Where to get a certificate?


#1

I have cardano-sl running on an Amazon Linux EC2, and I’m trying to call it from my url example.com/api..etc however the ssl certificate that comes with cardano-sl (scripts/tls-files/ca.crt) is only valid for ‘localhost’.

Where can I get a free SSL certificate to use? I’ve looked at AWS Certificate Manager but that only provisions them for things like Beanstalk; you can’t actually download the cert to use on things like EC2.

I’ve also looked at Let’s Encrypt, and they don’t support Amazon Linux. I considered whipping up a new RHEL/Ubuntu EC2, but from what I read on the website the cert is only valid for certain web servers and directories; I’m not sure if I could use it for cardano-sl?

Thanks


#2

Here’s one that’s used widely


#3

Sorry, I see you already looked into Let’s Encrypt.

Amazon has its own CA but that one only works with Amazon scaling services.

On vanilla Linux the only good option perhaps is to use certbot with the dns option.


#4

By default, Cardano creates a startup script called connect-to-mainnet which generates a self-signed certificate for localhost if there is no existing cert available.
But that’s for a reason, and you should not open any public port; only play w/ Cardano SL’s API on your local machine or on a VM.

The pool staking would require some additional infrastructure (different type of nodes), registration and proper certificates.


#5

@_ilap Hey. Yep, that’s the script I used to generate the localhost certificate.

The “proper certificate” you refer to is what I’m trying to achieve. I’m not sure why you say I shouldn’t open this up to be accessed from a browser?


#6

For security reasons. Cardano has different types of nodes w/ different network topologies, e.g. Daedalus Wallet is an edge node where the backend opens the API’s port only on the loopback device (localhost), which prevents any connection from outside. The other example is the Explorer, which opens a public port w/ only limited API access (Cardano SL Explorer Web API).

So, if you start cardano-sl as an edge node backend on some public port and you create some wallet w/ some ADA in it, then anybody (who has a proper client cert) could steal your money if no spending password is set.

If you want to play w/ cardano-sl, use a VM, or generate a self-signed cert together w/ a client cert (signed w/ that self-signed cert’s key) and use that client cert (install it in your browser) to connect to the backend (not recommended).
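The certificate set the post above describes, as an added example that is not from this thread or from cardano-sl: one self-signed CA, a server certificate valid only for localhost (the same restriction the stock scripts/tls-files/ca.crt has), and a client certificate signed by the same CA so the backend can require client authentication instead of being open to anyone who reaches the port. The output directory, subject names and one-year validity are assumptions; it only needs a stock openssl binary.

```shell
#!/bin/sh
# Added example, not cardano-sl project code. Builds a dev CA, a
# localhost-only server cert and a CA-signed client cert with openssl.
set -eu

make_mtls_certs() {
  dir="$1"   # assumed output directory, e.g. ./tls-dev
  mkdir -p "$dir"
  # 1. Self-signed CA: the single trust anchor for both server and client.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=cardano-sl-dev-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Server key + CSR, then sign with the CA. The SAN pins the cert to
  #    localhost/127.0.0.1, so it is useless for a public hostname.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' \
    > "$dir/server.ext"
  openssl x509 -req -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
  # 3. Client key + cert signed by the same CA; this is what gets installed
  #    in the browser so the backend can reject unauthenticated clients.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=explorer-client" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl x509 -req -days 365 -in "$dir/client.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
  rm -f "$dir"/*.csr "$dir"/*.ext
}

# Exit 0 only if the leaf certificate chains to the CA in the directory.
verify_against_ca() {
  openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Exit 0 only if the certificate names the given DNS host in its SAN.
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}
```

The client key is as sensitive as the wallet behind it: anyone holding client.key and client.crt passes the check, which is why the thread still prefers keeping the backend on loopback or inside a VM.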


#7

Yes it’s the explorer that you linked that I’m trying to get working. As you say, it does open up to the public.

If I were to use a custom certificate, as you mention, how do I set the ./connect-to-mainnet to use that certificate?


#8

It depends on the installation. How did you install it? nix or build? If you built it, then prod or dev?


#9

I followed this guide for nix-build:


#10

So, you ran this for installing explorer: nix-build -A cardano-sl-explorer-static --cores 0 --max-jobs 2 --no-build-output --out-link master


#11

Sorry no I ran nix-build -A connectScripts.mainnetWallet -o connect-to-mainnet


#12

You should run this instead: nix-build -A connectScripts.mainnetExplorer -o connect-explorer-to-mainnet


#13

Okay, but either way I can’t see a way of using a custom certificate as per my original question.


#14

The answer depends on what you want to achieve. I am trying to explain it.

I have mentioned already that there are different configs together w/ some network topologies that represent a node. For example, the Explorer has both a frontend and a backend.

The frontend is the one that opens port 3100 to the public, while the backend (cardano-sl) uses localhost:8090, to which the frontend connects. So, there are two possible TLS (certificate) configs here.

  • Between the frontend and backend (similar to Daedalus Wallet) and
  • for the frontend (not required as it can be achieved w/ nginx, apache or similar config).

So, what I wanted to say previously is that you should never ever open cardano-sl’s port to the public for the Explorer and/or Daedalus. Unfortunately, I do not know the topology for the Pools (priv-, unpriv relay and core nodes), but I assume that core and the un/privileged nodes will use Kademlia w/o any opened ports to the public.

So, if you try to explain what you really want to achieve, then I could probably help.