Commands to setup a rippled validator on CentOS with a letsencrypt certificate
# Setup rippled validator on CentOS with a letsencrypt certificate.
# Run all commands as sudo unless otherwise indicated.
# Replace <HOSTNAME> with your full server hostname (the example hostname is missing from this copy).
# Replace <COMPACT_HOSTNAME> with your server hostname minus periods (ex. syracloudnet).
# Replace <USER> with your login username
# Set system hostname to <HOSTNAME>
vim /etc/hostname
# Update the system
yum update
# Config / Setup httpd
# httpd on port 80 serves the ACME challenge directory created further down;
# mod_ssl is needed for the port 443 virtual host added once the certificate exists.
dnf install httpd mod_ssl wget
# The three lines after the vim command are the contents for the .conf file,
# not shell commands.
# NOTE(review): no closing </VirtualHost> appears in this copy - add it when
# editing the file.
vim /etc/httpd/conf.d/<COMPACT_HOSTNAME>.conf
<VirtualHost *:80>
DocumentRoot "/var/www/<COMPACT_HOSTNAME>"
ServerName <HOSTNAME>
service httpd start
# Each service is opened twice: once in the runtime configuration (takes
# effect immediately) and once with --permanent (kept across reloads/reboots).
firewall-cmd --zone=public --add-service=http
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --add-service=https
firewall-cmd --zone=public --permanent --add-service=https
# Setup web root
# NOTE(review): nothing above creates /var/www/<COMPACT_HOSTNAME>; presumably
# it has to exist before httpd is started and before this cd - confirm.
cd /var/www/<COMPACT_HOSTNAME>/
vim index.html
# Install rippled
# NOTE(review): the repository package URL for `rpm -Uvh` is missing from this
# copy. Take it from the official rippled installation documentation, fetch it
# over HTTPS, and leave package signature checking enabled for the
# ripple-stable repository so the rippled package is verified on install.
rpm -Uvh
yum install --enablerepo=ripple-stable rippled
# setup letsencrypt
# from
# create user
# A dedicated unprivileged account runs the ACME client, so certificate
# issuance and renewal never run as root.
adduser letsencrypt
# NOTE(review): this account is only entered via `su` and cron further down;
# a login password is presumably not required - consider leaving it locked.
passwd letsencrypt
# NOTE(review): on CentOS, adduser normally creates a group named after the
# user, in which case this groupadd reports that the group exists - confirm.
groupadd letsencrypt
mkdir /etc/letsencrypt
mkdir /etc/letsencrypt/certs
mkdir /etc/letsencrypt/private
# root owns the whole tree; the letsencrypt group gets only what the modes
# below allow.
chown -R root:letsencrypt /etc/letsencrypt
chmod 750 /etc/letsencrypt/
# certs/ is group-writable so the letsencrypt user can write signed.crt and
# the chain files into it.
chmod 775 /etc/letsencrypt/certs
# private/ can be listed and read by the group but not written; no access for
# other users.
chmod 750 /etc/letsencrypt/private
# rippled joins the letsencrypt group so it can traverse /etc/letsencrypt
# (mode 750) to reach the key and chain named in rippled.cfg.
# NOTE(review): group membership also lets rippled read account.key and
# domain.csr (later set to 640, group letsencrypt) and write to certs/.
# That is more than it needs - consider a narrower grant.
usermod -a -G letsencrypt rippled
# Directory the ACME client writes challenge files into (passed as --acme-dir
# below); it sits under the httpd document root.
mkdir -p /var/www/<COMPACT_HOSTNAME>/.well-known/acme-challenge
chown -R letsencrypt.letsencrypt /var/www/<COMPACT_HOSTNAME>/.well-known/
