Node SSL Setup
Node SSL certificates support secure communication with sChain endpoints. By default, each node of a SKALE Chain listens on HTTP and WS ports. If SSL certs exist on the node, then HTTPS and WSS ports are also turned on.
Node SSL certificates aren’t required to start a node, register it, or create sChains. However, dApp developers using SKALE Chains need HTTPS/WSS endpoints to work with toolings such as API based wallets and other integrations. Therefore, SSL certificates are required for SKALE Network validator nodes.
Here’s an example of a step-by-step process of setting up validator node SSL.
To upload SSL certificates to the node, you’ll have to do a few steps on your side which may vary depending on your domain name provider, certificate authority, etc. See here for reference example of how use free Let’s Encrypt certificates.
The steps include: * getting domain names for each node. * issuing SSL certificates for them. * uploading certificates to the node. * setting up domain name for the node in the SKALE Manager smart contracts.
|This procedure will vary depending on your domain management service (Google Domains, GoDaddy, etc).|
The first thing you will need is the domain name. You’ll need one per node, so it makes sense to set up a subdomain for each one and set up redirects. Let’s say you own
awesome-validator.com and run two nodes with the following IP addresses, names, and redirects:
|Node name||Node IP||Redirect|
You can verify that redirects work by sending a request to the watchdog API on 3009 port using your domain name.
Once you have all redirects for your nodes, you can move to the SSL certificates. You will need SSL certs issued by one of the Trusted CAs. Once you’ve decided on the certificate issuer, you have several options - issue a separate certificate for each subdomain (node-0.awesome-validator.com, node-1.awesome-validator.com) or issue a single Wildcard SSL for all nodes (*.awesome-validator.com). As a result, you should have 2 main files saved and copied to the respective nodes:
Certificate file (usually called something like fullchain.pem or cert.pem)
Private key file (usually called something like privkey.pem, pk.pem)
Once you copied the certificate and private key file, all you have to do is to run the following command:
skale ssl upload -c $PATH_TO_CERT_FILE -k $PATH_TO_KEY_FILE
|Add -f flag to the command to override existing certificates on the node|
Once certificates are uploaded, you can check them by running:
skale ssl status
To set the domain name of the registered node with SKALE manager, execute the following node-cli command on each respective node:
skale node set-domain -d node-0.awesome-validator.com
See full reference for the
set-domain command here.
|In the recent version of the SKALE Manager smart contracts domain name is required during the node registration|
Be sure get a domain in advance to provide it when adding a new node to the network:
skale node register --ip 18.104.22.168 -d node-0.awesome-validator.com --name node-0-AV
If you already registered your node, then command will fail. If you are trying to set the domain for an already registered node, simply use
See full reference for the
register command here.
When choosing CA for getting your SSL certificate, consider a source that will be trusted by most major browsers, operating systems, and other devices.
Here’s a list of links that can help you with your decision:
List of major CA providers: https://en.wikipedia.org/wiki/Certificate_authority#Providers
CAs trusted by Mozilla: https://wiki.mozilla.org/CA/Included_Certificates
Also, here’s a list of the most popular and well-known SSL providers:
Besides that, usually, you could purchase an SSL certificate from your domain provider. That could be the most convenient way for you to manage everything from a single place:
Most of them usually providing you with a few options like RapidSSL and DigiCert.
|Certificates provided by Letsencrypt are widely used now and trusted by most operating systems and devices, so it’s OK to use them for your node, but don’t forget about renewals since Letsencrypt certs expire in 3 months. You can read more about Letsencrypt security and trust here: https://letsencrypt.org/certificates/ and https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html|
|Generally, Letsencrypt SSL certs are considered safe, but there are some opponents to the idea of a 'free SSL certs for everybody': https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801|
This brief tutorial shows you how to generate a wildcard SSL using Letsencrypt.