Configure n8n to use your own certificate authority or self-signed certificate

You can add your own certificate authority (CA) or self-signed certificate to n8n. This lets you trust a specific SSL certificate rather than trusting all invalid certificates, a practice that is a potential security risk.

Added in version 1.42.0

This feature is available in version 1.42.0 and above.

To use this feature, place your certificates in a folder and mount that folder to /opt/custom-certificates in the container. The external path that you map to /opt/custom-certificates must be writable by the container.

Docker

The examples below assume you have a folder called pki that contains your certificates, located either in the directory you run the command from or next to your Docker Compose file.

Docker CLI

When using the CLI, you can use the -v flag from the command line:

docker run -it --rm \
 --name n8n \
 -p 5678:5678 \
 -v ./pki:/opt/custom-certificates \
 docker.n8n.io/n8nio/n8n

Docker Compose

name: n8n
services:
    n8n:
        volumes:
            - ./pki:/opt/custom-certificates
        container_name: n8n
        ports:
            - 5678:5678
        image: docker.n8n.io/n8nio/n8n

You should also give the imported certificates the right permissions. You can do this once the container is running (assuming n8n as the container name):

docker exec --user 0 n8n chown -R 1000:1000 /opt/custom-certificates

Certificate requirements for Custom Trust Store

Supported certificate types:

  • Root CA Certificates: these are certificates from Certificate Authorities that sign other certificates. Trust these to accept all certificates signed by that CA.

  • Self-Signed Certificates: certificates that servers create and sign themselves. Trust these to accept connections to that specific server only.

You must use PEM format:

  • Text-based format with BEGIN/END markers

  • Supported file extensions: .pem, .crt, .cer

  • Contains the public certificate (no private key needed)

For example:

-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKoK/heBjcOuMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
[base64 encoded data]
-----END CERTIFICATE-----

The system doesn't accept:

  • DER/binary format files

  • PKCS#7 (.p7b) files

  • PKCS#12 (.pfx, .p12) files

  • Private key files

Convert these formats to PEM before use.
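
A pre-flight check for the pki folder based on the requirements above, as an added example that is not part of the n8n documentation or n8n's own code. The function names classify_cert and check_dir are hypothetical, and the check only inspects file extensions and PEM labels; it does not parse the certificate itself.

```shell
#!/bin/sh
# Added example: lint the folder that will be mounted at /opt/custom-certificates.
# classify_cert and check_dir are hypothetical helper names, not n8n commands.

# classify_cert FILE -> prints one of: ok | bad-extension | private-key | pkcs7 | not-pem
classify_cert() {
    file=$1
    # Only the extensions the page lists as supported pass this step.
    case "$file" in
        *.pem|*.crt|*.cer) ;;
        *) echo bad-extension; return 0 ;;
    esac
    # Private keys are not accepted and should not sit in a trust store folder,
    # even when they share a file with a certificate.
    if grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$file"; then
        echo private-key; return 0
    fi
    # A PEM-armoured PKCS#7 bundle has BEGIN/END markers but the wrong label.
    if grep -q -e '-----BEGIN PKCS7-----' "$file"; then
        echo pkcs7; return 0
    fi
    # Both certificate markers are required; DER/binary files renamed to
    # .crt or .cer have neither and fall through to not-pem.
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$file" &&
       grep -q -e '-----END CERTIFICATE-----' "$file"; then
        echo ok; return 0
    fi
    echo not-pem
}

# check_dir DIR -> prints "verdict<TAB>path" per file; returns 1 if any file is not ok
check_dir() {
    rc=0
    for entry in "$1"/*; do
        [ -f "$entry" ] || continue
        verdict=$(classify_cert "$entry")
        printf '%s\t%s\n' "$verdict" "$entry"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}
```

Run check_dir ./pki before starting the container; a non-zero return means at least one file needs converting to PEM or removing from the folder.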