Part 6 - Procure and Configure Certificate

  • Generate and install certificate using certbot
  • Update root certificates
  • Validate certificate installation with zend


Verify your environmental variables are set correctly from Part 3, steps 1 and 2 before continuing, if not you need to go back and re-do those steps before continuing

Echo needs to output your FQDN

The last line of .bashrc needs to read: export FQDN=<your FQDN here>

echo $FQDN

Example Output

zenops@node01:~$ echo $FQDN

sed -e 1b -e '$!d' $HOME/.bashrc
Example Output

zenops@node01:~$ sed -e 1b -e '$!d' $HOME/.bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.


Install a certificate (required for end-to-end TLS encryption for the Secure/Super Node network) certbot will be used to generate and validate your certificate

    • You can safely pass the --register-unsafely-without-email flag as (1) a new certificate can be requested at any time (2) the guide will configure automated certificate renewal in part 10

NOTE: Some VPS providers have apache2 enabled which locks down port 80. You will need to disable apache2 if you get a failure to bind to port 80 error when establishing your standalone certificate

Disable apache2 (if enabled, see note)

sudo systemctl disable apache2
sudo systemctl stop apache2

Execute the certbot command to obtain an SSL certificate for your FQDN

sudo certbot certonly --preferred-chain "ISRG Root X1" --key-type rsa -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN
Example Output

zenops@node01$ sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN

Saving debug log to.../var/log/letsencrypt/letsencrypt.log

Registering without email!

Obtaining a new certificate

Performing the following challenges:
http-01 challenge for
Waiting for verification...
Cleaning up challenges

....-...Congratulations! Your certificate and chain have been saved at:
.........Your key file has been saved at:
.........Your cert will expire on 2018-09-05. To obtain a new or tweaked
.........version of this certificate in the future, simply run certbot
.........again. To non-interactively renew *all* of your certificates, run
........."certbot renew"
....-...If you like Certbot, please consider supporting our work by:

Donating to ISRG /............Let's Encrypt:..............
Donating to EFF:..........................................................

3Modify group ownership and permissions on the /etc/letsencrypt directory to allow the non-root user for zend access to the certificate and private key (access is granted via the sudo group, which the non-root user has been added to)

Modify ownership

sudo chown -R root:sudo /etc/letsencrypt/

Modify permissions

sudo chmod -R 750 /etc/letsencrypt/
4Split the chain.pem file into individual intermediate certificates.

Copy and paste this entire block of text

sudo csplit -s -z -f /usr/local/share/ca-certificates/intermediate-cert- /etc/letsencrypt/live/$FQDN/chain.pem '/-----BEGIN CERTIFICATE-----/' '{*}' --suffix-format='%02d.crt' 

Update the certificate store with the root CA copied in the previous step

sudo update-ca-certificates --fresh
Example Output

zenops@node01:~$ sudo update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...
Updating certificates in /etc/ssl/certs...
139 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...


Add the certificate and key locations to zen.conf

NOTE: only run these commands once


echo "tlscertpath=/etc/letsencrypt/live/$FQDN/cert.pem" >> ~/.zen/zen.conf

Private key

echo "tlskeypath=/etc/letsencrypt/live/$FQDN/privkey.pem" >> ~/.zen/zen.conf
7Now stop and start zend to pick up the new configuration, certificate and private key
zen-cli stop && sleep 30 && zend && sleep 30

Check that the certificate is installed and configured correctly

  • Run the command shown and verify true is returned in this row - "tls_cert_verified": true

If the row displays false, verify the steps above have been completed successfully and refer to the troubleshooting guide

zen-cli getnetworkinfo

Example Output

zenops@node01:~$ zen-cli getnetworkinfo
"version": 2001751,
"subversion": "/zen:2.0.17-1/",
"protocolversion": 170002,
"localservices": "0000000000000001",
"timeoffset": 0,
"connections": 8,
"tls_cert_verified": true,

Part 6 of 11 - Procure and Configure Certificate

© 2020 Horizen. All rights reserved.