I have started getting the password security warnings today which I think is a great idea and a good step forward for security. I have got this notification message:
Insecure secrets in a0d7b954_nodered
The add-on a0d7b954_nodered uses secrets which are detected as not secure, see https://www.home-assistant.io/more-info/pwned-passwords for more information.
I checked the Node RED addon documentation and it explicitly says not to change the credential_secret or it will prevent Node RED from being able to decrypt my existing credentials.
Does this mean that I am forever stuck with an insecure password in the configuration or is there something that can be done?
The add-on is the Node RED add-on in the supervisor. If you open up the supervisor on your console, select Node RED and go to the Configuration tab, you will see an item in the configuration called credential_secret where you specified a password during setup. It is this that is insecure and has been found in the Have I Been Pwned database.
Thanks. This suggests that Node RED will clear existing flow credentials which also suggests to me that something will need to be re-entered, is that the case?
I'm guessing if there are outside credentials, those may need to be re-entered. The connection for node-red to homeassistant is not affected. I don't use node-red much. I can try a flow which uses mqtt or something else.
I don't have an instance to test it on so if you could that would be great, I have all of my automations in Node RED and I really don't want to break them
If it just means re-entering my Mosquitto password in one configuration node then I can live with that.
Ok, I used the email node and configured that, deployed it and tested it.
I then changed the secret, restarted node-red, and can confirm that the credentials I had entered were missing after dismissing the warning. Other details about the node, smtp server etc, remained. Only the user/pass was cleared.
Great, changed credential secret, got the prompt, re-deployed and… now I have non-working Node Red. I have a ton of stuff in there using MQTT, Pushbullet etc etc and everything says disconnected. I get the MQTT data in Home Assistant so what is now broken between HA and Node Red? There is nothing in Home Assistant or on the computer I run it on that is 'sensitive' and having to jump through all these hoops and breaking my setup is worth keeping someone from seeing the temperature of my fish tank or status of my sprinklers. Christ.
I see now that I have to go into each node in Node Red and setup a new server connection to HA.
Ouch! I didn't make the change on my system last night as it was about 10 p.m. here and I never make big changes at that time of day as I value my sleep!
Checking in my Configuration Nodes in Node RED I have 664 nodes using the connection to HA so I'm definitely going to hold off until I see if there is a better way to do this.
So I span up a test VM this afternoon and created a limited test version of my HA instance. I set it up as follows:
Home Assistant OS 5.12
Home Assistant Core 2021.3.2
Node Red add-on from Add-on store
Mosquitto add-on from Add-on store
HACS
Node Red Integration installed via HACS
My connection from HA to Node Red is configured as follows:
I changed the credential_secret in the Node Red add-on Configuration tab and restarted the add-on.
I then opened the Node Red console and got this message:
At this point all of my HA nodes were still working but the MQTT nodes had disconnected.
I opened the mqtt-broker node and re-entered the user name and password for Mosquitto and then hit the update button.
Once I had done that everything was back to normal.
I think that the Home Assistant nodes were unaffected by the credential_secret change because they do not have credentials stored in the Node Red config due to the way that the add-on is built (see 1st screenshot above).
I can't guarantee that anyone else's experience will be the same but hopefully this will help someone with a similar config.
Are you not using the node-red addon? The connection between node-red and HA should be fine if 'I use the node-red addon' is checked, which is the default.
The issue with mqtt and pushbullet etc line up with what I described above.
I had to go into each of the Node Red nodes that connected to HA and set a new server connection. Everything is back up and working and no more pwned nags. Was a chore but done.