Nxt Forum


Topic: Method to configure https for Nxt public nodes (Read 3218 times)

VanBreuk


Recently, some developers and I had been missing a simple way to enable remote https access to applications running on public nodes on a custom port.

When websites and services that want to connect to a public node have their backend running on https, unencrypted http calls can become a problem.

Installing SSL Certificates with Letsencrypt/Certbot has become easier than ever, so this is a workaround for the issue that I don't think has been posted before, and might be useful.

It has been tried and will probably be used for SuperNET Iguana nodes (and Basilisk, the lite client evolution), but the first time I discussed this was with Tosch and around Nxt nodes, and it worked easily when I tested it in a public Nxt node.



Requirements

1) A Linux server running Nxt, configured for public API access. This should only require creating an nxt.properties file under nxt/conf similar to this:

nxt.apiServerCORS=true
nxt.uiServerCORS=true
nxt.myAddress=SERVER_IP_ADDRESS
nxt.allowedBotHosts=*
nxt.allowedUserHosts=127.0.0.1; localhost; SERVER_IP_ADDRESS; 0:0:0:0:0:0:0:1;
nxt.enableAPIserver=true
nxt.apiServerHost=0.0.0.0

2) A subdomain (or domain) to access your node. This is required to use an SSL certificate. The subdomain should be included in the domain nameservers configuration as an A record pointing to your server IP.



Procedure

In this example, setup was done using root account. If you're using a non-root account, it needs to be in the sudo group and commands need to be run using sudo.

1) Install letsencrypt (certbot) and generate the SSL certificate for your (sub)domain.

wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto certonly --standalone --email admin@example.com -d sub.example.com

2) Install apache webserver and enable the modules for ssl and reverse proxy.

apt-get install apache2
a2enmod ssl proxy_http

3) Configure the default apache configuration file.

nano /etc/apache2/sites-available/000-default.conf

Replace the default configuration lines with the following, replacing the sub.example.com strings with your (sub)domain:

<VirtualHost *:80>
        ServerName sub.example.com
        Redirect permanent / https://sub.example.com/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName sub.example.com
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/sub.example.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/sub.example.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/sub.example.com/chain.pem
        SSLProxyEngine On
        ProxyPreserveHost On
        ProxyRequests Off
        ProxyPass / http://localhost:7876/
        ProxyPassReverse / http://localhost:7876/
</VirtualHost>
</IfModule>

4) Finally, restart the apache webserver.

service apache2 restart



As an example, you can check https://node001.nxtinside.org, and try a Nxt API request to that node using encrypted connection - https://node001.nxtinside.org/nxt?requestType=getState

Any improvements and alternatives for this procedure will be welcome.
GPG Fingerprint: B020 D1C1 F289 3B2C 3577  9EAD 455D D175 5913 C7F1

Tosch110


Thank you very much for sharing this vanBreuk!

This is of great help; it will help build a better and more secure network for Nxt! Awesome :)

Tosch110


After going through the procedure I would like to add some details, which I saw were missing in the above description.

To be able to go to https://yourdomain.com:7876 later and reach the wallet there, you would have to enable SSL also in the config and the keystore of Nxt and Jetty.

To get some more info you can visit https://nxtwiki.org/wiki/How-To:UseSslCerts

After creating the certificate as vanBreuk described, you should have the certificates in a folder like this:

Quote
/etc/letsencrypt/live/sub.example.com/cert.pem
/etc/letsencrypt/live/sub.example.com/privkey.pem
/etc/letsencrypt/live/sub.example.com/chain.pem
/etc/letsencrypt/live/sub.example.com/fullchain.pem

So in order to create the keystore file, you need to go into your nxt folder and execute the following command:

Quote
openssl pkcs12 -export -inkey /etc/letsencrypt/live/sub.example.com/privkey.pem -in /etc/letsencrypt/live/sub.example.com/fullchain.pem -out mycert.pkcs12

Then run

Quote
keytool -importkeystore -srckeystore mycert.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

To the Nxt config file you now have in conf/nxt.properties, add:

Quote
nxt.myAddress=mydomain.com
nxt.allowedUserHosts=127.0.0.1; localhost; mydomain.com ; 0:0:0:0:0:0:0:1;
nxt.uiSSL=true
nxt.apiSSL=true
nxt.keyStorePassword=passwordasusedaboveforkeystore

VanBreuk


Thanks a lot Tosch for the contribution. However, in my case setting up the keystore for Nxt was not necessary when I installed the https://node001.nxtinside.org test node, with the sole purpose of allowing external https requests that triggered no certificate alarms.

As you suggested a moment ago in private convo, maybe in your node something else was needed for the reverse proxy to work. In any case, the difference should be

- Method in the OP:

User/external app sends request ====SSL encrypted===> Public node > Reverse proxy forwards it to localhost:7876 ====unencrypted===> Nxt server processes it and sends back response

- With tosch's addition:

User/external app sends request ====SSL encrypted===> Public node > Reverse proxy forwards it to https://localhost:7876 ====SSL encrypted===> Nxt server processes it and sends back response

So I guess that without the Nxt server SSL setup, a malicious node owner could try to sniff requests containing a passphrase as they leave the reverse proxy. But I don't know if there's a way for users to check whether the remote Nxt server is using SSL for the localhost connection, so in either case, sending your passphrase to a public node is never a good idea. Use public nodes for safe requests only, and if you need to broadcast a transaction, send it already signed.

floyd


Thank you, guys.

This is genuinely helpful.

A quick question: if I wanted to set up a simple way to enable remote http access (no https or anything) to a Testnode, what would be the changes I need to make to the nxt.properties file?

Note: I'm running this Testnode on a Windows instance on AWS.

Thanks in advance.

lurker10



You want these settings:

nxt.allowedBotHosts=*
nxt.apiServerHost=0.0.0.0

Access via http://yourNodeIpAddress:7876

Remember to open your firewall port 7876 if it's closed.
And port 7874 if you wish to make this a public node.
Run a node - win a prize! "Lucky node" project jar: NXT-8F28-EDVE-LPPX-HY4E7

floyd


Worked perfectly.

Thank you so much.

NxtSwe


I'd like to point out that Tosch's method will make the node appear on http://www.peerexplorer.com/peerexplorer-api as a node that has the SSL API enabled, while the OP's does not (even though it is accessible through SSL, the NRS node does not know about it).
Check out the NxtLib, the .NET Framework API for the Nxt platform.

Claptrap


Hi Everyone,

I got my public node up and running. But I'm unable to sort out the SSL part. I tried following this tutorial but I'm a little lost about the prerequisites for a domain and subdomain.

I'm using Digital Ocean to set up my node. So all I have is the IP address, no domain name.

How should I go about this?

lurker10



If you don't have a domain name, don't use it.
Using IP is fine, using a domain doesn't get you extra points for the lottery, it's just for vanity or convenience.
For SSL, follow this:
https://nxtwiki.org/wiki/How-To:UseSslCerts
https://nxtforum.org/general-discussion/5-million-nxt-bounty-for-nxt-ardor-forgers/msg221688/#msg221688

Riker


For the next release, 1.10.3 or 1.11.0e, whichever comes first, we added support for the PKCS12 keystore format.
Referring to the instructions written by Tosch above, you'll no longer need to convert the keystore generated by openssl (from the .pem files provided by LetsEncrypt) to the Java JKS format, i.e. no need for the following command:
keytool -importkeystore -srckeystore mycert.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

Instead you'll be able to add something like nxt.keyStoreType=PKCS12 to nxt.properties and use the PKCS12 keystore directly.

Just to clarify the prerequisites for setting this up:
1. Linux workstation with recent versions of OpenSSL and Java installed.
2. A domain under your control mapped to the external IP of this workstation.
3. An NXT node (or any other web server) listening on port 80. To configure an NXT node to listen on port 80, add the property nxt.apiServerPort=80 and use root privileges to start the node. You can undo this once you have received the .pem files from LetsEncrypt, but I assume that you'll need it again to renew the certificate 3 months later.
4. Simply follow the "Getting Started" guide at https://letsencrypt.org/getting-started/ for a general web server, to generate the .pem files for the key chain and private key.
5. In case something goes wrong, use the following command to list your keystore:
Code:
keytool -v -list -keystore keystore.pkcs12 -storetype PKCS12
You should see the following messages towards the top of the output:
Code:
Entry type: PrivateKeyEntry
Certificate chain length: 2

Is there a simpler procedure if you just want to renew an existing certificate?
Repeating this procedure every 3 months can be tiresome.
NXT Core Dev
Account: NXT-HBFW-X8TE-WXPW-DZFAG
Public Key: D8311651 Key fingerprint: 0560 443B 035C EE08 0EC0  D2DD 275E 94A7 D831 1651

ScripterRon


I'm doing the following on Ubuntu
Code:
sudo letsencrypt renew --standalone
to renew the certificate. This eliminates the need for a web server listening on port 80. But you still need to use openssl to convert the .pem files to .pkcs12. At least it can be wrapped in a shell script.
NXT-XM86-4ZNA-65L5-CDWUE
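Tosch's openssl step, Riker's note that NRS can load a PKCS12 keystore directly (nxt.keyStoreType=PKCS12) and ScripterRon's remark that renewal can be wrapped in a script, combined into one renewal script. This is an added example, not code from the thread or from the Nxt project; it assumes certbot is on the PATH, the keystore password is supplied in the KEYSTORE_PASS environment variable (the same value as nxt.keyStorePassword), and NRS runs as a systemd unit named nxt.

```shell
#!/bin/sh
# Renew the Let's Encrypt certificate and rebuild the PKCS12 keystore that NRS
# loads with nxt.keyStoreType=PKCS12. Constructed example: paths and the systemd
# unit name are assumptions, not values from the thread.
set -eu

DOMAIN="${DOMAIN:-sub.example.com}"          # assumed; set to your (sub)domain
NXT_DIR="${NXT_DIR:-/opt/nxt}"               # assumed NRS install directory
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"     # where certbot keeps the .pem files

# build_keystore LIVE_DIR OUT: pack privkey.pem and fullchain.pem into a PKCS12
# file. The export password is read from $KEYSTORE_PASS (env:) so it never shows
# in `ps` output; the file is written with mode 0600 and then renamed into place.
build_keystore() {
  live="$1"; out="$2"
  [ -r "$live/privkey.pem" ] && [ -r "$live/fullchain.pem" ] || return 1
  ( umask 077 && openssl pkcs12 -export \
      -inkey "$live/privkey.pem" -in "$live/fullchain.pem" \
      -passout env:KEYSTORE_PASS -out "$out.tmp" )
  mv "$out.tmp" "$out"
}

# verify_keystore FILE: succeed only if FILE opens with $KEYSTORE_PASS and holds
# a private key plus at least one certificate (openssl equivalent of Riker's
# `keytool -v -list` check). Key material is piped to grep, never written out.
verify_keystore() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin env:KEYSTORE_PASS 2>/dev/null \
    | grep -q 'PRIVATE KEY' || return 1
  openssl pkcs12 -in "$1" -nokeys -passin env:KEYSTORE_PASS 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE'
}

# cert_count FILE: certificates in the keystore; a Let's Encrypt chain gives 2+.
cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin env:KEYSTORE_PASS 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

renew_and_install() {
  : "${KEYSTORE_PASS:?set KEYSTORE_PASS to the nxt.keyStorePassword value}"
  certbot renew --standalone --quiet        # renews only when close to expiry
  build_keystore "$LIVE_DIR" "$NXT_DIR/keystore.pkcs12"
  verify_keystore "$NXT_DIR/keystore.pkcs12"
  systemctl restart nxt                     # Jetty reads the keystore at startup
}

# Only run the full procedure when invoked as: sh renew-keystore.sh run
if [ "${1:-}" = "run" ]; then renew_and_install; fi
```

With certbot's --deploy-hook the keystore rebuild can be triggered only when a certificate was actually renewed, rather than on every cron run.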

box1413


Got the following errors during install of the cert. See: http://prntscr.com/eo51n2

Quote
Setting up libaugeas0 (1.2.0-0ubuntu1.1~ubuntu12.04.1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Reading package lists... Done
Building dependency tree       
Reading state information... Done
gcc is already the newest version.
gcc set to manually installed.
python is already the newest version.
python-dev is already the newest version.
python-dev set to manually installed.
The following packages were automatically installed and are no longer required:
  apache2-mpm-prefork apache2.2-common apache2.2-bin
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
  libssl1.0.2 python-setuptools
Recommended packages:
  python-pip
The following NEW packages will be installed:
  libffi-dev libssl1.0.2 python-setuptools python-virtualenv
The following packages will be upgraded:
  ca-certificates libssl-dev openssl
3 upgraded, 4 newly installed, 0 to remove and 234 not upgraded.
Need to get 7,169 kB of archives.
After this operation, 8,584 kB of additional disk space will be used.
Do you want to continue [Y/n]? Y
WARNING: The following packages cannot be authenticated!
  libssl1.0.2 openssl libssl-dev
Install these packages without verification [y/N]? y
Get:1 http://archive.ubuntu.com/ubuntu/ precise-updates/main ca-certificates all 20160104ubuntu0.12.04.1 [208 kB]
Err http://ppa.launchpad.net/ondrej/php5/ubuntu/ precise/main libssl1.0.2 amd64 1.0.2h-1+deb.sury.org~precise+1
  404  Not Found
Err http://ppa.launchpad.net/ondrej/php5/ubuntu/ precise/main openssl amd64 1.0.2h-1+deb.sury.org~precise+1
  404  Not Found
Err http://ppa.launchpad.net/ondrej/php5/ubuntu/ precise/main libssl-dev amd64 1.0.2h-1+deb.sury.org~precise+1
  404  Not Found
Get:2 http://archive.ubuntu.com/ubuntu/ precise/main python-setuptools all 0.6.24-1ubuntu1 [441 kB]
Get:3 http://archive.ubuntu.com/ubuntu/ precise/universe python-virtualenv all 1.7.1.2-1 [2,112 kB]
Get:4 http://archive.ubuntu.com/ubuntu/ precise/main libffi-dev amd64 3.0.11~rc1-5 [96.1 kB]
Fetched 2,857 kB in 1s (1,692 kB/s)
Failed to fetch http://ppa.launchpad.net/ondrej/php5/ubuntu/pool/main/o/openssl/libssl1.0.2_1.0.2h-1+deb.sury.org~precise+1_amd64.deb  404  Not Found
Failed to fetch http://ppa.launchpad.net/ondrej/php5/ubuntu/pool/main/o/openssl/openssl_1.0.2h-1+deb.sury.org~precise+1_amd64.deb  404  Not Found
Failed to fetch http://ppa.launchpad.net/ondrej/php5/ubuntu/pool/main/o/openssl/libssl-dev_1.0.2h-1+deb.sury.org~precise+1_amd64.deb  404  Not Found
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

box1413


I fixed my issue with the following:

In terminal...

cd /etc/apt               # change directory
grep ondrej sources.list  # search for ondrej
if this grep returns an answer, then...

sudo gksudo gedit /etc/apt/sources.list  # edit the file
and place a # at the front of the offending line. Save the file and quit gedit.

Next we'll search in all *.list files...

cd /etc/apt/sources.list.d  # change directory
grep ondrej *.list          # search for a (unknown).list
You'll probably only get one filename as the output of the grep command. Note the filename. Next we'll delete that file...

sudo rm -i /etc/apt/sources.list.d/enter_filename_here.list

----------------

Then it just worked without any errors. Just make sure to change your port number if you're running testnet.

schoad


I already set up a public node with SSL on my Raspberry Pi with Tosch110's additional remarks.
Works flawlessly.

On my new VPS with Debian 8 I'm unable to get SSL to work properly.
NXT stops with the following error: (FIXED)

FIXED:
Quote
Generate the key; choose your genkey password to be the same as your keystore password. If not, you get keystore errors from NRS (bug/feature in NRS). Run this in the console:
« Last Edit: June 17, 2017, 01:22:48 pm by schoad »