Problems with webhook and Pem Certificate

Describe the issue/error/question

I'm using n8n for a WhatsApp bot automation. I'm using webhook triggers to activate n8n, but there's a problem that I can't resolve…
The infrastructure info:
I have a domain
I have a wildcard for SSL (.crt and .key)

The setup is running using docker-compose.yaml

The problem is:
The SSL to access the website is working, but when I try to use the webhook without --tunnel, the certificate is invalid.

As you can see, with curl -k I can't get the POST to work; without it I have a problem.

But the SSL for the website is working:

I have already modified Traefik so much that I think the problem is n8n, not Traefik.

This is docker-compose.yml

traefik:
  image: "traefik"
  restart: always
  healthcheck:
    test:
      - CMD
      - traefik
      - healthcheck
    interval: 10s
    timeout: 5s
    retries: 3
  ports:
    - "80:80"
    - "443:443"
    - "8080:8080"
  volumes:
    - /etc/localtime:/etc/localtime:ro
    - ${DATA_FOLDER}/traefik/:/etc/traefik
    - "${DATA_FOLDER}/cert:/certs/"
    - /var/run/docker.sock:/var/run/docker.sock:ro
n8n:
   image: n8nio/n8n
   restart: always
   ports:
    - "0.0.0.0:5678:5678"
   labels:
    - traefik.enable=true
    - traefik.http.routers.n8n.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)
    - traefik.http.routers.n8n.tls=true
    - traefik.http.routers.n8n.entrypoints=web,websecure
    - traefik.http.routers.n8n.tls.certresolver=mytlschallenge
    - traefik.http.middlewares.n8n.headers.SSLRedirect=true
    - traefik.http.middlewares.n8n.headers.STSSeconds=315360000
    - traefik.http.middlewares.n8n.headers.browserXSSFilter=true
    - traefik.http.middlewares.n8n.headers.contentTypeNosniff=true
    - traefik.http.middlewares.n8n.headers.forceSTSHeader=true
    - traefik.http.middlewares.n8n.headers.SSLHost=${DOMAIN_NAME}
    - traefik.http.middlewares.n8n.headers.STSIncludeSubdomains=true
    - traefik.http.middlewares.n8n.headers.STSPreload=true
    - [email protected]
   environment:
    - N8N_BASIC_AUTH_ACTIVE=true
    - N8N_BASIC_AUTH_USER
    - N8N_BASIC_AUTH_PASSWORD
    - N8N_HOST=${SUBDOMAIN}.${DOMAIN_NAME}
    - N8N_PORT=5678
    - N8N_PROTOCOL=https
    - N8N_EMAIL_MODE
    - N8N_SMTP_HOST
    - N8N_SMTP_PORT
    - N8N_SMTP_SSL
    - N8N_SMTP_USER
    - N8N_SMTP_PASS
    - N8N_SMTP_SENDER
    - N8N_LOG_LEVEL
    - N8N_LOG_OUTPUT
    - N8N_LOG_FILE_LOCATION
    - N8N_LOG_FILE_MAXSIZE
    - N8N_LOG_FILE_MAXCOUNT
    - NODE_ENV=production
    - WEBHOOK_URL=https://${SUBDOMAIN}.${DOMAIN_NAME}/
    - GENERIC_TIMEZONE=${GENERIC_TIMEZONE}
   volumes:
    - /etc/localtime:/etc/localtime:ro
    - ${DATA_FOLDER}/.n8n:/home/node/.n8n
    - /local-files:/files

Hey @fellipe.rocha,

Welcome to the community :tada:

When it comes to SSL/TLS things can get complicated. Looking at your error, curl appears to be unhappy, which would suggest it is getting the wrong cert, the cert is invalid, or the OS doesn’t trust the CA.

The first thing I would try is using the OpenSSL CLI to fetch the cert and see what is coming back.

Could also be worth running it through the SSL Labs test tool to see if it can detect anything (make sure you check the box to hide from the results).

Here's the OpenSSL output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            56:7f:c3:b5:e6:54:54:5b:58:b1:39:8b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
        Validity
            Not Before: May 31 17:11:12 2022 GMT
            Not After : Jul  2 17:11:11 2023 GMT
        Subject: C = BR, ST = Distrito Federal, L = Brasilia, O = CENSURED, CN = *.CENSURED.br
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            Authority Information Access:
                CA Issuers - URI:http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt
                OCSP - URI:http://ocsp.globalsign.com/gsrsaovsslca2018

            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.4146.1.20
                  CPS: https://www.globalsign.com/repository/
                Policy: 2.23.140.1.2.2

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:*.CENSURED.br, DNS:CENSURED.br
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier:
                keyid:F8:EF:7F:F2:CD:78:67:A8:DE:6F:8F:24:8D:88:F1:87:03:02:B3:EB

            X509v3 Subject Key Identifier:
                6A:73:80:2F:C8:86:C9:C8:36:16:98:88:7D:ED:63:58:5D:D7:B4:C2
    Signature Algorithm: sha256WithRSAEncryption

I just tried to disable Traefik and use the certificates with n8n using the N8N_PROTOCOL, N8N_SSL_KEY and N8N_SSL_CERT variables. The same error occurs… we use this certificate for other services too and there's no problem with them…

Question:
Is there a way to use n8n without HTTPS? I tried to use N8N_PROTOCOL = http but the connection is refused.

Hi @fellipe.rocha, did you upgrade the CA certificates on the host where you run curl?

Hey @fellipe.rocha,

I have removed the cert you uploaded as it gave away the domain you have been hiding. I have however done a quick curl command from my machine here and I am able to connect to the site so it looks like this is going to be down to the third possible issue I listed (OS doesn’t trust the CA).

Running it through SSL Labs it looks like you did it yesterday and it shows everything is mostly good other than an incomplete chain.

You can run n8n without HTTPS by setting the protocol to HTTP and this is what I do with my instances as I handle the SSL/TLS from a reverse proxy like nginx / caddy / traefik. If you remove all the reverse proxy config it would then work only over HTTP which wouldn’t be great.

Hello jon,
I found the problem…
Using SSL Labs to test the website, they found that my chain was incomplete. I forgot to add the CA root to the certificate. Problem solved! Thank you.

1 Like
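
The incomplete-chain failure this thread ends on, reproduced offline as an added example that is not from the original posts: a constructed three-tier test PKI shows a client that trusts only the root rejecting a leaf-only bundle and accepting it once the issuing CA certificate is appended to the served file. The `example.test` names, the file names and the `make_pki`, `chain_ok` and `demo` helpers are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Constructed throwaway PKI (root -> intermediate -> wildcard leaf); all names are made up.
make_pki() {                       # $1 = empty working directory
  local d=$1 n
  cat >"$d/o.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.example.test,DNS:example.test
EOF
  for n in root int leaf; do       # one key and CSR per tier
    openssl req -config "$d/o.cnf" -new -newkey rsa:2048 -nodes \
      -subj "/CN=Example $n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/o.cnf" -extensions ca -out "$d/root.crt" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -set_serial 2 \
    -days 2 -extfile "$d/o.cnf" -extensions ca -out "$d/int.crt" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -set_serial 3 \
    -days 2 -extfile "$d/o.cnf" -extensions leaf -out "$d/leaf.crt" 2>/dev/null
}

# Succeeds only if a client trusting just the root ($1) can build a path from the
# first certificate in the served bundle ($2) using the other certificates in it.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_pki "$d" || return 1
  cp "$d/leaf.crt" "$d/served-leaf-only.pem"                  # incomplete chain
  cat "$d/leaf.crt" "$d/int.crt" >"$d/served-fullchain.pem"   # leaf first, then its issuer
  chain_ok "$d/root.crt" "$d/served-leaf-only.pem" && echo "leaf only: OK" || echo "leaf only: FAIL"
  chain_ok "$d/root.crt" "$d/served-fullchain.pem" && echo "fullchain: OK" || echo "fullchain: FAIL"
  rm -rf "$d"
}

demo
```

Browsers can often fill in a missing intermediate from cache or the certificate's CA Issuers URL, while curl verifies only what the server sends, which is why a site can look fine in a browser and still fail a webhook POST. Against a live host, `openssl s_client -connect <host>:443 -showcerts` lists the certificates actually served.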