificates will be reloaded into the running system automatically, avoiding the need to restart the system.

See Securing Node-RED : Node-RED

3 Likes


@Paul-Reed , the docs say that, if you use httpsRefreshInterval, "..the https setting must be a Function that can be called to get the updated certificates."
I have no idea about how this function must be set...

Take a look at the https section in settings.js and it gives you 2 options. Choose the https function option.

Yes, but I can't imagine what to code into the function in order to get the updated certificates...

Hi Fabio,
In my setup at home I simply tell Node-RED to reload (every 6 hours) the key-pair (certificate and corresponding private key) from my Node-RED keystores:

    https: function() {
        return {
            key: require("fs").readFileSync('/home/pi/.node-red/privkey.pem'),
            cert: require("fs").readFileSync('/home/pi/.node-red/cert.pem')
        }
    },
    httpsRefreshInterval : 6,

That is all...
But you can add any kind of source code, as long as you return a key-pair ...

Of course you need to make sure that the certificate in your keystore is up-to-date.
There are multiple ways to accomplish that...
I refresh my LetsEncrypt certificates automatically with my node-red-contrib-letsencrypt node.
This node is not published on NPM, because I didn't have time yet to test all supported DNS providers.
But for DuckDNS it works fine...
Bart

1 Like

I could use your script "renewal_success" in order to do that (without restarting node). In a cronjob every 6 hours.
What do you think?

That script is from @Paul-Reed. You have to install Certbot manually, and call Certbot via that script periodically. Or you can use my node, which doesn't require Certbot.
It is completely up to you how you want to get a new certificate from LetsEncrypt. I personally like to have everything integrated into Node-RED without having to install third-party tools. That is why I developed that Node, after Paul wrote the above tutorial...

1 Like

In my other installation (on a webserver) I don't need to call certbot as the installation has provided for that.

And I do it using the acme.sh shell script and CRON. Partly because I update two domains and they both have complex multi-wildcard settings. Oh, and because that node didn't exist when I started :grinning:

1 Like

Hi @Paul-Reed, is this still valid? Do I have to replace cert.pem with fullchain.pem?

Yes

Just follow the guide, it explains what certificates to use.
The fullchain.pem contains the cert.pem and the chain.pem which is needed for correct validation. See Letsencrypt chain.pem or trusted root list cert? - #10 by JuergenAuer - Help - Let's Encrypt Community Support
