acme.sh - Migration to certbot

Ensure you are logged in as the non-root user being used to run zend and the node tracker

  • PM2 / Monit - Migration to systemd
  • Install certbot
  • Stop zend and zentracker
  • Create standalone certificate
  • Add root CA certificate to certificate store
  • Update zen.conf cert locations
  • Add non-root user into groups
  • Start zend and check cert status
  • Start zentracker and check cert status
  • Cleanup files from acme.sh
  • Configure certificate renewal


Step 1: Follow the PM2 / Monit - Migration to systemd guide first


Step 2: Add the repository for certbot (Ubuntu only; skip this step for Debian 9)

sudo add-apt-repository ppa:certbot/certbot -y
Step 3: Add the stretch-backports repository, update the package cache and install certbot directly from stretch-backports (Debian 9 only; skip this step for Ubuntu)

echo "deb http://ftp.debian.org/debian stretch-backports main" | sudo tee -a /etc/apt/sources.list.d/stretch-backport.list
sudo apt-get update
sudo apt-get -t stretch-backports install certbot -y
Step 4: Update the package cache

sudo apt-get update

Step 5: Install certbot

sudo apt-get install certbot -y

Step 6: Stop zend and zentracker

sudo systemctl stop zend zentracker
Step 7: Set an environment variable to match the Fully-Qualified Domain Name of the node. You will need to type this command and replace 'FQDN' (the value between the quotes ' ') with the value used in the domain registration for your node.

DO NOT USE CAPITAL LETTERS IN PLACE OF 'FQDN'; REPLACE IT ONLY WITH LOWER CASE LETTERS, as in the example.

FQDN='FQDN'

Example Output

zenops@node01:~$ FQDN='node01.zentest.win'

Step 8: Add the FQDN variable to the .bashrc file for the user you created; this ensures it is persistent

echo "export FQDN=$FQDN" >> $HOME/.bashrc
Step 9: Verify that the environment variables from steps 7 and 8 above are set correctly before continuing; if they are not, go back and re-do those steps

echo needs to output your FQDN, and the last line of .bashrc needs to read: export FQDN=<your FQDN here>

echo $FQDN

Example Output

zenops@node01:~$ echo $FQDN
node01.zentest.win

sed -e 1b -e '$!d' $HOME/.bashrc

Example Output

zenops@node01:~$ sed -e 1b -e '$!d' $HOME/.bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.
export FQDN=node01.zentest.win

Step 10: Install a certificate (required for end-to-end TLS encryption for the Secure/Super Node network); certbot will be used to generate and validate your certificate

    • You can safely pass the --register-unsafely-without-email flag because (1) a new certificate can be requested at any time and (2) the guide will configure automated certificate renewal in step 22

NOTE: Some VPS providers have apache2 enabled, which occupies port 80. You will need to disable apache2 if you get a "failure to bind to port 80" error when establishing your standalone certificate

Disable apache2 (if enabled, see note)

sudo systemctl disable apache2
sudo systemctl stop apache2

Create the standalone certificate

sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN

Example Output

zenops@node01$ sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Registering without email!
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for node01.zentest.win
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/node01.zentest.win/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/node01.zentest.win/privkey.pem
   Your cert will expire on 2018-09-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Step 11: Copy the root CA as required for your distribution; this example is proven for Debian and Ubuntu

NOTE: If you type this command, be sure to give the copied certificate a '.crt' extension; the next command requires it in order to identify the certificate and add it to the certificate store. It is recommended to copy and paste, unless instructed otherwise where things need replacing

For Debian / Ubuntu

sudo cp /etc/letsencrypt/live/$FQDN/chain.pem /usr/local/share/ca-certificates/chain.crt
Step 12: Update the certificate store with the root CA copied in the previous step

For Debian / Ubuntu

sudo update-ca-certificates

Example Output

zenops@node01:~$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
WARNING: Skipping duplicate certificate ca.pem
WARNING: Skipping duplicate certificate ca.pem
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

Step 13: Replace the old certificate and key locations in zen.conf and add "rpcworkqueue=512"

sed -i "s|$HOME/.acme.sh/$FQDN/$FQDN.cer|/etc/letsencrypt/live/$FQDN/cert.pem|g" ~/.zen/zen.conf
sed -i "s|$HOME/.acme.sh/$FQDN/$FQDN.key|/etc/letsencrypt/live/$FQDN/privkey.pem|g" ~/.zen/zen.conf
echo "rpcworkqueue=512" >> ~/.zen/zen.conf
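As an added example (not part of this guide), the following POSIX shell functions validate the FQDN from step 7 and perform the zen.conf rewrite from step 13 on a constructed sample file, then check that no acme.sh path remains; the tlscertpath and tlskeypath key names in the sample are assumed, since the guide never shows them, and the rewrite only matches the path values exactly as the guide's sed commands do.

```shell
#!/bin/sh
# Added example, not part of the Horizen guide: validate the FQDN (step 7)
# and carry out the zen.conf rewrite (step 13) on an arbitrary file, then
# verify the result. The tlscertpath/tlskeypath key names used in the
# constructed sample are an assumption.

# Return 0 only for a lower-case, dotted name with no whitespace.
validate_fqdn() {
    case "$1" in
        ''|*[[:upper:]]*|*[[:space:]]*|*..*|.*|*.) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a constructed sample zen.conf as acme.sh left it: $1 = home dir, $2 = FQDN.
make_sample_conf() {
    dir=$(mktemp -d)
    printf 'tlscertpath=%s/.acme.sh/%s/%s.cer\ntlskeypath=%s/.acme.sh/%s/%s.key\n' \
        "$1" "$2" "$2" "$1" "$2" "$2" > "$dir/zen.conf"
    echo "$dir/zen.conf"
}

# Rewrite $1 (a zen.conf) in place: $2 = home dir, $3 = FQDN.
migrate_zen_conf() {
    conf=$1; home=$2; fqdn=$3
    validate_fqdn "$fqdn" || return 1
    sed -i "s|$home/.acme.sh/$fqdn/$fqdn.cer|/etc/letsencrypt/live/$fqdn/cert.pem|g" "$conf"
    sed -i "s|$home/.acme.sh/$fqdn/$fqdn.key|/etc/letsencrypt/live/$fqdn/privkey.pem|g" "$conf"
    # Append rpcworkqueue only once; a plain >> would duplicate it on a re-run.
    grep -q '^rpcworkqueue=' "$conf" || echo "rpcworkqueue=512" >> "$conf"
}

# Return 0 only if no acme.sh path remains and both certbot paths are present.
check_zen_conf() {
    conf=$1; fqdn=$2
    ! grep -q '\.acme\.sh' "$conf" &&
        grep -q "=/etc/letsencrypt/live/$fqdn/cert.pem" "$conf" &&
        grep -q "=/etc/letsencrypt/live/$fqdn/privkey.pem" "$conf"
}

# Stand-alone demo on the constructed sample; prints the rewritten file.
demo() {
    conf=$(make_sample_conf /home/zenops node01.zentest.win)
    migrate_zen_conf "$conf" /home/zenops node01.zentest.win &&
        check_zen_conf "$conf" node01.zentest.win && cat "$conf"
}
```

Call demo to run the rewrite against the constructed sample; point migrate_zen_conf at ~/.zen/zen.conf with your own $HOME and $FQDN to apply it for real.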
Step 14: Add the non-root user to the 'adm' and 'systemd-journal' groups

sudo adduser $USER adm
sudo adduser $USER systemd-journal
Step 15: Modify group ownership and permissions on the /etc/letsencrypt directory to allow the non-root user for zend access to the certificate and private key (access is granted via the ssl-cert group, which the non-root user has been added to)

Modify ownership

sudo chown -R root:sudo /etc/letsencrypt/

Modify permissions

sudo chmod -R 750 /etc/letsencrypt/
Step 16: Apply ownership to the non-root user of all files in home and start zend

sudo chown -R $USER:$USER ~/ && sudo systemctl start zend && sleep 30
Step 17: Check if zend has verified the TLS certificate

zen-cli getnetworkinfo | grep tls_cert_verified

Example Output

zenops@node01:~$ zen-cli getnetworkinfo | grep tls_cert_verified
"tls_cert_verified": true,

Step 18: Start the zentracker and follow the logs from the tracker to check that "Cert check" is true, then exit with CTRL+c

sudo systemctl start zentracker
sudo journalctl -fu zentracker

Example Output

zenops@node01~$ sudo journalctl -fu zentracker
-- Logs begin at Tue 2018-05-22 12:54:41 EDT. --
May 24 21:34:28 node01 node[42000]: 2018-05-25 01:34:28 GMT -- Connected to server ts1.na. Initializing...
May 24 21:34:28 node01 node[42000]: XXXXX Node t_address (not for stake)=znXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
May 24 21:34:28 node01 node[42000]: Balance for challenge transactions is 0.0247
May 24 21:34:28 node01 node[42000]: Using the following address for challenges
May 24 21:34:28 node01 node[42000]: zcXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Authenticated
May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Updated server list
May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Stats: send initial stats.
May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Stats received by ts1.na
May 24 21:34:29 node01 node[42000]: 2018-05-25 01:34:29 GMT -- Cert check: valid=true. Hostname node01.zentest.win matches CN node01.zentest.win

Step 19: Remove existing crontab jobs for sudo and the normal user

sudo crontab -r
crontab -r

Step 20: Remove the .acme.sh and acme.sh directories and remove acme.sh.env from .bashrc

sudo rm -r ~/{.acme.sh,acme.sh}
sed -i "s|.\ \"$HOME/.acme.sh/acme.sh.env\"||g" ~/.bashrc

Step 21: Remove socat and old repositories

sudo apt-get remove socat -y
sudo apt-get -y autoremove

Configure Certificate Renewal

Step 22: Follow Part 9 - Configure Certificate Renewal and finish the guide to completion in Part 11



© 2020 Horizen. All rights reserved.