SSL certificate

Hi, I would like to ask how to install an SSL certificate for Node-RED, which I have issued for my domain, when Node-RED is running in a Docker container. Thanks.

The 2 files (certificate and private key) need only be in a place accessible to Node-RED as it starts up. You configure this in the settings.js file.

Note that the files should be in a place where Node-RED only has READ-ONLY access to them. Otherwise, someone could write a flow that changed them. Indeed, they should be read-only to the user/group that runs Node-RED. Also note that the private key file MUST be kept private.

For these reasons, I don't recommend using TLS within Node-RED itself. It is more secure to use a reverse proxy to terminate TLS requests and to configure Node-RED to be only accessible via the proxy.


Julian,
I know that it would be better to keep the SSL offloading in a reverse proxy separate from Node-RED, but let's suppose that is not the case for some reason. So Node-RED needs to get access to both files, via the settings.js file:

  1. Suppose the Node-RED user has permissions to overwrite those files. If someone gains access to your flows, he can replace both files. Why would they do that, if they already see all the decrypted data from your connections anyway?

  2. You say that the private key must be private, which is obvious to me. But of course it won't be private to the Node-RED flows, if the Node-RED user has (read-only) permissions to read those files. Suppose someone gained access to your flows, that means he can read your private key. Is that of any use to a hacker, because he has access to your decrypted data anyway?

Just asking, so that I become aware of the risks when applying permissions to those files.

Thanks for sharing your knowledge!!!
Bart

Well a legitimate user probably would not wish to mess with them - assuming they knew what they were and what they meant. And assuming they didn't make a mistake.

But as we've seen, sometimes illegitimate users can also gain access to systems. Then all bets are off.

Yes, which is why it is best not done in Node-RED.

It certainly is of use, yes. Because a hacker can now gain access to all communications, they can do man-in-the-middle attacks, make changes to incoming comms as well as outgoing. And, if that certificate is shared across multiple services (not unusual in home and SME uses), they have access to those as well.

Is any of this a REAL risk to a home user - perhaps not. But systems tend to grow over time and become more important and something learned in one context can often unthinkingly be applied in others. So it is generally best to understand at least the risks and the mitigations even if you choose not to apply them.

I daily see ongoing targeted attacks and so I tend to be rather more paranoid than most, something I'm sure those of you who have been around this forum for a while understand and certainly I'm not suggesting that you need to take every precaution. But it is a truth that humans are actually very poor at assessing actual risk. Take that as you will. :)

As is often the case, the question raised here gives no context as to the actual use-case involved. It might be a home user or it might be a giant corporation - maybe it involves critical national infrastructure - I have no context to go on. So it is important to share the risks just in case.


This is the settings.js file:

folder with certificate:

but the browser shows this alert:

The error is pretty clear.

The common name in the cert is

But the name appearing in the browser is:

They do not match and therefore, the certificate is invalid.

Even if I put the whole address there, it doesn't work.

Could you please either translate that or post the text so we can translate it?
