The NEM team would like to thank Patrick (Telegram: @spizzerb) for writing this tutorial.


This tutorial was created and tested with Debian 8. Setup on other Linux distributions should be similar. We will go through the steps to create an HTTPS node.


We are going to use Vim as our text editor. You can also use GNU nano if you are more familiar with it.

For a basic Vim tutorial visit:

You can also use nano or any other text editor.

Prepare a domain

Before we start with the setup, buy/create a domain and create an A-Record which points to the IP of your node.

An A record maps a domain name to the IP address of the computer hosting the domain. Simply put, an A record is used to find the IP address of a computer connected to the internet from a name.

Once done, connect to the node and continue with the setup.

Firewall & Ports

To enable HTTPS, we need port 7891 (NIS) in addition to 7890, and port 7779 (WebSocket) in addition to 7778. Set up your firewall/router to allow incoming connections on ports 7891 and 7779!

Install & set up dehydrated for Let's Encrypt SSL certs

Add " jessie-backports main" to the sources.

cd /etc/apt/sources.list.d

Create the file "backports.list"

vim backports.list

Add the following line to the file and save with Esc + :wq

deb jessie-backports main

Now that the source is added, we continue with the installation.

apt-get update
apt-get install dehydrated
cd /etc/dehydrated
vim domains.txt

Add your domain from the first step to the txt-file and save with Esc + :wq

Edit the config and save with Esc + :wq

cd conf.d

Add the following lines to the file:
(The e-mail address can be from a different domain than the SSL cert)


Save & quit


After the config is done, we create a hook for dehydrated

cd ..

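Add the following lines to the file and save it with Esc + :wq

#!/usr/bin/env bash

# Called by dehydrated before validation: show the TXT record to create and wait.
function deploy_challenge {
    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"

    echo "Please add the following record to the DNS zone:"
    echo "_acme-challenge.$DOMAIN IN TXT \"$TOKEN_VALUE\""
    echo "Press enter when installed!"
    read -r
}

# Called after validation: nothing to do, the TXT record can be removed by hand.
function clean_challenge {
    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
}

# Called once the certificate has been issued: nothing to do here.
function deploy_cert {
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" CHAINFILE="${4}"
}

# Dispatch to the handler named by dehydrated; ignore handlers not defined above.
HANDLER="$1"; shift
if declare -F "$HANDLER" >/dev/null; then "$HANDLER" "$@"; fi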

Make executable

chmod +x

Create an SSL certificate with dehydrated

Once everything is set up, you can create a certificate by executing the following line:

/usr/bin/dehydrated --cron --challenge dns-01 --domain --hook /etc/dehydrated/

The output should look like:
[Screenshot: create certificate]
Now go back to your domain and create a DNS TXT record with the shown string.
[Screenshot: create DNS TXT record]
Once done, press enter. If everything worked, the output should look similar to:
(If you receive an error, it is most likely a problem with the TXT record.)
Now that we have the SSL cert we continue with the setup of stunnel.

Install & set up stunnel

apt-get install stunnel4 -y

Create the file stunnel.conf

vim /etc/stunnel/stunnel.conf

Add the following lines to stunnel.conf and save with Esc + :wq

accept = 7891
connect =
cert = /var/lib/dehydrated/certs/
key = /var/lib/dehydrated/certs/

accept = 7779
connect =
cert = /var/lib/dehydrated/certs/
key = /var/lib/dehydrated/certs/

Set stunnel ENABLED to "1" and save with Esc + :wq

vim /etc/default/stunnel4



To test if everything works, go to a browser and access and

Automatic renewal

Let's Encrypt certificates are valid for three months, so we set up a cron job to renew the certificate automatically.

crontab -e

Add the following lines to the file

0 2 * * 6 /usr/bin/dehydrated --cron
2 2 * * 6 /etc/init.d/stunnel4 reload

Quit & save the config.
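
An added example, not part of the original tutorial: a check to run after the weekly cron job that confirms the deployed certificate is not close to expiry, matches its private key, and that the key is not accessible to other users. The file names fullchain.pem and privkey.pem in the certificate directory, the domain node.example.test and the 21-day default threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify the certificate dehydrated deployed.
# Assumption: CERTDIR holds dehydrated's fullchain.pem and privkey.pem.

# cert_valid_for CERT DAYS: 0 if CERT exists and is still valid DAYS days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# cert_matches_key CERT KEY: 0 if the public key in CERT belongs to KEY.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# key_is_private KEY: 0 if group and others have no permission bits on KEY.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in *00|0) return 0 ;; *) return 1 ;; esac
}

# check_cert_dir CERTDIR [MIN_DAYS]: print findings, return the number of failed checks.
check_cert_dir() {
    cert="$1/fullchain.pem"; key="$1/privkey.pem"; min_days=${2:-21}; failed=0
    if ! cert_valid_for "$cert" "$min_days"; then
        echo "FAIL: $cert is missing, unreadable or expires within $min_days days"
        failed=$((failed + 1))
    fi
    if ! cert_matches_key "$cert" "$key"; then
        echo "FAIL: $key is missing or does not match $cert"
        failed=$((failed + 1))
    fi
    if ! key_is_private "$key"; then
        echo "FAIL: $key is accessible to group or others"
        failed=$((failed + 1))
    fi
    [ "$failed" -eq 0 ] && echo "OK: $cert valid for more than $min_days days, key matches"
    return "$failed"
}

# Run only when called with arguments, e.g. from cron after "dehydrated --cron":
#   check-cert.sh /var/lib/dehydrated/certs/node.example.test 21
if [ "$#" -gt 0 ]; then
    check_cert_dir "$@"
fi
```

A non-zero exit status is the number of failed checks, so the script can be chained in cron or wired into whatever alerting the node already uses.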