Securenode FAQs - Root CA installation
Hello zenophiles, and welcome to the second blog post.
I have been messaged a number of times on the zencash slack with similar questions about configuring a zencash node to be a securenode. And it looks like people are running into the same problems time and time again.
ROLF over at Blockoperations has written some excellent tutorials on how to set up a zencash securenode: part 1, part 2, and part 2.5. I use his tutorials as a guide whenever I build a new securenode so I do not forget something.
One of the most common issues that people seem to be experiencing is that their Root CA or full chain SSL certificate is not being installed to the trusted store. As a result, the zend daemon cannot verify your SSL certificate, and "tls_cert_verified": false is displayed when you run zen-cli getnetworkinfo.
Check to see if you have a /usr/share/ca-certificates/extra/ directory. If this directory does not exist, please run sudo mkdir /usr/share/ca-certificates/extra/.
Copy the Root CA into the /usr/share/ca-certificates/extra directory. This can be done by running:
sudo cp path/to/rootCA.file /usr/share/ca-certificates/extra/<your_ca>.crt
If you are using acme.sh, your Root CA will be found in ~/.acme.sh/<FQDN>/ca.cer, so your command would be:
sudo cp ~/.acme.sh/<FQDN>/ca.cer /usr/share/ca-certificates/extra/letsencrypt.crt
After copying your Root CA into /usr/share/ca-certificates/extra you need to execute the following:
sudo dpkg-reconfigure ca-certificates
This then presents the following screens:
People are then just pressing enter all the way through without actually enabling the new Root CA.
After the first screen and on the screen with the list of Certificates to activate, you must press spacebar to put an asterisk next to the certificate. You can see the difference between the previous image and the next.
Once you have the asterisk next to the new certificate you can press enter to install the certificate. You should then see something similar to this in the console:
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Processing triggers for ca-certificates (20161130) ...
Updating certificates in /etc/ssl/certs...
1 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Once you have done this, you will need to stop the zend daemon with zen-cli stop and then restart the daemon by running zend.
Now when you run zen-cli getnetworkinfo you should see "tls_cert_verified": true in the output.
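If "tls_cert_verified" is still false, the shell function below (an added example, not part of the original post or of the zencash tooling) reports at which step the Root CA installation stopped, including the case described above where the certificate was copied but never selected with the spacebar. The function name ca_state is made up for this example, and it assumes the standard Debian/Ubuntu ca-certificates layout: selections recorded in /etc/ca-certificates.conf and enabled certificates linked into /etc/ssl/certs as <name>.pem.

```shell
#!/bin/sh
# Added example: diagnose whether a Root CA placed in
# /usr/share/ca-certificates/extra was actually enabled.
# Usage (after sourcing this file): ca_state letsencrypt
#
# ca_state NAME [SHARE_DIR] [CONF_FILE] [CERTS_DIR]
# Prints one of: missing | disabled | unlinked | enabled
# The optional paths default to the Debian/Ubuntu locations (assumption)
# and exist so the check can be pointed at a test tree.
ca_state() {
    name=$1
    share=${2:-/usr/share/ca-certificates}
    conf=${3:-/etc/ca-certificates.conf}
    certs=${4:-/etc/ssl/certs}
    entry="extra/$name.crt"

    # The copy step: the .crt file must exist in the extra directory.
    if [ ! -f "$share/$entry" ]; then
        echo missing
        return
    fi

    # dpkg-reconfigure records the selection in ca-certificates.conf.
    # A bare "extra/NAME.crt" line means selected; a leading "!" (or no
    # line at all) means it was not enabled. -x matches whole lines only,
    # so "!extra/NAME.crt" does not count as a match.
    if ! grep -qxF "$entry" "$conf" 2>/dev/null; then
        echo disabled
        return
    fi

    # update-ca-certificates links each selected certificate into the
    # trust directory as NAME.pem. A missing or dangling link means the
    # update step did not complete.
    if [ ! -e "$certs/$name.pem" ]; then
        echo unlinked
        return
    fi

    echo enabled
}
```

A result of disabled means dpkg-reconfigure ca-certificates needs to be run again with the certificate selected; the zend daemon still has to be restarted afterwards, as described above.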
Hopefully this blog post will help you to get past this issue.
Kind regards