Custom Hosts

ARKVault allows you to set up your own custom hosts if so desired. The following information outlines the various approaches you can use in order to set up custom hosts.

Use Your Own SSL Certificate with a Domain (Recommended #1)

Information

We recommend using both a domain and SSL certificate together with Cloudflare to allow for the most secure setup for your custom host. While Cloudflare is not a prerequisite, it gives you the benefit of free DDoS protection.

Create DNS A record (yourDomain) pointing to your node IP address. Ensure you have all CRT files (Intermediate 3, Intermediate 2, Intermediate 1 and Root Certificate) from the issuer along with your own CRT file in a single location.

1Example file names:
2# Root CA Certificate - AddTrustExternalCARoot.crt
3# Intermediate CA Certificate 1 - UTNAddTrustSGCCA.crt
4# Intermediate CA Certificate 2 - ComodoUTNSGCCA.crt
5# Intermediate CA Certificate 3 - EssentialSSLCA_2.crt
6# Your SSL Certificate - yourDomain.crt

Create a bundle file that contains all of these files.

Example:

cat yourDomain.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt >> yourDomain-bundle.crt


Create a folder and copy the newly-created bundle crt and key files into it.

Example:

1sh
2mkdir ~/ssl
3cp /path/to/yourDomain-bundle.crt /path/to/yourDomain.key ~/ssl

Add the necessary variables to your .env(/.config/ark-core/mainnet/.env) file.

Example:

1CORE_API_SSL=true
2CORE_API_SSL_HOST=0.0.0.0
3CORE_API_SSL_PORT=443
4CORE_API_SSL_KEY=~/ssl/yourDomain.key
5CORE_API_SSL_CERT=~/ssl/yourDomain.crt

Upon restarting Core, your logs should indicate that an HTTPS server has initialized.

Example:

INFO: Public API (HTTPS) Server started at https://0.0.0.0:443

Let’s Encrypt SSL Certificate with a Domain (Recommended #2)

Create DNS A record (yourDomain) pointing to your node IP address.

Attention

Cloudflare users need to turn off host protection/proxy during the initial setup.

Install Certbot.

sudo apt-get update && sudo apt-get install certbot


Obtain your certificate.

sudo certbot certonly --standalone --preferred-challenges http -d yourDomain


When executing the command, a prompt will appear requesting that you enter an email address and agree to the terms of service. Upon doing so, a message should appear informing you that the process completed successfully and reveal the location in which your certificates are stored. The location should resemble the following:

/etc/letsencrypt/live/yourDomain so /etc/letsencrypt/live/yourDomain/fullchain.pem is your CRT bundle file and /etc/letsencrypt/live/yourDomain/privkey.pem is your key file.


Create a user-readable folder and copy the bundle and key files. You will then need to set the correct permissions.

1sh
2mkdir ~/letsencrypt
3sudo cp /etc/letsencrypt/live/yourDomain/fullchain.pem ~/letsencrypt
4sudo cp /etc/letsencrypt/live/yourDomain/privkey.pem ~/letsencrypt
5sudo chown -R $USER:$GROUP ~/letsencrypt

Add the necessary variables to your .env (/.config/ark-core/mainnet/.env) file.

Example:

1env
2CORE_API_SSL=true
3CORE_API_SSL_HOST=0.0.0.0
4CORE_API_SSL_PORT=443
5CORE_API_SSL_KEY=~/letsencrypt/privkey.pem
6CORE_API_SSL_CERT=~/letsencrypt/fullchain.pem

Upon restarting Core, your logs should indicate that an HTTPS server has initialized.

Example:

INFO: Public API (HTTPS) Server started at https://0.0.0.0:443


Handle automated Let’s Encrypt renewals.

Attention

You must execute the following steps as root user.

sudo -i


Create post-renew.sh using the following content:

1#!/usr/bin/env bash
2DOMAIN=yourDomain #<= set your domain
3CORE_USER=user #<= set the user Core runs with
4CORE_GROUP=group #<= set the core user group
5
6cp /etc/letsencrypt/live/$DOMAIN/fullchain.pem /home/$CORE_USER/letsencrypt
7cp /etc/letsencrypt/live/$DOMAIN/privkey.pem /home/$CORE_USER/letsencrypt
8chown -R $CORE_USER:$CORE_GROUP /home/$CORE_GROUP/letsencrypt
9su - $CORE_USER -c "pm2 restart all"

Move the script into your /root folder and set executable flag: chmod +x /root/post-renew.sh.


Edit the renewal config /etc/letsencrypt/renewal/yourDomain.conf by appending the following line:

renew_hook = /root/post-renew.sh

Ensure the renewal does not result in any errors by running certbot renew --dry-run.


If successful, proceed with adding a cronjob for root.

echo "0 12 * * * /usr/bin/certbot renew -q" | crontab -


Upon completing the setup, you can return to the user shell.

exit

Success

Cloudflare users can now turn host protection/proxy back on.

Self-Signed Certificates (Not Safe, Not Recommended)

Danger

Due to the security concerns associated with this setup, it is not recommended. As such, if you choose to use this approach, you do so at your own risk.

Modern Browsers do not allow communication between HTTPS and HTTP hosts since there is no means of encrypting the connection. However, you can bypass this if so desired (for example, by using the bypass phrase thisisunsafe in Chromium browsers).

If you still wish to use a self-signed certificate despite that fact modern browsers will treat it as untrusted, then use the following setup:

Create a new directory and cd into it.

1mkdir ark-ssl-core-api
2cd ark-ssl-core-api

Generate a key and certificate.

1openssl genrsa -out yourDomain.key
2openssl req -new -key yourDomain.key -out yourDomain.csr
3openssl x509 -req -days 365 -in yourDomain.csr -signkey yourDomain.key -out yourDomain.crt

Configure Core to use the certificate.

1CORE_API_SSL=true
2CORE_API_SSL_HOST=0.0.0.0
3CORE_API_SSL_PORT=8443
4CORE_API_SSL_KEY=~/ssl/yourDomain.key
5CORE_API_SSL_CERT=~/ssl/yourDomain.crt
Last updated 2 years ago
Edit Page
Share: