So now that I knew that there is official solution, I came up with the following unofficial solution.
For everyone who might be reading this: it only makes sense if you’re running n8n WITHOUT docker, i.e. installed it on a dedicated server.
The problem is, Telegram is very strict when it comes to security, so even if one has an SSL certificate installed, Telegram requires the whole certificate chain to be valid. This results in a situation when some services (and browsers) work with n8n no problem (trust it enough), while Telegram doesn’t.
n8n (without Traefik outside of Docker) can’t serve the whole certificate chain so we’d need something that can. I decided to use Caddy. It will serve certificates automatically with no need to even bother with certificate files. I believe it’s so good, it should be the default way.
The overall idea is for n8n to work in http mode on port 9000 while Caddy will listen to port 443, pretend it’s https, forward all requests to n8n etc.
- Download and install Caddy as described here: Install — Caddy Documentation
- Ensure that n8n is configured as http and on some higher port. It is very important for WEBHOOK_TUNNEL_URL to be set. Here’s a quick minimal set up that I store in /etc/environments on my server:

    N8N_BASIC_AUTH_ACTIVE=true
    N8N_BASIC_AUTH_USER=your_user_name
    N8N_BASIC_AUTH_PASSWORD=your_pass
    N8N_HOST=example.com
    N8N_PORT=9000
    N8N_LISTEN_ADDRESS=your_ip_address
    WEBHOOK_TUNNEL_URL="https://example.com/"

It’s very important to add https:// to the example.com in the last line and not omit the final slash (/).
- Create a file called Caddyfile anywhere you like and populate it with two strings:

    example.com
    reverse_proxy your_ip_address:9000

Now if you go to the directory with Caddyfile you created and execute ‘sudo caddy run’ everything should work: example.com should be available via https, all webhooks should work and Telegram should work.
Now the only trouble left is to start Caddy automatically. Several steps to do that.
- Find out the path to your caddy installation via ‘which caddy’. In my case it’s /usr/bin/caddy so I’ll keep using this as example.
- Let’s give Caddy rights to use port 443 (https) without the need to be launched as root:

    sudo setcap cap_net_bind_service=+ep /usr/bin/caddy

- Now let’s create a service. Say ‘sudo nano /etc/systemd/system/caddy.service’ and paste the following:

    [Unit]
    Description=Caddy webserver
    Documentation=https://caddyserver.com/
    After=network.target

    [Service]
    User=your_user_name
    WorkingDirectory=/home/your_user_name
    LimitNOFILE=4096
    PIDFile=/var/run/caddy/caddy.pid
    # Caddy 2 takes the Caddyfile path via --config
    ExecStart=/usr/bin/caddy run --config path_to_your_caddy_file
    Restart=on-failure
    StartLimitInterval=600

    [Install]
    WantedBy=multi-user.target

- Now let’s activate the startup service we just created:

    sudo systemctl enable caddy
    sudo service caddy start

Now Caddy will start on boot. If you’re using pm2 to start n8n, as described here, you can configure it to automatically start n8n by issuing ‘pm2 startup’, doing what it says, then ‘pm2 start n8n’, then ‘pm2 save’.
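
An added example, not part of the original post: a way to check the certificate-chain issue described above. Like a strict client, `openssl s_client` does not fetch missing intermediates, so a leaf-only server fails verification there even when a browser accepts it. The helper names `chain_report` and `check_host` are hypothetical, and both sample outputs are constructed.

```bash
#!/bin/sh
# Added example: does the server send a chain that a strict client can verify?

# chain_report reads `openssl s_client -showcerts` output on stdin, prints
# "certs=N verify=CODE" and succeeds only when the verify code is 0.
# (hypothetical helper name; the body runs in a subshell so variables stay local)
chain_report() (
    out=$(cat)
    # Every certificate the server sent shows up as one PEM block.
    certs=$(printf '%s\n' "$out" | grep -c -e '-----BEGIN CERTIFICATE-----' || true)
    # Last verdict line, e.g. "Verify return code: 21 (unable to verify ...)".
    code=$(printf '%s\n' "$out" |
        sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    printf 'certs=%s verify=%s\n' "$certs" "${code:-none}"
    [ "${code:-none}" = "0" ]
)

# check_host runs the live check (needs network access and the openssl CLI).
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts \
        </dev/null 2>&1 | chain_report
}

# Constructed, abbreviated sample outputs (not captured from a real server).
SAMPLE_LEAF_ONLY='Certificate chain
 0 s:CN = example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
    Verify return code: 21 (unable to verify the first certificate)'

SAMPLE_FULL_CHAIN='Certificate chain
 0 s:CN = example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
    Verify return code: 0 (ok)'

printf '%s\n' "$SAMPLE_LEAF_ONLY" | chain_report || echo '-> chain incomplete'
printf '%s\n' "$SAMPLE_FULL_CHAIN" | chain_report && echo '-> chain verifies'
```

After Caddy is running, `check_host example.com` should report at least two certificates and `verify=0`.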