Running node-red-start after trying to create HTTPS "Error 140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small"
R

3

10

Hi everybody, I have been setting up remote access to node-red for my Raspberry Pi. I have amended the settings.js and installed node-red-admin, but when I go to start node-red I get the following error:

Error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
at Object.createSecureContext (_tls_common.js:131:17)
at Server.setSecureContext (_tls_wrap.js:1152:27)
at Server (_tls_wrap.js:1030:8)
at new Server (https.js:65:14)
at Object.createServer (https.js:89:10)
at Object.<anonymous> (/usr/lib/node_modules/node-red/red.js:141:20)
at Module._compile (internal/modules/cjs/loader.js:945:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:962:10)
at Module.load (internal/modules/cjs/loader.js:798:32)
at Function.Module._load (internal/modules/cjs/loader.js:711:12) {
library: 'SSL routines',
  function: 'SSL_CTX_use_certificate',
  reason: 'ee key too small',
  code: 'ERR_SSL_EE_KEY_TOO_SMALL'
}
nodered.service: Main process exited, code=exited, status=1/FAILURE
nodered.service: Failed with result 'exit-code'.
nodered.service: Service RestartSec=100ms expired, scheduling restart.
nodered.service: Scheduled restart job, restart counter is at 1.
Stopped Node-RED graphical event wiring tool.
Started Node-RED graphical event wiring tool.
_tls_common.js:131
  c.context.setCert(cert);

This happened after I successfully created privatekey.pem and certificate.pem. To create these files I used:

openssl genrsa -out privatekey.pem 1024

then used

openssl req -new -key privatekey.pem -out private-csr.pem

after which I put in relevant info and then received verification "signature is ok" with

openssl x509 -req -days 365 -in private-csr.pem -signkey privatekey.pem -out certificate.pem

As the above returned privatekey.pem and certificate.pem files under ls -la, I moved on to uncommenting the following:

// The `https` setting requires the `fs` module. Uncomment the following
// to make it available:
var fs = require("fs");
module.exports = {
// the tcp port that the Node-RED web server is listening on
uiPort: process.env.PORT || 1880,

and also

adminAuth: {
type: "credentials",
users: [
    {
username: "admin",
password: "$2a$08$9Miva2AQEFlXQ3S7emXlIuLkLzNzi9yzgqxGYMY5dzK4FzNQa7dCu",
permissions: "*" 
    }
]
},

with loading fs module

https: {
key: fs.readFileSync('/home/pi/.node-red/privatekey.pem'),
cert: fs.readFileSync('/home/pi/.node-red/certificate.pem')
},

After doing this configuration I get the error message stated at the beginning.

Update: I did delete the contents of .node-red/settings.js and replaced them with https://github.com/node-red/node-red/blob/master/packages/node_modules/node-red/settings.js and node-red starts! woohoo! However, when I try to reconfigure the settings.js file again it runs into the same error. FYI, I am carefully uncommenting lines; however, could the problem reside in the hash-pw I receive from node-red-admin? Because when I try to install node-red-admin with "npm install -g node-red-admin" after logging in as root via "su", it comes up with the following:

pi@padrejuan:~ $ su
Password: 
root@padrejuan:/home/pi# npm install -g node-red-admin
/usr/local/bin/node-red-admin -> /usr/local/lib/node_modules/node-red-admin/node-red-admin.js

> [email protected] install /usr/local/lib/node_modules/node-red-admin/node_modules/bcrypt
> node-pre-gyp install --fallback-to-build

node-pre-gyp WARN Using request for node-pre-gyp https download
node-pre-gyp WARN Pre-built binaries not installable for [email protected] and [email protected] (node-v72 ABI, glibc) (falling back to source compile with node-gyp)
node-pre-gyp WARN Hit error EACCES: permission denied, mkdir '/usr/local/lib/node_modules/node-red-admin/node_modules/bcrypt/lib'
gyp WARN EACCES user "nobody" does not have permission to access the dev dir "/root/.cache/node-gyp/12.11.1"
gyp WARN EACCES attempting to reinstall using temporary dev dir "/usr/local/lib/node_modules/node-red-admin/node_modules/bcrypt/.node-gyp"
gyp WARN install got an error, rolling back install
gyp WARN install got an error, rolling back install
gyp ERR! configure error

and so on.

Any help would be greatly appreciated

Roeser answered 7/10, 2019 at 3:17 Comment(0)
C
19

The problem is that the latest versions of openssl now consider keys with a bit length of 1024 to be insecure.

Re-generate the private key with a size of 2048 and then recreate the certificate.

openssl genrsa -out privatekey.pem 2048
Covetous answered 8/10, 2019 at 6:30 Comment(0)
G
1

https://github.com/debauchee/barrier/issues/126#issuecomment-505933083

It is just a matter of editing file /etc/ssl/openssl.cnf changing last line
from:
CipherString = DEFAULT@SECLEVEL=2
to
CipherString = DEFAULT@SECLEVEL=1
Gradation answered 20/5, 2022 at 17:53 Comment(1)
Do not make this change unless you fully understand how it degrades the security of your whole system - Covetous
F
0

If you are using RHEL 8 & above, these are the steps to resolve:

update-crypto-policies --show

update-crypto-policies --set DEFAULT

reboot
Floreated answered 27/6, 2022 at 12:44 Comment(1)
Again, much better to create a new stronger private key than degrade the security of your whole system - Covetous
