Ensure you are logged in as the non-root user being used to run zend and the node tracker

  • PM2 / Monit - Migration to systemd
  • Install certbot
  • Stop zend and zentracker
  • Create standalone certificate
  • Add root CA certificate to certificate store
  • Update zen.conf cert locations
  • Add non-root user into groups
  • Start zend and check cert status
  • Start zentracker and check cert status
  • Cleanup files from acme.sh
  • Configure certificate renewal



1. Follow the PM2 / Monit - Migration to systemd guide first


2. Add the repository for certbot


NOTE: Skip this step for Debian 9

Ubuntu only

Code Block
sudo add-apt-repository ppa:certbot/certbot -y


3. Add the stretch-backports repository, update the package cache and install certbot directly from stretch-backports


NOTE: Skip this step for Ubuntu

Debian 9 only

Code Block
echo "deb http://ftp.debian.org/debian stretch-backports main" | sudo tee -a /etc/apt/sources.list.d/stretch-backport.list
sudo apt-get update
sudo apt-get -t stretch-backports install certbot -y


4. Update the package cache


Code Block
sudo apt-get update


5. Install certbot


Code Block
sudo apt-get install certbot -y


6. Stop zend and zentracker


Code Block
sudo systemctl stop zend zentracker


7. Set an environment variable to the Fully-Qualified Domain Name (FQDN) of the node. Type the command below, replacing 'FQDN' (the value between the single quotes) with the name used in the domain registration for your node.

DO NOT USE CAPITAL LETTERS IN PLACE OF 'FQDN'; REPLACE IT ONLY WITH LOWER CASE!

Code Block
FQDN='FQDN'

Use only lower-case letters, as in the example.

Example Output

zenops@node01:~$ FQDN='node01.zentest.win'


8. Add the FQDN variable to the .bashrc file of the user you created, so that it persists across logins


Code Block
echo "export FQDN=$FQDN" >> $HOME/.bashrc


9. Verify that the environment variable from steps 7 and 8 is set correctly before continuing; if it is not, go back and redo those steps.

echo needs to output your FQDN.

The last line of .bashrc needs to read: export FQDN=<your FQDN here>


Code Block
echo $FQDN



Example Output

zenops@node01:~$ echo $FQDN
node01.zentest.win



Code Block
sed -e 1b -e '$!d' $HOME/.bashrc



Example Output

zenops@node01:~$ sed -e 1b -e '$!d' $HOME/.bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.
export FQDN=node01.zentest.win


10. Install a certificate (required for end-to-end TLS encryption on the Secure/Super Node network); certbot will be used to generate and validate your certificate.

    • You can safely pass the --register-unsafely-without-email flag, as (1) a new certificate can be requested at any time and (2) the guide configures automated certificate renewal in step 22. The trade-off is that Let's Encrypt has no address to send expiry warnings to, so the renewal configuration in step 22 must not be skipped.

NOTE: Some VPS providers ship with apache2 enabled, which occupies port 80. If certbot reports a failure to bind to port 80 when establishing your standalone certificate, disable apache2 first.

Disable apache2 (only if enabled, see note)

Code Block
sudo systemctl disable apache2
sudo systemctl stop apache2



Code Block
sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN



Example Output

zenops@node01$ sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Registering without email!
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for node01.zentest.win
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/node01.zentest.win/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/node01.zentest.win/privkey.pem
   Your cert will expire on 2018-09-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


11. Copy the root CA into the local CA directory as required for your distribution; this example is proven for Debian and Ubuntu.

NOTE: If you type this command rather than pasting it, be sure to give the copied certificate a '.crt' extension; the next command only picks up files with that extension when adding them to the certificate store. It is recommended to copy and paste, unless instructed otherwise where values need replacing.

For Debian / Ubuntu

Code Block
sudo cp /etc/letsencrypt/live/$FQDN/chain.pem /usr/local/share/ca-certificates/chain.crt


12. Update the certificate store with the root CA copied in the previous step

For Debian / Ubuntu

Code Block
sudo update-ca-certificates



Example Output

zenops@node01:~$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
WARNING: Skipping duplicate certificate ca.pem
WARNING: Skipping duplicate certificate ca.pem
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.


13. Replace the old certificate and key locations in zen.conf and add "rpcworkqueue=512"


Code Block
sed -i "s|$HOME/.acme.sh/$FQDN/$FQDN.cer|/etc/letsencrypt/live/$FQDN/cert.pem|g" ~/.zen/zen.conf
sed -i "s|$HOME/.acme.sh/$FQDN/$FQDN.key|/etc/letsencrypt/live/$FQDN/privkey.pem|g" ~/.zen/zen.conf
echo "rpcworkqueue=512" >> ~/.zen/zen.conf
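The following is an added example, not part of the original guide, that turns the FQDN rule from step 7 and the zen.conf rewrite of step 13 into re-runnable shell functions. It goes slightly beyond the guide: validate_fqdn rejects upper case, bare host names and malformed labels before the value ever reaches certbot, rewrite_zen_conf appends rpcworkqueue only once no matter how often it is run, and check_zen_conf confirms no acme.sh path is left behind. The function names are my own, and the zen.conf keys used in the comments (tlscertpath, tlskeypath) are assumed for illustration; the path rewrite itself does not depend on the key names.

```shell
#!/bin/sh
# Added example (not the guide's own code): helpers for steps 7 and 13.
# Usage on a node, after step 7 has set FQDN (assumed paths, adjust as needed):
#   validate_fqdn "$FQDN" || echo "FQDN must be a lower-case fully qualified name"
#   rewrite_zen_conf ~/.zen/zen.conf "$FQDN" "$HOME"
#   check_zen_conf ~/.zen/zen.conf "$FQDN"

# validate_fqdn VALUE
# Returns 0 when VALUE is a lower-case fully qualified host name made of
# letters, digits, hyphens and dots, with at least one dot and no label that
# is empty or starts/ends with a hyphen. Upper case, spaces or a bare host
# name return 1, which is exactly what step 7 warns against.
validate_fqdn() {
    case "$1" in
        ''|*[!a-z0-9.-]*|.*|*.|*..*|-*|*.-*|*-.*|*-) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# rewrite_zen_conf CONF FQDN HOME_DIR
# Replaces the acme.sh certificate and key paths with the certbot ones, as the
# two sed commands in step 13 do (e.g. a constructed line
# "tlscertpath=/home/zenops/.acme.sh/<fqdn>/<fqdn>.cer" becomes
# "tlscertpath=/etc/letsencrypt/live/<fqdn>/cert.pem"), and appends
# rpcworkqueue=512 only if no rpcworkqueue line exists yet, so re-running the
# step does not duplicate the setting.
rewrite_zen_conf() {
    _conf="$1"; _fqdn="$2"; _home="$3"
    sed -i "s|$_home/.acme.sh/$_fqdn/$_fqdn.cer|/etc/letsencrypt/live/$_fqdn/cert.pem|g" "$_conf"
    sed -i "s|$_home/.acme.sh/$_fqdn/$_fqdn.key|/etc/letsencrypt/live/$_fqdn/privkey.pem|g" "$_conf"
    grep -q '^rpcworkqueue=' "$_conf" || printf 'rpcworkqueue=512\n' >> "$_conf"
}

# check_zen_conf CONF FQDN
# Returns 0 when CONF no longer references .acme.sh, points at both certbot
# files for FQDN and has rpcworkqueue set; otherwise prints the first problem
# found and returns 1.
check_zen_conf() {
    _conf="$1"; _fqdn="$2"
    if grep -q '\.acme\.sh' "$_conf"; then
        echo "stale acme.sh path still present in $_conf"; return 1
    fi
    grep -qF "/etc/letsencrypt/live/$_fqdn/cert.pem" "$_conf" || { echo "cert.pem path missing in $_conf"; return 1; }
    grep -qF "/etc/letsencrypt/live/$_fqdn/privkey.pem" "$_conf" || { echo "privkey.pem path missing in $_conf"; return 1; }
    grep -q '^rpcworkqueue=' "$_conf" || { echo "rpcworkqueue not set in $_conf"; return 1; }
    return 0
}
```

Source the file (`. ./zenconf.sh`, an assumed file name) and call the functions as shown in the header comments; `sed -i` as used here is the GNU form, matching the commands in the guide.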


14. Add the non-root user to the 'adm' and 'systemd-journal' groups


Code Block
sudo adduser $USER adm
sudo adduser $USER systemd-journal


15. Modify group ownership and permissions on the /etc/letsencrypt directory so that the non-root user running zend can read the certificate and private key (the guide describes access as granted via the ssl-cert group; the commands below set the group to 'sudo', so whichever group is used, the non-root user running zend must be a member of it). Note that a recursive 750 makes the private key readable by every member of that group, so keep that group's membership to a minimum.

Modify ownership

Code Block
sudo chown -R root:sudo /etc/letsencrypt/

Modify permissions

Code Block
sudo chmod -R 750 /etc/letsencrypt/


16. Give the non-root user ownership of all files in the home directory and start zend


Code Block
sudo chown -R $USER:$USER ~/ && sudo systemctl start zend && sleep 30


17. Check if zend has verified the TLS certificate


Code Block
zen-cli getnetworkinfo | grep tls_cert_verified



Example Output

zenops@node01:~$ zen-cli getnetworkinfo | grep tls_cert_verified
"tls_cert_verified": true,


18. Start the zentracker and follow its logs to check that "Cert check" reports valid=true; exit with CTRL+C


Code Block
sudo systemctl start zentracker
sudo journalctl -fu zentracker




Example Output

zenops@node01~$ sudo journalctl -fu zentracker
-- Logs begin at Tue 2018-05-22 12:54:41 EDT. --
May 24 21:34:28 node01 node[42000]: 2018-05-25 01:34:28 GMT -- Connected to server ts1.na. Initializing...
May 24 21:34:28 node01 node[42000]: XXXXX Node t_address (not for stake)=znXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
May 24 21:34:28 node01 node[42000]: Balance for challenge transactions is 0.0247
May 24 21:34:28 node01 node[42000]: Using the following address for challenges
May 24 21:34:28 node01 node[42000]: zcXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Authenticated
May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Updated server list
May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Stats: send initial stats.
May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Stats received by ts1.na
May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Cert check: valid=true. Hostname node01.zentest.win matches CN node01.zentest.win
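As an added example that is not part of the original guide, the checks of steps 15, 17 and 18 can be scripted so an operator (or a monitoring job) can re-run them after every restart or renewal. The functions take the command output as text, so the constructed samples below are built from the guide's own example output; the function names are my own, the private-key permission check assumes GNU coreutils `stat -c`, and the live usage lines in the header comments are assumptions about where the files live on your node.

```shell
#!/bin/sh
# Added example (not the guide's own code): post-start checks for steps
# 15, 17 and 18. Live usage on a node (assumed paths, adjust to your node):
#   tls_verified "$(zen-cli getnetworkinfo)"
#   tracker_cert_ok "$(journalctl -u zentracker -n 50 --no-pager)" "$FQDN"
#   key_access_ok /etc/letsencrypt/live/$FQDN/privkey.pem sudo "$USER"

# tls_verified JSON
# Returns 0 when getnetworkinfo output reports "tls_cert_verified": true
# (step 17); tolerates any whitespace around the colon.
tls_verified() {
    printf '%s\n' "$1" | grep -Eq '"tls_cert_verified"[[:space:]]*:[[:space:]]*true'
}

# tracker_cert_ok LOGTEXT FQDN
# Returns 0 when the tracker log contains a successful cert check whose
# hostname and CN both equal FQDN (step 18). A valid=true line that names a
# different host is not accepted, so a stale or mis-issued certificate shows
# up as a failure rather than a pass.
tracker_cert_ok() {
    printf '%s\n' "$1" | grep -Fq "Cert check: valid=true. Hostname $2 matches CN $2"
}

# key_access_ok KEYFILE GROUP USER
# Returns 0 when KEYFILE is group-owned by GROUP, USER is a member of GROUP,
# the group has read access and "others" have no access at all, i.e. the state
# step 15 is meant to produce (mode 750 with group sudo in the guide). Each
# failing condition is printed so the operator knows what to fix.
key_access_ok() {
    _file="$1"; _group="$2"; _user="$3"
    _owner_group=$(stat -c %G "$_file") || return 1
    _mode=$(stat -c %a "$_file") || return 1
    _other=${_mode#"${_mode%?}"}               # last octal digit: others
    _grp=${_mode%?}; _grp=${_grp#"${_grp%?}"}  # second-to-last digit: group
    [ "$_owner_group" = "$_group" ] || { echo "$_file: group is $_owner_group, expected $_group"; return 1; }
    id -nG "$_user" | tr ' ' '\n' | grep -qx "$_group" || { echo "$_user is not a member of group $_group"; return 1; }
    case "$_grp" in
        4|5|6|7) ;;
        *) echo "$_file: group has no read access (mode $_mode)"; return 1 ;;
    esac
    [ "$_other" = 0 ] || { echo "$_file: accessible by others (mode $_mode)"; return 1; }
    return 0
}
```

A private key that is world-readable (mode 644 or looser) fails key_access_ok even though zend would happily start with it, which is the point of checking the mode rather than only whether zend reports tls_cert_verified.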


19. Remove the existing crontab entries for root (via sudo) and for the normal user; note that crontab -r deletes the whole crontab, not individual entries


Code Block
sudo crontab -r
crontab -r


20. Remove the .acme.sh and acme.sh directories and remove the acme.sh.env line from .bashrc


Code Block
sudo rm -r ~/{.acme.sh,acme.sh}
sed -i "s|.\ \"$HOME/.acme.sh/acme.sh.env\"||g" ~/.bashrc


21. Remove socat and old repositories


Code Block
sudo apt-get remove socat -y
sudo apt-get -y autoremove



Configure Certificate Renewal
22. Follow Part 10 9 - Configure Certificate Renewal and finish the guide to completion in Part 11

