
Telos: https configuration

mark-cohen edited this page Nov 25, 2018 · 11 revisions

Intent

The intent of this document is to detail how to configure your Telos "node" (henceforth referred to as an "instance") to provide secure communications using CA-signed certificates and SSL/TLS, and thereby help secure the Telos network. It is intended for a technical audience, such as system administrators; a certain level of experience and a fundamental understanding of the concepts described here is expected.

Resources:

Assumptions

  • Ubuntu 16.04 LTS or Ubuntu 18.04 LTS.
  • Pre-existing fully functional Telos instance.
  • The nodeos binary is in your PATH (/usr/local/bin/nodeos).
  • nodeos is being run as the user "ubuntu".

Notes

  • Best practice is to terminate TLS on a reverse proxy (such as haproxy) and not expose nodeos instances directly to the public internet. The steps below instead configure TLS in nodeos's own http_plugin, which is simpler to set up but leaves nodeos itself reachable from the network, so firewall the https port to the clients that need it.
  • https uses TCP port 443 by default. Moving the service to a non-default port (9999 is used here as an example) cuts down on noise from automated scanners, but obscurity is not security and the port change is not a security control on its own.
  • Commands to run and their expected output are shown on their own lines below.

1: Get an SSL certificate

We can use the Let's Encrypt certbot client to obtain a free SSL certificate for your domain directly from the command line:

Install certbot:

Note: these commands need root privileges (prefix them with sudo if you are not root). The ppa:certbot/certbot PPA was the recommended install route on Ubuntu 16.04/18.04 when this page was written; it has since been discontinued, so on a current Ubuntu release install certbot from the distribution package or the snap instead:

add-apt-repository ppa:certbot/certbot

apt-get update

apt-get install certbot -y

Get the certificate:

Note: for certbot to obtain the certificate, the domain's DNS record must resolve to this host and TCP port 80 must be reachable from the internet. With --standalone, certbot starts its own temporary web server on port 80 to answer the HTTP-01 challenge, so nothing else may be listening on that port while it runs. You can close port 80 again once the certificate has been issued, but it must be reachable again at each renewal: Let's Encrypt certificates are valid for 90 days.

sudo certbot certonly --standalone --preferred-challenges http -d bp.blockproducer.com

If successful, you should see the following:

 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/bp.blockproducer.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/bp.blockproducer.com/privkey.pem

Copy the certificate chain and private key to your config directory. The files under /etc/letsencrypt/live are symlinks into /etc/letsencrypt/archive, and both directories are readable by root only, so nodeos running as "ubuntu" cannot use them in place (cp follows the symlinks and copies the current files). Be aware that certbot's automatic renewal only refreshes /etc/letsencrypt/live; the copies made here do not update themselves and must be refreshed after every renewal:

sudo mkdir -p /telosdata/certs

sudo cp /etc/letsencrypt/live/bp.blockproducer.com/fullchain.pem /telosdata/certs

sudo cp /etc/letsencrypt/live/bp.blockproducer.com/privkey.pem /telosdata/certs

Change the ownership of the directory to the "ubuntu" user that runs nodeos, and afterwards confirm that privkey.pem is readable only by that user (mode 600). The certificate chain is public and may stay world-readable:

sudo chown -R ubuntu:ubuntu /telosdata/certs

2: Add the SSL parameters to config.ini:

Add the following lines to your instance's config.ini file, customizing the values to reflect your environment (replace EXTERNAL_IP with your public-facing IP, DNS_HOSTNAME with your instance's hostname, and 9999 with your https port). If http-server-address is also configured, leave it bound to loopback (the default is 127.0.0.1:8888) so that the unencrypted API is not exposed alongside the https one:

# Listen for https on all interfaces on port 9999. Bind to one interface's address instead of 0.0.0.0 if the host has several and only one should serve the API.
https-server-address = 0.0.0.0:9999

# http_plugin only accepts requests whose Host header matches the configured server address or one of these aliases and rejects the rest, so every public-facing IP/hostname:port that clients will use must be listed here.
http-alias = EXTERNAL_IP:9999
http-alias = DNS_HOSTNAME:9999

# Filename with the certificate chain to present on https connections. PEM format. Required for https. (eosio::http_plugin)
https-certificate-chain-file = /telosdata/certs/fullchain.pem

# Filename with https private key in PEM format. Required for https (eosio::http_plugin)
https-private-key-file = /telosdata/certs/privkey.pem

3: Restart nodeos:

nodeos shuts down cleanly on SIGTERM, which is the signal pkill sends by default:

pkill nodeos

Wait until the old process has exited (check with pgrep nodeos) before starting it again, ideally from a start script. The "$@" in the command below passes through any extra arguments given to such a script and can be dropped when typing the command by hand:

nodeos --data-dir /telosdata/data --config-dir /telosdata/data "$@" > /telosdata/data/stdout.txt 2> /telosdata/data/stderr.txt &
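Step 1 copied the certificate and key out of /etc/letsencrypt and step 3 restarted nodeos, but certbot's automatic renewal (the systemd timer or cron job it installs) only refreshes /etc/letsencrypt/live. Nothing updates /telosdata/certs, so the node would keep serving the old certificate until it expires. The certbot deploy hook below is an added example, not code from this wiki or from the Telos/EOSIO projects: it repeats the copy with the key locked down to mode 600, written atomically so a connection never reads a half-written file, and then restarts nodeos with the start command above. It assumes the wiki's layout (/telosdata/certs, /telosdata/data, the ubuntu user) and the certbot convention that scripts in /etc/letsencrypt/renewal-hooks/deploy/ are run as root after a successful renewal with RENEWED_LINEAGE set to the renewed certificate's live directory.

```shell
#!/bin/sh
# Added example: certbot deploy hook for a nodeos https instance.
# Install as /etc/letsencrypt/renewal-hooks/deploy/telos-nodeos.sh and chmod +x.
# certbot runs it as root after each successful renewal with RENEWED_LINEAGE set to
# the renewed certificate's live directory, e.g. /etc/letsencrypt/live/bp.blockproducer.com.
# The paths and user below mirror the wiki (assumptions); override via the environment if yours differ.

CERT_DIR="${CERT_DIR:-/telosdata/certs}"
DATA_DIR="${DATA_DIR:-/telosdata/data}"
NODEOS_USER="${NODEOS_USER:-ubuntu}"

# Copy fullchain.pem and privkey.pem from live directory $1 into $2.
# Refuses to touch $2 unless both files exist and look like PEM, writes each file
# under a temporary name and renames it into place (rename is atomic, so nodeos can
# never see a partial file), and leaves the key readable by its owner only.
install_certs() {
    src="$1"
    dst="$2"
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$src/$f" ] || ! grep -q -- '-----BEGIN' "$src/$f"; then
            echo "install_certs: $src/$f missing or not PEM" >&2
            return 1
        fi
    done
    mkdir -p "$dst"
    cp "$src/fullchain.pem" "$dst/fullchain.pem.tmp"
    cp "$src/privkey.pem" "$dst/privkey.pem.tmp"
    chmod 644 "$dst/fullchain.pem.tmp"   # the chain is public
    chmod 600 "$dst/privkey.pem.tmp"     # the key is not
    mv "$dst/fullchain.pem.tmp" "$dst/fullchain.pem"
    mv "$dst/privkey.pem.tmp" "$dst/privkey.pem"
    # certbot runs hooks as root: hand the files to the user that runs nodeos.
    # When run unprivileged by hand, the files already belong to the caller.
    if [ "$(id -u)" -eq 0 ] && id "$NODEOS_USER" >/dev/null 2>&1; then
        chown -R "$NODEOS_USER:$NODEOS_USER" "$dst"
    fi
    return 0
}

# Octal mode of the installed private key, so the install can be checked afterwards.
key_mode() {
    stat -c '%a' "$1/privkey.pem"
}

# Restart nodeos the way step 3 of the wiki does. A restart is the safe way to make
# sure the new certificate is served without depending on whether this nodeos
# version re-reads the PEM files for new connections. pkill sends SIGTERM, which
# nodeos treats as a clean shutdown; wait for it to exit so state is flushed.
restart_nodeos() {
    pgrep -x nodeos >/dev/null || return 0      # nothing running, nothing to restart
    pkill -x nodeos
    i=0
    while pgrep -x nodeos >/dev/null && [ "$i" -lt 120 ]; do
        sleep 1
        i=$((i + 1))
    done
    # Same start command as the wiki, run as the nodeos user rather than as root.
    su -s /bin/sh "$NODEOS_USER" -c \
        "nohup nodeos --data-dir $DATA_DIR --config-dir $DATA_DIR </dev/null > $DATA_DIR/stdout.txt 2> $DATA_DIR/stderr.txt &"
}

# Entry point used by certbot; does nothing when the script is sourced or run without RENEWED_LINEAGE.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_certs "$RENEWED_LINEAGE" "$CERT_DIR" && restart_nodeos
fi
```

Test the hook before relying on it with `sudo certbot renew --dry-run`, which runs deploy hooks against the staging environment, and afterwards confirm the dates on the certificate the node actually serves. An unscheduled restart of a producing node can cost it blocks, which is one more reason the Notes above prefer terminating TLS on a proxy that can reload certificates without touching nodeos.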

4: Verify nodeos is running without issue; look for the https entries:

tail -f /telosdata/data/stderr.txt

... http_plugin.cpp:530	 plugin_startup  ] start listening for https requests

5: Verify you can query the node directly via https. Use the DNS hostname the certificate was issued for; a query to https://EXTERNAL_IP:9999 will fail certificate validation because the certificate does not cover the bare IP:

Using teclos:

teclos -u https://bp.blockproducer.com:9999 get info

Using a web browser:

https://bp.blockproducer.com:9999/v1/chain/get_info
