Commands to set up a rippled validator on CentOS with a Let's Encrypt certificate
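#!/usr/bin/env bash
# Setup rippled validator on CentOS with a letsencrypt certificate.
#
# This is a runbook: work through it step by step as root (sudo -i), not as a
# single unattended script -- several steps are interactive edits (vim), one
# reboots the box, and one needs output from an earlier step pasted in.
# The three values below stand in for the <HOSTNAME>, <COMPACT_HOSTNAME> and
# <USER> placeholders; set them before running anything else.
FQDN="syracloud.net"          # <- full server hostname
COMPACT="syracloudnet"        # <- hostname minus periods, used in file names
LOGIN_USER="me"               # <- your (non-root) login username
WEBROOT="/var/www/${COMPACT}"
CERTS=/etc/letsencrypt/certs
PRIVATE=/etc/letsencrypt/private

# --- System hostname + updates -------------------------------------------
hostnamectl set-hostname "${FQDN}"     # same effect as editing /etc/hostname
yum -y update
reboot

# --- httpd (HTTP only for now; the TLS vhost is added once a cert exists) ---
yum -y install httpd mod_ssl wget      # el7 uses yum, not dnf
mkdir -p "${WEBROOT}"
cat > "/etc/httpd/conf.d/${COMPACT}.conf" <<EOF
<VirtualHost *:80>
    DocumentRoot "${WEBROOT}"
    ServerName ${FQDN}
</VirtualHost>
EOF
vim "${WEBROOT}/index.html"            # whatever you want served at /
# Enable at boot as well as start: the ACME HTTP-01 renewal below needs httpd
# answering on port 80 after every reboot, not just today.
systemctl enable httpd
systemctl start httpd

# --- Firewall (firewalld must be running before rules can be added) --------
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --reload

# --- rippled ---------------------------------------------------------------
# Fetching the repo RPM over HTTPS does not by itself tell you who signed it;
# compare the GPG key it installs against the fingerprint Ripple publishes.
rpm -Uvh https://mirrors.ripple.com/ripple-repo-el7.rpm
yum -y install --enablerepo=ripple-stable rippled

# --- letsencrypt service account and directory layout ----------------------
# adapted from https://robmclarty.com/blog/how-to-secure-your-web-app-using-https-with-letsencrypt
# No password is set on purpose: nobody can log in as this account, while root
# can still run commands as it (runuser). On CentOS, useradd also creates a
# matching 'letsencrypt' group, so no separate groupadd is needed.
adduser letsencrypt
install -d -m 750 -o root -g letsencrypt /etc/letsencrypt
install -d -m 750 -o root -g letsencrypt "${PRIVATE}"
# Certificates are public: letsencrypt owns the directory so renewals can
# replace files in it, everyone else only reads.
install -d -m 755 -o letsencrypt -g letsencrypt "${CERTS}"
# rippled has to traverse private/ to read domain.key.
usermod -a -G letsencrypt rippled
install -d -m 755 -o letsencrypt -g letsencrypt "${WEBROOT}/.well-known/acme-challenge"

# --- acme-tiny -------------------------------------------------------------
# This script runs with the ACME account key and a passwordless sudo rule, so
# it is part of your trust base: pin a release tag or commit instead of
# master, and record/compare the hash. curl -f fails on an HTTP error instead
# of saving the error page as the script.
ACME_TINY_REF="master"   # TODO: replace with a specific release tag or commit
curl -fsSL "https://raw.githubusercontent.com/diafygi/acme-tiny/${ACME_TINY_REF}/acme_tiny.py" \
    -o /home/letsencrypt/acme_tiny.py
sha256sum /home/letsencrypt/acme_tiny.py   # record this; compare on future installs
chown root:letsencrypt /home/letsencrypt/acme_tiny.py
chmod 750 /home/letsencrypt/acme_tiny.py

# --- Keys and CSR ----------------------------------------------------------
# Generate the private keys under umask 077 so they are never world-readable,
# not even in the window between creation and the chmod further down.
( umask 077
  openssl genrsa -out "${PRIVATE}/account.key" 4096
  openssl genrsa -out "${PRIVATE}/domain.key" 4096 )
# NOTE: dhparam.pem is generated but nothing in this setup references it.
openssl dhparam -out "${CERTS}/dhparam.pem" 4096
openssl req -new -sha256 -key "${PRIVATE}/domain.key" -subj "/CN=${FQDN}" \
    -out "${PRIVATE}/domain.csr"
# Least privilege: only acme-tiny (the letsencrypt user) needs the account key,
# so rippled -- which is in the letsencrypt group -- must not be able to read it.
chown letsencrypt:letsencrypt "${PRIVATE}/account.key"
chmod 600 "${PRIVATE}/account.key"
chown root:letsencrypt "${PRIVATE}/domain.csr"
chmod 640 "${PRIVATE}/domain.csr"
# httpd reads the key as root at startup; rippled reads it as its own user.
chown root:rippled "${PRIVATE}/domain.key"
chmod 640 "${PRIVATE}/domain.key"

# --- First certificate -----------------------------------------------------
# Write to a temp name and rename, so a failed run never leaves an empty or
# truncated cert on disk.
runuser -u letsencrypt -- python /home/letsencrypt/acme_tiny.py \
    --account-key "${PRIVATE}/account.key" --csr "${PRIVATE}/domain.csr" \
    --acme-dir "${WEBROOT}/.well-known/acme-challenge" > "${CERTS}/signed.crt.new" \
  && mv "${CERTS}/signed.crt.new" "${CERTS}/signed.crt"
# The Let's Encrypt intermediate changes over time (X1 is historical); check
# https://letsencrypt.org/certificates/ for the current one. acme-tiny versions
# that speak ACMEv2 already return the full chain in signed.crt, in which case
# this download is redundant -- inspect signed.crt before relying on it.
wget -O "${CERTS}/intermediate.pem" https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
cat "${CERTS}/signed.crt" "${CERTS}/intermediate.pem" > "${CERTS}/chained_cert.pem"

# --- httpd TLS vhost -------------------------------------------------------
# SSLCertificateChainFile gets only the intermediate; the leaf is already in
# SSLCertificateFile, so handing it the full chain would send the leaf twice.
# (On httpd >= 2.4.8 the directive is deprecated and SSLCertificateFile can
# point at chained_cert.pem instead.)
cat >> "/etc/httpd/conf.d/${COMPACT}.conf" <<EOF
<IfModule mod_ssl.c>
<VirtualHost *:443>
    SSLEngine on
    DocumentRoot "${WEBROOT}"
    ServerName ${FQDN}
    SSLCertificateFile ${CERTS}/signed.crt
    SSLCertificateKeyFile ${PRIVATE}/domain.key
    SSLCertificateChainFile ${CERTS}/intermediate.pem
</VirtualHost>
</IfModule>
EOF
vim /etc/httpd/conf.d/ssl.conf   # comment out the whole default <VirtualHost _default_:443> block
apachectl configtest && systemctl reload httpd

# --- Let the letsencrypt user reload the services that use the cert --------
# visudo -c validates the fragment: a syntax error in sudoers.d breaks sudo for everyone.
cat > /etc/sudoers.d/letsencrypt-services-reload <<'EOF'
letsencrypt ALL=(root) NOPASSWD: /usr/sbin/service httpd reload
letsencrypt ALL=(root) NOPASSWD: /usr/sbin/service rippled restart
EOF
chmod 440 /etc/sudoers.d/letsencrypt-services-reload
visudo -c -f /etc/sudoers.d/letsencrypt-services-reload

# --- Renewal script (in /home/letsencrypt, the path the cron line uses) -----
# The first heredoc expands the webroot now; the quoted second one is written
# verbatim so the script's own $VARS survive.
cat > /home/letsencrypt/renew_cert.sh <<EOF
#!/bin/sh
# Renew the Let's Encrypt certificate with acme-tiny and reload the services
# that serve it. Runs as the letsencrypt user from cron.
set -eu   # stop at the first failure; never reload services with a half-written chain
ACME_DIR="${WEBROOT}/.well-known/acme-challenge"
EOF
cat >> /home/letsencrypt/renew_cert.sh <<'EOF'
CERTS=/etc/letsencrypt/certs
PRIVATE=/etc/letsencrypt/private
# Temp file + rename for every output: the live files are only replaced once
# the new ones are complete, so a failed run leaves the current cert intact.
python /home/letsencrypt/acme_tiny.py --account-key "$PRIVATE/account.key" \
    --csr "$PRIVATE/domain.csr" --acme-dir "$ACME_DIR" > "$CERTS/signed.crt.new"
mv "$CERTS/signed.crt.new" "$CERTS/signed.crt"
wget -q -O "$CERTS/intermediate.pem.new" https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
mv "$CERTS/intermediate.pem.new" "$CERTS/intermediate.pem"
cat "$CERTS/signed.crt" "$CERTS/intermediate.pem" > "$CERTS/chained_cert.pem.new"
mv "$CERTS/chained_cert.pem.new" "$CERTS/chained_cert.pem"
sudo /usr/sbin/service httpd reload
sudo /usr/sbin/service rippled restart
EOF
chown root:letsencrypt /home/letsencrypt/renew_cert.sh
chmod 750 /home/letsencrypt/renew_cert.sh

# --- Cron ------------------------------------------------------------------
# Monthly rather than every two months: certificates last 90 days, so a single
# failed run still leaves another run before expiry. The log file must exist
# and be writable by letsencrypt, which cannot create files in /var/log itself.
touch /var/log/acme_tiny.log
chown letsencrypt:letsencrypt /var/log/acme_tiny.log
chmod 640 /var/log/acme_tiny.log
# This replaces the letsencrypt user's whole crontab (use 'crontab -u letsencrypt -e' to add to an existing one).
crontab -u letsencrypt - <<'EOF'
30 3 1 * * /home/letsencrypt/renew_cert.sh >> /var/log/acme_tiny.log 2>&1
EOF

# --- rippled config --------------------------------------------------------
# Edit the existing file in place so it contains the settings below. The
# [server], [node_size] and [node_db] sections already exist in the shipped
# config: change them rather than appending duplicate sections. The public
# websocket port has no 'admin' entry, so keep it that way -- it is exposed to
# the world on 5003.
vim /etc/opt/ripple/rippled.cfg
#   [server]
#   port_wss_public
#   ssl_key = /etc/letsencrypt/private/domain.key
#   ssl_chain = /etc/letsencrypt/certs/chained_cert.pem
#
#   [port_wss_public]
#   port = 5003
#   ip = 0.0.0.0
#   protocol = wss
#   send_queue_limit = 65535
#
#   [node_size]
#   medium
#
#   [node_db]
#   online_delete=1024
#
#   [ssl_verify]
#   1
systemctl enable rippled.service
systemctl start rippled.service
# Only if you need to wipe the ledger store -- stop rippled first:
#   systemctl stop rippled && rm -rf -- /var/lib/rippled/db/
firewall-cmd --zone=public --permanent --add-port=5003/tcp
firewall-cmd --reload

# --- Validator keys --------------------------------------------------------
# validator-keys.json holds the long-lived validator master key. Recommended
# practice is to generate it on an offline machine and copy only the token to
# the server; if you generate it here, do it as your login user (the file
# lands in that user's ~/.ripple) and move the key file off the host once you
# have the token.
runuser -l "${LOGIN_USER}" -c "/opt/ripple/bin/validator-keys create_keys"
/opt/ripple/bin/validator-keys create_token --keyfile "/home/${LOGIN_USER}/.ripple/validator-keys.json"
# Paste the [validator_token] output into /etc/opt/ripple/rippled.cfg, then:
service rippled restart

# --- Domain verification ---------------------------------------------------
# Run as root (domain.key is root:rippled). VALIDATOR_PUBLIC_KEY is printed by
# create_keys above. echo appends a newline, and that newline is part of the
# signed data -- do not switch to printf without checking what the verifier expects.
VALIDATOR_PUBLIC_KEY="<paste public_key from create_keys output>"
openssl dgst -sha256 -hex -sign "${PRIVATE}/domain.key" <(echo "${VALIDATOR_PUBLIC_KEY}")
/opt/ripple/bin/validator-keys --keyfile "/home/${LOGIN_USER}/.ripple/validator-keys.json" sign "${FQDN}"
# Submit the output of the two commands above on the form below. That form was
# the verification process when this was written; check the current XRPL docs,
# which have since moved domain verification to an xrp-ledger.toml served from
# the domain.
# https://docs.google.com/forms/d/e/1FAIpQLScszfq7rRLAfArSZtvitCyl-VFA9cNcdnXLFjURsdCQ3gHW7w/viewform

# --- Backups ---------------------------------------------------------------
# Copy these somewhere safe. The validator key file and everything under
# private/ are secrets: store them encrypted and offline, not next to the
# public files or on the validator itself.
# + /home/letsencrypt/acme_tiny.py
# + /home/${LOGIN_USER}/.ripple/validator-keys.json   (validator master key)
# + /etc/letsencrypt/certs/chained_cert.pem
# + /etc/letsencrypt/certs/dhparam.pem
# + /etc/letsencrypt/certs/intermediate.pem
# + /etc/letsencrypt/certs/signed.crt
# + /etc/letsencrypt/private/account.key
# + /etc/letsencrypt/private/domain.csr
# + /etc/letsencrypt/private/domain.key
# + /etc/opt/ripple/rippled.cfg
# + /etc/httpd/conf.d/${COMPACT}.conf
# + ${WEBROOT}/index.html
# + this doc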