Gr33nDrag0n
Lisker
Posts: 123
Joined: Sat Mar 26, 2016 8:22 pm
Location: Quebec, Canada

HowTo: Free SSL Certificate Creation and Configuration (UPDATED 2016-12-07)

Sat Apr 02, 2016 8:24 am

Hi Liskers,

Here is my first HowTo. I hope it will help you.

This procedure worked for me using Ubuntu 14.04 and CentOS 7.2. The only difference is Ubuntu = apt-get and CentOS = yum.

IMPORTANT:

This HowTo assumes you have already installed the lisk client and it is running fine on http://<YOUR-IP>:7000/ (TestNet) or http://<YOUR-IP>:8000/ (MainNet)

I STRONGLY recommend you enable SSL on your node to encrypt HTTP communication. (Web Client and API Calls)
Without encryption the passphrase sent to your node could possibly be retrieved by an attacker.

Running an exposed web service as root is dangerous.

This HowTo will guide you if your Lisk Client is RUN AS USER.

If your Lisk Client is RUN AS ROOT, the HowTo is different since you won't need all the permissions and port redirection stuff.

Sadly, I couldn't make the 'RUN AS USER' HowTo easier than it currently is and you will need Linux firewall modifications to achieve a secure result.
Also, full automation for install and renew is not achievable in a secure way (for now), so I propose a fast and easy way, but renewal will need to be done manually.

#---------------------------------------------------------------------------------------------------------------------------------------------------------------
# Part 1 - Domain Name

If you don't already own a domain name, you must register one. It's MANDATORY.

Depending on what domain name extension you choose (and is available) the price can go from 1$ to 50$+ per year.

Suggested Registrar:

https://www.namecheap.com/domains/registration.aspx

NameCheap offers WhoIs Guard for free and DNS DDoS Protection for about 6$, accepts BTC and supports 2FA on your account.

#---------------------------------------------------------------------------------------------------------------------------------------------------------------
# Part 2 - DNS Configuration

Now, you need to create a subdomain that will point to the IP of your host.

If your domain is myowndomain.com and your chosen sub-domain is lisk.myowndomain.com
Your A Record will be 'lisk'.

If you used NameCheap, once you bought the domain go to:

1) [Top Right] Account => Domain List
2) Click the MANAGE button next to your domain.
3) Click on the Advanced DNS button.
4) In the Host Records section, click the 'add new record' button and select 'A Record'.

In the Host section enter: lisk
In the IP section, enter the IP of your server.

5) Click the green checkbox at the right of the line to save record.

Notes:

If you plan to send e-mail from your server (monitoring, etc.), see the Lisk Academy guide for instructions about SPF records to prevent your IP from being flagged as a spam source.

Depending on the DNS you use, it can take some time before the domain resolves to the server IP, so be patient.
Or learn to use dig (Linux) or nslookup (Windows).

If you want more info, you can check:
https://www.namecheap.com/support/knowledgebase/article.aspx/319/78/how-can-i-setup-an-a-address-record-for-my-domain

After this part, the <YOUR-DOMAIN> tag will represent lisk.myowndomain.com

Test with your browser that you are now able to load the web client by going to:

# TestNet
http://<YOUR-DOMAIN>:7000/

# MainNet
http://<YOUR-DOMAIN>:8000/

#---------------------------------------------------------------------------------------------------------------------------------------------------------------
# Part 3 - Install letsencrypt and Generate Certificate

* In this HowTo I use the default iptables firewall package for simplicity; you may have to do those parts with ufw, csf, etc. depending on your firewall setup.

Good to know before you start:
- letsencrypt has to run on the server where you will use the certificate.
- letsencrypt needs port 443 opened in the firewall without redirection. When generating a certificate the software needs to send/receive its communication on port 443 as root for security reasons.
- When the Lisk Client is RUN AS USER it needs to run on a port > 1024 for security reasons. Because of that, the task of installing or renewing the certificate must be done manually.

# Open the port 443 in the firewall.

sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT


# Note to people who work with iptables for the first time: see Iptables Tips at the end of this HowTo.

Normally an SSL certificate costs at least 10$-20$ depending on the authority you use. (GeoTrust is good and cheap) Instead, we will use a FREE certificate from a project of the Linux Foundation called letsencrypt.com. Their certificates are valid for 2 months only (instead of 1 year) but the generation of a new free certificate is easy enough without impacting the functionality of the node. In part 6, I cover the renewal process.

sudo -i
apt-get install git
cd /opt
git clone https://github.com/certbot/certbot.git
/opt/certbot/certbot-auto certonly --standalone -d <YOUR-DOMAIN> --email <YOUR-EMAIL> --agree-tos
chmod 755 /etc/letsencrypt/archive/
chmod 755 /etc/letsencrypt/live/
exit


#---------------------------------------------------------------------------------------------------------------------------------------------------------------
# Part 4 - Configure Secure Sockets Layer (SSL) in Lisk Client

Since a prerequisite to run the lisk client as a user is that the port must be > 1024 and the SSL port is 443, firewall tweaking must be done. The idea is to open 443 in the firewall and redirect its traffic to a port over 1024 (2443) so internally the lisk client will run on a port > 1024.

# Close Port 443

sudo iptables -D INPUT -p tcp -m tcp --dport 443 -j ACCEPT


# Open 2443 and Redirect 443 to 2443

Note: In the next example, use your own network interface name instead of "eth0". To verify the name of your interface, use:

ifconfig


sudo iptables -A INPUT -p tcp -m tcp --dport 2443 -j ACCEPT
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 2443


# Modify config.json:

nano config.json
#--------------------------------------------------------------------------------------------------------------------
"ssl": {
  "enabled": true,
  "options": {
    "port": 2443,
    "address": "0.0.0.0",
    "key": "/etc/letsencrypt/live/<YOUR-DOMAIN>/privkey.pem",
    "cert": "/etc/letsencrypt/live/<YOUR-DOMAIN>/fullchain.pem"
  }
}
#--------------------------------------------------------------------------------------------------------------------

# Restart Client

bash lisk.sh reload


# Check opened port

netstat -plunt


# Test with browser
https://<YOUR-DOMAIN>/

#--------------------------------------------------------------------------------------------------------------------
# Part 5 - Renewing certificate manually.

Certificates are good for 3 months and need manual renewal.

Note: In the next example, for the PREROUTING commands, use your own network interface name instead of "eth0". To verify the name of your interface, use:

ifconfig


# Close Port 2443 and Remove Port Redirect 443 to 2443

sudo iptables -D INPUT -p tcp -m tcp --dport 2443 -j ACCEPT
sudo iptables -D PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 2443


# Open Port 443

sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT


# Renew Certificate

sudo /opt/certbot/certbot-auto renew --agree-tos


# Close Port 443

sudo iptables -D INPUT -p tcp -m tcp --dport 443 -j ACCEPT


# Open 2443 and Redirect 443 to 2443

sudo iptables -A INPUT -p tcp -m tcp --dport 2443 -j ACCEPT
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 2443


# Go to your lisk directory and restart Lisk Client to load new certificate

sudo bash lisk.sh reload


#--------------------------------------------------------------------------------------------------------------------
# Firewall and Ports Configuration (Addendum 2016-12-03)

Important note: UFW and CSF are iptables wrappers that manage iptables rules for you. When using this software, you should always manage the iptables configuration through it.

Testing your configuration right

1. Verify lisk is running and listening on 2443.

sudo netstat -plunt

2. Verify pre-routing redirection is applied by iptables.

sudo iptables -t nat -L -n -v


Useful commands

- View your adaptor name:

sudo ifconfig

- View iptables current rules:

sudo iptables -L -n -v

- View iptables current port redirection:

sudo iptables -t nat -L -n -v

- View current listening ports:

sudo netstat -plunt


Iptables only (iptables-persistent)

Firewall rules are not persistent across reboot/reload. Many ways of handling that exist. You can use software like csf or ufw, or use this simple way.
To use this in an effective way, think of this software as backing up your config and restoring it on boot.
It's not automatic: after you have correctly modified your iptables rule tables, you have to save them so they can be restored after reboot.
If you ever update your firewall and want to preserve the changes, you must save your iptables rules for them to be persistent.

sudo apt-get install iptables-persistent


Save config

sudo service iptables-persistent save
OR
sudo invoke-rc.d iptables-persistent save


punkrock reported the previous commands not working on Ubuntu 16. (iptables-persistent: unrecognized service) He had to use:

sudo service netfilter-persistent save


Edit the template. Take note that the 'sudo iptables ' part of the earlier commands must be removed.

nano /etc/iptables/rules.v4


Reload saved config

sudo iptables-restore -t /etc/iptables/rules.v4   # -t only tests that the file parses; nothing is applied
sudo iptables-restore /etc/iptables/rules.v4      # actually loads the saved rules



UFW Examples (Uncomplicated Firewall)

* Note: If you whitelist your management IP you don't need to open port 22. Use this with CAUTION because an error here would force you back to the console.

- WhiteList Management IP in UFW:

ufw allow from "XXX.XXX.XXX.XXX/32"


- BlackList Management IP in UFW:

ufw deny from "XXX.XXX.XXX.XXX/32"


- Open Port in UFW:

ufw allow 8000/tcp
ufw allow 443/tcp


- Close Port in UFW:

ufw deny 8000/tcp
ufw deny 443/tcp


- Enable UFW:

sudo ufw enable

- Disable UFW:

sudo ufw disable

- Show current UFW config.:

sudo ufw status


- Add Port redirection in UFW:

Replace ##NETWORK_ADAPTOR## with your adaptor name. Use ifconfig to confirm adaptor name.

- Edit:

sudo nano /etc/ufw/before.rules

- Go to the end and you should see:

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

- Modify it so it look like:

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i ##NETWORK_ADAPTOR## -p tcp --dport 443 -j REDIRECT --to-port 2443

COMMIT



CSF Examples

* Note: If you whitelist your management IP you don't need to open port 22. Use this with CAUTION because an error here would force you back to the console.
* CSF is powerful but not for beginners. If you use CSF, read the documentation and disable testing mode (the default).
* When you modify configuration files, reload CSF afterwards to apply them.

- Reload CSF:

sudo csf -x && sudo csf -e

- Enable CSF:

sudo csf -e

- Disable CSF:

sudo csf -x


- WhiteList Management IP in CSF:

Edit:

sudo nano /etc/csf/csf.ignore

AND/OR
Edit:

sudo nano /etc/csf/csf.allow


- Open, Close, Modify Port in CSF:

Edit:

sudo nano /etc/csf/csf.conf


- Add Port redirection in CSF:

Create/Edit:

sudo nano /etc/csf/csfpost.sh


Replace ##NETWORK_ADAPTOR## with your adaptor name. Use ifconfig to confirm adaptor name.

#!/bin/bash
iptables -A PREROUTING -t nat -i ##NETWORK_ADAPTOR## -p tcp --dport 443 -j REDIRECT --to-port 2443


#--------------------------------------------------------------------------------------------------------------------
# Final Note:

Thanks to @cc001, @tharude, @slasheks and @punkrock for their feedback concerning issues and peer review.

If you like that HowTo vote for my Delegate and if you have spare votes, please consider those who helped me.
Last edited by Gr33nDrag0n on Thu Dec 08, 2016 2:00 am, edited 37 times in total.
Gr33nDrag0n | 194109334904015388L | Delegate | lisknode.io
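The Part 5 renewal above is eight commands typed by hand, and the step that matters most for safety is the last firewall swap: if certbot fails or you get interrupted after step 2, the host is left with 443 open directly and no redirect to 2443. The script below is an added example, not part of the original post or of the Lisk project; it wraps the same iptables and certbot commands from Part 5 in one file and hooks the "serving" rule set to an EXIT trap so it is restored whether certbot succeeds or not. Assumptions, not from the post: the interface name comes from $IFACE, certbot-auto lives at $CERTBOT, the node runs as the unprivileged user $LISK_USER from $LISK_DIR, and DRY_RUN=1 prints every command instead of executing it.

```shell
#!/bin/bash
# Added example (not from the original post): Part 5 renewal as one script.
# The firewall "serving" state is restored from an EXIT trap, so a certbot
# failure or a Ctrl-C cannot leave 443 open without the 443 -> 2443 redirect.
#
# Assumed values (labelled, not from the post); override them in the environment.
set -eu

IFACE="${IFACE:-eth0}"                       # network adapter, see ifconfig
CERTBOT="${CERTBOT:-/opt/certbot/certbot-auto}"
LISK_USER="${LISK_USER:-lisk}"               # unprivileged user the node runs as
LISK_DIR="${LISK_DIR:-/home/lisk/lisk}"      # directory containing lisk.sh
DRY_RUN="${DRY_RUN:-0}"                      # 1 = print commands, do not execute

# Execute a command, or print it verbatim when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Rule deletion is tolerant: a rule that is already gone is not an error,
# otherwise 'set -e' would abort the script half-way through a swap.
run_del() { run "$@" || true; }

# Firewall state while certbot listens directly on 443 (Part 5, first two steps).
firewall_for_renewal() {
  run_del iptables -D INPUT -p tcp -m tcp --dport 2443 -j ACCEPT
  run_del iptables -D PREROUTING -t nat -i "$IFACE" -p tcp --dport 443 -j REDIRECT --to-port 2443
  run iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
}

# Normal serving state: 443 not accepted directly, 2443 open, 443 redirected to 2443.
firewall_for_serving() {
  run_del iptables -D INPUT -p tcp -m tcp --dport 443 -j ACCEPT
  run iptables -A INPUT -p tcp -m tcp --dport 2443 -j ACCEPT
  run iptables -A PREROUTING -t nat -i "$IFACE" -p tcp --dport 443 -j REDIRECT --to-port 2443
}

renew_certificate() {
  firewall_for_renewal
  # From here on, whatever happens (certbot error, signal), put the serving
  # rules back before the shell exits.
  trap firewall_for_serving EXIT
  run "$CERTBOT" renew --agree-tos
  trap - EXIT
  firewall_for_serving
  # Reload the node as its own user, not as root (the HowTo targets RUN AS USER).
  run su - "$LISK_USER" -c "cd '$LISK_DIR' && bash lisk.sh reload"
}

# Only act when explicitly asked, e.g.:  sudo DRY_RUN=1 ./renew-lisk-cert.sh renew
if [ "${1:-}" = "renew" ]; then
  renew_certificate
fi
```

Run it as root (iptables and certbot both need that) with `DRY_RUN=1 ... renew` first to see the exact command sequence for your interface, then without DRY_RUN. Because the deletes are tolerant and the serving rules are re-added by the trap, the worst case after a failed certbot run is a duplicate ACCEPT/REDIRECT rule, which `sudo iptables -t nat -L -n -v` from the addendum will show and which is harmless; the dangerous case (443 open, no redirect) cannot persist.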

cc001
Lisker
Posts: 102
Joined: Sat Mar 12, 2016 12:48 pm

Re: HowTo: Free SSL Certificate Creation and Configuration

Sat Apr 02, 2016 9:06 am

Nice tutorial, thanks!
My Delegate Node
My Websites:
My Scripts:
My Tutorials:
  • Secure basic setup of a delegate server
  • how to set up 'lisk-rake' (outdated)

Freemind
Lisker
Posts: 49
Joined: Wed Mar 23, 2016 9:28 am

Re: HowTo: Free SSL Certificate Creation and Configuration

Sat Apr 02, 2016 10:40 am

Good guide Gr33nDrag0n, it is very useful. Thank you!

max
CEO
Posts: 303
Joined: Wed Jan 20, 2016 7:59 pm
Location: Berlin
Contact: Website Twitter

Re: HowTo: Free SSL Certificate Creation and Configuration

Sat Apr 02, 2016 11:31 am

Gr33nDrag0n,

Can we add it to the Lisk Academy?

Thank you! :)
Please take a look at the Community Fund. It's an important project!

Grumlin
Lisker
Posts: 122
Joined: Sat Mar 26, 2016 7:15 pm

Re: HowTo: Free SSL Certificate Creation and Configuration

Sat Apr 02, 2016 12:01 pm

So, if I don't have a domain, how can I do it with my public IP?

techbytes
Lisker
Posts: 31
Joined: Thu Mar 24, 2016 11:49 pm
Contact: Website

Re: HowTo: Free SSL Certificate Creation and Configuration

Sat Apr 02, 2016 12:23 pm

I'm trying this on one of my nodes but getting this error:

fatal 2016-04-02 08:18:02 Domain master { message: 'EACCES, permission denied \'/etc/letsencrypt/live/lisk.lisknode.info/privkey.pem\'',

Any ideas why? My domain is on Godaddy.


-tb-
"May the Forge Be With You"

Gr33nDrag0n
Lisker
Posts: 123
Joined: Sat Mar 26, 2016 8:22 pm
Location: Quebec, Canada

Re: HowTo: Free SSL Certificate Creation and Configuration

Sat Apr 02, 2016 3:18 pm

max wrote:Gr33nDrag0n,

Can we add it to the Lisk Academy?

Thank you! :)


Sure!

Can you leave a reference to the author and the original thread I created? I will update the thread with answers to questions asked by other Liskers and maybe add a HowTo to renew your certificate automatically using a cronjob.

By the way, I'm very impressed with the smoothness of installation and configuration of your software.
Gr33nDrag0n | 194109334904015388L | Delegate | lisknode.io

Gr33nDrag0n
Lisker
Posts: 123
Joined: Sat Mar 26, 2016 8:22 pm
Location: Quebec, Canada

Re: HowTo: Free SSL Certificate Creation and Configuration

Sat Apr 02, 2016 3:21 pm

Grumlin wrote:So, if I don't have a domain, how can I do it with my public IP?


As far as I know, you can't.
SSL certificates are bound to a domain.
GoDaddy or places like that sell domains for as low as 10$ per year.
I recommend you buy one and then create a sub-domain for each of your projects.
That way you will also be able to use the domain instead of the IP to configure your SSH, SFTP, mail, etc.
I just checked and grumlin.com is available for 15$ per year:
https://ca.godaddy.com/domains/searchre ... ck=grumlin
Gr33nDrag0n | 194109334904015388L | Delegate | lisknode.io

Gr33nDrag0n
Lisker
Posts: 123
Joined: Sat Mar 26, 2016 8:22 pm
Location: Quebec, Canada

Re: HowTo: Free SSL Certificate Creation and Configuration

Sat Apr 02, 2016 3:23 pm

techbytes wrote:I'm trying this on one of my nodes but getting this error:

fatal 2016-04-02 08:18:02 Domain master { message: 'EACCES, permission denied \'/etc/letsencrypt/live/lisk.lisknode.info/privkey.pem\'',

Any ideas why? My domain is on Godaddy.
-tb-


I can try to help you. Where exactly do you have the problem: when creating the certificate, or when launching the lisk client after modifying the configuration?
Gr33nDrag0n | 194109334904015388L | Delegate | lisknode.io

redsn0w
Global Moderator
Posts: 201
Joined: Sat Apr 02, 2016 8:41 am
Contact: Website

Re: HowTo: Free SSL Certificate Creation and Configuration

Sat Apr 02, 2016 3:40 pm

Where can I buy a cheap domain with bitcoin ?
