Where to get a certificate?

Wazcov · 2018-07-01 14:26:29 UTC

I have cardano-sl running on an Amazon Linux EC2, and I’m trying to call it from my url example.com/api..etc however the ssl certificate that comes with cardano-sl (scripts/tls-files/ca.crt) is only valid for ‘localhost’.

Where can I get a free SSl certificate to use? I’ve looked at AWS Certificate Manger but that only provisions them for things like beanstalk, you can’t actually download the cert to use on things like EC2.

I’ve also looked at lets encrypt, and they don’t support Amazon Linux. I considered whipping up a new RHEL/Ubuntu EC2 but from what I read on the website, the cert is only valid for certain web servers and directories, I’m not sure if I could use it for cardano-sl?

Thanks

canopus · 2018-07-01 15:11:39 UTC

Here’s one that’s used widely

canopus · 2018-07-01 15:18:20 UTC

Sorry, I see you already looked into let’s encrypt

Amazon has its own CA but that one only works with Amazon scaling services.

On vanilla Linux the only good option perhaps is to use certbot with the dns option.

_ilap · 2018-07-01 15:42:50 UTC

In default, Cardano creates a startup script called connect-to-mainnet which generates a self-signed certificate for localhost if there is no any existing cert available.
But, that’s for reason and you should not open any public port and only play /w Cardano SL’s API on your local machine or on a VM.

The pool staking would require some additional infrastructure (different type of nodes), registration and proper certificates.

Wazcov · 2018-07-01 15:45:19 UTC

@_ilap Hey. Yep, that’s the script I used to generate the localhost certificate.

The “proper certificate” you refer to is what I’m trying to achieve. I’m not sure why you say I shouldn’t open this up to be accessed from a browser?

_ilap · 2018-07-01 16:16:20 UTC

For security reason. The cardano have different type of nodes w/ different network topologies e.g. Daedalus Wallet is an edge node where the backend opens the API’s port only on the loopback device (localhost), that prevents any connection from outside. The other example is the explorer, which opens a public port w/ only limited API access (Cardano SL Explorer Web API).

So, if you start cardano-sl as an edge node backend on some public port and you create some wallet w/ some ADA in it then anybody (who has a proper client cert) could steal your money if no spending password is set.

If you want play w/ cardano-sl use a VM, or generate a self signed cert together w/ a client cert (signed w/ that self signed cert’s key) and use that client cert (install it in your browser) to connect to the backend (not recommended).

Wazcov · 2018-07-01 17:22:17 UTC

Yes it’s the explorer that you linked that I’m trying to get working. As you say, it does open up to the public.

If I were to use a custom certificate, as you mention, how do I set the ./connect-to-mainnet to use that certificate?

_ilap · 2018-07-01 17:50:06 UTC

It depends on the installation. How did you install it? nix or build? if you built it then prod or dev?

Wazcov · 2018-07-01 17:52:06 UTC

I followed this guide for nix-build:

github.com

input-output-hk/cardano-sl/blob/develop/docs/how-to/build-cardano-sl-and-daedalus-from-source-code.md

# How to Build Cardano SL and Daedalus from Source Code

This manual describes how to build Cardano SL and Daedalus from the source code.

## Cardano SL and Daedalus

Cardano SL consists of a collection of binaries that constitute
the backend and the Electron-based wallet called “Daedalus”.

The source code of Cardano SL can be obtained from the
[official repository](https://github.com/input-output-hk/cardano-sl).

Cardano SL supports two ways for building itself:

-   (preferred) [Nix](https://nixos.org/nix/) package manager (backed by a binary cache by IOHK continuous integration)
-   [Stack](https://haskellstack.org) with Nix for system libraries

In any case, we strongly suggest using [Nix package manager](https://nixos.org/nix/download.html)
to get the correct dependencies for building Cardano SL. It will fetch the correct `openssl` version,
but won't override the system-installed version. The following commands assume that you already have

This file has been truncated. show original

_ilap · 2018-07-01 17:57:26 UTC

So, you ran this for installing explorer: nix-build -A cardano-sl-explorer-static --cores 0 --max-jobs 2 --no-build-output --out-link master

Wazcov · 2018-07-01 18:02:06 UTC

Sorry no I ran nix-build -A connectScripts.mainnetWallet -o connect-to-mainnet

_ilap · 2018-07-01 18:08:08 UTC

You should run this instead: nix-build -A connectScripts.mainnetExplorer -o connect-explorer-to-mainnet

Wazcov · 2018-07-01 18:10:27 UTC

okay but either way I can’t see a way of using a custom certificate as per my original question

_ilap · 2018-07-01 18:47:40 UTC

The answer is depends on what you want to achieve. I am trying to explain it.

I have mentioned already, that there are different configs together w/ some network topologies that represent a node. For example Explorer, has a frontend and a backend either.

The frontend is which opens the port 3100 for public, while the backend (cardano-sl) uses the localhost:8090 to which the frontend connects to. So, there are two possible TLS (certificate) config here.

Between the frontend and backend (similar to Daedalus Wallet) and
for the frontend (not required as it can be achieved w/ ngix, apache or similar config).

So, what I wanted to say previously, that you should never ever open cardano-sl’s port to public for the Explorer and/or Daedalus. Unfortunately, I do not know the topology for the Pools (priv-, unpriv relay and core nodes), but I assume that core and the un/privileged nodes will use Kadmelia wo/ any opened ports to public.

So, if you try to explain what you really want ot achieve then I could probably help.