# Download acme setup script
# NOTE(review): the download URL and the script's file name are missing from
# this copy (the cron log name acme_tiny.log suggests acme-tiny - confirm).
# The script is later run with read access to the ACME account key, so fetch a
# pinned release or commit over HTTPS, read it, and compare its checksum with a
# value you recorded yourself (<EXPECTED_SHA256>) before using it.
curl > /home/letsencrypt/
# Intended for the downloaded script (file name missing here): owned by root,
# group letsencrypt, mode 750, so the letsencrypt user can read and run it but
# cannot modify it.
chown root.letsencrypt /home/letsencrypt/
chmod 750 /home/letsencrypt/
# create credentials
# NOTE(review): shell redirection creates the key files with the current umask;
# their modes are only tightened in the "Set permissions" step. Running
# `umask 077` first closes that window. Until then private/ (750,
# root:letsencrypt) is what limits access, and group members can read the keys.
# account.key is the ACME account key; domain.key is the private key for the
# TLS certificate.
openssl genrsa 4096 > /etc/letsencrypt/private/account.key
openssl genrsa 4096 > /etc/letsencrypt/private/domain.key
# NOTE(review): dhparam.pem is generated here but is not referenced by the
# httpd or rippled settings shown on this page. Generating 4096-bit parameters
# can take a long time.
openssl dhparam -out /etc/letsencrypt/certs/dhparam.pem 4096
# CSR for <HOSTNAME>, made with domain.key; the same CSR is passed to the ACME
# client for the first issuance and in the renew script.
openssl req -new -sha256 -key /etc/letsencrypt/private/domain.key -subj "/CN=<HOSTNAME>" > /etc/letsencrypt/private/domain.csr
# Generate cert
# `su` opens a new shell as the letsencrypt user; the commands up to
# "Set permissions" are typed in that shell.
su letsencrypt
# NOTE(review): the script path here is under /etc/letsencrypt/, while the
# download step and the renew script use /home/letsencrypt/ - presumably these
# should match. The script's file name is missing from this copy.
# The client reads account.key and domain.csr and prints the signed
# certificate, which the redirection stores as certs/signed.crt.
python /etc/letsencrypt/ --account-key /etc/letsencrypt/private/account.key --csr /etc/letsencrypt/private/domain.csr --acme-dir /var/www/<COMPACT_HOSTNAME>/.well-known/acme-challenge > /etc/letsencrypt/certs/signed.crt
# NOTE(review): the intermediate certificate URL is missing from this copy.
# Take it from the CA's own chain-of-trust page and fetch it over HTTPS.
wget -O - > /etc/letsencrypt/certs/intermediate.pem
# chained_cert.pem = leaf certificate followed by the intermediate.
cat /etc/letsencrypt/certs/signed.crt /etc/letsencrypt/certs/intermediate.pem > /etc/letsencrypt/certs/chained_cert.pem
# Set permissions
# NOTE(review): chown needs root - leave the letsencrypt shell (`exit`) first.
# account.key and domain.csr stay readable by the letsencrypt group because
# the ACME client is given both.
chown root:letsencrypt /etc/letsencrypt/private/account.key
chown root:letsencrypt /etc/letsencrypt/private/domain.csr
# domain.key gets group rippled instead: with mode 640 the letsencrypt user
# (not shown as a member of rippled) can no longer read the TLS private key.
chown root:rippled /etc/letsencrypt/private/domain.key
chmod 640 /etc/letsencrypt/private/account.key
chmod 640 /etc/letsencrypt/private/domain.csr
chmod 640 /etc/letsencrypt/private/domain.key
# Edit httpd to include ssl logic
# The directives after the vim command are contents for the .conf file, not
# shell commands.
# NOTE(review): the closing </VirtualHost> and </IfModule> tags do not appear
# in this copy - add them when editing the file.
vim /etc/httpd/conf.d/<COMPACT_HOSTNAME>.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
SSLEngine on
DocumentRoot /var/www/<COMPACT_HOSTNAME>/
ServerName <HOSTNAME>
SSLCertificateFile /etc/letsencrypt/certs/signed.crt
SSLCertificateKeyFile /etc/letsencrypt/private/domain.key
# NOTE(review): chained_cert.pem already contains the leaf (signed.crt +
# intermediate.pem), so the leaf is supplied twice; intermediate.pem alone is
# the usual value here. On httpd 2.4.8 and later SSLCertificateChainFile is
# deprecated and SSLCertificateFile can point at the full chain instead -
# check the installed version.
SSLCertificateChainFile /etc/letsencrypt/certs/chained_cert.pem
# NOTE(review): this vhost sets no SSLProtocol / SSLCipherSuite. The stock
# virtual host in ssl.conf may be where those are set, so after commenting it
# out confirm which protocol versions and ciphers the server still offers.
vim /etc/httpd/conf.d/ssl.conf # comment out entire virtual host
service httpd reload
# Allow letsencrypt to restart httpd and rippled
# visudo -f syntax-checks the drop-in file before saving it, so a typo here
# cannot leave sudo unusable.
EDITOR="vi" visudo -f /etc/sudoers.d/letsencrypt-services-reload
# The two lines below are the file contents. Each rule allows one command with
# exactly these arguments, without a password; nothing else is granted to the
# letsencrypt user.
letsencrypt ALL=NOPASSWD: /usr/sbin/service httpd reload
letsencrypt ALL=NOPASSWD: /usr/sbin/service rippled restart
# Create renew script
# NOTE(review): "letencrypt" in the vim path looks like a typo for
# "letsencrypt" (every other path uses /home/letsencrypt/); the script's file
# name is also missing from this copy.
vim /home/letencrypt/
# The lines from `python` through `sudo service rippled restart` are the
# contents of the renew script.
# NOTE(review): the `>` redirection truncates signed.crt before the client
# runs, so a failed renewal leaves an empty certificate file even though
# `|| exit` skips the reload. Writing to a temporary file and moving it into
# place only on success keeps the previous certificate intact.
python /home/letsencrypt/ --account-key /etc/letsencrypt/private/account.key --csr /etc/letsencrypt/private/domain.csr --acme-dir /var/www/<COMPACT_HOSTNAME>/.well-known/acme-challenge/ > /etc/letsencrypt/certs/signed.crt || exit
# NOTE(review): the download URL is missing from this copy, and a failed
# download is not checked - it would leave an empty intermediate.pem and an
# incomplete chained_cert.pem that the services are then reloaded with.
wget -O - > /etc/letsencrypt/certs/intermediate.pem
cat /etc/letsencrypt/certs/signed.crt /etc/letsencrypt/certs/intermediate.pem > /etc/letsencrypt/certs/chained_cert.pem
# These are the two commands allowed in
# /etc/sudoers.d/letsencrypt-services-reload.
sudo service httpd reload
sudo service rippled restart
# Run as root after saving the script (file name missing here): root-owned,
# group letsencrypt, mode 750, so the letsencrypt user can run the renew script
# but not edit it.
chown root:letsencrypt /home/letsencrypt/
chmod 750 /home/letsencrypt/
# Add the following line to crontab
# The job is installed in the letsencrypt user's own crontab, so renewal runs
# without root.
su letsencrypt
EDITOR="vi" crontab -e
# Schedule: 03:30 on the 1st of every second month (Jan, Mar, ..., Nov).
# NOTE(review): Let's Encrypt certificates are valid for 90 days, so one failed
# run at this interval puts the next attempt after expiry. A monthly or more
# frequent schedule leaves room for a retry.
# NOTE(review): only stdout is appended to the log; add `2>&1` if the client's
# error output should be kept too. Nothing on this page creates
# /var/log/acme_tiny.log or makes it writable by the letsencrypt user.
30 3 1 Jan,Mar,May,Jul,Sep,Nov * /home/letsencrypt/ >> /var/log/acme_tiny.log
# Set config
# The lines after the vim command are settings for rippled.cfg, not shell
# commands.
vim /etc/opt/ripple/rippled.cfg
# Same private key httpd uses; rippled can read it through the group ownership
# set earlier (root:rippled, mode 640).
ssl_key = /etc/letsencrypt/private/domain.key
ssl_chain = /etc/letsencrypt/certs/chained_cert.pem
port = 5003
# NOTE(review): the ip value is missing from this copy. Port 5003/tcp is opened
# in firewalld further down, so if this binds to a public address the WebSocket
# endpoint is reachable from the internet - keep any `admin` setting off this
# port stanza.
ip =
protocol = wss
send_queue_limit = 65535
# Enable / start rippled
systemctl enable rippled.service
systemctl start rippled.service
# To clear the entire db
# NOTE(review): destructive and not part of the normal setup flow - this
# deletes the node's database directory. Skip it when working through the
# commands in order; presumably rippled should be stopped first - confirm.
rm -rf /var/lib/rippled/db/
# Open firewall ports
# NOTE(review): firewall-cmd was already used in the httpd section, which
# assumes firewalld is running; enabling it here makes sure it starts at boot.
systemctl enable firewalld
systemctl start firewalld
# --permanent alone changes only the stored configuration; the --reload that
# follows applies it to the running firewall.
firewall-cmd --zone public --permanent --add-port 5003/tcp
firewall-cmd --reload
# setup validator keys
# NOTE(review): validator-keys.json holds the validator's master key. Once the
# token has been created, keep that file off the validator host (offline,
# encrypted storage); only the token belongs in rippled.cfg.
/opt/ripple/bin/validator-keys create_keys
# NOTE(review): if create_keys was run as root ("run all commands as sudo"),
# the key file may be under root's home rather than /home/<USER> - confirm the
# path before passing --keyfile.
/opt/ripple/bin/validator-keys create_token --keyfile /home/<USER>/.ripple/validator-keys.json
Copy the output to /etc/opt/ripple/rippled.cfg
service rippled restart
# Submit to ripple
# Signs the validator public key with the TLS private key (needs read access to
# domain.key). Replace the <VALIDATOR_PUBLIC_KEY> placeholder first: left as
# written, the shell treats < and > as redirections. `echo` appends a newline
# to the data being signed.
openssl dgst -sha256 -hex -sign /etc/letsencrypt/private/domain.key <(echo <VALIDATOR_PUBLIC_KEY>)
# Signs <HOSTNAME> with the validator key from validator-keys.json.
/opt/ripple/bin/validator-keys --keyfile /home/<USER>/.ripple/validator-keys.json sign <HOSTNAME>
Specify the output of the previous two commands on:
# Make backups of (several of these are private keys; keep the backups encrypted and access-restricted):
# + /home/letsencrypt/
# + /home/<USER>/.ripple/validator-keys.json
# + /etc/letsencrypt/certs/chained_cert.pem
# + /etc/letsencrypt/certs/dhparam.pem
# + /etc/letsencrypt/certs/intermediate.pem
# + /etc/letsencrypt/certs/signed.crt
# + /etc/letsencrypt/private/account.key
# + /etc/letsencrypt/private/domain.csr
# + /etc/letsencrypt/private/domain.key
# + /etc/opt/ripple/rippled.cfg
# + /etc/httpd/conf.d/<COMPACT_HOSTNAME>.conf
# + /var/www/<COMPACT_HOSTNAME>/index.html
# + this doc