Commands to set up a rippled validator on CentOS with a letsencrypt certificate
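# Setup rippled validator on CentOS with a letsencrypt certificate.
# Run all commands as sudo unless otherwise indicated.
# Replace <HOSTNAME> with your full server hostname (ex. syracloud.net).
# Replace <COMPACT_HOSTNAME> with your server hostname minus periods (ex. syracloudnet).
# Replace <USER> with your login username.
# Placeholders are quoted in the commands below so the shell does not read "<" as a redirect.
# Set system hostname to <HOSTNAME>.
# hostnamectl writes /etc/hostname (the file edited by hand before) and also applies
# the name to the running system, so the result matches the original step after the reboot.
hostnamectl set-hostname "<HOSTNAME>"
# Update the system (interactive; yum asks for confirmation).
yum update
reboot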
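# Config / Setup httpd
# yum is used everywhere else in this runbook and the ripple repo below is el7;
# dnf is not present on a stock CentOS 7, so install with yum for consistency.
yum install httpd mod_ssl wget
# The DocumentRoot must exist before httpd is started and before the web root is
# populated below (the original only created it later, in the letsencrypt step).
mkdir -p "/var/www/<COMPACT_HOSTNAME>"
# Plain-HTTP vhost; the ACME challenge files are served from this DocumentRoot.
cat > "/etc/httpd/conf.d/<COMPACT_HOSTNAME>.conf" <<'EOF'
<VirtualHost *:80>
DocumentRoot "/var/www/<COMPACT_HOSTNAME>"
ServerName <HOSTNAME>
</VirtualHost>
EOF
# Enable httpd at boot as well as starting it: the renewal job later relies on
# "service httpd reload", which fails if httpd is not running after a reboot.
systemctl enable httpd.service
systemctl start httpd.service
# firewall-cmd needs a running firewalld; enable and start it here (the same two
# commands appear again in the firewall step and are harmless to repeat).
systemctl enable firewalld
systemctl start firewalld
# Open http/https in the running configuration and permanently.
for svc in http https; do
  firewall-cmd --zone=public --add-service="$svc"
  firewall-cmd --zone=public --permanent --add-service="$svc"
done
# Setup web root (edit index.html interactively)
cd "/var/www/<COMPACT_HOSTNAME>/"
vim index.html
# Install rippled from Ripple's el7 repository
rpm -Uvh https://mirrors.ripple.com/ripple-repo-el7.rpm
yum install --enablerepo=ripple-stable rippled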
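# setup letsencrypt
# from https://robmclarty.com/blog/how-to-secure-your-web-app-using-https-with-letsencrypt
# create user
# root switches to this account with "su letsencrypt" without a password; the
# passwd step only matters if someone needs to log in as this account directly.
adduser letsencrypt
passwd letsencrypt
# useradd on CentOS normally creates a same-named group already; only add it if it is missing.
getent group letsencrypt >/dev/null || groupadd letsencrypt
mkdir -p /etc/letsencrypt/certs /etc/letsencrypt/private
chown -R root:letsencrypt /etc/letsencrypt
chmod 750 /etc/letsencrypt/
chmod 750 /etc/letsencrypt/private
# The certs directory is written by the letsencrypt user (issuance and renewal)
# and only read by rippled. Owning it by letsencrypt with mode 755 gives the
# writer what it needs without letting every group member (rippled) replace certificates.
chown letsencrypt:letsencrypt /etc/letsencrypt/certs
chmod 755 /etc/letsencrypt/certs
# rippled must traverse /etc/letsencrypt (mode 750, group letsencrypt) to read the chain and key.
usermod -a -G letsencrypt rippled
mkdir -p "/var/www/<COMPACT_HOSTNAME>/.well-known/acme-challenge"
chown -R letsencrypt:letsencrypt "/var/www/<COMPACT_HOSTNAME>/.well-known/"
# Download acme setup script
# -f fails on an HTTP error instead of saving the error page as the script.
# This fetches whatever is on master at download time; for a reproducible build,
# pin a tagged release (…/acme-tiny/<ACME_TINY_VERSION>/acme_tiny.py) and record
# its sha256sum so the backup copy can be checked against it later.
curl -fsSL -o /home/letsencrypt/acme_tiny.py https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
chown root:letsencrypt /home/letsencrypt/acme_tiny.py
chmod 750 /home/letsencrypt/acme_tiny.py
# create credentials
# umask 027 creates the keys and CSR as 0640 from the start, so they are never
# world-readable between creation and the permissions step that follows issuance.
(umask 027 && openssl genrsa -out /etc/letsencrypt/private/account.key 4096)
(umask 027 && openssl genrsa -out /etc/letsencrypt/private/domain.key 4096)
# acme_tiny runs as the letsencrypt user and must read account.key and the CSR;
# domain.key is read by rippled (and by httpd, which loads it as root) and never by letsencrypt.
chown root:letsencrypt /etc/letsencrypt/private/account.key
chown root:rippled /etc/letsencrypt/private/domain.key
# dhparam.pem is generated here but none of the configs in this runbook reference it.
openssl dhparam -out /etc/letsencrypt/certs/dhparam.pem 4096
(umask 027 && openssl req -new -sha256 -key /etc/letsencrypt/private/domain.key -subj "/CN=<HOSTNAME>" -out /etc/letsencrypt/private/domain.csr)
chown root:letsencrypt /etc/letsencrypt/private/domain.csr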
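# Generate cert (acme_tiny runs as the unprivileged letsencrypt user)
su letsencrypt
python /home/letsencrypt/acme_tiny.py --account-key /etc/letsencrypt/private/account.key --csr /etc/letsencrypt/private/domain.csr --acme-dir "/var/www/<COMPACT_HOSTNAME>/.well-known/acme-challenge" > /etc/letsencrypt/certs/signed.crt
# NOTE(review): this URL names one specific, historical Let's Encrypt intermediate.
# Intermediates rotate; confirm the current one (or use the chain acme_tiny itself
# returns, if the downloaded version emits it) before relying on this file.
wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > /etc/letsencrypt/certs/intermediate.pem
cat /etc/letsencrypt/certs/signed.crt /etc/letsencrypt/certs/intermediate.pem > /etc/letsencrypt/certs/chained_cert.pem
# Back to root: the chown/chmod below need root (the original had no exit here).
exit
# Set permissions (re-asserted here in case the files were touched as another user)
chown root:letsencrypt /etc/letsencrypt/private/account.key
chown root:letsencrypt /etc/letsencrypt/private/domain.csr
# rippled reads the key directly (ssl_key in rippled.cfg); httpd loads it as root at startup.
chown root:rippled /etc/letsencrypt/private/domain.key
chmod 640 /etc/letsencrypt/private/account.key
chmod 640 /etc/letsencrypt/private/domain.csr
chmod 640 /etc/letsencrypt/private/domain.key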
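# Edit httpd to include ssl logic (append the TLS vhost to the file created earlier)
cat >> "/etc/httpd/conf.d/<COMPACT_HOSTNAME>.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost *:443>
SSLEngine on
DocumentRoot /var/www/<COMPACT_HOSTNAME>/
ServerName <HOSTNAME>
SSLCertificateFile /etc/letsencrypt/certs/signed.crt
SSLCertificateKeyFile /etc/letsencrypt/private/domain.key
SSLCertificateChainFile /etc/letsencrypt/certs/chained_cert.pem
</VirtualHost>
</IfModule>
EOF
# comment out the entire default virtual host in ssl.conf so it does not compete
# with the vhost above; the global SSL* directives outside that block stay in effect.
vim /etc/httpd/conf.d/ssl.conf
# Reject a broken config before reloading instead of finding out when httpd fails to come back.
apachectl configtest && service httpd reload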
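# Allow letsencrypt to restart httpd and rippled without a password, and nothing else.
# Written as a file and then checked with visudo -c, the same validation visudo -f performs.
cat > /etc/sudoers.d/letsencrypt-services-reload <<'EOF'
# The renewal job runs from cron, which has no tty; the /etc/sudoers shipped with
# CentOS 7 sets "Defaults requiretty", which would make sudo refuse the job. Lift it
# for this account only.
Defaults:letsencrypt !requiretty
letsencrypt ALL=NOPASSWD: /usr/sbin/service httpd reload
letsencrypt ALL=NOPASSWD: /usr/sbin/service rippled restart
EOF
chmod 0440 /etc/sudoers.d/letsencrypt-services-reload
visudo -cf /etc/sudoers.d/letsencrypt-services-reload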
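# Create renew script
# Path is /home/letsencrypt (the original "vim" line said /home/letencrypt, which
# did not match the chown/chmod below).
cat > /home/letsencrypt/renew_cert.sh <<'EOF'
#!/bin/sh
# Renew the Let's Encrypt certificate and reload the services that use it.
# Runs as the letsencrypt user from cron; its sudo rights are limited to the two
# service commands at the bottom (see /etc/sudoers.d/letsencrypt-services-reload).
set -eu
certs=/etc/letsencrypt/certs
private=/etc/letsencrypt/private
# Write the new certificate to a temp file in the same directory and rename it
# into place only on success. Redirecting acme_tiny straight into signed.crt
# truncates the working certificate before the request is even made, so a
# failed renewal left httpd/rippled with an empty certificate file.
tmp=$(mktemp "$certs/signed.crt.XXXXXX")
trap 'rm -f "$tmp"' EXIT
python /home/letsencrypt/acme_tiny.py --account-key "$private/account.key" --csr "$private/domain.csr" --acme-dir /var/www/<COMPACT_HOSTNAME>/.well-known/acme-challenge/ > "$tmp"
chmod 644 "$tmp"   # public certificate; mktemp creates the file 0600
mv "$tmp" "$certs/signed.crt"
# Same staging for the intermediate so a failed download cannot empty the file.
# NOTE(review): this URL names one specific, historical intermediate; confirm it is still current.
tmp=$(mktemp "$certs/intermediate.pem.XXXXXX")
wget -q -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > "$tmp"
chmod 644 "$tmp"
mv "$tmp" "$certs/intermediate.pem"
cat "$certs/signed.crt" "$certs/intermediate.pem" > "$certs/chained_cert.pem"
sudo service httpd reload
sudo service rippled restart
EOF
chown root:letsencrypt /home/letsencrypt/renew_cert.sh
chmod 750 /home/letsencrypt/renew_cert.sh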
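# Add the following line to crontab
# The job runs as letsencrypt, which cannot create files in /var/log; pre-create the
# log as root and hand it over, otherwise the redirect fails and the renewal never runs.
touch /var/log/acme_tiny.log
chown letsencrypt:letsencrypt /var/log/acme_tiny.log
su letsencrypt
EDITOR="vi" crontab -e
# Every other month at 03:30. "2>&1" keeps acme_tiny's error output in the log
# instead of only in cron mail.
30 3 1 Jan,Mar,May,Jul,Sep,Nov * /home/letsencrypt/renew_cert.sh >> /var/log/acme_tiny.log 2>&1
# Back to root for the rippled configuration that follows.
exit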
# Set config
# Edit the packaged config in place; the sections below are the values to set or
# add, not a complete file.
vim /etc/opt/ripple/rippled.cfg
[server]
# Enable the wss port section defined below and point rippled at the Let's Encrypt
# key and chain produced above. domain.key is owned root:rippled (0640); the chain
# is reachable because rippled was added to the letsencrypt group that owns /etc/letsencrypt.
port_wss_public
ssl_key = /etc/letsencrypt/private/domain.key
ssl_chain = /etc/letsencrypt/certs/chained_cert.pem
[port_wss_public]
# Public WebSocket-over-TLS listener on all interfaces; 5003/tcp is opened in the
# firewall in a later step.
port = 5003
ip = 0.0.0.0
protocol = wss
send_queue_limit = 65535
[node_size]
medium
[node_db]
# presumably bounds how much ledger history is kept on disk — verify against the rippled docs
online_delete=1024
[ssl_verify]
1
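# Enable / start rippled
systemctl enable rippled.service
systemctl start rippled.service
# To clear the entire db (destructive): stop rippled first so it is not writing
# into the directory while it is removed, then start it again.
systemctl stop rippled.service
rm -rf -- /var/lib/rippled/db/
systemctl start rippled.service
# Open firewall ports (firewalld must be running for firewall-cmd to work)
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --zone=public --permanent --add-port=5003/tcp
firewall-cmd --reload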
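# setup validator keys
# Every validator-keys call names the key file explicitly so they agree no matter
# which user's $HOME they run under (the original relied on the default location
# for create_keys, which under sudo is often /root rather than /home/<USER>).
# NOTE(review): the master key in validator-keys.json is only needed to mint
# tokens; the rippled docs recommend generating and keeping it off the validator
# itself — confirm that fits your setup before leaving it on this host.
/opt/ripple/bin/validator-keys --keyfile "/home/<USER>/.ripple/validator-keys.json" create_keys
/opt/ripple/bin/validator-keys --keyfile "/home/<USER>/.ripple/validator-keys.json" create_token
# Copy the create_token output (the [validator_token] section) into /etc/opt/ripple/rippled.cfg, then:
service rippled restart
# Submit to ripple
# domain.key is readable only by root and the rippled group, so sign as root.
su
# NOTE(review): echo appends a newline to the data being signed; keep the input
# exactly in the form the submission form expects.
openssl dgst -sha256 -hex -sign /etc/letsencrypt/private/domain.key <(echo "<VALIDATOR_PUBLIC_KEY>")
/opt/ripple/bin/validator-keys --keyfile "/home/<USER>/.ripple/validator-keys.json" sign "<HOSTNAME>"
# Specify the output of the previous two commands on:
# https://docs.google.com/forms/d/e/1FAIpQLScszfq7rRLAfArSZtvitCyl-VFA9cNcdnXLFjURsdCQ3gHW7w/viewform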
# Make backups of:
# + /home/letsencrypt/acme_tiny.py
# + /home/<USER>/.ripple/validator-keys.json
# + /etc/letsencrypt/certs/chained_cert.pem
# + /etc/letsencrypt/certs/dhparam.pem
# + /etc/letsencrypt/certs/intermediate.pem
# + /etc/letsencrypt/certs/signed.crt
# + /etc/letsencrypt/private/account.key
# + /etc/letsencrypt/private/domain.csr
# + /etc/letsencrypt/private/domain.key
# + /etc/opt/ripple/rippled.cfg
# + /etc/httpd/conf.d/<COMPACT_HOSTNAME>.conf
# + /var/www/<COMPACT_HOSTNAME>/index.html
# + this doc