acme.sh - Migration to certbot
Ensure you are logged in as the non-root user being used to run zend and the node tracker
Install certbot
Stop zend and zentracker
Create standalone certificate
Add root CA certificate to certificate store
Update zen.conf cert locations
Add non-root user into groups
Start zend and check cert status
Start zentracker and check cert status
Cleanup files from acme.sh
Configure certificate renewal
Description | Command | |
|---|---|---|
| 1 | Follow the PM2 / Monit - Migration to systemd guide first |
|
| 2 | Add the repository for certbot
NOTE: Skip this step for Debian 9 | Ubuntu only sudo add-apt-repository ppa:certbot/certbot -y |
| 3 | Add the stretch-backports repository, update the package cache and install certbot directly from stretch-backports
NOTE: Skip this step for Ubuntu | Debian 9 only echo "deb http://ftp.debian.org/debian stretch-backports main" | sudo tee -a /etc/apt/sources.list.d/stretch-backport.list
sudo apt-get update
sudo apt-get -t stretch-backports install certbot -y |
| 4 | Update the package cache | sudo apt-get update |
| 5 | Install certbot | sudo apt-get install certbot -y |
| 6 | Stop zend and zentracker | sudo systemctl stop zend zentracker |
| 7 | Set an environment variable to match the Fully-Qualified Domain Name of the node - you will need to type this command and change 'FQDN' (the value between the quotes ' ') to the value used in the domain registration for your node | DO NOT USE CAPITAL LETTERS IN PLACE OF 'FQDN' REPLACE ONLY WITH LOWER CASE! FQDN='FQDN'use only lower case letters like the example |
| 8 | Add the FQDN variable to the .bashrc file, for the user you created, this will ensure it is persistent | echo "export FQDN=$FQDN" >> $HOME/.bashrc |
| 9 | Verify your environmental variables are set correctly from step 7 and 8 above before continuing, if not you need to go back and re-do those steps before continuing
Echo needs to output your FQDN
The last line of .bashrc needs to read: export FQDN=<your FQDN here> | echo $FQDN
sed -e 1b -e '$!d' $HOME/.bashrc
|
| 10 | Install a certificate (required for end-to-end TLS encryption for the Secure/Super Node network) certbot will be used to generate and validate your certificate NOTE: Some VPS providers have apache2 enabled which locks down port 80. You will need to disable apache2 if you get a failure to bind to port 80 error when establishing your standalone certificate | Disable apache2 (if enabled, see note) sudo systemctl disable apache2
sudo systemctl stop apache2sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN |
| 11 | Copy the root CA as required for your distribution - this example is proven for Debian and Ubuntu
NOTE: If you type this command, be sure to rename the certificate with a '.crt' extension, this is required for the next command to identify the certificate and add it to the certificate store. It is recommended to copy and paste, unless instructed otherwise where things may need replacing | For Debian / Ubuntu sudo cp /etc/letsencrypt/live/$FQDN/chain.pem /usr/local/share/ca-certificates/chain.crt |
| 12 | Update the certificate store with the root CA copied in the previous step
| For Debian / Ubuntu sudo update-ca-certificates
|
| 13 | Replace the old certificate and key locations in zen.conf and add "rpcworkqueue=512" | sed -i "s|$HOME/.acme.sh/$FQDN/$FQDN.cer|/etc/letsencrypt/live/$FQDN/cert.pem|g" ~/.zen/zen.conf
sed -i "s|$HOME/.acme.sh/$FQDN/$FQDN.key|/etc/letsencrypt/live/$FQDN/privkey.pem|g" ~/.zen/zen.conf
echo "rpcworkqueue=512" >> ~/.zen/zen.conf |
| 14 | Add the non-root user to the 'adm' and 'systemd-journal' groups | sudo adduser $USER adm
sudo adduser $USER systemd-journal |
| 15 | Modify group ownership and permissions on the /etc/letsencrypt directory to allow the non-root user for zend access to the certificate and private key (access is granted via the ssl-cert group, which the non-root user has been added to) | Modify ownership sudo chown -R root:sudo /etc/letsencrypt/
Modify permissions sudo chmod -R 750 /etc/letsencrypt/ |
| 16 | Apply ownership to the non-root user of all files in home and start zend | sudo chown -R $USER:$USER ~/ && sudo systemctl start zend && sleep 30 |
| 17 | Check if zend has verified the TLS certificate | zen-cli getnetworkinfo | grep tls_cert_verified
|
| 18 | Start the zentracker and follow the logs from the tracker to check that "Cert check" is true, exit with CTRL+c | sudo systemctl start zentracker
sudo journalctl -fu zentracker |
| 19 | Remove existing crontab jobs for sudo and normal user | sudo crontab -r
crontab -r |
| 20 | Remove .acme.sh and acme.sh directories and remove acme.sh.env from .bashrc | sudo rm -r ~/{.acme.sh,acme.sh}
sed -i "s|.\ \"$HOME/.acme.sh/acme.sh.env\"||g" ~/.bashrc |
| 21 | Remove socat and old repositories | sudo apt-get remove socat -y
sudo apt-get -y autoremove |
| 22 | Configure Certificate Renewal | |
| 23 | Follow Part 9 - Configure Certificate Renewal and finish the guide to completion in Part 11 |
|