确保以非root用户身份运行zend和节点跟踪器

PM2 / Monit - 迁移到systemd
安装certbot
停止zend和zentracker
创建独立证书
将根CA证书添加到证书库
更新zen.conf证书位置
将非root用户添加到组中
启动zend并检查证书状态
启动zentracker并检查证书状态
从acme.sh清理文件
配置证书续订



sudo add-apt-repository ppa:certbot/certbot -y
echo "deb http://ftp.debian.org/debian stretch-backports main" | sudo tee -a /etc/apt/sources.list.d/stretch-backport.list
sudo apt-get update
sudo apt-get -t stretch-backports install certbot -y
sudo apt-get update
sudo apt-get install certbot -y
sudo systemctl stop zend zentracker
FQDN='FQDN'
echo "export FQDN=$FQDN" >> $HOME/.bashrc
echo $FQDN
sudo systemctl disable apache2
sudo systemctl stop apache2
sudo cp /etc/letsencrypt/live/$FQDN/chain.pem /usr/local/share/ca-certificates/chain.crt
sudo update-ca-certificates
sed -i "s|$HOME/.acme.sh/$FQDN/$FQDN.cer|/etc/letsencrypt/live/$FQDN/cert.pem|g" ~/.zen/zen.conf
sed -i "s|$HOME/.acme.sh/$FQDN/$FQDN.key|/etc/letsencrypt/live/$FQDN/privkey.pem|g" ~/.zen/zen.conf
echo "rpcworkqueue=512" >> ~/.zen/zen.conf
sudo adduser $USER adm
sudo adduser $USER systemd-journal
sudo chown -R root:sudo /etc/letsencrypt/
sudo chown -R $USER:$USER ~/ && sudo systemctl start zend && sleep 30
zen-cli getnetworkinfo | grep tls_cert_verified
sudo systemctl start zentracker
sudo journalctl -fu zentracker
sudo crontab -r
crontab -r
sudo rm -r ~/{.acme.sh,acme.sh}
sed -i "s|.\ \"$HOME/.acme.sh/acme.sh.env\"||g" ~/.bashrc
sudo apt-get remove socat -y
sudo apt-get -y autoremove



	Description	Command
1	首先参见 PM2 / Monit - 迁移到systemd指南
2	添加certbot存储库注意：Debian 9跳过这一步	只限Ubuntu sudo add-apt-repository ppa:certbot/certbot -y
3	添加stretch-backports存储库，更新包缓存并直接从stretch-backports安装certbot 注意: Ubuntu跳过这一步	只限Debian 9 echo "deb http://ftp.debian.org/debian stretch-backports main" \| sudo tee -a /etc/apt/sources.list.d/stretch-backport.list sudo apt-get update sudo apt-get -t stretch-backports install certbot -y
4	更新包缓存	sudo apt-get update
5	安装certbot	sudo apt-get install certbot -y
6	停止zend 和 zentracker	sudo systemctl stop zend zentracker
7	设置环境变量以匹配节点的完全限定域名 - 您需要键入此命令并将“FQDN”（引号''之间的值）更改为节点域注册中使用的值	不要在'FQDN'的位置使用大写字母，只需小写！ FQDN='FQDN' 像示例一样只使用小写字母 Example Output zenops@node01:~$ FQDN='node01.zentest.win'
8	将FQDN变量添加到.bashrc文件中，对于您创建的用户，这将确保它是持久的	echo "export FQDN=$FQDN" >> $HOME/.bashrc
9	在继续之前验证您的环境变量是否已从上面的步骤7和8正确设置，如果不是，您需要返回并重新执行这些步骤，然后再继续 Echo需要输出您的FQDN .bashrc的最后一行需要读取：export FQDN = <您的FQDN here>	echo $FQDN Example Output zenops@node01:~$ echo $FQDN node01.zentest.win sed -e 1b -e '$!d' $HOME/.bashrc Example Output zenops@node01:~$ sed -e 1b -e '$!d' $HOME/.bashrc # ~/.bashrc: executed by bash(1) for non-login shells. export FQDN=node01.zentest.win
10	安装证书（安全/超级节点网络的端到端TLS加密所需）certbot将用于生成和验证您的证书您可以安全地传递--register-unsafely-without-email标志，因为（1）可以随时请求新证书（2）指南将在步骤22中配置自动证书续订注意：某些VPS提供程序启用了apache2，这会锁定端口80.如果在建立独立证书时无法绑定到端口80错误，则需要禁用apache2	禁用apache2（如果已启用，请参阅注释） sudo systemctl disable apache2 sudo systemctl stop apache2 sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN Example Output zenops@node01$ sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN Saving debug log to.../var/log/letsencrypt/letsencrypt.log Registering without email! Obtaining a new certificate Performing the following challenges: http-01 challenge for node01.zentest.win Waiting for verification... Cleaning up challenges IMPORTANT NOTES: ....-...Congratulations! Your certificate and chain have been saved at: ........./etc/letsencrypt/live/node01.zentest.win/fullchain.pem .........Your key file has been saved at: ........./etc/letsencrypt/live/node01.zentest.win/privkey.pem .........Your cert will expire on 2018-09-05. To obtain a new or tweaked .........version of this certificate in the future, simply run certbot .........again. To non-interactively renew all of your certificates, run ........."certbot renew" ....-...If you like Certbot, please consider supporting our work by: Donating to ISRG /............Let's Encrypt:..............https://letsencrypt.org/donate Donating to EFF:..........................................................https://eff.org/donate-le
11	根据您的发行版所需复制根CA - 这个示例已经过Debian和Ubuntu的验证 NOTE: If you type this command, be sure to rename the certificate with a '.crt' extension, this is required for the next command to identify the certificate and add it to the certificate store. It is recommended to copy and paste, unless instructed otherwise where things may need replacing	Debian / Ubuntu系统 sudo cp /etc/letsencrypt/live/$FQDN/chain.pem /usr/local/share/ca-certificates/chain.crt
12	使用在上一步中复制的根CA更新证书存储	Debian / Ubuntu系统 sudo update-ca-certificates Example Output zenops@node01:~$ sudo update-ca-certificates Updating certificates in /etc/ssl/certs... WARNING: Skipping duplicate certificate ca.pem WARNING: Skipping duplicate certificate ca.pem 1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... done.
13	替换zen.conf中的旧证书和密钥位置并添加“rpcworkqueue = 512”	sed -i "s\|$HOME/.acme.sh/$FQDN/$FQDN.cer\|/etc/letsencrypt/live/$FQDN/cert.pem\|g" ~/.zen/zen.conf sed -i "s\|$HOME/.acme.sh/$FQDN/$FQDN.key\|/etc/letsencrypt/live/$FQDN/privkey.pem\|g" ~/.zen/zen.conf echo "rpcworkqueue=512" >> ~/.zen/zen.conf
14	将非root用户添加到'adm'和'systemd-journal'组	sudo adduser $USER adm sudo adduser $USER systemd-journal
15	修改/ etc / letsencrypt目录中的组所有权和权限，以允许非root用户对证书和私钥进行zend访问（通过ssl-cert组授予访问权限，非root用户已添加到该组）	修改所有权 sudo chown -R root:sudo /etc/letsencrypt/ 修改权限 sudo chmod -R 750 /etc/letsencrypt/
16	将所有权应用于home中所有文件的非root用户并启动zend	sudo chown -R $USER:$USER ~/ && sudo systemctl start zend && sleep 30
17	检查zend是否已验证TLS证书	zen-cli getnetworkinfo \| grep tls_cert_verified Example Output zenops@node01:~$ zen-cli getnetworkinfo \| grep tls_cert_verified "tls_cert_verified": true,
18	启动zentracker并按照跟踪器中的日志检查“Cert check”是否为true，按CTRL + c退出	sudo systemctl start zentracker sudo journalctl -fu zentracker Example Output zenops@node01~$ sudo journalctl -fu zentracker -- Logs begin at Tue 2018-05-22 12:54:41 EDT. -- May 24 21:34:28 node01 node[42000]: 2018-05-25 01:34:28 GMT -- Connected to server ts1.na. Initializing... May 24 21:34:28 node01 node[42000]: XXXXX Node t_address (not for stake)=znXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX May 24 21:34:28 node01 node[42000]: Balance for challenge transactions is 0.0247 May 24 21:34:28 node01 node[42000]: Using the following address for challenges May 24 21:34:28 node01 node[42000]: zcXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Authenticated May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Updated server list May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Stats: send initial stats. May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Stats received by ts1.na May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Cert check: valid=true. Hostname node01.zentest.win matches CN node01.zentest.win
19	删除sudo和普通用户的现有crontab作业	sudo crontab -r crontab -r
20	删除.acme.sh和acme.sh目录并从.bashrc中删除acme.sh.env	sudo rm -r ~/{.acme.sh,acme.sh} sed -i "s\|.\ \"$HOME/.acme.sh/acme.sh.env\"\|\|g" ~/.bashrc
21	删除socat和旧存储库	sudo apt-get remove socat -y sudo apt-get -y autoremove
	配置证书续订
22	按照第10部分 - 配置证书续订，完成第11部分中的安装指南

Horizen Chinese

acme.sh - 迁移到certbot

确保以非root用户身份运行zend和节点跟踪器