mikejac/node-red-contrib-google-smarthome

Example Node-Red flow for automatic SSL certificate renewal?


I'm very grateful for the great work being done here. As a first time user of SSL certificates, the process presented a challenging learning curve (and that was just getting 'paid-for' certificates). While SSL certificates are not a 'core' function of the google-smarthome node, they present a crucial component to functionality.

Can anyone provide a Node-Red flow that enables Let's Encrypt certificates to be automatically placed in a suitable path? An example flow would ideally be provided in the documentation for the Management node. I remember reading of someone already doing this, but can't find the discussion anymore.

I'm familiar with this post by @Paul-Reed -
https://discourse.nodered.org/t/node-red-ssl-using-letsencrypt-certbot/17606

I'm also not sufficiently confident in IT security that I can open up port 80 without potentially opening my system to attack.

Suffice to say that node-red-contrib-google-smarthome would be much more 'approachable' with an ancillary component dedicated to the creation and renewal of SSL certificates.

I'm currently writing a tutorial on how to use Caddy as a reverse proxy in front of Node-RED. In my opinion this is even easier than the usual way using Certbot. Caddy handles all the encryption, decryption, certificate creation and renewal itself. This way you don't need to copy the certificate files around and you don't need to restart Node-RED after certificate renewal.

@Caprico85

> and you don't need to restart Node-RED after certificate renewal

node-RED users have not needed to do this since v1.1.0 (30th June 2020), as a function in the node-RED settings file syncs the new certificates without making a restart necessary.

It would be great if the Smarthome server could do the same.

Oh. I never knew Node-RED can do this. Would be nice if Node-RED fires an event when it reloads the certificates so we can reload ours as well. But I guess we to do the scheduling ourselves.

Here is the discussion and PR - node-red/node-red#2551
It was developed by a node-RED colleague - @bartbutenaers

Hey guys,

I indeed developed that automatic certificate renewal, because having to restart Node-RED to simply reload a certificate was a bit too much for me: e.g. all recordings from IP cam streams would be interrupted. Which was unacceptable for me.

When I started with this smarthome node, I considered creating a pull request to implement the same mechanism here. But I didn't do it, because it seems like over-engineering to me. Currently I do it like this: when my flow has requested a new certificate, it afterwards injects a msg (with "restart_server") into the smarthome node to restart its webserver. When that webserver restarts, it reloads the certificate.

I don't think there is any impact by restarting the smarthome node's webserver, unless you are using a voice command within those few seconds, because that one will fail. But this happens once every few months, and you will normally reload your certificates during the night.

So imho it has not much added value to develop automatic certificate reloading here. But I might be mistaken...
Bart

I added a guide on how to use Caddy as reverse proxy.

You don't mention the port/ssl settings in node-RED settings.js, such as the following sections:
https: //assume it's commented out, and so uses http
requireHttps: //assume it's false
uiPort: //assume 1880 (as default), or if changed, also change reverse proxy port in caddy config file to same
Just checking!

Also, in your second config:

> **Node-RED behind Caddy** You can also use Caddy to deliver Node-RED. Change the config file to:

There is no mention of the smarthome port (which you described in the first example); if both configs need combining, then maybe example 2 would be better if combined in your tutorial.
Sorry, reverse proxies are a new world to me!

Example 1 should work as is. But you are right, example 2 needs some more work. I'll fix that soon.

I updated my instructions on Caddy.

With v0.4.6 certificates are now automatically reloaded if they change on disk. You don't have to manually restart anymore.

I (finally) added instructions for getting a certificate with acme.sh. I think acme.sh is a bit easier for beginners, as it has a more "direct" approach than certbot. You run a command, you see some messages and there is your certificate. Certbot is more of the service type which does its thing "invisibly" in the background.

> Suffice to say that node-red-contrib-google-smarthome would be much more 'approachable' with an ancillary component dedicated to the creation and renewal of SSL certificates.

A built-in component for creating SSL certs would be nice, but would be quite some work, both in implementing it and supporting it afterwards. I'm open for PRs, but currently I won't do it myself.