Add Https to an NIS Node on Debian

The NEM team would like to thank Patrick (Telegram: @spizzerb) for writing this tutorial.

Introduction

This tutorial was created and tested with Debian 8. The setup on other Linux distributions should be similar. We will go through the steps needed to run an NIS node over https.

Text editor

We are going to use Vim as our text editor. You can also use GNU nano if you are more familiar with it.

For a basic Vim tutorial visit: https://www.linux.com/learn/vim-101-beginners-guide-vim

You can also use nano or any other text editor.

Prepare a domain

Before we start with the setup, buy or register a domain and create an A record that points to the IP address of your node.

An A record maps a domain name to the IP address of the computer hosting the domain. Simply put, an A record is used to find the IP address of a computer connected to the internet from a name.

Once done, connect to the node and continue with the setup.

Firewall & Ports

To enable https, we need port 7891 (NIS) in addition to 7890 and port 7779 (WebSocket) in addition to 7778. Set up your firewall/router to allow incoming connections on ports 7891 and 7779!

Install & set up dehydrated for Let's Encrypt SSL certs

Add the jessie-backports repository ("deb http://ftp.debian.org/debian jessie-backports main") to the APT sources.

cd /etc/apt/sources.list.d

Create the file "backports.list"

vim backports.list

Add the following line to the file and save with Esc + :wq

deb http://ftp.debian.org/debian jessie-backports main
:wq

Now that the source is added, we continue with the installation.

apt-get update
apt-get install dehydrated
cd /etc/dehydrated
vim domains.txt

Add your domain from the first step to the text file and save with Esc + :wq

your.domain.com
:wq

Edit the config and save with Esc + :wq

cd conf.d
vim config.sh

Add the following lines to the config.sh file:
(the e-mail address can be on a different domain than the SSL cert)

BASEDIR=/var/lib/dehydrated
WELLKNOWN="${BASEDIR}/acme-challenges"
DOMAINS_TXT="/etc/dehydrated/domains.txt"
CONTACT_EMAIL="youremail@domain.com"

Save & quit

:wq

After the config is done, we create a hook script for dehydrated.

cd ..
vim hook.sh

Add the following lines to the file hook.sh and save with Esc + :wq

#!/bin/bash
# dehydrated hook for the dns-01 challenge: prints the TXT record that has to
# be published and waits for a key press before dehydrated asks Let's Encrypt
# to validate it.

function deploy_challenge {
    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"

    echo "Please add the following record to the DNS zone:"
    echo "_acme-challenge.$DOMAIN IN TXT \"$TOKEN_VALUE\""
    echo "Press enter when installed!"
    read
}

function clean_challenge {
    # Called after validation; the TXT record may be removed again.
    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
}

function deploy_cert {
    # Called once a new certificate has been written to /var/lib/dehydrated/certs/<domain>/.
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" CHAINFILE="${4}"
}

# dehydrated calls this script with the hook name as the first argument.
# Only dispatch to the handlers defined above; ignore any other hook names.
HANDLER="$1"; shift
case "$HANDLER" in
    deploy_challenge|clean_challenge|deploy_cert) "$HANDLER" "$@" ;;
esac
:wq

Make hook.sh executable

chmod +x hook.sh

Create an SSL certificate with dehydrated

Once everything is set up, create a certificate by executing the following line (replace nis.example.com with the domain you entered in domains.txt):

/usr/bin/dehydrated --cron --challenge dns-01 --domain nis.example.com --hook /etc/dehydrated/hook.sh

The output should look like:

(screenshot: create certificate)

Now go back to your domain and create a DNS TXT record with the shown string.

(screenshot: create dns txt record)

Once done, press enter. If everything worked, the output should look similar to:
(if you receive an error it is most likely a problem with the TXT record)

(screenshot: output)

Now that we have the SSL cert, we continue with the setup of stunnel.

Install & set up stunnel

cd
apt-get install stunnel4 -y

Create the file stunnel.conf

vim /etc/stunnel/stunnel.conf

Add the following lines to stunnel.conf and save with Esc + :wq

[nis]
accept = 7891
connect = 127.0.0.1:7890
cert = /var/lib/dehydrated/certs/your.domain.com/fullchain.pem
key = /var/lib/dehydrated/certs/your.domain.com/privkey.pem

[websocket]
accept = 7779
connect = 127.0.0.1:7778
cert = /var/lib/dehydrated/certs/your.domain.com/fullchain.pem
key = /var/lib/dehydrated/certs/your.domain.com/privkey.pem
:wq

Set ENABLED to "1" in /etc/default/stunnel4 and save with Esc + :wq

vim /etc/default/stunnel4

ENABLED=1

:wq
reboot

To test if everything works, go to a browser and access https://your.domain.com:7891/node/extended-info and https://your.domain.com:7779/.
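The same check can be scripted so it can run from cron or a monitoring host. The script below is an added example and not part of the tutorial: it connects to the stunnel NIS port with full chain and hostname verification, fetches /node/extended-info, and reports how many days the certificate has left (the warning threshold of 30 days is an assumption).

```python
#!/usr/bin/env python3
"""Check that an NIS node answers over https (stunnel, port 7891) with a
certificate that a normal client accepts, and report days until expiry."""
import json
import ssl
import sys
import time
from http.client import HTTPSConnection

NIS_HTTPS_PORT = 7891    # stunnel [nis] accept port from the tutorial
RENEW_WARN_DAYS = 30     # assumed threshold: warn well before the 3-month lifetime ends


def days_until_expiry(not_after, now=None):
    """not_after is the 'notAfter' string from ssl.getpeercert(), e.g.
    'Jan  1 00:00:00 2025 GMT'. Returns whole days left (negative if expired)."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expiry - now) // 86400)


def classify(days_left, warn_days=RENEW_WARN_DAYS):
    """Map remaining days to a status the cron renewal should keep at OK."""
    if days_left < 0:
        return "EXPIRED"
    if days_left < warn_days:
        return "RENEW-SOON"
    return "OK"


def check_node(host, port=NIS_HTTPS_PORT, timeout=10):
    """Verify the chain and hostname like a browser would, then fetch
    /node/extended-info. Returns (status, days_left, parsed JSON body)."""
    ctx = ssl.create_default_context()        # system CA store, hostname check on
    conn = HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.connect()                        # TLS handshake happens here
        peer = conn.sock.getpeercert()        # grab cert before the socket may close
        conn.request("GET", "/node/extended-info")
        resp = conn.getresponse()
        body = json.loads(resp.read().decode("utf-8"))
    finally:
        conn.close()
    days = days_until_expiry(peer["notAfter"])
    return classify(days), days, body


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "your.domain.com"
    status, days, info = check_node(host)
    print(f"{host}:{NIS_HTTPS_PORT} certificate {status}, {days} days left, "
          f"extended-info keys: {sorted(info)}")
```

A handshake failure here means clients will reject the node too; check the cert and key paths in stunnel.conf first.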

Automatic renewal

Let's Encrypt certificates are valid for three months, so we set up a cron job to renew the certificate automatically.

crontab -e

Add the following lines to the file:

0 2 * * 6 /usr/bin/dehydrated --cron
2 2 * * 6 /etc/init.d/stunnel4 reload

Quit & save the config.

Note that the hook.sh above waits for a key press after printing the TXT record, so an unattended cron run can only finish if deploy_challenge publishes the record itself; check the dehydrated output after the first scheduled run to make sure the renewal really went through.

© NEM.io Foundation Ltd (Singapore) 2014 - 2018 | All Rights Reserved | NEM ™