
The NEM team would like to thank Patrick (Telegram: @spizzerb) for writing this tutorial.

Introduction

This tutorial was created and tested with Debian 8. Setup on other Linux distributions should be similar. We will go through the steps to create an https node.

Text editor

We are going to use Vim as our text editor. You can also use GNU nano if you are more familiar with it.

For a basic Vim tutorial visit: https://www.linux.com/learn/vim-101-beginners-guide-vim

You can also use nano or any other text-editor.

Prepare a domain

Before we start with the setup, buy/create a domain and create an A-Record which points to the IP of your node.

An A record maps a domain name to the IP address of the computer hosting the domain. Simply put, an A record is used to find the IP address of a computer connected to the internet from a name.

Once done, connect to the node and continue with the setup.

Firewall & Ports

To enable https, we need port 7891 (NIS) in addition to 7890, and port 7779 (WebSocket) in addition to 7778. Set up your firewall/router to allow incoming connections on ports 7891 and 7779!

Install & setup dehydrated for letsencrypt SSL certs

Add "http://ftp.debian.org/debian jessie-backports main" to the sources.

cd /etc/apt/sources.list.d  

Create the file "backports.list"

vim backports.list  

Add the following line to the file and save with Esc + :wq

deb http://ftp.debian.org/debian jessie-backports main  
:wq

Now that the source is added, we continue with the installation.

apt-get update  
apt-get install dehydrated  
cd /etc/dehydrated  
vim domains.txt  

Add your domain from the first step to domains.txt and save with Esc + :wq

your.domain.com  
:wq

Edit the config and save with Esc + :wq

cd conf.d  
vim config.sh  

Add the following lines to the config.sh file:
(The e-mail address can be from a different domain than the SSL cert)

BASEDIR=/var/lib/dehydrated  
WELLKNOWN="${BASEDIR}/acme-challenges"  
DOMAINS_TXT="/etc/dehydrated/domains.txt"  
CONTACT_EMAIL="your-address@example.com"  

Save & quit

:wq

After the config is done, we create a hook for dehydrated.

cd ..  
vim hook.sh  

Add the following lines to the file hook.sh and save it with Esc + :wq

#!/bin/bash

# Called by dehydrated for every domain: print the TXT record that has to be
# created and wait until the user confirms it is in place.
function deploy_challenge {
    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"

    echo "Please add the following record to the DNS zone:"
    echo "_acme-challenge.$DOMAIN IN TXT \"$TOKEN_VALUE\""
    echo "Press enter when installed!"
    read
}

# Called after validation; the TXT record can be removed by hand.
function clean_challenge {
    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
}

# Called once a new certificate has been written; dehydrated passes the
# private key, cert, full chain and chain paths in this order.
function deploy_cert {
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
}

# Run the handler function dehydrated asks for with the remaining arguments.
HANDLER="$1"; shift; "$HANDLER" "$@"
:wq

Make hook.sh executable

chmod +x hook.sh  

Create an SSL certificate with dehydrated

Once everything is set up, you can create a certificate by executing the following line:

/usr/bin/dehydrated --cron --challenge dns-01 --domain nis.example.com --hook /etc/dehydrated/hook.sh

The output should look like:
[Screenshot: create certificate]

Now go back to your domain and create a DNS TXT record with the shown string.

[Screenshot: create DNS TXT record]

Once done, press enter. If everything worked, the output should look similar to the following (if you receive an error, it is most likely a problem with the TXT record):

[Screenshot: output]

Now that we have the SSL cert, we continue with the setup of stunnel.

Install & setup stunnel

cd  
apt-get install stunnel4 -y  

Create the file stunnel.conf

vim /etc/stunnel/stunnel.conf  

Add the following lines to stunnel.conf and save with Esc + :wq

[nis]
accept = 7891  
connect = 127.0.0.1:7890  
cert = /var/lib/dehydrated/certs/your.domain.com/fullchain.pem  
key = /var/lib/dehydrated/certs/your.domain.com/privkey.pem

[websocket]
accept = 7779  
connect = 127.0.0.1:7778  
cert = /var/lib/dehydrated/certs/your.domain.com/fullchain.pem  
key = /var/lib/dehydrated/certs/your.domain.com/privkey.pem  
:wq

Set ENABLED to "1" in the stunnel4 defaults file and save with Esc + :wq

vim /etc/default/stunnel4  

ENABLED=1  

:wq
reboot  

To test if everything works, go to a browser and access https://your.domain.com:7891/node/extended-info and https://your.domain.com:7779/.

Automatic renewal

Let's Encrypt certificates are valid for three months, so we set up a cron job to renew the certificate automatically.

crontab -e  

Add the following lines to the file

0 2 * * 6 /usr/bin/dehydrated --cron  
2 2 * * 6 /etc/init.d/stunnel4 reload  

Quit & save the config.
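As an added example that is not part of the tutorial or the NEM project's code, the following hook.sh serves both the hook section above and the renewal job: it waits until the _acme-challenge TXT record is actually visible in DNS before letting validation proceed (the usual cause of the error mentioned above), refuses to deploy a private key that other users can read, and reloads stunnel itself when a new certificate lands. The handler names and argument order are dehydrated's; `dig`, the `STUNNEL_RELOAD` variable and the helper function names are my own assumptions.

```shell
#!/bin/bash
# Added example, not the tutorial's own hook.sh: a dehydrated dns-01 hook that
# waits until the _acme-challenge TXT record is visible in DNS before letting
# validation proceed, and reloads stunnel on deploy. Assumes dig is installed.

# Print the TXT values currently published for NAME, one per line.
dns_txt() { dig +short TXT "$1" | tr -d '"'; }
# wait_for_txt NAME TOKEN [LOOKUP] [TRIES] [DELAY]: 0 as soon as "LOOKUP NAME"
# prints a line equal to TOKEN, 1 after TRIES failed attempts. LOOKUP defaults
# to dns_txt and is a parameter so a test can substitute a fake resolver.
wait_for_txt() {
    local name="$1" token="$2" lookup="${3:-dns_txt}" tries="${4:-30}" delay="${5:-10}" i=0
    while [ "$i" -lt "$tries" ]; do
        "$lookup" "$name" | grep -qxF -- "$token" && return 0
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

# key_is_private FILE: succeed only if FILE exists and is not readable by group
# or others, so a renewal never starts serving from an exposed private key.
key_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -g+r -o -perm -o+r \) -print)" ]
}

deploy_challenge() {
    local domain="$1" token_value="$3"
    echo "Add this record to the DNS zone of $domain, then press enter:"
    echo "_acme-challenge.$domain IN TXT \"$token_value\""
    read -r _
    # Let's Encrypt is asked to validate right after this returns, so poll first.
    wait_for_txt "_acme-challenge.$domain" "$token_value" ||
        { echo "TXT record still not visible, aborting" >&2; return 1; }
}
clean_challenge() { :; }

deploy_cert() {
    local keyfile="$2"
    key_is_private "$keyfile" ||
        { echo "refusing to deploy: $keyfile is group/world readable" >&2; return 1; }
    # stunnel loads cert and key at start; reload so the renewed cert is served.
    ${STUNNEL_RELOAD:-service stunnel4 reload}
}

# Dispatch the handler named in $1; handlers not defined here are ignored.
if [ $# -gt 0 ]; then
    handler="$1"; shift
    if type "$handler" >/dev/null 2>&1; then "$handler" "$@"; fi
fi
```

Because deploy_challenge still waits for a keypress, this hook cannot run from the unattended cron job above; for that, deploy_challenge would have to create the TXT record through the DNS provider's API instead. Note also that a bare `dehydrated --cron` only uses dns-01 and the hook if CHALLENGETYPE="dns-01" and HOOK are set in config.sh, as they were passed on the command line in the manual run.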
