Welcome to the second part of detailed securenode creation tutorial.
For thos who missed part one, it can be found here.
In this blog post we will take our basic zencash node and make it a securenode connected to the tracking server.
Step 5 - Registration of domain name
I will not go into the purchasing of a domain name, as there are plenty of guides out there already. You do not need anything fancy, you just need a domain and DNS provider who will allow you to create DNS host entries to point to your securenode.
Once you have registered your domain name, create a DNS A or AAAA entry (if you use IPv6) that will have the the hostname/subdomain you wish to call your securenode and the public IP address for your node. This is important for when you create your SSL certificates.
Step 6 - SSL certificates
Next we are going to need to obtain or create SSL certificates for your securenode. You can get a free SSL certificate through letsencrypt following part a to follow, if you have obtained your SSL certificate via another Root CA you can skip to part b of this step.
Part a - Using acme to get your SSL certificates
First we need to install the acme script dependencies and acme script for creating a certificate:
sudo apt install socat
git clone https://github.com/Neilpang/acme.sh.git
Create the certificate:
Lets setup a variable in the terminal for ease of use:
FQDN=<FQDN> - FQDN is your fully qualified domain name, what you set up in the DNS entries, Replace
<FQDN> with your node.domain_name information you entered in the DNS entry, e.g. securenode.zen-solutions.io.
The next command returns what you have entered for the $FQDN variable.
The next command creates your certificates:
sudo ~/.acme.sh/acme.sh --issue --standalone -d $FQDN
It should tell you where your certs are. They should be in
Install the crontab that will check the script expiration date and renew it if necessary:
sudo crontab -e
Put this at the bottom of the crontab file:
6 0 * * * "/home/<USER>/.acme.sh"/acme.sh --cron --home "/home/<USER>/.acme.sh" > /dev/null
Skip to part c on this page.
Part b - For purchased SSL certificates
This part is an important step in securing your purchased SSL certificates if you have purchased them. If you purchased a wildcard SSL certificate you really do not want these to be readily obtained, as anyone with your private keys can put them on any server and they can impersonate you.
sudo mkdir /etc/ssl/zen
sudo mkdir /etc/ssl/zen/private
Copying the SSL files:
Put public SSL certificate(s) along with intermediate certificate(s) in
/etc/ssl/zen. This can done by running the following commands:
sudo cp path/to/ssl_certificate /etc/ssl/zen/cert.crt
Put private ssl key(s) in
/etc/ssl/zen/private using the following command:
sudo mv path/to/ssl_key /etc/ssl/zen/private/privkey.key
- Note: Please change the
path/to/ssl_keyto the location of your files.
sudo chmod 644 /etc/ssl/zen/*.crt
sudo chmod 755 /etc/ssl/zen
sudo chmod 640 /etc/ssl/zen/private/*.key
sudo chmod 710 /etc/ssl/zen/private
Note: chmod 710 supports ssl-cert group under Ubuntu. (See comments)
Setting permission to 700 on /etc/ssl/zen/private will also work fine.
Note: The group permission is set to READ (640) due to Ubuntu ssl-cert group. '600' is fine as well.
sudo chown -R root:root /etc/ssl/zen/
sudo chown -R root:ssl-cert /etc/ssl/zen/private/
Note: If you do not have ssl-cert group, ssl-cert can be installed by
sudo apt-get install ssl-cert.
Add user account to the ssl-cert group
You will also need to put the account you use to launch zend into the ssl-cert group, log out and log back in. The user can be added to the ssl-cert group by running
sudo adduser username ssl-cert
Part c - Adding Root CA to the trusted store
To install a CA into the trusted store
/etc/ssl/certs on ubuntu do the following:
- Create a directory for extra CA certificates in
sudo mkdir /usr/share/ca-certificates/extra
- Copy the Root CA file to this directory:
sudo cp path/to/rootCA.file /usr/share/ca-certificates/extra/<your_ca>.crt
Note: Please change
path/to/rootCA.filewith your file. If you used Let's Encrypt then it will be in
~/.acme.sh/<FQDN>/ca.cerand you will need to change the
letsencrypt.crtin the command above.
