Using non-letsencrypt/acme certificates with your securenode
Greets again,
I have had numerous people asking me about using non-letsencrypt/acme SSL certificates provided by sources like Namecheap or other Certificate Authorities (CAs). So in this blog post I will describe what I do to secure my private SSL key and limit access to the SSL certificates and their directories.
As I will not know in what format your SSL certificates and keys are delivered, I will have to assume that you have been provided with, or can convert the required files into, a .crt certificate, a .key/.pem private key, and the Root CA certificate.
It really doesn't matter where you put your SSL certificates and keys as long as you properly protect your private key file(s). The public certificate is public; it needs no protection, by server privileges or otherwise.
Here is an example setup:
Create directories:
sudo mkdir /etc/ssl/zen
sudo mkdir /etc/ssl/zen/private
Place SSL files:
Put public SSL certificate(s) along with intermediate certificate(s) in /etc/ssl/zen
Put private ssl key(s) in /etc/ssl/zen/private
Set permissions:
Public Certificate(s)
sudo chmod 644 /etc/ssl/zen/*.crt
sudo chmod 755 /etc/ssl/zen
Private Key(s)
sudo chmod 640 /etc/ssl/zen/private/*.key
sudo chmod 710 /etc/ssl/zen/private
Note: The group permission is set to READ (640) so that the Ubuntu ssl-cert group can read the key. 600 is fine as well.
Note: chmod 710 on the directory lets members of the ssl-cert group traverse it under Ubuntu (see comments). Setting the permission to 700 on /etc/ssl/zen/private will also work fine.
Set owner:
sudo chown -R root:root /etc/ssl/zen/
sudo chown -R root:ssl-cert /etc/ssl/zen/private/
Note: If you do not have the ssl-cert group, it can be installed with sudo apt-get install ssl-cert, or you can just use root:root on the line above, or skip the second line.
Add user account to the ssl-cert group
You will also need to put the account you use to launch zend into the ssl-cert group, then log out and log back in. The user can be added to the ssl-cert group by running sudo adduser username ssl-cert
Adding Root CA to the trusted store
While this was covered in detail in this blog post, I will briefly outline it again here.
To install a CA into the trusted store /etc/ssl/certs on Ubuntu, do the following:
- Create a directory for extra CA certificates in /usr/share/ca-certificates:
sudo mkdir /usr/share/ca-certificates/extra
- Copy the CA .crt file to this directory:
sudo cp yourCA.crt /usr/share/ca-certificates/extra/yourCA.crt
- Let Ubuntu add the .crt file's path relative to /usr/share/ca-certificates to /etc/ca-certificates.conf:
sudo dpkg-reconfigure ca-certificates
Add the paths to the certificate and key in zen.conf
Add the following lines to ~/.zen/zen.conf:
tlskeypath=/etc/ssl/zen/private/yourkey.key
tlscertpath=/etc/ssl/zen/your_cert.crt
Once you have done this, if you already have the zend daemon running, you will need to stop it with zen-cli stop and then start it again by running zend.
Now when you run zen-cli getnetworkinfo you should see "tls_cert_verified": true in the output.
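Before applying the layout above to /etc, it is worth having a repeatable check that the private key and its directory really ended up with the intended modes and that zen.conf points at files the daemon can read. The script below is an added example and is not part of the original post or the ZenCash project; it builds the same layout in a scratch directory with constructed placeholder cert/key files, then runs the checks. It assumes bash and GNU coreutils (stat -c), and it skips the chown to root:ssl-cert because that needs root, so the scratch files stay owned by whoever runs it.

```shell
#!/bin/bash
# Added example (not from the original post): recreate the /etc/ssl/zen layout
# in a scratch directory and verify the permissions and zen.conf paths.
# Assumes bash + GNU coreutils. Files here are constructed placeholders.
set -eu

# Build the directory/permission layout the post describes under $1.
setup_layout() {
  base="$1"
  mkdir -p "$base/private"
  printf 'PLACEHOLDER CERT (constructed)\n' > "$base/your_cert.crt"
  printf 'PLACEHOLDER KEY (constructed)\n'  > "$base/private/yourkey.key"
  chmod 755 "$base"
  chmod 644 "$base"/*.crt
  chmod 710 "$base/private"
  chmod 640 "$base"/private/*.key
}

# Print the octal mode of a path (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# Return 0 when the private dir is 700/710 and every *.key is 600/640;
# otherwise print each offender and return 1.
check_private_perms() {
  base="$1"; rc=0
  d=$(mode_of "$base/private")
  case "$d" in
    700|710) ;;
    *) echo "private dir mode $d is not 700/710"; rc=1 ;;
  esac
  for k in "$base"/private/*.key; do
    m=$(mode_of "$k")
    case "$m" in
      600|640) ;;
      *) echo "$k mode $m is too permissive"; rc=1 ;;
    esac
  done
  return $rc
}

# Write a constructed zen.conf pointing at the scratch cert and key.
write_conf() {
  base="$1"; conf="$2"
  printf 'tlskeypath=%s\ntlscertpath=%s\n' \
    "$base/private/yourkey.key" "$base/your_cert.crt" > "$conf"
}

# Return 0 when tlskeypath and tlscertpath are both set and readable.
check_conf_paths() {
  conf="$1"; rc=0
  for key in tlskeypath tlscertpath; do
    val=$(sed -n "s/^$key=//p" "$conf" | head -n 1)
    if [ -z "$val" ]; then
      echo "$key missing from $conf"; rc=1
    elif [ ! -r "$val" ]; then
      echo "$key=$val is not readable"; rc=1
    fi
  done
  return $rc
}

# Stand-alone demo: good layout passes, a world-readable key is caught.
demo() {
  tmp=$(mktemp -d)
  setup_layout "$tmp"
  write_conf "$tmp" "$tmp/zen.conf"
  check_private_perms "$tmp" && check_conf_paths "$tmp/zen.conf" \
    && echo "layout OK"
  chmod 644 "$tmp/private/yourkey.key"   # simulate a mistake
  if check_private_perms "$tmp"; then echo "unexpected pass"; else echo "caught bad key mode"; fi
  rm -rf "$tmp"
}
demo
```

Point setup_layout at a scratch path, never at /etc/ssl/zen directly; once the checks pass, apply the same chmod lines for real. If you prefer 600 on the key, remember the key must then be owned by the account that runs zend, since the ssl-cert group read bit is what lets a non-root zend user read a root-owned key.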
I hope that this blog post helps installing and securing your SSL certificates. Sing out if you need any help either on Slack or down below.