Super & Secure Nodes Installation Instructions


#1

Dear ZenCash Community Members,

We significantly appreciate that you are so interested in our Secure Nodes.

While Super Nodes are coming and you are asking for installation instructions, we are more than happy to present you with the current consolidated installation instructions for Secure Nodes and Super Nodes, located at:

https://zencash.atlassian.net/wiki/spaces/ZEN/pages/7537322/Installation

Thank you for staying with us!:kissing_heart::+1:

On behalf of @Spencer and the ZenCash Secure & Super Node Team and Documentation Team, who did an absolutely great job
Kamila
Community Project Manager of ZenCash


#2

For me the certificate step did not work as expected on a Debian 9 system. I get "tls_cert_verified": false, even though my certificate is issued without problems. (Had to replace domain.tld with domain dot tld in the paste.)

openssl shows:
> [email protected]:/root$ openssl s_client --connect 127.0.0.1:9033
> CONNECTED(00000003)
> depth=0 CN = zend.wirhabenstil dot de
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = zend.wirhabenstil dot de
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=zend.wirhabenstil dot de
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> […]
> subject=/CN=zend.wirhabenstil dot de
> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> ---
> No client certificate CA names sent
> Client Certificate Types: RSA sign, DSA sign, ECDSA sign
> Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
> Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
> Peer signing digest: SHA512
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2232 bytes and written 281 bytes
> Verification error: unable to verify the first certificate
> […]
> Start Time: 1531987613
> Timeout : 7200 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> Extended master secret: yes

For other systems where I use Let's Encrypt certificates, the whole chain is sent:

> [email protected]:/root$ openssl s_client --connect blog.wirhabenstil dot de:443
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = blog.wirhabenstil dot de
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=blog.wirhabenstil dot de
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>  1 s:/CN=blog.wirhabenstil dot de
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>  2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
> Server certificate
> [..]

Any idea how to solve this?


#3

I ended up using stunnel and socat to terminate TLS. The zencash client seems to send only the leaf certificate and not the chain, which breaks the openssl check. Now I finally get:

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = zend.wirhabenstil dot de
verify return:1
---
Certificate chain
 0 s:/CN=zend.wirhabenstil dot de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
[..]
    Verify return code: 0 (ok)
    Extended master secret: yes
---

Only need to patch zen/utiltls.cpp to verify my cert by adding STACK_OF(X509) *chain to X509_STORE_CTX_init or simply always returning 1. Guess which way I will go :wink:

Edit:
"tls_cert_verified": true,
:wink:
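
The check that posts #2 and #3 do by eye, as an added example that is not part of any post or of the ZenCash code: the function reads `openssl s_client` output and reports how many certificates the server sent and whether a failed verification matches the leaf-only pattern (verify codes 20/21). The function names, the host `node.example.org` and both sample outputs are constructed for illustration.

```shell
# Added example: summarise `openssl s_client` output read from stdin.
# Prints: sent=<certs sent by server> code=<verify return code> verdict=<result>
chain_report() {
  awk '
    /^Certificate chain/        { in_chain = 1; next }
    in_chain && /^---/          { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/  { sent++ }      # one "N s:<subject>" line per certificate sent
    /Verify return code:/ {
      code = $0
      sub(/.*Verify return code: */, "", code)  # keep "21 (unable to ...)"
      sub(/ .*/, "", code)                      # keep "21"
    }
    END {
      if (code == "")        verdict = "no-verify-result"
      else if (code == "0")  verdict = "ok"
      else if (sent == 1 && (code == "20" || code == "21"))
                             verdict = "leaf-only"  # issuer was not sent, so no path to a root
      else                   verdict = "verify-failed"
      printf "sent=%d code=%s verdict=%s\n", sent, code, verdict
    }'
}
# Constructed sample: server sends only the leaf (the failing case in this thread).
sample_leaf_only() {
  cat <<'EOF'
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/CN=node.example.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}
# Constructed sample: server sends leaf plus intermediate (the working case).
sample_full_chain() {
  cat <<'EOF'
---
Certificate chain
 0 s:/CN=node.example.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
    Verify return code: 0 (ok)
EOF
}
sample_leaf_only  | chain_report
sample_full_chain | chain_report
```

Against a live node, pipe the output of `openssl s_client -connect <host>:<port> </dev/null 2>&1` into `chain_report`; a `leaf-only` verdict means the server needs to be configured with the full chain file rather than the leaf certificate alone.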


#4

Hello, documentation team,
Just wanted to say a big THANK YOU for the very professional instructions you provided. I just completed the test installation of a super node.

Thanks also to the systems management folks who created a much more streamlined installation process that resulted in a more Zen-centric application environment. Great job, folks! Great job!


#5

Hi @DarkStar,

Thank you very much for these kind words 👍 Our engineers are amazing and they were very pleased by your compliments 😊 I’m more than happy that you appreciate their work.

On behalf of the ZenCash team, many thanks again! :kiss:

Warm regards,
Kamila
Community Project Manager of ZenCash