This is more of an answer than a question, but it still fit this category best.
Self Signed Certificate (Chain) Support
At the moment, the documentation here ("Configure n8n to use your own certificate authority", n8n Docs) leaves a few things to figure out on your own. It took a while to find the bits I was missing, so until some of this makes it into the documentation page, maybe others struggling with the same missing pieces will find what they need here.
Particularly,
- The /opt/custom-certificates directory (mapped volume) may contain .pem or .crt files (and possibly others, but no file types are specified in the docs).
- Each .pem or .crt file must contain ONLY ONE certificate.
  - To split up a .pem file that contains multiple certificates (e.g. an export of a full certificate chain from a browser, containing a root CA cert, intermediate CA certs, and a server cert) into separate, single-certificate files n8n can use, try…
    - csplit -z -f cert_ -b '%02d.pem' mycertchain.pem '/-----BEGIN CERTIFICATE-----/' '{*}'
- When n8n starts up, there should be a console message saying "Trusting custom certificates from /opt/custom-certificates", which confirms n8n at least found the custom certificates directory.
- More evidence that n8n has found and loaded a .pem or .crt file is the presence of a symlink (presumably created by the n8n process) alongside each file in the /opt/custom-certificates directory. The symlinks have hashcode-ish names like: 27b414bf.0
Indications Things are Not Set Up Correctly
If the trusted self-signed certificates are not configured correctly…
- Attempting to connect a node (e.g. the ‘n8n’ API client node) to a host with a self-signed server certificate (from a CA that should be trusted) will still fail and display something like SELF_SIGNED_CERT_IN_CHAIN, for instance, in an error message block in a credential-setup dialog.
- Console messages (if you’re watching the console output), like the following, may appear when attempting to test a connection (in the UI) to a server with a self-signed certificate:
  NodeApiError: self-signed certificate in certificate chain
  AxiosError: self-signed certificate in certificate chain
  Error: self-signed certificate in certificate chain
- When the certificate file content isn’t acceptable (e.g. more than one certificate per file), there will probably be a console message like "WARNING: mycertchain.pem does not contain exactly one certificate or crl: skipping", which is informative, but, again, only if you happen to be watching the console output.
This applies to
- n8n version: 1.42.0 (when the self-signed certificate support was introduced), and later
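
The one-certificate-per-file requirement described above, as an added example that is not part of the original post or n8n's own code: it splits a bundle with awk instead of csplit and then audits a directory for files that would hit the "does not contain exactly one certificate" case. The function names and the sample bundle are constructed for illustration; the bundle bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# split_chain BUNDLE OUTDIR: write each certificate in BUNDLE to
# OUTDIR/cert_NN.pem, dropping any text outside the BEGIN/END markers.
# Prints the number of files written.
split_chain() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert_%02d.pem", dir, n++); inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { if (inside) close(out); inside = 0 }
        END                           { print n + 0 }
    ' "$1"
}

# audit_cert_dir DIR: list every .pem/.crt file in DIR that does not hold
# exactly one certificate. Returns 1 if any such file is found.
audit_cert_dir() {
    bad=0
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue
        count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
        if [ "$count" -ne 1 ]; then
            echo "$f: $count certificates"
            bad=1
        fi
    done
    return "$bad"
}

# make_sample_bundle FILE: constructed three-block bundle. The bodies are
# placeholders, not real certificates; only the PEM framing matters here.
make_sample_bundle() {
    for name in root-ca intermediate-ca server; do
        printf 'subject=CN=%s (constructed)\n' "$name"
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "PLACEHOLDER-$name" '-----END CERTIFICATE-----'
    done > "$1"
}

# Demo: the bundle itself fails the audit, the split files pass.
work=$(mktemp -d)
make_sample_bundle "$work/mycertchain.pem"
audit_cert_dir "$work" || echo "bundle needs splitting"
split_chain "$work/mycertchain.pem" "$work/split" >/dev/null
audit_cert_dir "$work/split" && echo "all split files hold exactly one certificate"
rm -rf "$work"
```

Running audit_cert_dir against the host directory mapped to /opt/custom-certificates before starting the container surfaces the multi-certificate case without having to watch the console output.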