Telos: https configuration
The intent of this document is to detail how to configure your Telos "node" (henceforth referred to as an "instance") to provide secure communications using signed certificates and SSL/TLS, and thereby help secure the Telos network. This is intended for a technical audience, such as system administrators: a certain level of experience and a fundamental understanding of the concepts described herein are expected.
- EOSIO http_plugin reference: https://developers.eos.io/eosio-nodeos/docs/http_plugin
- Ubuntu 16.04 LTS or Ubuntu 18.04 LTS.
- Pre-existing fully functional Telos instance.
- The nodeos binary is in your PATH (/usr/local/bin/nodeos).
- nodeos is being run as the user "ubuntu".
- Best practices dictate offloading SSL to a proxy (such as haproxy) and not publicly exposing nodeos instances.
- https uses TCP port 443 by default. While obscurity is not security, best practices dictate moving services away from their default ports. We're using port 9999 here as an example.
- All commands to be executed and/or command line output look
1: Get an SSL certificate
We can use the Let's Encrypt certbot to generate a free SSL certificate for your domain, directly from the command line:
Note: this may require sudo privileges:
apt-get install certbot -y
Get the certificate:
Note: in order for certbot to fetch the certificate, DNS must resolve to your host and port 80 must be open on the firewall (you can close port 80 once the cert has been installed):
sudo certbot certonly --standalone --preferred-challenges http -d bp.blockproducer.com
If successful, you should see the following:
- Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/bp.blockproducer.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/bp.blockproducer.com/privkey.pem
Copy the certs to your config directory:
sudo mkdir -p /telosdata/certs
sudo cp /etc/letsencrypt/live/bp.blockproducer.com/fullchain.pem /telosdata/certs
sudo cp /etc/letsencrypt/live/bp.blockproducer.com/privkey.pem /telosdata/certs
Change the ownership of the directory to the "ubuntu" user:
sudo chown -R ubuntu:ubuntu /telosdata/certs
2: Add the SSL parameters to config.ini:
Add the following lines to your instance's config.ini file, customizing the values to reflect your environment (replace EXTERNAL_IP with your public facing IP, DNS_HOSTNAME with your instance's hostname, and 9999 with your https port):
https-server-address = 0.0.0.0:9999
# the http-alias value can be specified to provide alternative hosts (ie: DNS hostnames). Ensure your public facing IPs/URLs are listed as aliases.
http-alias = EXTERNAL_IP:9999
http-alias = DNS_HOSTNAME:9999
# Filename with the certificate chain to present on https connections. PEM format. Required for https. (eosio::http_plugin)
https-certificate-chain-file = /telosdata/certs/fullchain.pem
# Filename with https private key in PEM format. Required for https (eosio::http_plugin)
https-private-key-file = /telosdata/certs/privkey.pem
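Before restarting nodeos in the next step, a quick pre-flight check of these settings catches the usual mistakes: a missing key, a private key readable by other users, or a key that does not belong to the certificate chain. The script below is an added example, not part of the original guide or of nodeos; it assumes only a POSIX shell plus coreutils, and uses openssl for the key/certificate match only when it is installed.

```shell
#!/usr/bin/env bash
# Pre-flight check for the https settings from step 2 (added example, not part
# of the guide). Reads config.ini, confirms the three https keys are set, that
# both PEM files are readable, that the private key is owner-only, and, when
# openssl is available, that the key actually matches the certificate chain.

# cfg_get <config.ini> <key> : print the first value set for <key>
cfg_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_https_config <config.ini> : exit status 0 only if every check passes
check_https_config() {
  cfg="$1"; rc=0
  addr=$(cfg_get "$cfg" https-server-address)
  chain=$(cfg_get "$cfg" https-certificate-chain-file)
  key=$(cfg_get "$cfg" https-private-key-file)
  [ -n "$addr" ]  || { echo "FAIL https-server-address not set"; rc=1; }
  [ -n "$chain" ] || { echo "FAIL https-certificate-chain-file not set"; rc=1; }
  [ -n "$key" ]   || { echo "FAIL https-private-key-file not set"; rc=1; }
  [ "$rc" -eq 0 ] || return 1
  # the guide deliberately moves https off the default port 443
  case "$addr" in *:443) echo "WARN https-server-address uses default port 443";; esac
  [ -r "$chain" ] || { echo "FAIL cannot read $chain"; rc=1; }
  [ -r "$key" ]   || { echo "FAIL cannot read $key"; rc=1; }
  [ "$rc" -eq 0 ] || return 1
  # the private key must be readable only by the user running nodeos ("ubuntu")
  mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
  case "$mode" in
    *00) ;;   # 600 / 400: owner only, no group or world bits
    *) echo "FAIL $key has mode $mode; expected 600"; rc=1;;
  esac
  # the chain's public key must equal the private key's public half (RSA or EC)
  if command -v openssl >/dev/null 2>&1; then
    cert_pub=$(openssl x509 -in "$chain" -pubkey -noout 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
      || { echo "FAIL $key does not match $chain"; rc=1; }
  fi
  [ "$rc" -eq 0 ] && echo "OK https configuration looks sane"
  return "$rc"
}
```

Run it as `check_https_config /telosdata/data/config.ini` as the "ubuntu" user, since readability is evaluated for whoever runs the check.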
3: Stop, then restart nodeos:
nodeos can be gracefully stopped with:
Start nodeos (ideally via a start script):
nodeos --data-dir /telosdata/data --config-dir /telosdata/data "$@" > /telosdata/data/stdout.txt 2> /telosdata/data/stderr.txt &
4: Verify nodeos is running without issue; look for the https entries:
tail -f /telosdata/data/stderr.txt
... http_plugin.cpp:530 plugin_startup ] start listening for https requests
5: Verify you can query the node directly via https:
teclos -u https://bp.blockproducer.com:9999 get info
Using a web browser: