

This part covers:

  • Generate and install certificate using certbot
  • Update root certificates
  • Validate certificate installation with zend




1. Verify that the environment variables from Part 3, steps 1 and 2, are set correctly before continuing. If they are not, go back and redo those steps first.

   echo needs to output your FQDN, and the last line of .bashrc needs to read: export FQDN=<your FQDN here>

Command:
echo $FQDN


Example Output:

zenops@node01:~$ echo $FQDN
node01.zentest.win


Command:
sed -e 1b -e '$!d' $HOME/.bashrc


Example Output:

zenops@node01:~$ sed -e 1b -e '$!d' $HOME/.bashrc

# ~/.bashrc: executed by bash(1) for non-login shells.

export FQDN=node01.zentest.win


2. Install a certificate (required for end-to-end TLS encryption on the Secure/Super Node network). certbot will be used to generate and validate your certificate.

   • You can safely pass the --register-unsafely-without-email flag because (1) a new certificate can be requested at any time and (2) the guide configures automated certificate renewal in Part 10.

NOTE: Some VPS providers ship with apache2 enabled, which is already bound to port 80. If certbot reports a failure to bind to port 80 when establishing your standalone certificate, you will need to disable apache2.

Disable apache2 (if enabled, see note):

Command:
sudo systemctl disable apache2
sudo systemctl stop apache2


Execute the certbot command to obtain an SSL certificate for your FQDN

Command:
sudo certbot certonly --preferred-chain "ISRG Root X1" --key-type rsa -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN


Example Output:

zenops@node01$ sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Registering without email!

Obtaining a new certificate

Performing the following challenges:
http-01 challenge for node01.zentest.win
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/node01.zentest.win/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/node01.zentest.win/privkey.pem
   Your cert will expire on 2018-09-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le





3. Modify group ownership and permissions on the /etc/letsencrypt directory so that the non-root user running zend can read the certificate and private key. Access is granted via the sudo group, which the non-root user was added to earlier; note that this makes the private key readable by every member of that group.

Modify ownership:

Command:
sudo chown -R root:sudo /etc/letsencrypt/

Modify permissions:

Command:
sudo chmod -R 750 /etc/letsencrypt/


4. Split chain.pem into individual intermediate certificates, one .crt file per certificate, under /usr/local/share/ca-certificates.

Copy and paste this entire block of text:

Command:
sudo csplit -s -z -f /usr/local/share/ca-certificates/intermediate-cert- /etc/letsencrypt/live/$FQDN/chain.pem '/-----BEGIN CERTIFICATE-----/' '{*}' --suffix-format='%02d.crt'


5. Update the system certificate store with the intermediate certificates copied into /usr/local/share/ca-certificates in the previous step.

Command:
sudo update-ca-certificates --fresh


Example Output:

zenops@node01:~$ sudo update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
139 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.


6. Add the certificate and key locations to zen.conf.

NOTE: run each of these commands only once. They append to zen.conf, so running them again creates duplicate entries.

Certificate:

Command:
echo "tlscertpath=/etc/letsencrypt/live/$FQDN/cert.pem" >> ~/.zen/zen.conf

Private key:

Command:
echo "tlskeypath=/etc/letsencrypt/live/$FQDN/privkey.pem" >> ~/.zen/zen.conf


7. Stop and start zend so that it picks up the new configuration, certificate and private key.

Command:
zen-cli stop && sleep 30 && zend && sleep 30


8. Check that the certificate is installed and configured correctly.

   • Run the command shown and verify that the "tls_cert_verified" row of the output reads true: "tls_cert_verified": true

If the row reads false, verify that the steps above completed successfully and refer to the troubleshooting guide.

Command:
zen-cli getnetworkinfo



Example Output:

zenops@node01:~$ zen-cli getnetworkinfo
{
"version": 2001751,
"subversion": "/zen:2.0.17-1/",
"protocolversion": 170002,
"localservices": "0000000000000001",
"timeoffset": 0,
"connections": 8,
"tls_cert_verified": true,
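As an added example (not part of this guide or of the zen software), the shell functions below let a node operator re-check, after step 8, what steps 1, 3 and 6 set up: that FQDN is set, that zen.conf carries exactly one tlscertpath and one tlskeypath line (the NOTE in step 6), that the private key is not readable by others (step 3), and that getnetworkinfo reports tls_cert_verified true. It assumes GNU stat (as on Ubuntu) and constructs its own zen.conf and key file in a temporary directory; node01.zentest.win is the example host name used on this page.

```shell
# Added example, not part of the original guide: pre-flight checks for the
# TLS settings from steps 1, 3, 6 and 8. Paths and the getnetworkinfo text are
# passed in as arguments, so the checks also run against constructed files.

# 0 when $1 looks like an FQDN (contains a dot, no spaces, no trailing dot).
fqdn_is_set() { case "$1" in ''|*' '*|*.) return 1 ;; *.*) return 0 ;; esac; return 1; }

# Print how many lines of config $1 set key $2. Step 6 appends with >>, so a
# count other than 1 means the key is missing or was written twice.
conf_key_count() {
  local n
  n=$(grep -c "^$2=" "$1" 2>/dev/null) || true
  printf '%s\n' "${n:-0}"
}

# 0 when key file $1 exists and, as after the chmod 750 in step 3, carries no
# permission bits for "other". stat -c is GNU coreutils (Ubuntu).
key_perms_ok() {
  local mode
  [ -f "$1" ] || return 1
  mode=$(stat -c '%a' "$1") || return 1
  [ $(( 0$mode & 07 )) -eq 0 ]
}

# 0 when the getnetworkinfo output on stdin reports "tls_cert_verified": true.
tls_verified() { grep -Eq '"tls_cert_verified"[[:space:]]*:[[:space:]]*true'; }

# Run every check: $1 zen.conf path, $2 FQDN, $3 getnetworkinfo output.
check_tls_setup() {
  local conf="$1" fqdn="$2" info="$3" rc=0 k n key
  fqdn_is_set "$fqdn" || { echo "FAIL: FQDN not set"; rc=1; }
  for k in tlscertpath tlskeypath; do
    n=$(conf_key_count "$conf" "$k")
    [ "$n" -eq 1 ] || { echo "FAIL: $k set $n times in $conf, expected 1"; rc=1; }
  done
  key=$(sed -n 's/^tlskeypath=//p' "$conf" 2>/dev/null | head -n 1)
  key_perms_ok "$key" || { echo "FAIL: key '$key' missing or readable by others"; rc=1; }
  printf '%s' "$info" | tls_verified || { echo "FAIL: tls_cert_verified is not true"; rc=1; }
  return "$rc"
}

# Demo on constructed files (no real node): config written once, key mode 640.
d=$(mktemp -d)
printf 'tlscertpath=%s/cert.pem\ntlskeypath=%s/privkey.pem\n' "$d" "$d" > "$d/zen.conf"
: > "$d/privkey.pem" && chmod 640 "$d/privkey.pem"
check_tls_setup "$d/zen.conf" node01.zentest.win '{ "tls_cert_verified": true }' && echo "all checks passed"
```

Run it on the node with the real paths, for example check_tls_setup ~/.zen/zen.conf "$FQDN" "$(zen-cli getnetworkinfo)", and every FAIL line names the step to revisit.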



Part 6 of 11 - Procure and Configure Certificate
