Setup SSL/HTTPS on self-hosted instance

Describe the problem/error/question

I have set up a self-hosted n8n instance on a Raspberry Pi. The UI is accessible via http://mydomain.com. I need it to be accessible via httpS://mydomain.com in order to add OAuth credentials.

I know I have to set the N8N_SSL_KEY and N8N_SSL_CERT in order to do it, but I am not sure what to set.

Current values in container:

  • N8N_SSL_KEY: -----BEGIN CERTIFICATE----- xxxxxxxxxx -----END CERTIFICATE-----
  • N8N_SSL_CERT: -----BEGIN PRIVATE KEY----- xxxxxxxxxx -----END PRIVATE KEY-----

Here is how I start my container:

N8N_SSL_CERT=$(cat /home/pi/n8n/certificates/cert.pem)
N8N_SSL_KEY=$(cat /home/pi/n8n/certificates/privkey.pem)

sudo docker pull n8nio/n8n:latest
sudo docker stop n8n
sudo docker rm n8n
sudo docker run -itd \
 --name n8n \
 --restart always \
 -p 5678:5678 \
 -e GENERIC_TIMEZONE="Europe/Paris" \
 -e TZ="Europe/Paris" \
 -e NODE_FUNCTION_ALLOW_EXTERNAL="axios,cheerio" \
 -e N8N_SSL_CERT="$N8N_SSL_CERT" \
 -e N8N_SSL_KEY="$N8N_SSL_KEY" \
 -v n8n_data:/home/node/.n8n \
 n8nio/n8n:latest

What am I doing wrong?

Information setup

  • n8n version: 1.26.0
  • Database: default: SQLite
  • Running n8n via Docker

hello @LucBerge

You have forgotten to specify the protocol to use:
N8N_PROTOCOL = https

and usually HTTPS uses port 443 instead of 5678

I would probably also handle this with a reverse proxy like Caddy or Traefik which can automate the certificate process so you don’t need to worry about it.

I think the use of a reverse proxy on a Raspberry Pi is quite overengineered :grin:

When I start my docker with

sudo docker run -itd \
 --name n8n \
 --restart always \
 -p 5678:5678 \
 -p 443:443 \
 -e GENERIC_TIMEZONE="Europe/Paris" \
 -e TZ="Europe/Paris" \
 -e NODE_FUNCTION_ALLOW_EXTERNAL="axios,cheerio" \
 -e N8N_SSL_CERT="$N8N_SSL_CERT" \
 -e N8N_SSL_KEY="$N8N_SSL_KEY" \
 -e N8N_PROTOCOL="https" \
 -v n8n_data:/home/node/.n8n \
 n8nio/n8n:1.26.0

https://192.168.0.21/ is not working (not expected)
http://192.168.0.21:5678/ is not working (expected?)
https://192.168.0.21:5678/ is not working (expected?)

Should I expose port 443 to 443?
Should I expose port 443 to 5678?

Not working with

sudo docker run -itd \
 --name n8n \
 --restart always \
 -p 443:5678 \
 -e GENERIC_TIMEZONE="Europe/Paris" \
 -e TZ="Europe/Paris" \
 -e NODE_FUNCTION_ALLOW_EXTERNAL="axios,cheerio" \
 -e N8N_SSL_CERT="$N8N_SSL_CERT" \
 -e N8N_SSL_KEY="$N8N_SSL_KEY" \
 -e N8N_PROTOCOL="https" \
 -v n8n_data:/home/node/.n8n \
 n8nio/n8n:1.26.0

That one works

docker run -itd \
 --name n8n \
 --restart always \
 -p 443:443 \
 -e GENERIC_TIMEZONE="Europe/Paris" \
 -e TZ="Europe/Paris" \
 -e NODE_FUNCTION_ALLOW_EXTERNAL="axios,cheerio" \
 -e N8N_SSL_CERT=/home/node/.n8n/n8n_public.pem \
 -e N8N_SSL_KEY=/home/node/.n8n/n8n_private.pem \
 -e N8N_PROTOCOL="https" \
 -e N8N_PORT=443 \
 -v n8n_data:/home/node/.n8n \
 n8nio/n8n:latest

but you need to place the SSL certs into the n8n_data volume

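A preflight check for the mistakes that came up in this thread (PEM text passed instead of a file path, certificate and key swapped, a path that is not absolute), as an added example that is not from any poster or from n8n. The function names `check_n8n_tls` and `key_matches_cert` are hypothetical, and the script checks the files as seen from where it runs, so point it at the copies that go into the n8n_data volume.

```sh
#!/bin/sh
# Added example: preflight for the values passed as N8N_SSL_CERT / N8N_SSL_KEY.
# Prints one finding per problem and returns non-zero if any is found.
check_n8n_tls() {
    cert=$1 key=$2 rc=0
    for pair in "N8N_SSL_CERT=$cert" "N8N_SSL_KEY=$key"; do
        name=${pair%%=*} val=${pair#*=}
        case $val in
            *-----BEGIN*) echo "$name holds PEM text; it must be a file path"; rc=1 ;;
            /*) [ -r "$val" ] || { echo "$name: $val is not readable"; rc=1; } ;;
            *) echo "$name: $val is not an absolute path"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] || return "$rc"
    # The PEM headers in each file show whether the two were swapped.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "N8N_SSL_CERT: no certificate block in $cert"; rc=1
    fi
    if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key"; then
        echo "N8N_SSL_KEY: no private key block in $key"; rc=1
    fi
    if grep -q -- 'PRIVATE KEY-----' "$cert"; then
        echo "N8N_SSL_CERT: $cert contains a private key"; rc=1
    fi
    return "$rc"
}

# Optional, needs openssl: succeeds only if the key belongs to the certificate.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```

Call it as `check_n8n_tls /path/to/n8n_public.pem /path/to/n8n_private.pem`, then `key_matches_cert` with the same two arguments before starting the container.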

Alright, so the N8N_SSL_CERT and N8N_SSL_KEY must point to a file containing the cert and the key?
The documentation is not clear about it:

  • “The SSL key for HTTPS protocol.” → “Absolute path to the file containing the SSL key for HTTPS protocol.”
  • “The SSL certificate for HTTPS protocol.” → “Absolute path to the file containing the SSL certificate for HTTPS protocol.”

Yes, the docs are not very clear :slight_smile:

@bartv who can add more clarity to the docs?

Interesting, to me it seemed clear, but it is a quick change we can make.

When I was running n8n on a Pi I used a reverse proxy as Caddy and Traefik are pretty lightweight on the resources and it makes life a lot easier.


Actually wonder if we should rather do the opposite and deprecate those options instead in future. Every proper setup should probably have a reverse proxy in front anyway. Or is there a good reason not to do that which I miss right now?


A reverse proxy is not always needed. E.g. we have a setup in AWS without any Load Balancers because we are accessing it via a private network and a Transit gateway (we have a corporate VPN tunnel to AWS). In that case, the Reverse proxy is not needed. It is only required in setups with public access and if there are webhooks/OAuth involved

@barn4k are you also running with https in that configuration? In theory a reverse proxy could also be deployed in the same environment.

I use a reverse proxy in my local dev setup with a self signed certificate so that I can still control access on my local network.

Yes, we configured the HTTPS. It can be run with reverse proxy, but why do we need an additional link in a chain? :slight_smile:

Plus we are planning to move it into Terraform, so there will be no issues with reissuing certs either

Why don’t you use free SSL by Cloudflare?

That’s easy to set up, just do some DNS settings.

Our infra is hosted in AWS, not in Cloudflare :slight_smile:
And we have a corporate CA, so we don’t need it anyway.
