Support self-signed SSL certificates

[gifflet]

This PR introduces support for self-signed SSL certificates when connecting to an n8n instance. Users can now specify a certificate path using the new N8N_CERT_PATH environment variable. Key changes include:

• Extended environment configuration (.env.example) to include N8N_CERT_PATH.
• Enhanced API client to load and use a custom certificate.
• Updated Docker-related docs and compose files with instructions and examples.
• README and deployment docs now include detailed usage and troubleshooting for self-signed certs.

[codecov]

Codecov Report

❌ Patch coverage is 29.54545% with 31 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/config/n8n-api.ts	28.00%	18 Missing ⚠️
src/services/n8n-api-client.ts	31.57%	13 Missing ⚠️

📢 Thoughts on this report? Let us know!

[czlonkowski]

Thank you for this valuable contribution! 🎉

First, I want to thank you for adding self-signed SSL certificate support to n8n-mcp. This is a much-needed feature that will help users working with n8n instances using self-signed certificates. Your documentation is particularly impressive - comprehensive and well-structured across all the relevant files.

Required Changes

I've reviewed the PR and identified a few critical issues that need to be addressed before we can merge:

🚨 Critical Security Fix

File: src/services/n8n-api-client.ts (lines 55-58)

The current implementation disables SSL verification entirely with rejectUnauthorized: false. This creates a security vulnerability. Here's the fix:

// Current (insecure):
this.httpsAgent = new https.Agent({
  ca: cert,
  rejectUnauthorized: false  // ❌ Remove this line
});

// Fixed (secure):
this.httpsAgent = new https.Agent({
  ca: cert
  // rejectUnauthorized remains true by default
});

📝 Schema Validation Fix

File: src/config/n8n-api.ts (line 13)

Add the missing schema validation for N8N_CERT_PATH:

const n8nApiConfigSchema = z.object({
  N8N_API_URL: z.string().url().optional(),
  N8N_API_KEY: z.string().min(1).optional(),
  N8N_API_TIMEOUT: z.coerce.number().positive().default(30000),
  N8N_API_MAX_RETRIES: z.coerce.number().positive().default(3),
  N8N_CERT_PATH: z.string().optional(), // ✅ Add this line
});

🔧 TypeScript Interface Update

File: src/services/n8n-api-client.ts (line 34)

Update the interface to include the cert property:

export interface N8nApiClientConfig {
  baseUrl: string;
  apiKey: string;
  timeout?: number;
  maxRetries?: number;
  cert?: string; // ✅ Add this line
}

Suggested Improvements (Optional but Recommended)

Enhanced Error Handling

Consider improving the certificate loading error handling in src/config/n8n-api.ts:

if (config.N8N_CERT_PATH) {
  try {
    const certPath = path.resolve(config.N8N_CERT_PATH);
    
    // Check if file exists
    if (\!fs.existsSync(certPath)) {
      throw new Error(`Certificate file not found: ${certPath}`);
    }
    
    // Verify it's a file
    const stats = fs.statSync(certPath);
    if (\!stats.isFile()) {
      throw new Error(`Certificate path is not a file: ${certPath}`);
    }
    
    // Read certificate
    cert = fs.readFileSync(certPath, 'utf-8');
    
    // Basic PEM format validation
    if (\!cert.includes('-----BEGIN CERTIFICATE-----')) {
      throw new Error(`Invalid certificate format. Expected PEM format in: ${certPath}`);
    }
    
    logger.info(`Custom SSL certificate loaded from: ${certPath}`);
  } catch (error) {
    logger.error(`Failed to load certificate: ${error.message}`);
    throw error;
  }
}

Test Coverage

Adding tests would be valuable, especially for:

• Certificate loading success/failure scenarios
• Invalid certificate paths
• Certificate format validation
• HTTPS agent configuration

What Works Great ✅

• Documentation: Excellent, comprehensive documentation across README, Docker, and deployment guides
• Docker Integration: Well-thought-out compose examples with proper volume mounting
• Backward Compatibility: Feature is optional and doesn't break existing setups
• Path Handling: Good use of path.resolve() for cross-platform compatibility

Next Steps

Once you've made the critical fixes (especially removing rejectUnauthorized: false), this will be ready to merge. The security fix is the most important - it ensures that the certificate validation actually works as intended.

Feel free to ask if you need any clarification or help with these changes. Thanks again for your contribution! 🙏

[gifflet]

@czlonkowski, the rejectUnauthorized: false line was removed. Also, the environment variable N8N_SKIP_SSL_VERIFICATION was introduced, which allows us to connect to an n8n instance without a configured certificate in a development environment.

[PyroFilmsFX]

why do you need to handle self signed certs when a certbot / lets encrypt is 100% free and a domain is 5-10$/year... i guess local hosted instances?

[gifflet]

@PyroFilmsFX , depending on how a certificate is generated, we may need to add it to the whitelist — for example, due to a missing root certificate or certificate authority. If the user only has access to the application through a web browser, and not to the server or n8n configuration, it would be more convenient to simply add the n8n certificate to the whitelist to get the connection working.

[tchellomello]

@gifflet are you considering to extend this feature to also support mTLS?