tls-config node local file issue #4574

Open
rmv5004 opened this issue Feb 21, 2024 · 9 comments

rmv5004 commented Feb 21, 2024

Current Behavior

When TLS is enabled and "Use key and cert from local files" is checked and deployed, the node will error with "RequestError: unable to verify the first certificate".
This error will continue until Node-RED is restarted, and then it will function fine. The other workaround is to check the box "Verify server certificate", deploy, then uncheck the box "Verify server certificate" and deploy.

Using Node-RED in a Docker container, a restart does not fix it. The only way to get it to work is to check the box "Verify server certificate", deploy, then uncheck the box "Verify server certificate" and deploy. This is an issue because any restart will cause it not to work.

Curl works fine.

Expected Behavior

No response

Steps To Reproduce

No response

Example flow

```json
[
    {
        "id": "9f273657491a8522",
        "type": "http request",
        "z": "c1fc7d91625d25a8",
        "name": "",
        "method": "POST",
        "ret": "txt",
        "paytoqs": "ignore",
        "url": "https://endpoint",
        "tls": "565dd1b780a7afc0",
        "persist": false,
        "proxy": "",
        "insecureHTTPParser": false,
        "authType": "",
        "senderr": false,
        "headers": [],
        "x": 550,
        "y": 280,
        "wires": [
            [
                "1279d336e0db3dda"
            ]
        ]
    },
    {
        "id": "565dd1b780a7afc0",
        "type": "tls-config",
        "name": "",
        "cert": "",
        "key": "",
        "ca": "/home/pi/Documents/api.pem",
        "certname": "",
        "keyname": "",
        "caname": "",
        "servername": "",
        "verifyservercert": false,
        "alpnprotocol": ""
    }
]
```

Environment

- Node-RED version: V3.1.0 & V3.1.5
- Node.js version: V14 & V18.19.1
- npm version: ??? & V10.2.4
- Platform/OS: Docker & Debian & Pi
- Browser: Any

@hardillb
Member

Please complete the final section of the template and provide all the version information.

@hardillb
Member

Out of interest why do you need to set a CA certificate file if you have "verify server certificate" unchecked?

With that unchecked you are saying you don't care about verifying the server cert so there is no need to provide a CA cert to check it against.

Not saying we shouldn't look at this, just trying to understand what you are trying to achieve here.

@rmv5004
Author

rmv5004 commented Feb 21, 2024

> Please complete the final section of the template and provide all the version information.

> Out of interest why do you need to set a CA certificate file if you have "verify server certificate" unchecked?
>
> With that unchecked you are saying you don't care about verifying the server cert so there is no need to provide a CA cert to check it against.
>
> Not saying we shouldn't look at this, just trying to understand what you are trying to achieve here.

It is a workaround to make it function. The only reason we found the workaround is because it is the only workaround that works for Docker. A restart does not fix the issue with Docker.

@hardillb
Member

If you uncheck the "Use keys and certs from local files" and "Verify server certificate", does it work? (It should, because it shouldn't verify the server cert at all.)

@hardillb
Member

Also, since this is running in Docker, have you actually mounted the file to /home/pi/Documents/api/pem into the container? The file needs to exist in the container at that path, not on either the host or the machine running the browser.

@hardillb
Member

hardillb commented Feb 21, 2024

Please also include the container logs from a restart that shows the problem.

And the full docker run command you are using to start the container.

@rmv5004
Author

rmv5004 commented Feb 21, 2024

> If you uncheck the "Use keys and certs from local files" and "Verify server certificate" does it work (it should because it shouldn't verify the server cert at all)

I did not pick up on that in your first comment. Yes, it does work. This was done 2 or so years ago in V2.2.2 and I'm not sure how it ended up with a CA cert it did not need and unchecked "Verify server certificate". It never appeared to be an issue until the flow was used in the Docker container.

@hardillb
Member

> It never appeared to be an issue until the flow was used in the Docker container.

Just to be clear did you change the flow at all when you moved it to the docker container?
And did you ensure that the api.pem file was accessible inside the container at the path configured in the flow?

You can't just copy/paste a flow into a Node-RED instance running in Docker if it depends on external files and expect it to just work.

@rmv5004
Author

rmv5004 commented Feb 26, 2024

> > It never appeared to be an issue until the flow was used in the Docker container.
>
> Just to be clear did you change the flow at all when you moved it to the docker container? And did you ensure that the api.pem file was accessible inside the container at the path configured in the flow?
>
> You can't just copy/paste a flow into a Node-RED instance running in Docker if it depends on external files and expect it to just work.

To be clear, we changed certificates along the way (I believe we changed from self-signed to a well-known CA). I no longer require api.pem. It looks like instead of deleting api.pem, "Verify server certificate" was just unchecked. My project is now working fine with no check marks on "Use key and certificates from local files" & "Verify server certificate".

I can close this issue out; however, it seems like there may be a case where it doesn't work as designed. The certificate api.pem was being created by a flow using "Certificate Grabber" to an accessible location for the container. It was receiving and writing api.pem & it was a valid certificate.

Non-Docker - With a check mark by "Use key and certificates from local files" and no check mark by "Verify server certificate", after a deploy each HTTP request would result in "RequestError: unable to verify the first certificate", then it would work with no errors after a restart.

Docker - With a check mark by "Use key and certificates from local files" and no check mark by "Verify server certificate", after a deploy each HTTP request would result in "RequestError: unable to verify the first certificate". It would continue to error even after a restart of the container. It would not error if someone checked then unchecked "Verify server certificate" and deployed.
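
The following is an added example, not part of the original thread and not Node-RED's own code: a small audit over an exported flow that flags the combination discussed above (a CA file configured while `verifyservercert` is false) and, optionally, certificate paths that do not exist where Node-RED runs. The helper name `auditTlsConfigs`, the `pathExists` predicate, the severity labels and the second sample config are assumptions of this example; the field names come from the flow posted in the issue.

```javascript
// Constructed sample input: the flow from this issue, trimmed to the
// fields the audit reads, plus one constructed config for contrast.
const CONSTRUCTED_FLOW = [
  { id: "9f273657491a8522", type: "http request", url: "https://endpoint",
    tls: "565dd1b780a7afc0" },
  { id: "565dd1b780a7afc0", type: "tls-config", cert: "", key: "",
    ca: "/home/pi/Documents/api.pem", verifyservercert: false },
  // Constructed: verification enabled and a CA file supplied.
  { id: "constructed-ok", type: "tls-config", cert: "", key: "",
    ca: "/data/certs/ca.pem", verifyservercert: true },
];

// Hypothetical helper (not a Node-RED API). `pathExists` is an optional
// predicate, e.g. fs.existsSync evaluated inside the container, used to
// confirm that referenced certificate files are present at that path.
function auditTlsConfigs(flow, pathExists) {
  const findings = [];
  for (const node of flow.filter((n) => n.type === "tls-config")) {
    // Nodes (such as "http request") that reference this TLS config.
    const usedBy = flow.filter((n) => n.tls === node.id).map((n) => n.id);
    const add = (severity, message) =>
      findings.push({ config: node.id, usedBy, severity, message });

    if (node.verifyservercert === false) {
      add("high", "server certificate verification is disabled");
      if (node.ca) {
        add("medium", `CA file ${node.ca} is configured although ` +
          "verification is disabled (contradictory settings)");
      }
    }
    if (pathExists) {
      for (const field of ["cert", "key", "ca"]) {
        if (node[field] && !pathExists(node[field])) {
          add("medium", `${field} file ${node[field]} not found at this path`);
        }
      }
    }
  }
  return findings;
}

// Example run: assume only /data/certs/ca.pem exists in the container.
const report = auditTlsConfigs(CONSTRUCTED_FLOW,
  (p) => p === "/data/certs/ca.pem");
for (const f of report) {
  console.log(`[${f.severity}] ${f.config}: ${f.message}`);
}
```

To check real paths, run it inside the container against the exported flow and pass `require("fs").existsSync` as the predicate.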
