How to Set Up or Configure SSL (HTTPS) for n8n

Introduction

In today’s internet landscape, protecting data during transmission is essential. When you access websites or applications, you want assurance that your information is safe from interception or tampering. This is where SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) come in. They encrypt data between your browser and the server, ensuring confidentiality, integrity, and authenticity.

If you are self-hosting n8n, an open-source workflow automation tool that helps you connect apps and automate repetitive tasks, enabling SSL is one of the best ways to secure your setup. Running n8n over HTTPS means all data exchanges happen over a secure channel, which is especially important if your workflows handle sensitive information, API keys, or personal data.

Beyond security, HTTPS is now a web standard. Google and other search engines favor HTTPS sites, improving your site’s SEO ranking. Browsers also display warnings when visiting non-HTTPS sites, which can reduce user trust.

This guide is aimed at people who self-host n8n — whether on a VPS, a dedicated server, or via Docker containers. We’ll cover multiple methods to set up SSL, explain the pros and cons of each, and provide step-by-step instructions. By the end, you’ll have a clear path to securing your n8n instance with HTTPS.

Prerequisites

Before diving into SSL setup, make sure you have the following in place:

  • A server or VPS with n8n installed.

    This could be a cloud VPS from providers like DigitalOcean, Linode, AWS EC2, or even a local server. The server should have n8n running, either directly or in Docker containers.
  • A domain name pointed to your server’s IP address.

    SSL certificates are issued to domain names, not raw IP addresses. Ensure your DNS A record points to your server’s public IP. For example, if your domain is yourdomain.com, it should resolve to your server’s IP address.
  • Basic command line knowledge.

    You will need to run commands on the server terminal, edit configuration files, and manage services.
  • A reverse proxy or SSL solution.

    Most production setups use a reverse proxy like Nginx or Traefik to handle SSL termination. You can also opt for Let’s Encrypt as your certificate authority, which offers free, automated SSL certificates.

If any of these are new to you, don’t worry. We’ll explain the concepts along the way and provide detailed instructions.

Choose Your Setup Method

Setting up SSL for n8n can be done in different ways. Let’s look at the two main approaches and why one might suit your use case better than the other.

Option 1: Use a Reverse Proxy

A reverse proxy is a server that sits between the internet and your backend application (n8n). It accepts incoming client requests, terminates the SSL/TLS connection, and forwards the requests to n8n over HTTP.

Why use a reverse proxy?

  • Flexibility: You can run multiple services on the same server, each accessible on different domains or subdomains, all secured with SSL.
  • Security: The reverse proxy handles SSL, isolating certificate management and reducing complexity for the backend app.
  • Performance: Nginx and Traefik are lightweight and optimized to efficiently handle SSL termination and proxying.
  • Ease of renewal: Tools like Certbot or Traefik automatically renew SSL certificates without downtime.
  • Scalability: If your infrastructure grows, reverse proxies simplify routing and load balancing.

For these reasons, reverse proxies are the industry standard for securing web apps, including n8n. This method works perfectly whether you run n8n natively on the server or in Docker containers.

Option 2: Use n8n’s Built-in SSL Support

n8n allows you to configure SSL directly by specifying the SSL certificate and key files through environment variables (N8N_SSL_KEY and N8N_SSL_CERT). This is simpler and faster to set up for local or test environments where security is less critical.

However, drawbacks include:

  • No automatic certificate renewal.
  • Limited certificate management.
  • Less flexibility for scaling or running multiple services.
  • Not recommended for production environments where uptime and security are critical.

If you just want to test SSL locally or within a controlled environment, this approach may be fine temporarily.

Setting Up SSL with Nginx + Let’s Encrypt (Certbot)

Using Nginx as a reverse proxy with Let’s Encrypt SSL certificates is the most popular and reliable way to secure n8n. Let’s Encrypt provides free, trusted SSL certificates, and Certbot automates obtaining and renewing them.

Step 1: Install Nginx

Nginx is a fast, stable web server that doubles as a reverse proxy.

On Ubuntu or Debian-based systems, install Nginx using:

Bash
sudo apt update
sudo apt install nginx

Once installed, Nginx will listen on port 80 (HTTP) by default.

Step 2: Install Certbot

Certbot is the recommended tool to obtain SSL certificates from Let’s Encrypt and configure Nginx automatically.

Install Certbot and the Nginx plugin with:

Bash
sudo apt install certbot python3-certbot-nginx

Step 3: Obtain SSL Certificate

Run Certbot with the Nginx plugin and your domain:

Bash
sudo certbot --nginx -d yourdomain.com

Certbot will:

  • Verify domain ownership.
  • Obtain the SSL certificate.
  • Edit Nginx configuration to enable SSL and redirect HTTP to HTTPS.

If successful, your domain will be secured with HTTPS.

Step 4: Configure Nginx for n8n

If you want to manually configure Nginx or customize the setup, here’s an example Nginx config file:

Nginx
server {
    listen 80;
    server_name yourdomain.com;

    # Redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://localhost:5678/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Save this file as /etc/nginx/sites-available/n8n and enable it:

Bash
sudo ln -s /etc/nginx/sites-available/n8n /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

This setup:

  • Redirects all HTTP traffic to HTTPS.
  • Handles SSL encryption.
  • Proxies requests to n8n running on port 5678 (the default n8n port).
  • Supports WebSocket connections, which n8n uses for some operations.

Step 5: Restart Services

Make sure both Nginx and n8n are running:

Bash
sudo systemctl restart nginx

If you run n8n as a service, verify its status or restart if necessary.

Step 6: Verify HTTPS is Working

Visit https://yourdomain.com in your browser. Look for the padlock icon near the URL, which indicates SSL is active and valid. You can also use online tools like SSL Labs to check your certificate’s security grade.

Setting Up SSL with Docker + Traefik (Alternative)

If you run n8n in Docker containers, Traefik is a powerful, modern reverse proxy designed for containerized environments. It automatically obtains and renews Let’s Encrypt certificates without manual intervention.

Step 1: Prepare docker-compose.yml

Create a docker-compose.yml file with both Traefik and n8n services:

YAML
version: '3'

services:
  traefik:
    image: traefik:v2.9
    command:
      - "--api.insecure=true" # Unauthenticated dashboard/API on port 8080 (optional, disable in prod)
      - "--providers.docker=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.httpchallenge=true"
      - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.le.acme.email=your-email@example.com"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080" # Dashboard port
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt

  n8n:
    image: n8nio/n8n
    environment:
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER=admin
      - N8N_BASIC_AUTH_PASSWORD=yourpassword
      - WEBHOOK_TUNNEL_URL=https://yourdomain.com/
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.n8n.rule=Host(`yourdomain.com`)"
      - "traefik.http.routers.n8n.entrypoints=websecure"
      - "traefik.http.routers.n8n.tls.certresolver=le"
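    ports:
      # Traefik reaches n8n over the Docker network; bind to loopback so
      # port 5678 is not reachable over plain HTTP from outside the host.
      - "127.0.0.1:5678:5678"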

Step 2: Understanding the Labels

  • traefik.enable=true enables Traefik proxying for the container.
  • traefik.http.routers.n8n.rule=Host(`yourdomain.com`) defines the domain rule.
  • traefik.http.routers.n8n.entrypoints=websecure binds the router to the HTTPS entrypoint.
  • traefik.http.routers.n8n.tls.certresolver=le tells Traefik to use the Let’s Encrypt resolver.

Step 3: Start the Stack

Run:

Bash
docker-compose up -d

Traefik will:

  • Listen on ports 80 and 443.
  • Automatically request and renew SSL certificates.
  • Proxy requests securely to n8n.

Step 4: Verify SSL

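Visit your domain in the browser and check the certificate. Traefik’s dashboard (usually at http://yourserver:8080) shows live routing status and certificate info. With --api.insecure=true that dashboard is served over plain HTTP without authentication, so restrict port 8080 at the firewall, or drop the flag and the port mapping once the setup is verified.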
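A quick check before exposing the stack, as an added example that is not part of the original guide or of Traefik, Docker or n8n: it flags the three compose settings that leave a plain-HTTP path open beside the TLS entrypoint (--api.insecure=true, a published dashboard port 8080, and n8n's port 5678 published on all interfaces). The helper name audit_compose is hypothetical and both compose snippets are constructed samples.

```bash
#!/usr/bin/env bash
# Added example, not from Traefik, Docker or n8n. audit_compose is a
# hypothetical helper; both compose snippets below are constructed samples.

audit_compose() {   # prints one finding per line, nothing if clean
    local file=$1 port
    # Traefik API/dashboard enabled without authentication
    if grep -Eq -e '^[[:space:]]*-[[:space:]]*"?--api\.insecure=true' "$file"; then
        echo "api-insecure"
    fi
    # Dashboard (8080) or n8n (5678) published on every host interface:
    # "8080:8080" and "0.0.0.0:5678:5678" match, "127.0.0.1:5678:5678" does not.
    for port in 8080 5678; do
        if grep -Eq -e '^[[:space:]]*-[[:space:]]*"?(0\.0\.0\.0:)?[0-9]+:'"$port"'([^0-9]|$)' "$file"; then
            echo "published-$port"
        fi
    done
}

tmp=$(mktemp -d)
cat > "$tmp/weak.yml" <<'EOF'
services:
  traefik:
    command:
      - "--api.insecure=true"
      - "--entrypoints.websecure.address=:443"
    ports:
      - "443:443"
      - "8080:8080" # Dashboard port
  n8n:
    ports:
      - "5678:5678"
EOF
cat > "$tmp/hardened.yml" <<'EOF'
services:
  traefik:
    command:
      - "--entrypoints.websecure.address=:443"
    ports:
      - "443:443"
  n8n:
    ports:
      - "127.0.0.1:5678:5678"
EOF
echo "weak:     $(audit_compose "$tmp/weak.yml" | tr '\n' ' ')"
echo "hardened: $(audit_compose "$tmp/hardened.yml" | tr '\n' ' ')"
```

Run it against your own file with `audit_compose docker-compose.yml`; empty output means none of the three settings were found.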

(Optional) Enable SSL in n8n Directly

For quick testing, you can enable SSL inside n8n itself.

Steps:

  • Obtain your SSL certificate and key files (can be self-signed for testing).
  • Export environment variables:
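Bash
export N8N_PROTOCOL=https   # without this n8n keeps serving plain HTTP and ignores the key and certificate
export N8N_SSL_KEY=/path/to/privkey.pem
export N8N_SSL_CERT=/path/to/fullchain.pem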
  • Start n8n so it listens on HTTPS directly (default port 443).

Drawbacks:

  • No automated renewal.
  • Complexity increases for production.
  • Does not easily support running multiple services on same server.

This method is best reserved for development or isolated environments.

Redirect HTTP to HTTPS (If Applicable)

It’s important to ensure visitors use HTTPS, not HTTP. This prevents insecure connections.

Nginx Redirect

The simplest way is to add a server block redirecting HTTP to HTTPS:

Nginx
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;
}

Traefik Redirect Middleware

In Docker + Traefik setups, add a redirect middleware:

YAML
labels:
  - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
  - "traefik.http.routers.http-catchall.entrypoints=web"
  - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
  - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
  

This will automatically redirect all HTTP requests to HTTPS.

Renewing and Managing Certificates

Let’s Encrypt Validity and Renewal

Certificates last 90 days to encourage automation. Renew early to avoid lapses.

Certbot Auto-Renew

Certbot sets up automatic renewal via cron or systemd. Check with:

Bash
sudo systemctl status certbot.timer

Test renewal without making changes:

Bash
sudo certbot renew --dry-run

Traefik Auto-Renew

Traefik handles certificate renewal seamlessly in the background.

Manual Renewal

If auto-renew fails, you can renew manually:

Bash
sudo certbot renew
sudo systemctl reload nginx

Troubleshooting Tips

Here are some common problems and how to fix them:

1. Port 443 Not Open

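SSL traffic uses port 443. Ensure your server firewall (e.g., UFW, iptables) and cloud provider firewall allow inbound TCP on port 443. The HTTP-01 challenge used by Certbot’s Nginx plugin and by Traefik’s httpchallenge resolver also needs inbound TCP on port 80, so keep that port open for issuance and renewal.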

Example with UFW:

Bash
sudo ufw allow 443/tcp
sudo ufw reload

2. DNS Not Pointing Correctly

Use tools like dig or nslookup to confirm your domain resolves to your server IP:

Bash
dig yourdomain.com

If the IP is wrong or missing, update your DNS records.

3. Firewall Blocking Traffic

Firewalls can block HTTP/HTTPS traffic. Check with:

Bash
sudo ufw status

Or cloud firewall settings (AWS Security Groups, DigitalOcean Firewall, etc.).

4. Invalid Certificates or Mismatched Domain

SSL certificates must match the domain accessed. If you see browser warnings:

  • Confirm the domain on the certificate matches the URL.
  • Check certificate expiration dates.
  • Review Nginx or Traefik logs for errors.
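The first two checks in the list above can be scripted with openssl. This is an added example, not part of the original guide: cert_check is a hypothetical helper name, and the certificate it runs on is a constructed self-signed sample so the script works offline.

```bash
#!/usr/bin/env bash
# Added example: hostname-match and expiry checks on a certificate file.
# cert_check is a hypothetical helper; the sample certificate is constructed.

# cert_check <pem-file> <hostname> [min-days]  ->  prints OK, MISMATCH or EXPIRING
cert_check() {
    local pem=$1 host=$2 min_days=${3:-30} out
    # -checkhost reports its result in the output text, not in the exit status
    out=$(openssl x509 -in "$pem" -noout -checkhost "$host" 2>/dev/null) || out=""
    case $out in
        *"does match"*) ;;
        *) echo "MISMATCH"; return 0 ;;
    esac
    # -checkend N exits non-zero if the certificate expires within N seconds
    if ! openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "EXPIRING"; return 0
    fi
    echo "OK"
}

# Constructed sample: self-signed certificate for yourdomain.com, valid 10 days.
tmp=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
    -subj "/CN=yourdomain.com" -addext "subjectAltName=DNS:yourdomain.com" \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null

cert_check "$tmp/cert.pem" yourdomain.com 5     # more than 5 days left
cert_check "$tmp/cert.pem" yourdomain.com 30    # fewer than 30 days left
cert_check "$tmp/cert.pem" other.example 5      # name not on the certificate

# On the server, point it at the Certbot path used earlier in this guide:
#   cert_check /etc/letsencrypt/live/yourdomain.com/fullchain.pem yourdomain.com
```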

5. Logs Help Diagnose Issues

  • Nginx error logs:
Bash
sudo tail -f /var/log/nginx/error.log
  • Docker logs:
Bash
docker logs <container_id_or_name>
  • Certbot logs:
Bash
sudo tail -f /var/log/letsencrypt/letsencrypt.log

These logs provide clues on what’s failing.

Conclusion

Running n8n with SSL is no longer optional—it’s a necessity. Encrypting traffic protects your data and your users, improves SEO, and builds trust. Using tools like Nginx or Traefik with Let’s Encrypt makes it easier than ever to implement secure HTTPS, even if you’re managing your own server or containers.

If you’re new to this, start with the reverse proxy method. It’s scalable, well-supported, and widely used. Docker users will find Traefik especially convenient, while those running n8n directly on a VPS will benefit from Nginx + Certbot.

Always ensure automatic renewal is in place so your certificates stay valid without manual intervention. And don’t forget to redirect HTTP to HTTPS to make sure all traffic is secure.

By following this guide, you’ll ensure your n8n workflows are not only powerful but also secure, helping you automate with peace of mind.