Crashes because of self signed certs

My n8n instance is using self signed certs for https. After a while (I think when I activate the workflow) the n8n server dies and the web front loses the connection. Node crashes with:

  Version: 0.33.0

   ================================
     Start Active Workflows:
   ================================
     - test
  ADD ID (active): 1
  events.js:187
        throw er; // Unhandled 'error' event
        ^

  Error: self signed certificate
      at TLSSocket.onConnectSecure (_tls_wrap.js:1321:34)
      at TLSSocket.emit (events.js:210:5)
      at TLSSocket._finishInit (_tls_wrap.js:794:8)
      at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:608:12)
      at Socket.ondata (internal/js_stream_socket.js:64:22)
      at Socket.emit (events.js:210:5)
      at addChunk (_stream_readable.js:308:12)
      at readableAddChunk (_stream_readable.js:289:11)
      at Socket.Readable.push (_stream_readable.js:223:10)
      at TCP.onStreamRead (internal/stream_base_commons.js:182:23)
  Emitted 'error' event on Connection instance at:
      at TLSSocket._onError (/usr/local/lib/node_modules/n8n/node_modules/imap/lib/Connection.js:151:10)
      at TLSSocket.emit (events.js:210:5)
      at emitErrorNT (internal/streams/destroy.js:92:8)
      at emitErrorAndCloseNT (internal/streams/destroy.js:60:3)
      at processTicksAndRejections (internal/process/task_queues.js:80:21) {
    code: 'DEPTH_ZERO_SELF_SIGNED_CERT',
    source: 'socket'
  }

Restarting (or even recreating the Docker container) no longer works, unfortunately. It seems I need to wipe the settings.

Any idea what’s going on?

The root CA is trusted and the browser is happy with the server cert.
Maybe the client cert auth is a problem?

Same problem without the client cert auth. I cannot bring n8n back up without wiping the data (or maybe changing something in the sqlite db)

Sadly, I never saw that problem before and also do not have the slightest idea what would cause it.

Anyhow, I published a guide yesterday on how to set up n8n with docker-compose, which also includes the certificate creation with Let's Encrypt. You can find it here:

If activating the workflow caused the problem, you will have to manually disable it in the database, as it will always activate it again on startup.

Thanks for the link - but I don’t think I can combine that with self signed client certs.

And as said before - basic auth is just not an option. Not with all those credentials in one place.

Do you use Docker? If so, the base image uses Alpine Linux, which quite often causes issues with the SSL certificates. You can try to use the Ubuntu image (simply add “-ubuntu”). Maybe you have more luck there.

Apart from that I sadly have no idea how to solve that.

Back in business :slight_smile:
I added

  environment:
    - NODE_TLS_REJECT_UNAUTHORIZED=0

to my docker compose file.

I am using the n8nio/n8n image at the moment.

As for accessing the sqlite db that gave me a

  Unable to open database "database.sqlite": file is encrypted or is not a database

I guess the encryption key is right next to it? :wink:
…but still no idea how to access an encrypted db.
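
An added example, not part of the original thread or of n8n's documentation: `NODE_TLS_REJECT_UNAUTHORIZED=0` switches off certificate verification for every outbound TLS connection the Node process makes, not only the IMAP connection in the trace, whereas Node's `NODE_EXTRA_CA_CERTS` variable keeps verification on and adds one PEM file to the trusted set. The service name, host path and file name below are assumptions.

```yaml
# Added illustration; service name, paths and file name are assumptions.
version: "3"

services:
  n8n:
    image: n8nio/n8n
    volumes:
      # Constructed path: PEM copy of the mail server's self-signed
      # certificate (or of the private CA that issued it), mounted read-only.
      - ./certs/mail-server.pem:/certs/mail-server.pem:ro
    environment:
      # Weak: disables certificate verification for ALL outbound TLS
      # connections made by this process.
      # - NODE_TLS_REJECT_UNAUTHORIZED=0

      # Narrower: verification stays on; Node's default trust store is
      # extended with exactly this certificate.
      - NODE_EXTRA_CA_CERTS=/certs/mail-server.pem
```

Node reads the file once at process start, so the container has to be restarted after changing it, and the certificate's name still has to match the mail host configured in the credentials.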

That is very strange. The database should not be encrypted. The only thing that gets encrypted is the credentials before they get saved to the database.

Odd. This is on Debian 10

  $ sqlite -version
  2.8.17
  $ sqlite database.sqlite
  Unable to open database "database.sqlite": file is encrypted or is not a database

It looks like you are using a very old version of SQLite. The current stable is 3.30.1

If you update it, it will maybe work.

My bad - sqlite apparently was version 2. sqlite3 is the correct package. Now that works too.

But getting back to the self signed certs. I just realized that this isn’t really an option either because of the webhooks. sigh

It would be sooooooo good if the admin UI could live on a different port than the hooks. This would make things so much easier.

No idea how your setup is, but if you use Nginx or similar, it should be possible to use totally different directories, domains, ports and then simply route it in Nginx to webhooks or UI. And so you could also have different certificates.

Aaaaah - I can just adjust the webhook URL accordingly. Sure!
(I am using nginx)

I have now also added documentation for the environment variables WEBHOOK_TUNNEL_URL and VUE_APP_URL_BASE_API, which are important for that. You can find it here:

Here, too, contributions on how to improve the documentation are very welcome. It is definitely not my strong suit, and as a native German speaker I am additionally not the perfect candidate anyway.