I've written this up in case it helps other who may wish to secure their node-RED online presence, by using SSL certificates.
The installation uses Letsencrypt to issue the certificates and also Certbot to fully automate and handle renewals - so it's a fit & forget solution.
I've started with a RPi3b+ and a fresh 'Buster' operating system, with node-RED installed via the official script.
Because node-RED is going to provide my online presence, no other webserver (such as apache) has been installed. If you do intend to also run another webserver as well as node-RED, then the Certbot installation is slightly different and not covered here, but see this tutorial for the necessary changes.
It's important at this stage that you have secured your node-RED editor by following this guide, then ensure that port forwarding is setup in your router for ports 1880 & 80 (port 80 is required by certbot).
You must also have a domain name, and which points to your server.
Ensure that you can access your node-RED editor via your domain name (http://mysite.com:1880) before going any further, otherwise Certbot will fail.
Create a folder to hold your new certs;
Most of the following commands require root privilidge, so let's make life easier!
apt-get install certbot
Obtain a set of certificates
certbot certonly --standalone
This will take a few minutes and should ask you a number of questions, such as email address, domain name, etc (nothing complicated!!) during that process.
Lets now create a script to automatically move a copy of the certs to your
node-red/certs folder, prepare them for use by node-RED, and restart node-RED so that the new certificate is applied.
This script will only run if the certificate is successfully renewed.
Create a script called renewal_success in
cp /etc/letsencrypt/live/$domain/*.pem "$node_dir"/
chown $node_user "$node_dir"/*.pem
...and make executable;
chmod u+x /etc/letsencrypt/renewal-hooks/deploy/renewal_success
Now run the script;
and you should find that you will now have 4 certs in your node-red/certs folder, and node-RED restarted.
The Pi installation package automatically creates a systemd timer that runs twice daily (at randomised times) to check if it is necessary to renew the certificates, and although Letsencrypt certificates have a life of 90 days, they will be renewed 30 days before expiry.
To change the timing of the renewal checks, or disable them completely, see this post.
So that concludes installing & setting up certbot, so now exit su privilege;
Add certificate links to the node-red settings file;
To ensure that node-RED loads the new certificates when they have been renewed, enable
httpsRefreshInterval in the settings file.
and enable this option to force http visitors to use https;
...then reboot node-red to restart your SSL enabled server;
Many thanks to @recursivecodes for writing the Oracle cloud tutorial on which this is based.