Part 6 - Procure and Configure Certificate

  • Generate and install certificate using certbot

  • Update root certificates

  • Validate certificate installation with zend

 

Each numbered step below gives a description followed by the command(s) to run.

1. Verify that the environment variables set in Part 3, steps 1 and 2, are still in place. If they are not, go back and redo those steps before continuing.

   Echo must output your FQDN:

   echo $FQDN

   Print the first and last lines of .bashrc (1b prints line 1, $!d drops everything except the last line). The last line must read: export FQDN=<your FQDN here>

   sed -e 1b -e '$!d' $HOME/.bashrc

2. Obtain a certificate (required for end-to-end TLS encryption on the Super Node network). certbot generates the key pair and proves control of your FQDN to Let's Encrypt over HTTP on port 80, so port 80 must be reachable from the internet and free on the host while the command runs.

   NOTE: Some VPS providers ship with apache2 enabled, which occupies port 80. If certbot reports that it cannot bind to port 80 while obtaining the standalone certificate, disable and stop apache2 first.

   Disable and stop apache2 (only if enabled, see note):

   sudo systemctl disable apache2
   sudo systemctl stop apache2

   Run certbot to obtain the certificate for your FQDN. --standalone makes certbot answer the HTTP challenge itself, --preferred-chain "ISRG Root X1" requests the chain that terminates in ISRG Root X1, --key-type rsa requests an RSA key, and --register-unsafely-without-email means you will receive no expiry reminders for this certificate:

   sudo certbot certonly --preferred-chain "ISRG Root X1" --key-type rsa -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN


3. Give the non-root user that runs zend access to the certificate and private key under /etc/letsencrypt. Access is granted through the sudo group, to which the non-root user was added earlier, so every member of that group can read the private key.

   Modify ownership:

   sudo chown -R root:sudo /etc/letsencrypt/

   Modify permissions (owner full access, group read and traverse, nothing for others):

   sudo chmod -R 750 /etc/letsencrypt/

   The live/ directory only holds symlinks; the actual key and certificate files are under archive/, which is why both commands are recursive. certbot writes new files under archive/ on every renewal, so re-check the group and permissions after the first renewal.

4. Split chain.pem (the intermediate CA certificate(s) certbot received, not the root) into one file per certificate under /usr/local/share/ca-certificates/, where update-ca-certificates looks for locally trusted CAs. The files are named intermediate-cert-00.crt, intermediate-cert-01.crt, and so on; -z discards the empty piece before the first certificate.

   Copy and paste this entire block as one command:

   sudo csplit -s -z -f /usr/local/share/ca-certificates/intermediate-cert- /etc/letsencrypt/live/$FQDN/chain.pem '/-----BEGIN CERTIFICATE-----/' '{*}' --suffix-format='%02d.crt'

5. Rebuild the system certificate store so it includes the intermediate certificate(s) added in the previous step (--fresh clears and regenerates the symlinks in /etc/ssl/certs):

   sudo update-ca-certificates --fresh

6. Add the certificate and key locations to zen.conf. The double quotes let the shell expand $FQDN, so the literal path is written to the file.

   NOTE: run each of these commands only once. They append to the file, so running them again leaves duplicate tlscertpath/tlskeypath lines.

   Certificate:

   echo "tlscertpath=/etc/letsencrypt/live/$FQDN/cert.pem" >> ~/.zen/zen.conf

   Private key:

   echo "tlskeypath=/etc/letsencrypt/live/$FQDN/privkey.pem" >> ~/.zen/zen.conf

7. Stop and start zend so it picks up the new configuration, certificate and private key. The sleeps give zend time to shut down cleanly and to come back up before the next step:

   zen-cli stop && sleep 30 && zend && sleep 30

8. Check that the certificate is installed and configured correctly.

   • Run the command below and verify that the output contains the row "tls_cert_verified": true

   If the row shows false, verify that the steps above completed successfully and refer to the troubleshooting guide.

zen-cli getnetworkinfo

 
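The following script is an added example and is not part of the original guide or of the Horizen project. It collects the checks implied by steps 1, 3, 6 and 8 into shell functions, re-implements the step 4 chain split with awk (same output file names as the guide's csplit command), and makes the step 6 append idempotent so it is safe to re-run. The function names, the openssl chain/SAN check in verify_cert_chain, and the --check entry point are assumptions of this example; the paths in run_checks are the guide's own.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: helper functions that make
# the Part 6 steps repeatable and give each one a pass/fail check. Every
# function takes its paths as arguments so it can be tried on a scratch
# directory; run_checks applies them to the guide's real locations.

# Step 1 check: the last line of .bashrc must export a non-empty FQDN.
fqdn_export_ok() {               # fqdn_export_ok <bashrc>
  tail -n 1 "$1" | grep -q '^export FQDN=.'
}

# Step 3 check: the private key must stay unreadable to "other"; the only
# widening the guide intends is group access for the sudo group.
key_not_world_readable() {       # key_not_world_readable <privkey.pem>
  [ -f "$1" ] && [ -z "$(find "$1" -perm -004)" ]
}

# Step 4: split a PEM bundle (chain.pem) into one file per certificate,
# named like the guide's csplit output (intermediate-cert-00.crt, 01, ...).
# Done with awk so it also works where csplit is unavailable. Prints the
# number of certificates written (0 if the bundle held none).
split_chain() {                  # split_chain <bundle.pem> <out_dir>
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ {
      out = sprintf("%s/intermediate-cert-%02d.crt", dir, n); n++
    }
    n > 0 { print > out }        # lines before the first BEGIN are dropped
    END   { print n + 0 }
  ' "$1"
}

# Step 6: append key=value only if no line already sets that key, so the
# command is safe to re-run (the guide says to run its echo lines only once
# because >> would otherwise add duplicates).
add_conf_once() {                # add_conf_once <zen.conf> <key> <value>
  touch "$1"
  grep -q "^$2=" "$1" || printf '%s=%s\n' "$2" "$3" >> "$1"
}

# Number of lines that set a key in zen.conf; anything but 1 is wrong.
conf_count() {                   # conf_count <zen.conf> <key>
  grep -c "^$2=" "$1" || true
}

# Step 8 check: read tls_cert_verified from getnetworkinfo JSON on stdin,
# so it works on live `zen-cli getnetworkinfo` output or on a saved copy.
tls_verified() {                 # zen-cli getnetworkinfo | tls_verified
  grep -Eq '"tls_cert_verified"[[:space:]]*:[[:space:]]*true'
}

# Extra check (an assumption of this example, not in the guide): the leaf
# certificate must validate against the intermediates certbot saved beside
# it and must carry the FQDN as a DNS SAN. Needs openssl 1.1.1+ for -ext.
verify_cert_chain() {            # verify_cert_chain <live_dir> <fqdn>
  openssl verify -CAfile "$1/chain.pem" "$1/cert.pem" >/dev/null &&
    openssl x509 -in "$1/cert.pem" -noout -ext subjectAltName | grep -qF "DNS:$2"
}

# Audit a configured host with the guide's own paths. Reading the key needs
# sudo-group membership, and the last check needs a running zend.
run_checks() {
  local live="/etc/letsencrypt/live/$FQDN" conf="$HOME/.zen/zen.conf" rc=0
  fqdn_export_ok "$HOME/.bashrc"              || { echo "FAIL: FQDN export in .bashrc"; rc=1; }
  key_not_world_readable "$live/privkey.pem"  || { echo "FAIL: privkey.pem permissions"; rc=1; }
  verify_cert_chain "$live" "$FQDN"           || { echo "FAIL: certificate chain / SAN"; rc=1; }
  [ "$(conf_count "$conf" tlscertpath)" = 1 ] || { echo "FAIL: tlscertpath lines in zen.conf"; rc=1; }
  [ "$(conf_count "$conf" tlskeypath)" = 1 ]  || { echo "FAIL: tlskeypath lines in zen.conf"; rc=1; }
  zen-cli getnetworkinfo | tls_verified       || { echo "FAIL: tls_cert_verified is not true"; rc=1; }
  [ "$rc" -eq 0 ] && echo "all Part 6 checks passed"
  return "$rc"
}

# Usage on the node after finishing step 7:  bash part6_check.sh --check
if [ "${1:-}" = "--check" ]; then
  run_checks
fi
```

Running it with --check on the node prints one FAIL line per step that needs attention and exits non-zero, which is easier to act on than reading getnetworkinfo by eye; the functions can also be sourced individually, for example to re-run add_conf_once without risking the duplicate lines the guide warns about.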

Part 6 of 11 - Procure and Configure Certificate