1. Follow the PM2 / Monit - Migration to systemd guide first.

2. Add the repository for certbot. NOTE: Skip this step for Debian 9.

   Ubuntu only:

   ```bash
   sudo add-apt-repository ppa:certbot/certbot -y
   ```

3. Add the stretch-backports repository, update the package cache and install certbot directly from stretch-backports. NOTE: Skip this step for Ubuntu.

   Debian 9 only:

   ```bash
   echo "deb http://ftp.debian.org/debian stretch-backports main" | sudo tee -a /etc/apt/sources.list.d/stretch-backport.list
   sudo apt-get update
   sudo apt-get -t stretch-backports install certbot -y
   ```

4. Update the package cache.

   ```bash
   sudo apt-get update
   ```

5. Install certbot.

   ```bash
   sudo apt-get install certbot -y
   ```

6. Stop zend and zentracker.

   ```bash
   sudo systemctl stop zend zentracker
   ```

7. Set an environment variable to match the Fully-Qualified Domain Name of the node. Type this command yourself and replace the value between the quotes (shown as 'FQDN') with the name used in the domain registration for your node. DO NOT USE CAPITAL LETTERS IN PLACE OF 'FQDN'; use only lower-case letters, as in the example.

   Example Output:

   ```
   zenops@node01:~$ FQDN='node01.zentest.win'
   ```

8. Add the FQDN variable to the .bashrc file of the user you created, so that it is persistent.

   ```bash
   echo "export FQDN=$FQDN" >> $HOME/.bashrc
   ```

9. Verify that the environment variable from steps 7 and 8 is set correctly before continuing; if not, go back and redo those steps. `echo` needs to output your FQDN, and the last line of .bashrc needs to read `export FQDN=<your FQDN here>`.

   Example Output:

   ```
   zenops@node01:~$ echo $FQDN
   node01.zentest.win
   ```

   ```bash
   sed -e 1b -e '$!d' $HOME/.bashrc
   ```

   Example Output:

   ```
   zenops@node01:~$ sed -e 1b -e '$!d' $HOME/.bashrc
   # ~/.bashrc: executed by bash(1) for non-login shells.
   export FQDN=node01.zentest.win
   ```
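Steps 7 to 9 depend on the FQDN being lower case and on `.bashrc` carrying exactly one `export FQDN=` line; the plain `>>` in step 8 adds another line every time the step is re-run. The following helper is an added example, not part of the guide: it validates the name, rewrites any earlier export instead of stacking duplicates, and reads back what the next login shell will export. The bashrc path is a parameter so it can be tried on a scratch file before touching `$HOME/.bashrc`.

```bash
#!/bin/sh
# Added example (not from the original guide): validate the FQDN before
# exporting it, and persist it to a bashrc file without adding a duplicate
# line on each run. The bashrc path is a parameter so the functions can be
# exercised on a temporary file; on the node it is $HOME/.bashrc.

# valid_fqdn NAME: 0 if NAME is a lower-case, dotted hostname with at least
# two labels (certbot issues for the exact name; the guide requires lower case)
valid_fqdn() {
    printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$'
}

# persist_fqdn NAME BASHRC: drop any earlier 'export FQDN=' line and append
# the current one, so re-running step 8 leaves exactly one export
persist_fqdn() {
    name=$1; rc=$2
    valid_fqdn "$name" || { echo "refusing '$name': use a lower-case FQDN" >&2; return 1; }
    if [ -f "$rc" ]; then
        # grep exits 1 when nothing is left to print; that is not an error here
        grep -v '^export FQDN=' "$rc" > "$rc.tmp" || true
        mv "$rc.tmp" "$rc"
    fi
    printf 'export FQDN=%s\n' "$name" >> "$rc"
}

# persisted_fqdn BASHRC: print the value the next login shell will export
persisted_fqdn() {
    sed -n 's/^export FQDN=//p' "$1" | tail -n 1
}
```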
10. Install a certificate (required for end-to-end TLS encryption for the Secure/Super Node network). certbot will be used to generate and validate your certificate. You can safely pass the --register-unsafely-without-email flag because (1) a new certificate can be requested at any time and (2) the guide configures automated certificate renewal in step 22. NOTE: Some VPS providers have apache2 enabled, which locks down port 80. You will need to disable apache2 if you get a "failure to bind to port 80" error when establishing your standalone certificate.

    Disable apache2 (if enabled, see note):

    ```bash
    sudo systemctl disable apache2
    sudo systemctl stop apache2
    ```

    ```bash
    sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN
    ```

    Example Output:

    ```
    zenops@node01$ sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Registering without email!
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for node01.zentest.win
    Waiting for verification...
    Cleaning up challenges

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/node01.zentest.win/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/node01.zentest.win/privkey.pem
       Your cert will expire on 2018-09-05. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
     - If you like Certbot, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    ```

11. Copy the root CA as required for your distribution; this example is proven for Debian and Ubuntu. NOTE: If you type this command, be sure to rename the certificate with a '.crt' extension; this is required for the next command to identify the certificate and add it to the certificate store. It is recommended to copy and paste, unless instructed otherwise where things may need replacing.

    For Debian / Ubuntu:

    ```bash
    sudo cp /etc/letsencrypt/live/$FQDN/chain.pem /usr/local/share/ca-certificates/chain.crt
    ```

12. Update the certificate store with the root CA copied in the previous step.

    For Debian / Ubuntu:

    ```bash
    sudo update-ca-certificates
    ```

    Example Output:

    ```
    zenops@node01:~$ sudo update-ca-certificates
    Updating certificates in /etc/ssl/certs...
    WARNING: Skipping duplicate certificate ca.pem
    WARNING: Skipping duplicate certificate ca.pem
    1 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d...
    done.
    ```

13. Replace the old certificate and key locations in zen.conf and add "rpcworkqueue=512".

    ```bash
    sed -i "s|$HOME/.acme.sh/$FQDN/$FQDN.cer|/etc/letsencrypt/live/$FQDN/cert.pem|g" ~/.zen/zen.conf
    sed -i "s|$HOME/.acme.sh/$FQDN/$FQDN.key|/etc/letsencrypt/live/$FQDN/privkey.pem|g" ~/.zen/zen.conf
    echo "rpcworkqueue=512" >> ~/.zen/zen.conf
    ```
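The two `sed` substitutions in step 13 silently do nothing if `$FQDN` does not match the path acme.sh wrote, and the `echo >>` appends a second `rpcworkqueue` line on every re-run; since step 20 later deletes `~/.acme.sh`, a stale path would leave zend without a certificate. The helper below is an added example, not the guide's own code: it performs the same substitutions against a config file given as a parameter, adds `rpcworkqueue=512` only once, and fails if any `.acme.sh` reference survives. The key names `tlscertpath` and `tlskeypath` in the constructed sample file are assumed.

```bash
#!/bin/sh
# Added example (not from the original guide): migrate zen.conf as step 13
# does, but idempotently, and refuse to continue if an acme.sh path remains.
# The config path is a parameter so a constructed copy can be used instead
# of ~/.zen/zen.conf.

# write_sample_conf PATH: constructed pre-migration zen.conf (key names
# tlscertpath/tlskeypath are assumed; the values are the acme.sh layout
# the guide's sed commands target)
write_sample_conf() {
    cat > "$1" <<EOF
rpcuser=zenrpc
tlscertpath=/home/zenops/.acme.sh/node01.zentest.win/node01.zentest.win.cer
tlskeypath=/home/zenops/.acme.sh/node01.zentest.win/node01.zentest.win.key
EOF
}

# migrate_zen_conf CONF HOME FQDN
migrate_zen_conf() {
    conf=$1; home=$2; fqdn=$3
    old_cert="$home/.acme.sh/$fqdn/$fqdn.cer"
    old_key="$home/.acme.sh/$fqdn/$fqdn.key"
    new_cert="/etc/letsencrypt/live/$fqdn/cert.pem"
    new_key="/etc/letsencrypt/live/$fqdn/privkey.pem"
    # same substitutions as the guide; '|' is the delimiter because paths contain '/'
    sed -i "s|$old_cert|$new_cert|g; s|$old_key|$new_key|g" "$conf"
    # append rpcworkqueue only when the key is absent (a bare >> would add
    # another line each time the step is re-run)
    grep -q '^rpcworkqueue=' "$conf" || echo "rpcworkqueue=512" >> "$conf"
    # a surviving .acme.sh path means $FQDN did not match what acme.sh wrote
    if grep -q '\.acme\.sh' "$conf"; then
        echo "zen.conf still references .acme.sh; check FQDN before step 20" >&2
        return 1
    fi
}

# conf_value CONF KEY: print the value of KEY from CONF
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}
```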
14. Add the non-root user to the 'adm' and 'systemd-journal' groups.

    ```bash
    sudo adduser $USER adm
    sudo adduser $USER systemd-journal
    ```

15. Modify group ownership and permissions on the /etc/letsencrypt directory to allow the non-root user running zend access to the certificate and private key (access is granted via the ssl-cert group, which the non-root user has been added to).

    Modify ownership:

    ```bash
    sudo chown -R root:sudo /etc/letsencrypt/
    ```

    Modify permissions:

    ```bash
    sudo chmod -R 750 /etc/letsencrypt/
    ```

16. Apply ownership to the non-root user of all files in home and start zend.

    ```bash
    sudo chown -R $USER:$USER ~/ && sudo systemctl start zend && sleep 30
    ```
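Steps 15 and 16 are where zend most often fails to come up, because the non-root user cannot read the certificate or key after the ownership and mode changes, or because the private key has been left readable by everyone. The check below is an added example, not from the guide: run as the zend user, it confirms both files are readable by that user and that the key's 'other' permission bits are clear. The two paths are parameters so the check can be tried on constructed files; on the node they are the cert.pem and privkey.pem paths written into zen.conf in step 13.

```bash
#!/bin/sh
# Added example (not from the original guide): verify the outcome of
# steps 15-16 before starting zend. Paths are parameters so the check can
# run against constructed files; stat -c is GNU coreutils (Debian/Ubuntu).

# key_mode_ok FILE: 0 if FILE has no permission bits set for 'other'
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    # the last octal digit is the 'other' class; it must be 0
    case $mode in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# check_cert_access CERT KEY: 0 when the current user can read both files
# and the private key is not world-readable; each finding is printed
check_cert_access() {
    cert=$1; key=$2; rc=0
    for f in "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "not readable by $(id -un): $f (check ownership and mode, step 15)" >&2
            rc=1
        fi
    done
    if [ -e "$key" ] && ! key_mode_ok "$key"; then
        echo "private key is readable by everyone: $key" >&2
        rc=1
    fi
    return $rc
}
```

A typical call on the node is `check_cert_access /etc/letsencrypt/live/$FQDN/cert.pem /etc/letsencrypt/live/$FQDN/privkey.pem`, run as the zend user rather than with sudo so the readability test reflects that user.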
17. Check if zend has verified the TLS certificate.

    ```bash
    zen-cli getnetworkinfo | grep tls_cert_verified
    ```

    Example Output:

    ```
    zenops@node01:~$ zen-cli getnetworkinfo | grep tls_cert_verified
      "tls_cert_verified": true,
    ```

18. Start the zentracker and follow the logs from the tracker to check that "Cert check" is true; exit with CTRL+C.

    ```bash
    sudo systemctl start zentracker
    sudo journalctl -fu zentracker
    ```

    Example Output:

    ```
    zenops@node01~$ sudo journalctl -fu zentracker
    -- Logs begin at Tue 2018-05-22 12:54:41 EDT. --
    May 24 21:34:28 node01 node[42000]: 2018-05-25 01:34:28 GMT -- Connected to server ts1.na. Initializing...
    May 24 21:34:28 node01 node[42000]: XXXXX Node t_address (not for stake)=znXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    May 24 21:34:28 node01 node[42000]: Balance for challenge transactions is 0.0247
    May 24 21:34:28 node01 node[42000]: Using the following address for challenges
    May 24 21:34:28 node01 node[42000]: zcXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Authenticated
    May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Updated server list
    May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Stats: send initial stats.
    May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Stats received by ts1.na
    May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Cert check: valid=true. Hostname node01.zentest.win matches CN node01.zentest.win
    ```

19. Remove existing crontab jobs for the sudo and normal user.

    ```bash
    sudo crontab -r
    crontab -r
    ```

20. Remove the .acme.sh and acme.sh directories and remove acme.sh.env from .bashrc.

    ```bash
    sudo rm -r ~/{.acme.sh,acme.sh}
    sed -i "s|.\ \"$HOME/.acme.sh/acme.sh.env\"||g" ~/.bashrc
    ```

21. Remove socat and old repositories.

    ```bash
    sudo apt-get remove socat -y
    sudo apt-get -y autoremove
    ```

Configure Certificate Renewal

22. Follow Part 10 - Configure Certificate Renewal and finish the guide to completion in Part 11.