- Let Ubuntu add the .crt file's path relative to
sudo dpkg-reconfigure ca-certificates
This then presents the following screens:
People are then just pressing enter all the way through without actually enabling the new Root CA.
After the first screen and on the screen with the list of Certificates to activate, you must press spacebar to put an asterisk next to the certificate. You can see the difference between the previous image and the next.
Once you have the asterisk next to the new certificate you can press enter to install the certificate. You should then see something similar to this in the console:
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done. Processing triggers for ca-certificates (20161130) ... Updating certificates in /etc/ssl/certs... 1 added, 1 removed; done. Running hooks in /etc/ca-certificates/update.d... done.
Updating zen.conf with the SSL certificate information
To add the SSL certificate information to the zen.conf file we need to edit it, we will add the following lines to
~/.zen/zen.conf using your favourite editor:
Add the following lines at the bottom of the file:
For those who followed part a on this page:
For those who followed part b on this page:
Once you have done this, if you already have the zend daemon running, you will need to stop the zend daemon by
zen-cli stop and then restart the daemon by running
Now when you run
zen-cli getnetworkinfo you should see
"tls_cert_verified": true in the output.
Step 7 - Secnodetracker
Please note this will be updated once it is in mainnet.
0.2.1 - BETA-Mainnet
sudo apt-get install npm
sudo npm install -g n
sudo n latest
Lets now clone the secnodetracker software into the zencash directory. First we will navigate to that location just in case you are not in there:
Clone the git:
git clone https://github.com/ZencashOfficial/secnodetracker.git
Install the nodejs modules:
Before running setup
Please get in touch with people in the slack/discord securenodes channel regarding wallets on testnet or mainnet, as these are out of the scope of this tutorial. This tutorial assumes that you already have a wallet either on testnet or mainnet.
Prior to running the setup you will need to create a private shielded address on your securenode for the challenges. This can be done by running the following:
You will need to send to your securenode private shielded address either 5x 0.05 or 5x 0.1 transactions of coins. The reasoning behind this can be found here
To setup your securenode information you need to run:
You will need your staking address (with at least 42zen - znt for testnet), the fully qualified domain name (FQDN) address of your node that you used in the SSL certificate creation (if you have a wildcard SSL certificate, you will need to enter
<nodename>.<domain_name> not just the domain name), and an email address for alerts (if you do not want alerts enter 'none' for the email address).
Start the tracking app
Start the securenode tracking app by running the following command:
You will have an output similar to this:
You should now be connected.
control+c to stop your node software, we will restart it as a service in the next section.
Creating a service to keep your secnodetracker running when you disconnect from your securenode
To perform this task, I hereby introduce you to PM2.
PM2 is a "Production Process Manager for Node.js apps with a built-in Load Balancer", that allows you to configure the securenode tracker software application as a service and easy monitoring.
Installation and application execution
PM2 can be installed by running:
sudo npm install pm2 -g
This will then installed the required software you system.
After you install PM2 head into the secnodetracker directory and execute the following command:
pm2 start app.js --name securenodetracker
The above command initiates the pm2 service, tells the service to start the app.js, with the --name of securenodetracker. You can execute the process without the --name flag but the pm2 service will load the app.js with a name of app. Now this isn't really descriptive if you have other nodejs software running on your node and you are trying to identify which is which.
Now save the pm2 configuration:
Next you will want to add the securenodetracker application to run at boot. This is done by running:
This will then give you a command line that you need to execute to complete the configuration of the daemon for system bootup.
Monitoring and stopping the application
Monitoring of the service is very easy. There is an advanced configuration where you can use a portal to monitor all of your nodes, this will be covered in a later blog post.
Monitoring of the securenodetracker service is done by running the following command:
pm2 logs securenodetracker or
To exit the tail of the log press
To check the status of the service you can run:
pm2 status securenodetracker
Stopping the securenodetracker service is just a easy as running the following command:
pm2 stop securenodetracker
pm2 log file location
I have a quick edit to add to this post, thanks devman, the log files for PM2 can be found in .pm2/logs.
Well that's it my friends, I hope that this tutorial helps you setup a securenode zencash, and as always if you have any questions please contact me on slack/discord or using the comments below.
If you find this blog useful, and if you would like to keep it up and running, donations are always appreciated to any of the following addresses: