connection to local encrypted Minio session not possible

aperiodicchain commented 1 year ago

Hi, I am having a local Minio installation with TLS/SSL enabled on https://192.168.1.1:9000 This certificate is self signed, so I get the below error message from the "Put Object" node.

In Minio there is a --insecure flag that bypasses verification of the certificate against a thrust store. Is there a way to achieve the same here, without having to revert the whole Minio deployment to plain http?

Error: self signed certificate

rristov60 commented 1 year ago

Thanks for opening this issue @aperiodicchain, we are investigating if this is possible. I don't see a reason why it shouldn't be, but I haven't found anything specific yet. I will get back to you once we have something useful.

trajche commented 1 year ago

I am not sure if this should be set on Node-RED level or on the S3 library/node itself?

rristov60 commented 12 months ago

@aperiodicchain, @trajche after a thorough investigation, it turns out that it is not that simple to implement this, at least from the resources I found and tried out. I will keep this issue open, since I'll further research this topic, but I think we all agree that it is not a wise idea to trust these kind of certificates. However, you can make it work for now is with two approaches. I would highly recommend AVOIDING the FIRST one and USING the SECOND apporach.

1. `NODE_TLS_REJECT_UNAUTHORIZED=0`

This is a node.js variable which will tell everything that uses the built-in http(s) node-modules to ignore the invalid/untrusted/self-signed certificates, and this is node.js wide, which means this will be applied to every node application that you might have running alongside Node-RED. This env variable can be set regularly with export NODE_TLS_REJECT_UNAUTHORIZED=0 for UNIX based systems, and set NODE_TLS_REJECT_UNAUTHORIZED "0" for Windows systems. Other way is to specify this envVar before running Node-RED in the following manner NODE_TLS_REJECT_UNAUTHORIZED=0 node-red or as alternative this can be set in the settings.js by inserting process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; before the module.exports line. More details on this approach can be found here

2. `NODE_EXTRA_CA_CERTS=/path/to/minio/public.crt` (RECOMMENDED)

This is also node.js environment variable which allows you to specify certificates that you want node to trust. This also follows the same rule as above that it is node wide. It is much better practice security wise to use this variable instead of the first one because only the specified certificates would be trusted and requests won't be rejected. Unfortunately this variable is read only on start-up, thus it can't be set programmatically in settings.js or via Node-RED itself. It has to be set before running Node-RED. It can be set in the same manner as before, by exporting it for the sessionexport NODE_EXTRA_CA_CERTS=/path/to/minio/public.crt / set NODE_EXTRA_CA_CERTS "/path/to/minio/public.crt" or by setting it before running Node-RED NODE_EXTRA_CA_CERTS=/path/to/minio/public.crt node-red. More info for this variable can be found here. If you have multiple certificates that you want to trust, they can be concatenated into one .pem. For more information on this please see this explanation and the link referenced by it.

aperiodicchain commented 10 months ago

@rristov60 Thanks for your thorough investigation! Since I am also using public endpoints I clearly opted for the recommended 2nd suggestion to add my local self signed cert.

I simply had to add this to my node-red Dockerfile:

USER root
ADD .secrets/public_mesh.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

I can successfully connect now.

digitalnodecom / node-red-contrib-generic-s3