Using self-signed certificates to secure Node-RED web traffic


Julian Knight

Nov 5, 2016, 1:10:25 PM
to Node-RED
Hi all,

Finally got fed up with not having all the information to do this correctly in a single place. So I thought I'd create a script and some documentation that would help anyone who wants to serve Node-RED over HTTPS but only using self-signed certificates, to save having to get an externally validated certificate.


It should explain everything you need and hopefully makes it all dead easy. There are far too many fudged and incorrect solutions floating around the Internet and I've tried to make sure that all the latest and best thinking is embodied in the script and instructions.

Remember that you should NEVER, ever use an unencrypted connection when using a login or showing/entering sensitive information. Especially when running over the Internet.

  1. Run the script, giving the web server's IP address/domain as the parameter (e.g. 192.168.1.10, myweb.mydomain.com, *.mydomain.com).
  2. Move the files in the server folder to a convenient location
  3. Adjust your web server configuration to use the privkey.pem & fullchain.pem files
  4. Upload the client/my-private-root-ca.crt to the certificate store on any device needing access to the server to get rid of untrusted root CA warnings.
That's it! No more faffing. Have fun and stay safe out there!

Lawrence Griffiths

Nov 7, 2016, 3:49:48 PM
to Node-RED
Julian, a huge thank you for this.
I've been self-signing for years but never understood the CA step.
This is a must-read and tool for all NR users/installs.

Thanks
Lawrence

TJ Koury

Nov 7, 2016, 5:46:24 PM
to Node-RED
Julian,

Thanks for pulling all this together!  Your README.md is a great primer on the subject, with the code to back it up.

You might be interested in this project:


I've been using it recently, and it works great!

-TJ

Julian Knight

Nov 7, 2016, 6:25:26 PM
to Node-RED
No problem. I've been meaning to do it all year. Honestly, I've only just worked out the full details myself - thanks go to the people I've referenced in the code as I wouldn't have worked it out otherwise.

You might also notice that it applies to a lot more than "just" Node-RED ;-)

Julian Knight

Nov 7, 2016, 6:35:16 PM
to Node-RED
Hi TJ, no problem. Glad it might help.

I'm aware of Let's Encrypt though I've not personally had a lot of joy with it so far. The main issue is the short lifespan of the certificates which means that you absolutely HAVE to automate the refresh process.

With your own self-signed certs, you can set the life to whatever you want (though very long lifespans gradually introduce security issues of course over time).

Contrary to the spin put on them by many people who should know better, a self-signed certificate can be every bit as secure as a commercially signed one - indeed they can even be better in certain circumstances. In particular, they are ideal for IoT use where you may need many certs but the commercial margins are too small to warrant the cost of your own commercially cross-signed CA.

I still need to set up a mini-flow that will publish the certificate for consumption on mobile devices. Shouldn't be too hard to do using UI. That will make it easy to install the CA trusted root cert on mobile devices not just Windows. Also, if anyone has the instructions for installing trusted roots on Mac and Linux or other platforms, please raise an issue on GitHub or do a pull request & I will update the instructions or maybe create a WIKI.

Be safe! Encrypt those links.

Peter Scargill

Nov 8, 2016, 9:35:23 AM
to Node-RED
Oh good man - I just got a proper one for my Amazon Alexa but it turns out after Aidan spent ages talking to them that there was a bug stopping them accepting self-signed certificates - and so I'll try this on one of my other domains....  Magic....


Peter Scargill

Nov 8, 2016, 10:17:55 AM
to Node-RED
Of interest, how long can you make a certificate last? Security isn't the main thing here - Amazon Echo insists on HTTPS... so I'd like to make one last as long as poss.

Julian Knight

Nov 10, 2016, 1:51:25 AM
to Node-RED
Hi Peter,

I tend to put 9999 days on my self-signed certs and that certainly works. To be honest, I'm not sure if I've tried anything higher; give it a go. With the script you can simply change and rerun, so it doesn't matter as long as you've not yet used the CA cert for anything live.

Obviously, the risk is that the longer you make it, the more likely it is that you lose control of it before it expires. As you do not have a full Public Key Infrastructure (PKI) using self-signed certs, you don't have the infrastructure to be able to invalidate any of your certs such as a certificate revocation list (CRL).

