Part 6 - Procure and Configure Certificate
- Generate and install certificate using certbot
- Update root certificates
- Validate certificate installation with zend
Step | Description | Command
---|---|---
1 | Verify that the environment variables from Part 3, steps 1 and 2, are set correctly before continuing; if they are not, go back and redo those steps first. `echo` must output your FQDN, and the last line of `.bashrc` must read `export FQDN=<your FQDN here>`. | `echo $FQDN`<br>Example output: `zenops@node01:~$ echo $FQDN`<br>`sed -e 1b -e '$!d' $HOME/.bashrc`<br>Example output: `zenops@node01:~$ sed -e 1b -e '$!d' $HOME/.bashrc`
2 | Install a certificate (required for end-to-end TLS encryption on the Super Node network). certbot is used to generate and validate your certificate.<br>NOTE: Some VPS providers ship with apache2 enabled, which occupies port 80. If certbot reports a failure to bind to port 80 while obtaining the standalone certificate, disable apache2 first. | Disable apache2 (if enabled, see note):<br>`sudo systemctl disable apache2`<br>`sudo systemctl stop apache2`<br>Run certbot to obtain an SSL certificate for your FQDN:<br>`sudo certbot certonly --preferred-chain "ISRG Root X1" --key-type rsa -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN`<br>Example output:<br>`zenops@node01$ sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN`<br>`Saving debug log to /var/log/letsencrypt/letsencrypt.log`<br>`Registering without email!`<br>`Obtaining a new certificate`<br>`Performing the following challenges:`<br>`IMPORTANT NOTES:`<br>`Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate`
3 | Modify group ownership and permissions on the /etc/letsencrypt directory so that the non-root user running zend can read the certificate and private key (access is granted through the sudo group, to which the non-root user has been added). | Modify ownership:<br>`sudo chown -R root:sudo /etc/letsencrypt/`<br>Modify permissions:<br>`sudo chmod -R 750 /etc/letsencrypt/`
4 | Split the chain.pem file into individual intermediate certificates under /usr/local/share/ca-certificates/. | Copy and paste this entire block of text:<br>`sudo csplit -s -z -f /usr/local/share/ca-certificates/intermediate-cert- /etc/letsencrypt/live/$FQDN/chain.pem '/-----BEGIN CERTIFICATE-----/' '{*}' --suffix-format='%02d.crt'`
5 | Update the certificate store with the root CA copied in the previous step. | `sudo update-ca-certificates --fresh`<br>Example output: `zenops@node01:~$ sudo update-ca-certificates --fresh`
6 | Add the certificate and key locations to zen.conf.<br>NOTE: run these commands only once; each run appends another line to zen.conf. | Certificate:<br>`echo "tlscertpath=/etc/letsencrypt/live/$FQDN/cert.pem" >> ~/.zen/zen.conf`<br>Private key:<br>`echo "tlskeypath=/etc/letsencrypt/live/$FQDN/privkey.pem" >> ~/.zen/zen.conf`
7 | Stop and start zend so that it picks up the new configuration, certificate and private key. | `zen-cli stop && sleep 30 && zend && sleep 30`
8 | Check that the certificate is installed and configured correctly.<br>If the row displays false, verify that the steps above completed successfully and refer to the troubleshooting guide. | `zen-cli getnetworkinfo`<br>Example output: `zenops@node01:~$ zen-cli getnetworkinfo`
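As an added example (not part of this guide, zend or certbot), the Python below mirrors steps 4 and 6 so they can be rehearsed locally: it splits a chain.pem bundle into numbered files the way the csplit command does, and appends the tls settings to zen.conf only when they are not already present, which is the pitfall the step 6 note warns about. The hostname node01.example.com and the placeholder PEM bodies are constructed, not real certificates.

```python
import re
import tempfile
from pathlib import Path

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Constructed stand-in for chain.pem: two PEM blocks with placeholder bodies, not real certificates.
SAMPLE_CHAIN = (
    f"{BEGIN}\nPLACEHOLDER-INTERMEDIATE-BODY\n{END}\n"
    f"{BEGIN}\nPLACEHOLDER-ROOT-BODY\n{END}\n"
)

def split_pem_bundle(bundle_text):
    """Return every PEM certificate block in the bundle, in file order."""
    pattern = re.compile(rf"{BEGIN}.*?{END}", re.S)
    return [m.group(0) + "\n" for m in pattern.finditer(bundle_text)]

def write_intermediates(bundle_path, out_dir, prefix="intermediate-cert-"):
    """Write <prefix>00.crt, <prefix>01.crt, ... mirroring csplit's %02d suffix format."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for i, cert in enumerate(split_pem_bundle(bundle_path.read_text())):
        path = out_dir / f"{prefix}{i:02d}.crt"
        path.write_text(cert)
        written.append(path)
    return written

def ensure_tls_paths(conf_path, fqdn):
    """Append tlscertpath/tlskeypath unless already set; re-running is a no-op (step 6 note)."""
    wanted = {
        "tlscertpath": f"/etc/letsencrypt/live/{fqdn}/cert.pem",
        "tlskeypath": f"/etc/letsencrypt/live/{fqdn}/privkey.pem",
    }
    lines = conf_path.read_text().splitlines() if conf_path.exists() else []
    present = {ln.split("=", 1)[0].strip() for ln in lines if "=" in ln}
    added = [f"{k}={v}" for k, v in wanted.items() if k not in present]
    with conf_path.open("a") as fh:  # creates zen.conf if it does not exist yet
        fh.writelines(line + "\n" for line in added)
    return added

def demo(fqdn="node01.example.com"):
    """Exercise both helpers in a temp dir; fqdn is a constructed hostname."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        (tmp / "chain.pem").write_text(SAMPLE_CHAIN)
        files = write_intermediates(tmp / "chain.pem", tmp / "ca-certificates")
        conf = tmp / "zen.conf"
        first, second = ensure_tls_paths(conf, fqdn), ensure_tls_paths(conf, fqdn)
        return {"files": [p.name for p in files], "first": first, "second": second, "conf": conf.read_text()}
```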