Using SSL with EOS.IO nodes
This is a guide on how to setup a secure HTTPS API using the built-in EOS http_plugin.
SSL support is available since 2018-04-27 release.
First of all you have to be on the DAWN-2018-04-27-ALPHA tag or newer.
If you run nodeos --version
it should output 2594537369. Otherwise you have to update.
To update please run on your eos repo clone:
$ cd [EOSIO_DIR]
$ git pull
$ git checkout DAWN-2018-04-27-ALPHA
$ git submodule update --recursive
$ ./eosio_build.sh
$ cd build
$ sudo make install
Obtaining a SSL certificate for your domain with Certbot / Let's Encrypt
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot
Certbot will need to listen on port 80 for the certificate generation challenge.
If you have any service using it please stop that first. Then run:
$ sudo certbot certonly --standalone --preferred-challenges http -d your-domain
Now copy the generated files to your testnet folder:
$ cd [TESTNET_FOLDER]
$ sudo cp /etc/letsencrypt/live/your-domain/fullchain.pem .
$ sudo cp /etc/letsencrypt/live/your-domain/privkey.pem .
$ sudo chown user:user fullchain.pem privkey.pem
Configure nodeos
Edit your config.ini
file and add the following lines:
https-server-address = 0.0.0.0:443
https-certificate-chain-file = /[TESTNET_FOLDER]/fullchain.pem
https-private-key-file = /[TESTNET_FOLDER]/privkey.pem
If you want to disable insecure HTTP completely just set (commenting out the line won't work)
http-server-address =
Start nodeos and go to https://your-domain/v1/chain/get_info
to check! You should have a green padlock in chrome showing a successful TLS connection.
If something went wrong please take a look on the first lines of your log file less stderr.txt
Good luck!
Thank you for this great howto guide!
One question: after adding https-server-address in config
do you need to disable existing http-server-address setting?
Ok just found by trying that if you keep http-server-address setting - RPC will run on both Http and Https protocols using ports specified for each.
You can not uncomment http-server-address setting but you can empty it's value to disable Http access:
http-server-address =
You can leave both protocols enabled. But if you want to disable HTTP, you have to set
http-server-address =
(commenting out the line will enable on default port)Great tutorial!
I've tried it a few times and I keep getting
https: Underlying Transport Error
after runningnodeos
. Has anyone else encountered this error following these steps?Note: When launching
nodeos
I successfully seeconfigured https to listen on 0.0.0.0:443 (TLS configuration will be validated momentarily)
.Thanks EOS Nation!
Can you verify if you are running on IPv6 mode on your network interface? This might be the reason for this error. Also try checking if you have ufw enable, if so please add a rule for that port.
I get the same error here,
Underlying Transport Error
, no ipv6, no ufw enabled on 443.