That's not going to matter though in most use cases and you could simply go round and replace everything (not forgetting to remove the manually added trusted root entries from all of your client computers).

Peter Scargill

Nov 10, 2016, 6:14:29 AM
to Node-RED
Thanks Julian - I think I've pretty much set this up using your script....   but then I've hit another bottleneck which is another matter altogether (set up in my place in Spain which has a Draytek 2830 router - which no matter what I do will NOT have redirection of port 443 - even after disabling remote management of the router - I can see a support call to Draytek coming on).  So I can do https://mydomain.com:1880 - and access Node-RED with a nice green https:  - sadly that's not good enough for Amazon who insist on using port 443 - but port redirect - which works a TREAT here in the UK on a TP-LINK router - and which works a treat in Spain - on any port except 443 - arghh....

So in short - your script is super!

Julian Knight

Nov 10, 2016, 12:29:15 PM
to Node-RED
Drat! 

Max Hadley

Nov 17, 2016, 8:46:07 AM
to Node-RED
Peter,

Regarding the port 443 issue on Draytek routers, I'm not sure but I think you have to change the https management port number to something else to be able to redirect port 443 on the WAN side, even if you don't enable management access from the Internet. See https://www.draytek.co.uk/support/guides/kb-forwarding-tcp443

Max

Peter Scargill

Nov 17, 2016, 12:01:03 PM
to Node-RED
Did that - 4443 - and the VPN SSL - and it still won't work - yet as I also have 1880 redirected, https://xxxx.com:1880 works - even 444 redirected to 443 - just not 443. Everyone says the same - just move management out of the way - I have a setup here in the UK that works this way, the one in Spain doesn't - but I got in touch with the Spanish service provider and they insist they're not doing anything with 443.

Toshi Bass

Sep 1, 2017, 1:30:55 PM
to Node-RED
I am having a little difficulty working out what the first part of the path path.join('.', '.data', 'certs', 'server', 'privkey.pem') means, i.e. what the '.' bit means.

Obviously I am trying to follow your instructions to implement self-signed certificates. I thought it would be simple to create what I thought would be the same file structure, so I have the certs in /home/pi/.data/certs/server/
but after modifying the settings.js file by un-commenting //var fs = require("fs") and the //https: { // key: fs.read etc. section, including the above, I am getting the following, which I assume is a problem with the path I am specifying.

Starting as a systemd service.
at Module._compile (module.js:570:32)
Stopped Node-RED graphical event wiring tool..
Starting Node-RED graphical event wiring tool....
Started Node-RED graphical event wiring tool..
Error loading settings file: /home/pi/.node-red/settings.js
ReferenceError: path is not defined

please advise thanks

Nick O'Leary

Sep 1, 2017, 1:52:04 PM
to Node-RED

You'll need to add

    var path = require("path") 

below the fs require line.



Toshi Bass

Sep 1, 2017, 3:33:08 PM
to Node-RED
OK, adding that line var path = require("path") solved the problem.

However, I still don't understand what '.' is doing; it also works fine with path.join('.data', 'certs', 'server', 'privkey.pem'), which makes more sense to me.

Now my next problem: I can connect with my iPhone no problem with https://192.168.0.98.:1880/ and https://192.168.0.98.:1880/ui/#/0 but for some reason Chrome on my computer does not connect, I get  Not secure https://192.168.0.98:1880/ with a line through https.

When I ran the import certificate on my Windows 10 machine the result was "The import was successful". I closed the Chrome web browser and re-opened it. Is there a further step I need to undertake?

Nick O'Leary

Sep 1, 2017, 3:40:24 PM
to Node-RED Mailing List
In a path '.' means the current directory.

path.join is joining all of those strings into a valid path string.

path.join('.', '.data', 'certs', 'server', 'privkey.pem') results in ./.data/certs/server/privkey.pem
path.join('.data', 'certs', 'server', 'privkey.pem') results in .data/certs/server/privkey.pem

They are effectively the same path.

Nick


Toshi Bass

Sep 2, 2017, 4:49:45 AM
to Node-RED
aha ... If the path has '.' at the beginning it means the "current directory". OK, got it, thanks for the info Nick.

