TLS Config Node: CA Certificate

General
,
1

Hello everyone,
when setting "Verify server certificate" und Uploading a Custom CA Cert in a TLS config, where is that cert actually stored?
I need work behind a corporate firewall, if I set its certificate in the TLS config node "Upload", everything works as expected. I experimented with running Node-Red with Docker, but I fail to carry over this custom CA Certificate.
I tried providing the CA .pem file in the /data mount, but as far as I can tell, the TLS config node does not point to a filepath, but only holds the cert name. So I figured the cert must be stored somewhere in the node modules when "uploaded"?
I also tried adding the cert path to the settings file with NODE_EXTRA_CERTS and adding it with npm config set cafile, but no success.

TLDR, does anybody know where the pem file is stored when using the "upload" function in the TLS Config node?

2

How do you intend to run Node-RED in the end, using Docker or natively ?
Normally you can just specify a file path which is relative to the directory where you started Node-RED. When using Docker you would need to copy that file in the container either in the dockerFile, by mounting it as a bind mount or by using docker cp.

3

This should be NODE_EXTRA_CA_CERTS and when set as an environment variable it does work correctly.

4

Hello and thank you for your response. I will deploy using Docker.
I keep the CA Cert in the directory that I mount at /data in the container.
As far as I can tell, the TLS node does not store a filepath, but only the filename.
For a test I placed the CA Cert in a different directory and used the "Upload" Button, but it only ever stores the name, no path (neither relative nor absolute)

{
        "id": "c25ae3eaa4cf0941",
        "type": "tls-config",
        "name": "TheNodeName",
        "cert": "",
        "key": "",
        "ca": "",
        "certname": "",
        "keyname": "",
        "caname": "xxxxRootCertificate-2048-SHA256.pem",
        "servername": "",
        "verifyservercert": true,
        "alpnprotocol": ""
    },
5

Hello, sorry, you are right, I typed it from memory and that was incomplete. I edited the original post.

6

Hello everyone!
I have solved my issue and I was gravely mistaken so I want to document my solution to help others. I am now using the Environment Variable "NODE_EXTRA_CA_CERTS" to provide our custom CA to Node.js for validating server connections.
My mistake was not understanding that "NODE_EXTRA_CA_CERTS" is supposed to be an OS environment variable, not a Node.js "process.env".
All thats necessary to make it work is to add it to the environment variables + the path to the cert, under windows or linux, or use the parameter -e/-env to pass it to a Docker container.

My original question, what exactly happens when you use the "Upload" function within a TLS configuration node, remains unanswered and I am still very interested in understanding it.
Additionally, if I run the node function tls.rootCertificates I never see the "EXTRA_CA_CERT" it does not get appended to that list. It would be nice to somehow confirm that the extra ca Cert was added to the certificate store.

7

process.env is just a method for accessing the OS environment variables.

8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.