Node-RED

SSL certification with acme-sh and node-red

General
#1

Hello everyone,

I'm trying to get SSL certificates for my node-red app. What I have done already:

Configuring a domain name for my app -> my-super-app.com

Redirect the http port (80) to the port of my app.
So when I enter "my-super-app.com" on my browser, it launches my app.

Great.

I downloaded acme-sh to generate SSL certs.
Then I typed:

./acme.sh --issue -d my-super-app.com --standalone


[Thu Oct 15 15:25:06 EEST 2020] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu Oct 15 15:25:06 EEST 2020] Standalone mode.
[Thu Oct 15 15:25:06 EEST 2020] Creating domain key
[Thu Oct 15 15:25:06 EEST 2020] The domain key is here: /home/ubuntu/.acme.sh/my-super-app.com /my-super-app.com.key
[Thu Oct 15 15:25:06 EEST 2020] Single domain='my-super-app.com'
[Thu Oct 15 15:25:07 EEST 2020] Getting domain auth token for each domain
[Thu Oct 15 15:25:10 EEST 2020] Getting webroot for domain='my-super-app.com '
[Thu Oct 15 15:25:10 EEST 2020] Verifying: my-super-app.com
[Thu Oct 15 15:25:10 EEST 2020] Standalone mode server
[Thu Oct 15 15:25:16 EEST 2020] my-super-app.com :Verify error:Invalid response from http://my-super-app.com/.well-known/acme-challenge/QW9Fks1_X2X40ziJncI3Z3zuNohWYmO0qfqLsZVgI

with --debug :

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /.well-known/acme-challenge/neZQDDMFZ8vgprfo9rr4YSLEK5fXl60UqCEzWPvyA</pre>
</body>
</html>

What am I doing wrong ? Where does the folder well-known is supposed to be? How to create it if it doesn't exist?

Thanks for help

#2

Hi @seeQuayah, welcome to the forum.

There is a contrib node written by a colleague @BartButenaers which automates the issue/renewal of certs using Acme. Sadly, it was never quite finished :wink: and never made it to npm.
However, it can be installed from https://github.com/bartbutenaers/node-red-contrib-letsencrypt and even if you don't use it, the readme is worth reading.

It is required however that your domain registrar allows API access, so that you can prove that you actually own the domain. I found that not many (here in the UK) allow API access, but you can always direct your domain nameservers to Cloudflare, who do expose their api.

Namecheap => Cloudflare => myserver

I am using the node & cloudflare on one of my servers, and it has worked fine since May, renewing the certificate every month without fail.
If you delve into the logs, you will probably see an Acme error or two, but that does not cause the renewal to fail, it's just a timing issue caused by Cloudflare's speed of propagation, and nothing to worry about.

cert

#3

Yes, if I only had more spare time...
The only problem with this node that it supports a number of dns providers, but I only know for sure that it works for duckdns. Paul had issues to use it with cloudflare, and nobody has ever given feedback for the other dns providers in my dropdown list...
But I have used it with duckdns, and I know some other people use it also.
Bart

#4

I fixed my problem by using Nginx and redirecting the domain name to my node-red app with this tutorial Node-red server with nginx reverse proxy howto guide

problem solved

#5

Not wishing to take this thread off-topic...

@BartButenaers, maybe publish it to npm as it is, then more people would be tempted to try it and feedback. We know that it is working for Duckdns, and it's worked great for me with Cloudflare for the past 7 months (in fact I forgot that I was using it until I saw this thread - which is always a good sign)
It's a shame after all of the work that you have done, for it to get buried amongst your other unfinished projects :wink:

Cloudflare is the easy route as users can point any registrar's name servers to a free Cloudflare account, and then use their API, it's pretty painless.
It will result in a few error messages if users delve into the Acme/Letsencrypt log (because of Cloudflare not propagating quick enough) but it's never a problem and works fine.

#6

Rather than exposing your web environment to the Internet with the potential issues that can have, you can also use DNS to validate. This is what I do.

I run the acme.sh script from CRON so that the certificates are automatically updated on an appropriate schedule and my home server does not require inbound Internet access.

I also have "hairpin DNS" setup on my internal network so that local access to Node-RED (and other services) is done using the same domain names as external would be.

I can 2nd Paul's recommendation to use Cloudflare. I use them as my main DNS vendor as well and even my UK domains (which I can't currently buy through them) are assigned to them so everything is managed in one place and I get to use their DNS security features.

Any public services I run, all run via Cloudflare proxy as well because that gives them additional protection, resilience and analytics without needing something like Google Analytics (no privacy issues).

1 Like

Copyright OpenJS Foundation and Node-RED contributors. All rights reserved. The OpenJS Foundation has registered trademarks and uses trademarks. For a list of trademarks of the OpenJS Foundation, please see our Trademark Policy and Trademark List. Trademarks and logos not indicated on the list of OpenJS Foundation trademarks are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

The OpenJS Foundation | Terms of Use | Privacy Policy | OpenJS Foundation Bylaws | Trademark Policy | Trademark List | Cookie Policy