Permission error for /opt/custom-certificates

I am getting an error when trying to give a trusted SSL cert path to the n8n node. I am adding credentials for Jira, but it gives the error -
self-signed certificate in certificate chain
So I looked in the documentation and tried the following:
in the n8n docker-compose file I have added the following env variables to n8n -

environment:
  - N8N_SSL_CERT=/opt/custom-certificates/cert.pem
volumes:
  - n8n_storage:/home/node/.n8n
  - /etc/ssl:/opt/custom-certificates

Describe the problem/error/question

Even after adding the above config, I could see in the n8n container logs -
podman logs --follow 4a7807a2e9a5
Trusting custom certificates from /opt/custom-certificates.
ERROR: Access denied ‘/opt/custom-certificates’
Last session crashed
Initializing n8n process
n8n ready on ::, port 5678
n8n Task Broker ready on 0.0.0.0, port 5679

Information on your n8n setup

  • n8n version: latest
  • Database (default: SQLite): postgres
  • n8n EXECUTIONS_PROCESS setting (default: own, main): own, docker-compose setup, as mentioned in the documentation - Configure n8n to use your own certificate authority | n8n Docs
  • Running n8n via (Docker, npm, n8n cloud, desktop app): docker
  • Operating system: Mac OS

Maybe it was because of my /etc/ssl/ path. I moved the .pem file into the ./pki folder, and now when I restart, at least the permission denied warning is gone, but I now see -

podman logs --follow withpostgresandworker-n8n-1                                            
Trusting custom certificates from /opt/custom-certificates.
WARNING: allCAbundle.pem does not contain exactly one certificate or CRL: skipping
Last session crashed
Initializing n8n process
n8n ready on ::, port 5678
n8n Task Broker ready on 0.0.0.0, port 5679


[license SDK] Skipping renewal on init: license cert is not initialized
[Recovery] Logs available, amended execution

Editor is now accessible via:
http://localhost:5678
Registered runner "launcher-python" (b8dec9901b0eac31) 
Registered runner "launcher-javascript" (b01c8d69d85484fa) 


(node:2) [DEP0060] DeprecationWarning: The `util._extend` API is deprecated. Please use Object.assign() instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
self-signed certificate in certificate chain

I still get the self-signed certificate issue.

Even when I replace the bundle PEM with a single PEM file, this warning disappears, but still

podman logs --follow withpostgresandworker-n8n-1                                                                                             
Trusting custom certificates from /opt/custom-certificates.
Last session crashed
Initializing n8n process
n8n ready on ::, port 5678
n8n Task Broker ready on 0.0.0.0, port 5679


[license SDK] Skipping renewal on init: license cert is not initialized


Editor is now accessible via:
http://localhost:5678
Registered runner "launcher-python" (dfc9e1615b32a3c5) 
Registered runner "launcher-javascript" (9e6936666ad9509d) 





(node:2) [DEP0060] DeprecationWarning: The `util._extend` API is deprecated. Please use Object.assign() instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
self-signed certificate in certificate chain
self-signed certificate in certificate chain

I would split the bundle into multiple files, one for each cert, since each file should only have 1 cert.

Hi @nnahal, welcome to the n8n community :tada: ! From what I can see, n8n is able to read the certificate path, but it is skipping the file because it does not contain a single trusted CA certificate. To resolve this, I would extract the correct CA that signed the Jira certificate, usually the root and sometimes the intermediate, and provide it as a single PEM file with read permissions.
Once that correct CA file is mounted in the container, the self-signed certificate error should be resolved. Hope this works.

2 Likes
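
The two replies above come down to one certificate per file, readable inside the container. As an added example (not from the thread or from n8n), this script splits a bundle into single-certificate files and flags any file that holds more than one certificate or is not world-readable; the `ca-NN.pem` names and the function names are assumptions, and picking which CA actually signed the Jira certificate is still a manual step.

```shell
#!/bin/sh
# Added example, not n8n code; the ca-NN.pem naming is an assumption.

# Print how many PEM certificate blocks a file contains.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split bundle $1 into one-certificate files under $2; prints how many.
split_bundle() {
    bundle=$1; outdir=$2
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/ca-%02d.pem", dir, n); keep = 1 }
        keep { print > out }
        /-----END CERTIFICATE-----/ { if (keep) close(out); keep = 0 }
        END { print n + 0 }
    ' "$bundle"
    # Directory r-x and files r-- for "other", so a non-root container user can read them.
    chmod 0755 "$outdir"
    for f in "$outdir"/ca-*.pem; do
        if [ -f "$f" ]; then chmod 0644 "$f"; fi
    done
}

# Report files that hold != 1 certificate or are not world-readable.
check_cert_dir() {
    dir=$1
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        c=$(count_certs "$f")
        [ "$c" = "1" ] || echo "$f: $c certificates (expected 1)"
    done
    find "$dir" -type f -name '*.pem' ! -perm -004 -print | sed 's/$/: not world-readable/'
}

# Usage: sh split-ca.sh allCAbundle.pem ./pki
if [ "$#" -eq 2 ]; then
    split_bundle "$1" "$2" && check_cert_dir "$2"
fi
```
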

Thanks a lot! This worked -

would extract the correct CA that signed the Jira certificate, usually the root and sometimes the intermediate, and provide it as a single PEM file with read permissions.

I replaced the file and restarted the setup; the Jira connection works now :clap:

1 Like

Ihuul :partying_face:
Glad this helps!
