Using SSL with EOS.IO nodes

in #eos3 years ago (edited)

ssleos.jpg

This is a guide on how to setup a secure HTTPS API using the built-in EOS http_plugin.
SSL support is available since 2018-04-27 release.

ssl.PNG

First of all you have to be on the DAWN-2018-04-27-ALPHA tag or newer.

If you run nodeos --version it should output 2594537369. Otherwise you have to update.

To update please run on your eos repo clone:

$ cd [EOSIO_DIR]
$ git pull
$ git checkout DAWN-2018-04-27-ALPHA
$ git submodule update --recursive
$ ./eosio_build.sh
$ cd build
$ sudo make install

Obtaining a SSL certificate for your domain with Certbot / Let's Encrypt

$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot

Certbot will need to listen on port 80 for the certificate generation challenge.
If you have any service using it please stop that first. Then run:

$ sudo certbot certonly --standalone --preferred-challenges http -d your-domain

Now copy the generated files to your testnet folder:

$ cd [TESTNET_FOLDER]
$ sudo cp /etc/letsencrypt/live/your-domain/fullchain.pem .
$ sudo cp /etc/letsencrypt/live/your-domain/privkey.pem .
$ sudo chown user:user fullchain.pem privkey.pem

Configure nodeos

Edit your config.ini file and add the following lines:

https-server-address = 0.0.0.0:443
https-certificate-chain-file = /[TESTNET_FOLDER]/fullchain.pem
https-private-key-file = /[TESTNET_FOLDER]/privkey.pem

If you want to disable insecure HTTP completely just set (commenting out the line won't work)

http-server-address = 



Start nodeos and go to https://your-domain/v1/chain/get_info to check! You should have a green padlock in chrome showing a successful TLS connection.

If something went wrong please take a look on the first lines of your log file less stderr.txt

Good luck!

Sort:  

Thank you for this great howto guide!
One question: after adding https-server-address in config
do you need to disable existing http-server-address setting?

Ok just found by trying that if you keep http-server-address setting - RPC will run on both Http and Https protocols using ports specified for each.
You can not uncomment http-server-address setting but you can empty it's value to disable Http access:
http-server-address =

You can leave both protocols enabled. But if you want to disable HTTP, you have to set http-server-address = (commenting out the line will enable on default port)

Great tutorial!
I've tried it a few times and I keep getting https: Underlying Transport Error after running nodeos. Has anyone else encountered this error following these steps?

Note: When launching nodeos I successfully see configured https to listen on 0.0.0.0:443 (TLS configuration will be validated momentarily).

Thanks EOS Nation!
Can you verify if you are running on IPv6 mode on your network interface? This might be the reason for this error. Also try checking if you have ufw enable, if so please add a rule for that port.