@TotallyInformation it can be if you don't already have a web server set-up to expose the ACME challenges.
Nope, not any more. As long as you have a domain and can control the DNS to some degree it is easy and you no longer have to expose anything. Please read the post.
@TotallyInformation Touché, but I would say that having to use a DNS provider that supports DNS-01 isn't a cakewalk either, especially if you already have many DNS entries.
Not trying to take away from your post, I just think it's more trouble than it's worth if the only thing you're going to expose is Node-RED. Just do a self-signed cert and ignore the security warnings or make the exception rules so you don't see the warning. The warnings are meaningless when it's hardware you control and you're the only one using it. Otherwise if it were a public server not in your possession and other people are using it, by all means, Let's Encrypt.
Thank you all, I'm planning to move like Paul suggested to me 'cos for me it's much easier, using one Raspberry as a reverse proxy with nginx, and another Raspberry with Node-RED running.
For me, it's the very first time that I run into a security access problem...
Well, it was actually very easy. I put all my DNS entries through the free tier of CloudFlare which supports Let's Encrypt. You don't have to mess with any of the DNS entries at all. In addition, Let's Encrypt now supports wildcard and multi-domain certs so I bundled a big set into a single cert giving me lots of flexibility - the auto-renew runs quite happily on one of the Pis so it all just works.
Anyway, each to their own but I wanted to make clear to others just how easy it is now to use Let's Encrypt.
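As an added illustration of the two-Pi setup discussed above (one Pi running nginx as a reverse proxy with a Let's Encrypt cert, the other running Node-RED), here is an nginx server block. This is example configuration, not from any post in the thread; the hostname, the certbot default certificate path under /etc/letsencrypt/live/, and the Node-RED Pi's LAN address 192.168.1.20 are assumptions.

```nginx
# Added example (not from the thread): nginx on the "proxy" Pi terminating TLS with a
# Let's Encrypt cert obtained via DNS-01, forwarding to Node-RED on a second Pi.
# Assumptions: cert at certbot's default path for example.com (placeholder domain),
# Node-RED listening on 192.168.1.20:1880 (constructed LAN address).

# Redirect all plain HTTP to HTTPS so login details never travel in clear text.
server {
    listen 80;
    server_name nodered.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name nodered.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Tell browsers to keep using HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass         http://192.168.1.20:1880;
        proxy_http_version 1.1;
        # The Node-RED editor and dashboard use WebSockets; forward the upgrade.
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection "upgrade";
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

The proxy only encrypts the hop from the browser to the proxy Pi, so port 1880 on the Node-RED Pi should be reachable only from the proxy on the LAN, and Node-RED's own adminAuth in settings.js should stay enabled.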
I’ve been wondering about the same issue. I had port forwarding on for a year (don’t do that). I was going to check into a remote MQTT server with a dashboard. We then send just the updates as needed. MQTT would open the port and then close it. Correct? Wouldn’t that be the way to go on this?
Not sure that is correct, I suspect that the port would remain open. However that shouldn't be much of an issue as you are opening the port outwards, not inbound.
However, this approach really needs an authenticated connection and that requires an encrypted connection. While you can do it without encryption, it would mean sending your login details in free-text over the Internet, not ideal.
This is why I need to encrypt my traffic to and from Rasp.