I’m just getting familiar with n8n, and am setting it up locally first with, hopefully, a Self-Signed Certificate.
Here is my docker-compose(1) file:
```yaml
version: '3.8'

volumes:
  n8n_storage:

services:
  n8n:
    container_name: n8n_node01
    user: node
    image: docker.n8n.io/n8nio/n8n
    restart: always
    environment:
      - N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS=true
      - DB_TYPE=sqlite
      - N8N_SSL_CERT=/home/node/.n8n/certs/vscode.cert.pem
      - N8N_SSL_KEY=/home/node/.n8n/certs/vscode.key.pem
      - N8N_PROTOCOL=http # Set to: https
      - N8N_SECURE_COOKIE=false # Set to: true
      #- N8N_HOST=${SUBDOMAIN}.${DOMAIN_NAME}
    ports:
      - 5678:5678 #- "0.0.0.0:5678:5678"
    volumes:
      - n8n_storage:/home/node/.n8n
      - ${HOST_CERTS_FOLDER}:/home/node/.n8n/certs # <--- PROBLEM
```
My problem is caused by the final statement above. As illustrated in the following, because the /certs/ sub-directory is created with root:root ownership instead of (I suppose) node:node ownership, attempts to access it lead to this:
```
N8N_SSL_KEY issue: EACCES: permission denied, open
```

```
user@fedora$ podman exec -it n8n_node01 ls -la /home/node/.n8n
total 396
drwxr-x--- 2 root root   4096 Nov  6 02:06 certs # <--- PROBLEM
drwxr-sr-x 2 node node   4096 Nov 13 23:05 binaryData
-rw------- 1 node node     56 Nov 13 23:05 config
-rw-r--r-- 1 node node      0 Nov 13 23:05 crash.journal
-rw-r--r-- 1 node node 368640 Nov 13 23:05 database.sqlite
drwxr-sr-x 2 node node   4096 Nov 13 23:05 git
-rw-r--r-- 1 node node      0 Nov 13 23:05 n8nEventLog.log
drwxr-sr-x 2 node node   4096 Nov 13 23:05 ssh
```
I’m unable to set and try the following without first resolving the above:
- N8N_PROTOCOL=https
- N8N_SECURE_COOKIE=true
Can someone help me with the workaround for this (or how to correctly do it)? I’ve tried quite a few things, but achieved no success.
As a quick but not permanent option, I had tried that already (as root) and it doesn’t work. Compare the first statement result which, although unnecessary, succeeds, with the second statement which fails. This is true when performed inside the container also.
As you are bringing in a folder, you would need to manually change the permission, although you can run the change as a startup command instead of doing what you are trying.
I am not sure why you are getting a permission error again when trying to run the command, though; it is a standard Linux command and as root should work. I would maybe try moving the cert folder out of the .n8n directory to be safe.
If you wanted to go for a more “real world” setup to get familiar with n8n, I would probably set up a reverse proxy like Caddy or Traefik and load your self-signed cert there instead, as I don’t actually know of that many people running n8n with https directly… what you are doing should still work, though.
I determined why I was having access issues, even as root. This statement in my docker-compose.yaml file (above):
- ${HOST_CERTS_FOLDER}:/home/node/.n8n/certs
maps a directory on the Docker Host to the ./certs sub-directory inside the Docker Container. As a security measure, Docker prevents modifying or even entering that sub-directory since it means also seeing/modifying something on the Host (i.e., everything should be contained and isolated). So, I simply removed that statement and successfully created everything manually from inside the container, alternating between user root and node as needed.
I really should have remembered that because I once created a multi-tenant cloud sandbox appliance with layers of nested docker and podman containers (see here), but that was a while ago and I’m rusty.
Regarding your “real world” comment, you’re absolutely correct. I would normally do so (and in the above URL you’ll notice my use of nginx (towards the bottom)). Here, I’m just quickly trying to get n8n up and running to learn its capabilities and how to orchestrate agentic AI workflows within it.
But do keep the critiques coming as I ask questions. If you notice something I can do better, or am conceptually off track, don’t hesitate to correct me (and that goes for anyone).
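The listing earlier in the thread shows `certs` as `drwxr-x--- root root` while n8n runs as `node`. As an added example (not code from the thread or from n8n), this preflight check evaluates the mode bits on a key's directory and on the key file for a given UID/GID before the container starts. The function names are hypothetical, UID/GID 1000 for `node` is an assumption, and only classic mode bits are evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check that a container user
# can reach a bind-mounted TLS key. Evaluates classic owner/group/other mode
# bits only; ACLs, SELinux labels and user-namespace ID mapping are NOT checked.

# perm_digit UID GID PATH -> prints the rwx digit (0-7) that applies to UID/GID
perm_digit() (
    st=$(stat -c '%u %g %a' -- "$3") || exit 2   # GNU/busybox stat syntax
    owner=${st%% *}; rest=${st#* }
    group=${rest%% *}; mode=${rest#* }
    mode=$((mode % 1000))                        # drop setuid/setgid/sticky digit
    if [ "$1" -eq "$owner" ]; then echo $((mode / 100))
    elif [ "$2" -eq "$group" ]; then echo $((mode / 10 % 10))
    else echo $((mode % 10)); fi
)

# check_key_access UID GID KEYFILE
# exit status: 0 ok, 1 directory not searchable, 2 stat failed,
#              3 key not readable, 4 readable but the key is world-readable
check_key_access() (
    dir=$(dirname -- "$3")
    d=$(perm_digit "$1" "$2" "$dir") || exit 2
    f=$(perm_digit "$1" "$2" "$3") || exit 2
    if [ $((d & 1)) -eq 0 ]; then
        echo "DENY: uid $1 lacks search (x) on $dir"; exit 1
    fi
    if [ $((f & 4)) -eq 0 ]; then
        echo "DENY: uid $1 lacks read (r) on $3"; exit 3
    fi
    w=$(stat -c '%a' -- "$3") || exit 2
    if [ $((w % 10 & 4)) -ne 0 ]; then
        echo "WARN: $3 is world-readable; a private key should not be"; exit 4
    fi
    echo "OK: uid $1 can read $3"
)

# Usage (assumed values: node is UID/GID 1000 inside the container):
#   check_key_access 1000 1000 "$HOST_CERTS_FOLDER/vscode.key.pem"
if [ "$#" -eq 3 ]; then check_key_access "$@"; fi
```

A directory like the one in the listing (mode 750, owned by a different UID and GID) yields status 1 for the container user, which corresponds to the `EACCES` on `N8N_SSL_KEY`.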