How to make rpc from http to https #715

Closed
kugimiya530 opened this issue Jan 14, 2022 · 28 comments

Labels: question (Further information is requested)

Comments

kugimiya530 commented Jan 14, 2022

Hi, I just built a full node,

and until now it has been running well.

It works with MetaMask (Chrome extension),

but if I use mobile MetaMask it requires "https".

So the problem is how to make my RPC go from http to https.

I have been stuck for at least one day :(

I am using "nginx".

This is my nginx.conf:

server {
    listen 666;
    server_name localhost;

    location ^~ /w {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:9999/;
    }

    location ^~ /h {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:6666/;
        access_log /etc/nginx/log/Maiko.access.log maiko;
    }
}

[screenshot attached]

@kugimiya530 kugimiya530 changed the title How to make my rpc from http to https How to make rpc from http to https Jan 15, 2022
Zaczero commented Jan 15, 2022

I can see that you already have the HTTPS setup for the https://maiko.*/ domain (the screenshot you attached is poorly censored). So all you really have to do is copy the existing SSL configuration to your :666 port. SSL-related directives begin with ssl_, e.g. ssl_certificate and ssl_certificate_key.

You will also need to edit your listen 666; directive to listen 666 ssl; (only if you don't use ssl on;). Having completed the setup, http:// will no longer function in place of https://. You will have to update your existing RPC client configuration on all devices.

kugimiya530 (Author):

> I can see that you already have the HTTPS setup for the https://maiko.*/ domain (the screenshot you attached is poorly censored). So all you really have to do is copy the existing SSL configuration to your :666 port. SSL-related directives begin with ssl_, e.g. ssl_certificate and ssl_certificate_key.
>
> You will also need to edit your listen 666; directive to listen 666 ssl; (only if you don't use ssl on;). Having completed the setup, http:// will no longer function in place of https://. You will have to update your existing RPC client configuration on all devices.

Oh.... I forgot to update.
I did try everything I could try.

This is the updated config,

and now nothing works.

Neither the http nor the https RPC works; it just shows an error when I connect to my RPC.

Do I also need to modify my geth config.toml?

server {
    listen 666 ssl;
    server_name localhost;

    location ^~ /w {
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:9999/;
    }

    location ^~ /h {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:6666/;
        access_log /etc/nginx/log/Maiko.access.log maiko;
    }
}

Zaczero commented Jan 15, 2022

> Do I also need to modify my geth config.toml?

No.

Put your ssl_ configuration outside the location block. A common way is to put it on the line just below the listen directive.

[screenshot attached]

Afterward, restart/reload nginx to apply the configuration.

kugimiya530 commented Jan 15, 2022

> > Do I also need to modify my geth config.toml?
>
> No.
>
> Put your ssl_ configuration outside the location block. A common way is to put it on the line just below the listen directive.
>
> [screenshot attached]
>
> Afterward, restart/reload nginx to apply the configuration.

I am really glad there is someone who can solve my problem; I should buy you a coffee!

But there are some problems.

My config is now as below, and after the nginx reload the result is:

Yes, http > https succeeded,

but mobile MetaMask still has a problem; now it says the chain ID didn't match, while the Chrome extension is ok.
Oh.. also TokenPocket can't be used either, only the extension works... don't know why.

And the wss or ws RPC doesn't work now.

server {
    listen 666 ssl;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    server_name localhost;

    location ^~ /w {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:9999/;
    }

    location ^~ /h {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:6666/;
        access_log /etc/nginx/log/Maiko.access.log maiko;
    }
}

[screenshot attached]

Zaczero commented Jan 15, 2022

@kugimiya530

$ openssl s_client -connect <censored>:666

CONNECTED(00000003)
depth=0 CN = <censored>
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = <censored>
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = <censored>
   i:C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA
---

Okay, so it looks like you also need to use the ssl_trusted_certificate PATH directive to attach the full SSL chain to your responses. Some examples of how it looks:

[screenshot attached]

[screenshot attached]

The file you are looking for is probably in the same folder as your nginx.crt and nginx.key files.

kugimiya530 (Author):

Hi, I do have ca_bundle.crt in the ssl folder,
but after adding this directive my result seems unchanged.

Zaczero commented Jan 15, 2022

@kugimiya530

Show your configuration.
Also, did you reload/restart nginx?

I still have not detected the ca_bundle from the openssl check.

kugimiya530 commented Jan 15, 2022

> @kugimiya530
>
> Show your configuration. Also, did you reload/restart nginx?
>
> I still have not detected the ca_bundle from the openssl check.

Yes, I did reload. The SSL service I use is "ZeroSSL"; any possible chance the problem comes from there?

server {
    listen 666 ssl;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_trusted_certificate /etc/nginx/ssl/ca_bundle.crt;
    #ssl_session_timeout 5m;
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv3 SSLv2;
    #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    #ssl_prefer_server_ciphers on;

    server_name localhost;

    location ^~ /w {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:9999/;
    }

    location ^~ /h {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:6666/;
        access_log /etc/nginx/log/Maiko.access.log maiko;
    }
}

[screenshot attached]

Zaczero commented Jan 15, 2022

@kugimiya530

One more idea, change server_name localhost; to server_name your.domain;.

kugimiya530 (Author):

> @kugimiya530
>
> One more idea, change server_name localhost; to server_name your.domain;.

Same T__T

Zaczero commented Jan 15, 2022

@kugimiya530

Do you have any other configuration files containing server_name your.domain;? Make sure that any other places where you use the ssl_certificate /etc/nginx/ssl/nginx.crt; also include the ssl_trusted_certificate directive. Any warnings inside the /var/log/nginx/error.log file?

kugimiya530 commented Jan 15, 2022

> @kugimiya530
>
> Do you have any other configuration files containing server_name your.domain;? Make sure that any other places where you use the ssl_certificate /etc/nginx/ssl/nginx.crt; also include the ssl_trusted_certificate directive. Any warnings inside the /var/log/nginx/error.log file?

The other conf files don't include ssl directives, and the other conf files are for other users, listening on other ports.
And
error.log
shows something like "*19 open socket #6 left in connection 5"
and "index.html is not found",
something like that. I think that's not a problem...?

[screenshot attached]
I should choose NGINX, right? Let me download again.

Zaczero commented Jan 15, 2022

@kugimiya530

Try this (probably won't work if the bundle contains only CA certs):

ssl_certificate /etc/nginx/ssl/ca_bundle.crt; # use bundle here
ssl_certificate_key /etc/nginx/ssl/nginx.key;
# without ssl_trusted_certificate

Yup, try downloading the NGINX format.

kugimiya530 (Author):

> @kugimiya530
>
> Try this (probably won't work if the bundle contains only CA certs):
>
> ssl_certificate /etc/nginx/ssl/ca_bundle.crt; # use bundle here
> ssl_certificate_key /etc/nginx/ssl/nginx.key;
> # without ssl_trusted_certificate
>
> Yup, try downloading the NGINX format.

I redownloaded and
tried to use bundle.crt in ssl_certificate;
it shows this error:
[screenshot attached]

Zaczero commented Jan 15, 2022

@kugimiya530

I have just found a tutorial mentioning that you would need to merge the cert with the ca_bundle:

$ cat /etc/nginx/ssl/nginx.crt /etc/nginx/ssl/ca_bundle.crt > /etc/nginx/ssl/full.crt

(it's possible that the order matters so please try the above command as well as with the nginx.crt ca_bundle.crt files order reversed)

and then:

ssl_certificate /etc/nginx/ssl/full.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
# without ssl_trusted_certificate

kugimiya530 (Author):

> @kugimiya530
>
> I have just found a tutorial mentioning that you would need to merge the cert with the ca_bundle:
>
> $ cat /etc/nginx/ssl/nginx.crt /etc/nginx/ssl/ca_bundle.crt > /etc/nginx/ssl/full.crt
>
> (it's possible that the order matters so please try the above command as well as with the nginx.crt ca_bundle.crt files order reversed)
>
> and then:
>
> ssl_certificate /etc/nginx/ssl/full.crt;
> ssl_certificate_key /etc/nginx/ssl/nginx.key;
> # without ssl_trusted_certificate

You made it!!!
This is my first time using the "cat" command and it really works!!!
OMG you made my day, you should give me a chance to buy you a coffee!!!!
This problem annoyed me for like 5 days and you always answered me T___T

Zaczero commented Jan 15, 2022

@kugimiya530

Nice!

Just a note, if you happen to renew your certificate in the future you would probably have to run the 'merge' again. It would be good to set up some sort of automation for it. Or maybe switch to Let's Encrypt and certbot (https://certbot.eff.org/instructions) as the whole process is pretty much painless in comparison to ZeroSSL and what you have shown me :D. But I suppose this is more of a long-term plan as you should be fine for the next 3 months.

My donation address: https://bscscan.com/address/0xD155E40a77e64D6834efe827306E49Ea936d8c3F
:)

kugimiya530 (Author):

Zaczero

Sent~
Again, thanks for your help over the last 2~3 days.

kugimiya530 (Author):

And by the way, do you have any easy way to remote into CentOS 7 from Windows 11?

Zaczero commented Jan 15, 2022

@kugimiya530

Like remote desktop? Search for "RDP CentOS 7". When selecting the desktop environment go for xfce as it's very lightweight and fast.

Personally, I wouldn't really recommend setting up RDP on your server (if you REALLY don't need it). It's just one more headache and SSH is very powerful on its own.

kugimiya530 commented Jan 15, 2022

> @kugimiya530
>
> Like remote desktop? Search for "RDP CentOS 7". When selecting the desktop environment go for xfce as it's very lightweight and fast.
>
> Personally, I wouldn't really recommend setting up RDP on your server (if you REALLY don't need it). It's just one more headache and SSH is very powerful on its own.

Yep... I think I really need remote desktop,

because the web remote console is so slow.

I already use the GNOME Desktop; will anything change for my system if I change to xfce?

Zaczero commented Jan 15, 2022

@kugimiya530

GNOME is one of the most-demanding desktop environments to run. XFCE is quite the opposite of that - it's not as 'pretty' though. Check out some screenshots and compare.

kugimiya530 (Author):

> @kugimiya530
>
> GNOME is one of the most-demanding desktop environments to run. XFCE is quite the opposite of that - it's not as 'pretty' though. Check out some screenshots and compare.

Alright... I'll do research to find out how to change to XFCE.
And yes.. I have 2 domains; besides the one you know, I have another one.
Can I add another ssl .crt and key to one conf?

Zaczero commented Jan 15, 2022

@kugimiya530

Basically, keep one SSL configuration per server { ... }. So if you have 2 domains with 2 server { ... } configs then you can set up 2 different SSLs.

kugimiya530 (Author):

> @kugimiya530
>
> Basically, keep one SSL configuration per server { ... }. So if you have 2 domains with 2 server { ... } configs then you can set up 2 different SSLs.

Okay, I will try later.
If I have any question I will ask for help, thx.

@j75689 j75689 added the question Further information is requested label Jan 17, 2022
kugimiya530 commented Feb 5, 2022

> @kugimiya530
>
> I have just found a tutorial mentioning that you would need to merge the cert with the ca_bundle:
>
> $ cat /etc/nginx/ssl/nginx.crt /etc/nginx/ssl/ca_bundle.crt > /etc/nginx/ssl/full.crt
>
> (it's possible that the order matters so please try the above command as well as with the nginx.crt ca_bundle.crt files order reversed)
>
> and then:
>
> ssl_certificate /etc/nginx/ssl/full.crt;
> ssl_certificate_key /etc/nginx/ssl/nginx.key;
> # without ssl_trusted_certificate

Hi, it's me again.

I am trying to use a second domain but it fails.

[screenshot attached]

nginx.conf:

include /etc/nginx/A.conf <= for domain A it's ok
include /etc/nginx/B.conf <= for domain B it fails
The error message is in the picture above.

I also cat certificate.crt and ca_bundle together.

For A.conf:

ssl_certificate /etc/nginx/ssl/full.crt;
ssl_certificate_key /etc/nginx/ssl/private.key;
#ssl_trusted_certificate /etc/nginx/ssl/ca_bundle.crt;
#ssl_session_timeout 5m;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv3 SSLv2;
#ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
#ssl_prefer_server_ciphers on;
add_header Access-Control-Allow-Origin $http_origin;
add_header 'Access-Control-Allow-Credentials' true;
add_header 'Access-Control-Allow-Headers' 'CJCX,cjcx,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,X-Auth-Token';
add_header 'Access-Control-Max-Age' 1728000;

server_name domainA;

For B.conf:

ssl_certificate /etc/nginx/ssl2/full.crt;
ssl_certificate_key /etc/nginx/ssl2/private.key;
#ssl_trusted_certificate /etc/nginx/ssl/ca_bundle.crt;
#ssl_session_timeout 5m;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv3 SSLv2;
#ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
#ssl_prefer_server_ciphers on;
add_header Access-Control-Allow-Origin $http_origin;
add_header 'Access-Control-Allow-Credentials' true;
add_header 'Access-Control-Allow-Headers' 'CJCX,cjcx,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,X-Auth-Token';
add_header 'Access-Control-Max-Age' 1728000;

server_name DomainB;

I couldn't find the problem Q_Q

Zaczero commented Feb 5, 2022

Check whether your cat on the 2nd domain uses ssl2/ and not ssl/ files. Also, according to this: https://stackoverflow.com/a/52261299 make sure that your cat starts with the certificate first and the bundle second.
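Why the order of the cat matters, for both the merge command earlier in the thread and the certificate-first rule above: nginx sends the certificates in the ssl_certificate file in file order, and TLS clients expect the server's own (leaf) certificate first, followed by the certificate that issued it, and so on up the chain. The Python below is an added example, not code from this thread: it parses just enough DER to compare each certificate's issuer with the next certificate's subject, so a merged full.crt can be checked before nginx is reloaded. fake_cert_pem builds constructed, unsigned certificates purely as test input and is not a substitute for real ones.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def names(cert_der):
    """Return (issuer, subject) of an X.509 certificate as raw DER Name bytes."""
    tbs = _tlv(_tlv(cert_der, 0)[1], 0)[1]  # Certificate -> tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = _tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first when present
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]


def chain_problems(pem_text):
    """List ordering problems in a PEM bundle; [] means leaf first and each issuer follows."""
    certs = [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(pem_text)]
    if not certs:
        return ["no certificates found"]
    problems = []
    for i in range(len(certs) - 1):
        issuer, _ = names(certs[i])
        _, next_subject = names(certs[i + 1])
        if issuer != next_subject:  # cert i must have been signed by the cert after it
            problems.append(f"certificate {i + 1} was not issued by certificate {i + 2}")
    return problems


def _der(tag, body):
    """Encode one DER TLV (short or two-byte long-form length)."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body


def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned certificate with the real field layout (test data only)."""
    def name(cn):  # Name = SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String cn } } }
        return _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))))
    validity = _der(0x30, _der(0x18, b"20220101000000Z") + _der(0x18, b"20230101000000Z"))
    tbs = (b"\xa0\x03\x02\x01\x02" + b"\x02\x01\x01" + _der(0x30, b"\x06\x03\x2a\x03\x04")
           + name(issuer_cn) + validity + name(subject_cn) + _der(0x30, b"\x05\x00"))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"\x05\x00") + b"\x03\x01\x00")
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
```

Run chain_problems on the contents of full.crt: a bundle written ca_bundle-first reports that certificate 1 was not issued by certificate 2, which is the same mismatch that made nginx reject the file.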

kugimiya530 (Author):

> Check whether your cat on the 2nd domain uses ssl2/ and not ssl/ files. Also, according to this: https://stackoverflow.com/a/52261299 make sure that your cat starts with the certificate first and the bundle second.

Yes... the problem is I always cat ca_bundle first.

Now I changed the order and it works!
