I just joined the community and am currently setting up email sending with n8n.
Our internal mail server uses a certificate issued by our own internal PKI (Root CA + Sub-CA). Since these are not publicly trusted, the TLS verification inside our n8n Docker container fails.
At the moment, emails only work when we disable TLS verification using:
NODE_TLS_REJECT_UNAUTHORIZED=0
Of course we would like to avoid this and configure the certificates properly.
Our questions are:
Where should the Root CA and Sub-CA certificates be installed so that Node.js inside the container trusts them?
On the Ubuntu host, inside the Docker container, or both?
Is there a recommended way to provide the certificate chain via docker-compose?
If anyone has experience with internal PKI and Docker/n8n certificate trust, any guidance would be greatly appreciated.
Internal PKI + Docker is a pain, but n8n has a clean way to handle it since version 1.42.0.
The official docs cover this exactly: check out the page on configuring a custom certificate authority here:
In short:
Put your Root CA and Sub-CA certs (PEM format, .crt/.pem files) in a folder on the host (e.g. ./pki).
Mount that folder to /opt/custom-certificates in your container via docker-compose volumes.
Make sure the folder is writable by the container user (often just run chown -R 1000:1000 ./pki on host or chown inside once).
Restart n8n, and it should automatically trust them for outbound connections (like SMTP to your mail server). No need for NODE_TLS_REJECT_UNAUTHORIZED=0.
You only need to do this inside the container; no changes are required on the host OS.
If you’re on an older version, upgrade if possible, or fall back to NODE_EXTRA_CA_CERTS (also mentioned in the docs).
Let me know your n8n version or any error you hit after trying, happy to troubleshoot!
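The setup described in the answer above, as an added docker-compose sketch that is not part of the original posts or of the n8n docs. The service name, image reference, published port, data volume and the file names under ./pki are assumptions; the fallback for older versions is shown commented out.

```yaml
# Added example. Service name, image reference and file names are assumptions.
services:
  n8n:
    image: docker.n8n.io/n8nio/n8n    # assumed image; 1.42.0 or later per the answer
    restart: unless-stopped
    ports:
      - "5678:5678"

    # Weak setting from the question. It turns off certificate verification for
    # every outbound TLS connection the Node.js process makes, not only SMTP.
    # Delete it once the CA certificates are mounted:
    # environment:
    #   - NODE_TLS_REJECT_UNAUTHORIZED=0

    # Fallback for older versions, instead of the /opt/custom-certificates mount:
    # one PEM file containing Root CA + Sub-CA, passed to Node.js directly.
    # environment:
    #   - NODE_EXTRA_CA_CERTS=/certs/internal-ca-bundle.pem

    volumes:
      - n8n_data:/home/node/.n8n
      # ./pki holds the PEM-encoded CA certificates only, e.g. root-ca.pem and
      # sub-ca.pem (hypothetical names). Not mounted read-only, because the
      # answer says the folder has to be writable by the container user.
      - ./pki:/opt/custom-certificates
      # Needed only for the NODE_EXTRA_CA_CERTS fallback (hypothetical file name):
      # - ./pki/internal-ca-bundle.pem:/certs/internal-ca-bundle.pem:ro

volumes:
  n8n_data:
```

After recreating the container, confirm that NODE_TLS_REJECT_UNAUTHORIZED is no longer set in its environment before testing the SMTP credential, otherwise a successful send proves nothing about the trust chain.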