Welcome to the second part of the detailed securenode creation tutorial.

For those who missed part one, it can be found here.

In this blog post we will take our basic zencash node and make it a securenode connected to the tracking server.

Step 5 - Registration of domain name

I will not go into the purchasing of a domain name, as there are plenty of guides out there already. You do not need anything fancy, you just need a domain and DNS provider who will allow you to create DNS host entries to point to your securenode.

Once you have registered your domain name, create a DNS A record (or AAAA record if you use IPv6) with the hostname/subdomain you wish to call your securenode and the public IP address of your node. This is important for when you create your SSL certificates.

Step 6 - SSL certificates

Next we are going to need to obtain or create SSL certificates for your securenode. You can get a free SSL certificate through Let's Encrypt by following part a below; if you have obtained your SSL certificate via another Root CA, you can skip to part b of this step.

Part a - Using acme to get your SSL certificates

First we need to install the acme script dependencies and acme script for creating a certificate:
sudo apt install socat
cd ~
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
./acme.sh --install

Create the certificate:

Let's set up a variable in the terminal for ease of use:
FQDN=<FQDN>
Replace <FQDN> with your node's fully qualified domain name, i.e. the hostname/subdomain you set up in the DNS entry, e.g. securenode.zen-solutions.io. In the commands below, also replace <USER> with the standard username you log into your node with.

The next command returns what you have entered for the $FQDN variable.
echo $FQDN

The next command creates your certificates:
sudo ~/.acme.sh/acme.sh --issue --standalone -d $FQDN --home /home/<USER>/.acme.sh

It should tell you where your certs are. They should be in
~/.acme.sh/<FQDN>

Install the crontab entry that will check the certificate's expiration date and renew it if necessary:
sudo crontab -e

Put this at the bottom of the crontab file:
6 0 * * * /home/<USER>/.acme.sh/acme.sh --cron --home "/home/<USER>/.acme.sh" --pre-hook "zen-cli stop" > /dev/null

Skip to part c on this page.

Part b - For purchased SSL certificates

This part is an important step in securing purchased SSL certificates. If you purchased a wildcard SSL certificate you really do not want the key material to be readily obtainable, as anyone with your private key can put it on any server and impersonate you.

Create directories:

sudo mkdir /etc/ssl/zen
sudo mkdir /etc/ssl/zen/private

Copying the SSL files:

Put the public SSL certificate(s) along with the intermediate certificate(s) in /etc/ssl/zen. This can be done by running the following command:
sudo cp path/to/ssl_certificate /etc/ssl/zen/cert.crt
Put private ssl key(s) in /etc/ssl/zen/private using the following command:
sudo mv path/to/ssl_key /etc/ssl/zen/private/privkey.key

  • Note: Please change the path/to/ssl_certificate and path/to/ssl_key to the location of your files.

Set permissions:

Public Certificate(s)
sudo chmod 644 /etc/ssl/zen/*.crt
sudo chmod 755 /etc/ssl/zen

Private Key(s)
sudo chmod 640 /etc/ssl/zen/private/*.key
sudo chmod 710 /etc/ssl/zen/private
Note: chmod 710 supports ssl-cert group under Ubuntu. (See comments)
Setting permission to 700 on /etc/ssl/zen/private will also work fine.
Note: The group permission is set to READ (640) due to Ubuntu ssl-cert group. '600' is fine as well.

Set owner:

sudo chown -R root:root /etc/ssl/zen/
sudo chown -R root:ssl-cert /etc/ssl/zen/private/
Note: If you do not have ssl-cert group, ssl-cert can be installed by sudo apt-get install ssl-cert.

Add user account to the ssl-cert group

You will also need to add the account you use to launch zend to the ssl-cert group, then log out and log back in. The user can be added to the ssl-cert group by running:
sudo adduser <username> ssl-cert

Part c - Adding Root CA to the trusted store

To install a CA into the trusted store /etc/ssl/certs on ubuntu do the following:

  1. Create a directory for extra CA certificates in /usr/share/ca-certificates:
    sudo mkdir /usr/share/ca-certificates/extra
  2. Copy the Root CA file to this directory:
    sudo cp path/to/rootCA.file /usr/share/ca-certificates/extra/<your_ca>.crt
    Note: Please change path/to/rootCA.file with your file. If you used Let's Encrypt then it will be in ~/.acme.sh/<FQDN>/ca.cer and you will need to change the <your_ca>.crt to letsencrypt.crt in the command above.
  3. Let Ubuntu add the .crt file's path relative to /usr/share/ca-certificates to /etc/ca-certificates.conf:
    sudo dpkg-reconfigure ca-certificates

This then presents the following screens:
[Screenshot: dpkg-reconfigure ca-certificates, first screen]

[Screenshot: dpkg-reconfigure ca-certificates, list of certificates to activate, new CA not yet selected]

Many people just press enter all the way through without actually enabling the new Root CA.

After the first screen and on the screen with the list of Certificates to activate, you must press spacebar to put an asterisk next to the certificate. You can see the difference between the previous image and the next.
[Screenshot: list of certificates to activate, asterisk next to the new CA]

Once you have the asterisk next to the new certificate you can press enter to install the certificate. You should then see something similar to this in the console:

Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Processing triggers for ca-certificates (20161130) ...
Updating certificates in /etc/ssl/certs...
1 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

Updating zen.conf with the SSL certificate information

To add the SSL certificate information to zen.conf, open ~/.zen/zen.conf in your favourite editor:
nano ~/.zen/zen.conf
Add the following lines at the bottom of the file.
For those who followed part a on this page:

tlscertpath=/home/<username>/.acme.sh/<FQDN>/<FQDN>.cer
tlskeypath=/home/<username>/.acme.sh/<FQDN>/<FQDN>.key

For those who followed part b on this page:

tlskeypath=/etc/ssl/zen/private/yourkey.key
tlscertpath=/etc/ssl/zen/your_cert.crt

Once you have done this, if the zend daemon is already running, stop it with zen-cli stop and then start it again by running zend.

Now when you run zen-cli getnetworkinfo you should see "tls_cert_verified": true in the output.
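Before restarting zend, a quick sanity check of what you just configured. This is an added example, not part of the original post or of the ZenCash project: it reads tlscertpath/tlskeypath out of zen.conf and confirms the certificate is readable and the private key is not group-writable or world-readable, matching the 640/600 permissions set in part b. It assumes GNU stat (Ubuntu); the function and file names are my own.

```shell
#!/bin/sh
# check_zen_tls.sh - constructed example for verifying the TLS file setup
# referenced from ~/.zen/zen.conf. Not part of the ZenCash project.

# conf_value <zen.conf> <key>: print the value of the last "key=value" line
conf_value() {
  grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# perm_of <file>: octal permission bits, e.g. 640 (GNU stat syntax)
perm_of() {
  stat -c '%a' "$1"
}

# check_zen_tls <zen.conf>: returns 0 when every check passes, 1 otherwise
check_zen_tls() {
  conf=$1
  cert=$(conf_value "$conf" tlscertpath)
  key=$(conf_value "$conf" tlskeypath)
  rc=0

  if [ -z "$cert" ] || [ -z "$key" ]; then
    echo "tlscertpath and/or tlskeypath missing in $conf"
    return 1
  fi

  # zend must be able to read the certificate; 644 from part b is fine
  [ -r "$cert" ] || { echo "certificate not readable: $cert"; rc=1; }
  [ -f "$key" ]  || { echo "private key missing: $key"; rc=1; }

  if [ -f "$key" ]; then
    # Group may only read (0 or 4, for the ssl-cert group) and 'other' must be 0,
    # so 640 and 600 pass while 644 or 660 fail.
    case "$(perm_of "$key")" in
      *[04]0) ;;
      *) echo "private key permissions too open: $key ($(perm_of "$key"))"; rc=1 ;;
    esac
  fi
  return $rc
}

# Usage: ./check_zen_tls.sh ~/.zen/zen.conf
if [ $# -gt 0 ]; then
  check_zen_tls "$1" && echo "TLS file checks passed"
fi
```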

Step 7 - Secnodetracker

Please note this will be updated once it is in mainnet.

0.2.1 - BETA-Mainnet

Before we can clone the secnodetracker software we need to install some dependencies. The following installs NPM and Node.js (a JavaScript virtual machine):
sudo apt-get install npm
sudo npm install -g n
sudo n latest

Let's now clone the secnodetracker software into the zencash directory. First we will navigate to that location, just in case you are not already in there:
cd ~/zencash

Clone the git:

git clone https://github.com/ZencashOfficial/secnodetracker.git

Install the nodejs modules:

cd secnodetracker
npm install

Before running setup

Please get in touch with people in the slack/discord securenodes channel regarding wallets on testnet or mainnet, as these are out of the scope of this tutorial. This tutorial assumes that you already have a wallet either on testnet or mainnet.

Prior to running the setup you will need to create a private shielded address on your securenode for the challenges. This can be done by running the following:
zen-cli z_getnewaddress

You will need to send to your securenode private shielded address either 5x 0.05 or 5x 0.1 transactions of coins. The reasoning behind this can be found here

Run setup

To setup your securenode information you need to run:
node setup
You will need your staking address (holding at least 42 ZEN, or ZNT for testnet), the fully qualified domain name (FQDN) of your node that you used in the SSL certificate creation (if you have a wildcard SSL certificate, enter <nodename>.<domain_name>, not just the domain name), and an email address for alerts (if you do not want alerts, enter 'none' for the email address).

Start the tracking app

Start the securenode tracking app by running the following command:
node app

You will have an output similar to this:
[Screenshot: node app console output after connecting to the tracking server]
You should now be connected.

Press control+c to stop your node software, we will restart it as a service in the next section.

Creating a service to keep your secnodetracker running when you disconnect from your securenode

To perform this task, I hereby introduce you to PM2.

PM2 is a "Production Process Manager for Node.js apps with a built-in Load Balancer", that allows you to configure the securenode tracker software application as a service and easy monitoring.

Installation and application execution

PM2 can be installed by running:
sudo npm install pm2 -g
This installs the required software on your system.

After you install PM2 head into the secnodetracker directory and execute the following command:
pm2 start app.js --name securenodetracker

The above command starts app.js under the pm2 service with the --name securenodetracker. You can run it without the --name flag, but pm2 will then register app.js under the name app, which isn't very descriptive if you have other Node.js software running on your node and are trying to identify which is which.

Now save the pm2 configuration:
pm2 save

Next you will want to add the securenodetracker application to run at boot. This is done by running:
pm2 startup
This will then give you a command line that you need to execute to complete the configuration of the daemon for system bootup.

Monitoring and stopping the application

Monitoring of the service is very easy. There is an advanced configuration where you can use a portal to monitor all of your nodes, this will be covered in a later blog post.

Monitoring of the securenodetracker service is done by running either of the following commands:
pm2 logs securenodetracker
pm2 monit

To exit the tail of the log press control+c.

To check the status of the service you can run:
pm2 status securenodetracker

Stopping the securenodetracker service is just as easy as running the following command:
pm2 stop securenodetracker

pm2 log file location

I have a quick edit to add to this post, thanks devman, the log files for PM2 can be found in .pm2/logs.

Final thoughts

Well that's it my friends, I hope that this tutorial helps you set up a zencash securenode, and as always if you have any questions please contact me on slack/discord or using the comments below.

If you find this blog useful, and if you would like to keep it up and running, donations are always appreciated to any of the following addresses:
ZEN: znYjefe2QBfm9HEWfAtpwiBHMHTXwePs48C
ZEC: t1YZxjMEmPPLx1kFVp2zcWRBC4zrmRc71eZ
BTC: 14D1emX2xDeh3zA2myrhCmaWf1ZKAn1QzS
ETH: Ae491f4493F8d051ac23cE0d4aa2B524504eCb84