I'm using n8n for a WhatsApp bot automation. I'm using webhook triggers to activate n8n, but there's a problem that I can't resolve…
The infrastructure info:
I have a domain
I have a wildcard for SSL (.crt and .key)
The setup is running using docker-compose.yaml
The problem is:
The SSL to access the website is working, but when I try to use the webhook without --tunnel, the certificate is invalid.
As you can see, with curl -k I can't get the POST to work; without it I have a problem
When it comes to SSL/TLS things can get complicated. Looking at your error, curl appears to be unhappy, which would suggest it is getting the wrong cert, the cert is invalid, or the OS doesn’t trust the CA.
The first thing I would try is using the OpenSSL CLI to fetch the cert and see what is coming back.
Could also be worth running it through the SSL Labs test tool to see if it can detect anything (make sure you check the box to hide from the results).
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
56:7f:c3:b5:e6:54:54:5b:58:b1:39:8b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
Validity
Not Before: May 31 17:11:12 2022 GMT
Not After : Jul 2 17:11:11 2023 GMT
Subject: C = BR, ST = Distrito Federal, L = Brasilia, O = CENSURED, CN = *.CENSURED.br
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
Authority Information Access:
CA Issuers - URI:http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt
OCSP - URI:http://ocsp.globalsign.com/gsrsaovsslca2018
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.4146.1.20
CPS: https://www.globalsign.com/repository/
Policy: 2.23.140.1.2.2
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Alternative Name:
DNS:*.CENSURED.br, DNS:CENSURED.br
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Authority Key Identifier:
keyid:F8:EF:7F:F2:CD:78:67:A8:DE:6F:8F:24:8D:88:F1:87:03:02:B3:EB
X509v3 Subject Key Identifier:
6A:73:80:2F:C8:86:C9:C8:36:16:98:88:7D:ED:63:58:5D:D7:B4:C2
I just tried to disable Traefik and use the certificates with n8n using the N8N_PROTOCOL, N8N_SSL_KEY, N8N_SSL_CERT variables. The same error occurs… we use this certificate for other services too and there's no problem with them…
Question:
Is there a way to use n8n without HTTPS? I tried to use N8N_PROTOCOL = http but the connection is refused.
I have removed the cert you uploaded as it gave away the domain you have been hiding. I have however done a quick curl command from my machine here and I am able to connect to the site so it looks like this is going to be down to the third possible issue I listed (OS doesn’t trust the CA).
Running it through SSL Labs it looks like you did it yesterday and it shows everything is mostly good other than an incomplete chain.
You can run n8n without HTTPS by setting the protocol to HTTP and this is what I do with my instances as I handle the SSL/TLS from a reverse proxy like nginx / caddy / traefik. If you remove all the reverse proxy config it would then work only over HTTP which wouldn’t be great.
Hello Jon
I found the problem…
Using SSL Labs to test the website, it found that my chain was incomplete. I forgot to add the CA root to the certificate. Problem solved! Thank you.
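Added example, not part of the thread: an offline reproduction of the "incomplete chain" result, showing why a client that trusts only the root rejects a server that presents the leaf alone and accepts it once the issuing CA certificate is bundled after the leaf. The three-tier PKI, the `demo-*.example` names and the function names are constructed for the demonstration.

```shell
#!/usr/bin/env bash
set -eu

# Build a throwaway root -> intermediate -> leaf PKI in directory $1 (constructed data).
make_demo_pki() {
  local d=$1 n
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  for n in root int leaf; do   # one key and CSR per tier
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n.example" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  # Root is self-signed; it is the only certificate the client trusts.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  # Intermediate is signed by the root, the leaf by the intermediate.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
}

# Succeeds only if the PEM file a server would present ($2: leaf first, then
# any intermediates) chains to the trusted root ($1), which is what curl needs.
served_chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# The fix: hand the server one file with the leaf first, then the issuing CA.
build_fullchain() { cat "$1" "$2" > "$3"; }

run_demo() {   # prints the verdict for the broken and the fixed bundle
  local d; d=$(mktemp -d)
  make_demo_pki "$d"
  served_chain_ok "$d/root.crt" "$d/leaf.crt" && echo "leaf only: trusted" \
    || echo "leaf only: NOT trusted (incomplete chain)"
  build_fullchain "$d/leaf.crt" "$d/int.crt" "$d/fullchain.crt"
  served_chain_ok "$d/root.crt" "$d/fullchain.crt" && echo "fullchain: trusted" \
    || echo "fullchain: NOT trusted"
  rm -rf "$d"
}
run_demo
```

Against a live server, `openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null` lists the certificates actually sent, so a single certificate in that output is the same condition as the "leaf only" case here.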