n8n in Docker and SSL issues

Describe the problem/error/question

When mounting my Certbot Let’s Encrypt certificates to the Docker container, it can read the fullchain.pem file but not the privatekey.pem file (due to the Docker container not having root access to read the files). I have tried to use a reverse proxy on the host but the docs are quite vague.

What is the error message (if any)?

permission denied to read privatekey on start

Information on your n8n setup

  • n8n version: 2.9.4
  • Database (default: SQLite): default
  • n8n EXECUTIONS_PROCESS setting (default: own, main):
  • Running n8n via (Docker, npm, n8n cloud, desktop app): Docker
  • Operating system: Debian 13

Hi @Bejing_Corn Welcome!
Have you tried using a reverse proxy like Nginx or Traefik to handle SSL termination rather than just passing certificates to the container? What I mean is that Nginx running on the host must have root access so that it can read the Certbot private key; also, n8n only receives plain HTTP from localhost.

Your config should be like this, I think:

server {
    listen 80;
    server_name your-domain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name your-domain.com;

    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://localhost:5678;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        proxy_read_timeout 3600;
        proxy_send_timeout 3600;
    }
}

And then ofc you have to set env variables like this:

environment:
  - N8N_HOST=your-domain.com
  - N8N_PORT=5678
  - N8N_PROTOCOL=https
  - WEBHOOK_URL=https://your-domain.com/
  - N8N_PROXY_HOPS=1
  - NODE_ENV=production

And that should work. Hope this helps.


Yes, I have tried using a reverse proxy (nginx) but I ran into some issues with the n8n client communicating with the server. It could not initiate a WebSocket connection running through the proxy and I just gave up on that. I’ll try again.

EDIT: It's also having issues communicating with the REST API.

hi @Bejing_Corn - please share your docker compose file - likely you’ll need to map the ports or validate docker network is open to both nginx and n8n containers.


I just fixed it. I set n8n to connect to the proxy through https rather than http 🤦.

Here is my config anyway:
Docker:

services:
  n8n:
    image: docker.n8n.io/n8nio/n8n
    container_name: n8n
    ports:
      - "127.0.0.1:5678:5678"
    restart: unless-stopped

    environment:
      - GENERIC_TIMEZONE=Pacific/Auckland
      - TZ=Your/Timezone
      - N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS=true
      - N8N_PROTOCOL=http
      - N8N_HOST=example.com
      - N8N_PORT=5678
      - WEBHOOK_URL=https://n8n.example.com/
      - N8N_PROXY_HOPS=1
      - NODE_ENV=production
    volumes:
      - n8n_data:/home/node/.n8n

volumes:
  n8n_data:

Nginx:

server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://localhost:5678;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        proxy_read_timeout 3600;
        proxy_send_timeout 3600;
    }
}

I also had to add:

large_client_header_buffers 8 32k;

into nginx.conf to allow Google OAuth with lots of scopes.

Maybe n8n could update the docs with a how-to guide for this stuff.
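
An added example, not part of any post in this thread and not n8n's own tooling: a small Python linter for the two configs in the final post, checking the WebSocket upgrade directives on the nginx side and, on the compose side, that the plain-HTTP port 5678 is published on loopback only so it cannot be reached around the TLS proxy. The function names are hypothetical, and it assumes no certificate is mounted into the container, so the container speaks plain HTTP.

```python
import re
# Trimmed copies of the configs posted in this thread (sample input).
NGINX = """location / {
    proxy_pass http://localhost:5678;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-Proto $scheme;
}"""
COMPOSE = """    ports:
      - "127.0.0.1:5678:5678"
    environment:
      - WEBHOOK_URL=https://n8n.example.com/
      - N8N_PROXY_HOPS=1"""

def lint_nginx(conf):
    """Findings for the proxy directives n8n's editor WebSocket depends on."""
    m = re.search(r"^\s*proxy_pass\s+(\w+)://", conf, re.M)
    if not m:
        return ["no proxy_pass directive"]
    out = []
    # Assumption: no certificate is mounted, so the container speaks plain HTTP.
    if m.group(1) != "http":
        out.append("proxy_pass scheme is not http")
    if not re.search(r"^\s*proxy_http_version\s+1\.1\s*;", conf, re.M):
        out.append("proxy_http_version 1.1 missing")
    hdr = {k.lower(): v.strip().strip('"') for k, v in
           re.findall(r"^\s*proxy_set_header\s+(\S+)\s+([^;]+);", conf, re.M)}
    for name, want in (("upgrade", "$http_upgrade"), ("connection", "upgrade"),
                       ("x-forwarded-proto", "$scheme")):
        if hdr.get(name) != want:
            out.append(f"proxy_set_header {name} {want} missing")
    return out

def lint_compose(compose):
    """Findings for the compose settings that keep port 5678 behind nginx."""
    out = []
    for p in re.findall(r'^\s*-\s*"?([\d.:]+:\d+)"?\s*$', compose, re.M):
        if not p.startswith("127.0.0.1:"):
            out.append(f"port {p} is published on all host interfaces")
    env = dict(re.findall(r"^\s*-\s*([A-Z0-9_]+)=(\S*)", compose, re.M))
    if not env.get("WEBHOOK_URL", "").startswith("https://"):
        out.append("WEBHOOK_URL is not an https:// URL")
    if env.get("N8N_PROXY_HOPS") != "1":
        out.append("N8N_PROXY_HOPS is not 1")
    return out

if __name__ == "__main__":
    print(lint_nginx(NGINX) + lint_compose(COMPOSE))
```

An empty list means every check passed; each string in the result names one setting to revisit.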
