Securenode FAQs - Root CA installation
Hello zenophiles, and welcome to the second blog post.
I have been messaged a number of times on the zencash slack with similar questions about configuring a zencash node to be a securenode. And it looks like people are running into the same problems time and time again.
ROLF over at Blockoperations has written some excellent tutorials on how to set up a zencash securenode: part 1, part 2, and part 2.5. I use his tutorials as a guide whenever I build a new securenode so I do not forget something.
One of the most common issues that people seem to be experiencing is that their Root CA or full chain SSL certificate is not being installed to the trusted store. As a result, the zend daemon cannot verify your SSL certificate, and "tls_cert_verified": false is displayed when you run
Check to see if you have a /usr/share/ca-certificates/extra/ directory. If this directory does not exist, please run
sudo mkdir /usr/share/ca-certificates/extra/
Copy the Root CA into the /usr/share/ca-certificates/extra directory. This can be done by running
sudo cp path/to/rootCA.file /usr/share/ca-certificates/extra/<your_ca>.crt
If you are using acme.sh, your Root CA will be found in ~/.acme.sh/<FQDN>/ca.cer, so your command would be:
sudo cp ~/.acme.sh/<FQDN>/ca.cer /usr/share/ca-certificates/extra/letsencrypt.crt
After copying your Root CA into /usr/share/ca-certificates/extra you need to execute the following:
sudo dpkg-reconfigure ca-certificates
This then presents the following screens:
People are then just pressing enter all the way through without actually enabling the new Root CA.
After the first screen, on the screen with the list of certificates to activate, you must press spacebar to put an asterisk next to the certificate. You can see the difference between the previous image and the next.
Once you have the asterisk next to the new certificate you can press enter to install the certificate. You should then see something similar to this in the console:
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Processing triggers for ca-certificates (20161130) ...
Updating certificates in /etc/ssl/certs...
1 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Once you have done this, you will need to stop the zend daemon with
zen-cli stop
and then restart the daemon by running
Now when you run
zen-cli getnetworkinfo
you should see "tls_cert_verified": true in the output.
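To confirm that the asterisk was actually set before restarting zend, the following added example (not part of the original post) reports the state of a CA entry. It assumes the standard Debian/Ubuntu ca-certificates layout, where /etc/ca-certificates.conf lists deselected entries with a leading "!" and selected ones are linked into /etc/ssl/certs as NAME.pem; the function name ca_state is hypothetical.

```sh
#!/bin/sh
# Added example: did dpkg-reconfigure ca-certificates really enable the CA?
#
# ca_state ENTRY [CONF] [CERTS_DIR]
#   ENTRY      path relative to /usr/share/ca-certificates,
#              e.g. extra/letsencrypt.crt
#   CONF       defaults to /etc/ca-certificates.conf (assumed layout)
#   CERTS_DIR  defaults to /etc/ssl/certs (assumed layout)
#
# Prints one of:
#   deselected           listed with a leading "!": enter was pressed
#                        without putting an asterisk next to it
#   selected-not-linked  selected, but no NAME.pem exists in CERTS_DIR yet
#   trusted              selected and linked into CERTS_DIR
#   unlisted             the entry does not appear in CONF at all
ca_state() {
    entry=$1
    conf=${2:-/etc/ca-certificates.conf}
    certs=${3:-/etc/ssl/certs}

    # -x matches whole lines only, -F treats the entry as a literal string
    if grep -qxF "!$entry" "$conf" 2>/dev/null; then
        echo "deselected"
    elif grep -qxF "$entry" "$conf" 2>/dev/null; then
        # Selected certificates are exposed as <basename>.pem
        link="$certs/$(basename "$entry" .crt).pem"
        if [ -e "$link" ]; then
            echo "trusted"
        else
            echo "selected-not-linked"
        fi
    else
        echo "unlisted"
    fi
}

# Stand-alone use: sh ca_state.sh extra/letsencrypt.crt
if [ $# -gt 0 ]; then
    ca_state "$@"
fi
```

A result of deselected means dpkg-reconfigure needs to be run again with the certificate marked; unlisted means the file was never copied into /usr/share/ca-certificates or does not end in .crt.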
Hopefully this blog post will help you to get by this issue.