Toshi Bass

Sep 2, 2017, 5:08:14 AM
to Node-RED
OK so the issue I have now is that having followed https://github.com/TotallyInformation/SelfSigned-Cert-Creator I can connect via https to node-red and node-red dashboard using Edge, Explorer, Safari & Mozilla (when I accept the "Confirm Security Exception"), all as per https://github.com/TotallyInformation/SelfSigned-Cert-Creator/blob/master/README.md (caveat: after adding var path = require("path") below the fs require line in /home/pi/.node-red/settings.js).

However, nothing I do allows me to connect via the Chrome browser which I generally use. Does anyone have a solution for this? All I get is  Not secure https://192.168.0.98:1880/ with a line through https. I have restarted Chrome, restarted my computer and cleared the browser cache; there must be people out there that have cracked this problem..

please advise thanks

Colin Law

Sep 2, 2017, 9:48:05 AM
to node...@googlegroups.com
Are you explicitly typing https:// on front of the url? Normally that
message occurs when referencing using http. It may be getting the url
out of the history and thinking you are still using http.

Colin

Toshi Bass

Sep 2, 2017, 11:15:19 AM
to Node-RED
Hi Colin

I don't think that's the problem, see attached. I've been googling this issue and it appears that since version 58 Google Chrome requires SSL certificates to use SAN, not CN.
If I understand correctly https://github.com/TotallyInformation/SelfSigned-Cert-Creator uses CN, so for Chrome it's now broken.

I suppose it's possible to fix this but it's beyond my ability.

In reality I just need https to work on my iPhone / iPad and as I said Safari works OK, so I guess I can live with this issue.
Capture.JPG

Garry Hayne

Sep 2, 2017, 4:36:43 PM
to Node-RED
Hi, are you just using a local lan to access the server? If you are, you don't need https.

Garry

Toshi Bass

Sep 2, 2017, 4:56:59 PM
to Node-RED
No, the whole idea is to implement some security as I want to be able to control stuff from outside of my LAN, like when I am away from home. I was using weaved for this but they're changing the way it works, so I'm just about to test zero-tier VPN. As I said, I only want to use my iPhone or iPad to connect, so when I am home I can use Chrome by choosing to open in insecure http mode from advanced settings.

Garry Hayne

Sep 3, 2017, 11:29:25 AM
to Node-RED
Toshi, when you created the certificate did you use a domain name, i.e. mydomain.xxx.xxx?

Garry

Toshi Bass

Sep 3, 2017, 12:41:22 PM
to Node-RED
No I don't have a domain, I just followed the following ...  adding an ip address only.

To run the script, you need to be at a BASH command prompt and you need to supply either a domain specification or an IP address. That address will be baked into the certificate and the certificate will only be valid when used on that address:

./certs.sh 192.168.1.10

Garry Hayne

Sep 3, 2017, 1:24:19 PM
to Node-RED
If your router does not have a static IP address you will need a domain name to access your system from outside your local LAN (The Internet) otherwise your browser(s) will not be able to find your node-red machine using DNS.

Most internet providers assign a new IP address at regular intervals, in this case you need to use a service like No-IP (https://www.noip.com/).

Garry

Toshi Bass

Sep 3, 2017, 1:55:41 PM
to Node-RED
Well I was under the impression that if I connect via a VPN connection then to all intents and purposes it's the same as being connected via my LAN,
however I won't get a chance to test this until tomorrow when I will be away from home, so maybe you're right, but I thought I had done this in the past
before Apple stopped supporting p2p VPN connections (not with https though, does it make a difference)?

Colin Law

Sep 3, 2017, 3:10:55 PM
to node...@googlegroups.com
If you are getting into your local network using a VPN (and not
directly) then I would have thought there is no need to use https for
node red. I use a vpn and don't use https.

Colin

Toshi Bass

Sep 3, 2017, 3:29:24 PM
to Node-RED
Hmmm, so perhaps I am going a little overboard then. Is there any overhead associated with sending https as opposed to http?

Colin Law

Sep 3, 2017, 5:23:49 PM
to node...@googlegroups.com
On 3 September 2017 at 20:29, Toshi Bass <toshib...@gmail.com> wrote:
> Hmmm so perhaps I am going a little overboard then, is there any overhead associated with sending https as opposed to http ?

Not significant I don't think. A little more processor power needed as
you have to encrypt the data. With the VPN you are already encrypting
it, there is no need to do it again. No-one is going to spy on the VPN
data provided you keep your keys secure.

Colin


Julian Knight

Sep 6, 2017, 9:11:32 AM
to Node-RED
Hmm, OK there seem to be a few issues here. I've been on hols so only just got to this.

If I've read this right, the problems are:

  1. Not clear that you need to add require('path') for use in Node-RED
  2. Chrome now checks SAN not CN for cert validity. I will investigate this - I've noticed that a number of nodes no longer work on Windows with Chrome because the services they connect to use wildcards in the SAN so there is some underlying issue here that I need to get to the bottom of & needs some more investigation.
  3. Firefox needs a separate config. - I really need to expand the notes a bit for this. Chrome/Edge/IE share the same Windows certificate store. Firefox uses its own so you need to load the CA cert into that as well.
  4. Access via a VPN wasn't working? Whether you are on the same logical network when using a VPN is somewhat dependent on the VPN configuration. Generally, if your local VPN endpoint is your ROUTER then you will effectively be on the same subnet with an IP address in the same network (unless the VPN configures as a different subnet). In that case, using TLS for Node-RED is less important and probably not needed unless you really need extra security (e.g. your local network is surrounded by Wi-Fi networks run by hackers or you share your home with dodgy people - like kids!)

If you need a cert that works BOTH locally and remotely then you have a number of options. In the long term, configuring things so that you always use the same IP NAME internally and externally is best, then you only need a single cert. But that takes a local DNS configuration which can be more difficult than setting up certs in the first place!

Otherwise, you will need two certs and a more complex setup. Note, however, that you should use the SAME CA cert. That's because it is the CA cert that you add to your cert store - not the individual cert. That's the main difference with my script vs doing things manually. If you want to create more certs, comment out the CA parts and simply reuse the one you've already created. It should be obvious that you MUST keep the CA private key absolutely secure.

I will work on clarifying 1 & 3 and investigating 2 as soon as I get some time. If there are other issues, please do feel free to raise them in Github so we can jointly create the most robust and secure setup possible.

Yongnan TAN

Mar 21, 2018, 4:56:21 AM
to Node-RED
Hi, Julian,

My node red is running on a Windows server. After following the README to generate the cert files, importing them into settings.js and running node red, the following error came up:

_tls_common.js:104
      c.context.setKey(options.key, options.passphrase);
                ^
Error: error:0B080074:x509 certificate routines:X509_check_private_key:key value
s mismatch
    at Object.createSecureContext (_tls_common.js:104:17)
    at Server (_tls_wrap.js:803:25)
    at new Server (https.js:54:14)
    at Object.createServer (https.js:76:10)
    at Object.<anonymous> (C:\Users\Administrator\AppData\Roaming\npm\node_modul
es\node-red\red.js:134:20)
    at Module._compile (module.js:635:30)
    at Object.Module._extensions..js (module.js:646:10)
    at Module.load (module.js:554:32)
    at tryModuleLoad (module.js:497:12)
    at Function.Module._load (module.js:489:3)

I have tried running your script on my Raspberry Pi and on the Windows server to generate the certs and keys, but the above error occurs both ways.
What can I do if I insist on running my node red on the Windows server?

Julian Knight

Apr 14, 2018, 6:49:49 AM
to Node-RED
Hi there, sorry for the delay in replying, I've been busy on my day job for a while. 

Just an aside, it is generally better to raise an issue on the GitHub repository as this sends me an alert, this group is too busy for me to always be monitoring it now.

To answer your question, one simple way would be to generate the certificates on the Pi and simply import them to the correct Windows certificate store.

You will want the CA cert imported as a trusted root CA. Then you can import a server cert to the appropriate part of the cert store. Been a while since I looked at IIS with certs - if I remember rightly, IIS has its own section you should use? You can look at the cert store via the Certificates management snapin that comes with all versions of Windows. Find it via the control panel or, if using W10/WS2016, etc, you can hit the Windows key and type "cert".