How to install SSL for node red?

Direct node red access without Apache

Oxygen is going to provide my online presence, no other webserver (such as apache) has been installed. If you do intend to also run another webserver as well as node-RED, then the Certbot installation is slightly different and not covered here, but see this tutorial 45 for the necessary changes.
It’s important at this stage that you have secured your node-RED editor by following this guide 41, then ensure that port forwarding is setup in your router for ports 1880 & 80 (port 80 is required by certbot).
You must also have a domain name, and which points to your server.
Ensure that you can access your node-RED editor via your domain name (http://mysite.com:1880 9) before going any further, otherwise Certbot will fail.

Create a folder to hold your new certs; mkdir /home/pi/.node-red/certs

Install Certbot
Most of the following commands require root privilidge, so let’s make life easier!
sudo su

Install Certbot
apt-get install certbot

Obtain a set of certificates
certbot certonly --standalone
This will take a few minutes and should ask you a number of questions, such as email address, domain name, etc (nothing complicated!!) during that process.

Lets now create a script to automatically move a copy of the certs to your node-red/certs folder, prepare them for use by node-RED, and restart node-RED so that the new certificate is applied.
This script will only run if the certificate is successfully renewed.
Create a script called renewal_success in /etc/letsencrypt/renewal-hooks/deploy/

#!/bin/bash

domain=mydomain.com
node_dir=/home/pi/.node-red/certs
node_user=pi

cp /etc/letsencrypt/live/$domain/*.pem "$node_dir"/
chown $node_user "$node_dir"/*.pem
node-red-restart      # Restart node-RED

…and make executable;
chmod u+x /etc/letsencrypt/renewal-hooks/deploy/renewal_success

Now run the script;
/etc/letsencrypt/renewal-hooks/deploy/./renewal_success
and you should find that you will now have 4 certs in your node-red/certs folder, and node-RED restarted.

The Pi installation package automatically creates a systemd timer that runs twice daily (at randomised times) to check if it is necessary to renew the certificates, and although Letsencrypt certificates have a life of 90 days, they will be renewed 30 days before expiry.
To change the timing of the renewal checks, or disable them completely, see this post 15.

So that concludes installing & setting up certbot, so now exit su privilege;
exit

Add certificate links to the node-red settings file;

    https: {
    key: fs.readFileSync('/home/pi/.node-red/certs/privkey.pem'),
    cert: fs.readFileSync('/home/pi/.node-red/certs/fullchain.pem')
           },

and enable this option to force http visitors to use https;
requireHttps: true,

…and reboot node-red to restart your SSL enabled server;
node-red-restart

Leave a Reply