The Problem

By default, when deploying an EOSIO node, the eosio::http_plugin for nodeos binds a plaintext HTTP listener to a port of your choosing, so API traffic (and anything in it) crosses the network unencrypted. The following is an extract from the config.ini running on a newly deployed host.

FYI, there are multiple ways to run nodeos. My preference is to keep the configuration in config.ini; however, you can also start the software directly from the CLI and pass the same options as flags. In the future I plan to post on my process for starting, stopping and replaying nodes.

# The name supplied to identify this node amongst the peers. (eosio::net_plugin)
agent-name = yourbp

# ID of producer controlled by this node (e.g. inita; may specify multiple times) (eosio::producer_plugin)
# producer-name = yourbp

# The local IP and port to listen for incoming http connections; set blank to disable. (eosio::http_plugin)
http-server-address = 0.0.0.0:8888

# The actual host:port used to listen for incoming p2p connections. (eosio::net_plugin)
p2p-listen-endpoint = 0.0.0.0:9876

# Plugin(s) to enable, may be specified multiple times
plugin = eosio::http_plugin
plugin = eosio::chain_plugin
plugin = eosio::chain_api_plugin
plugin = eosio::db_size_api_plugin
.... More ... 

HTTPS Configuration

In order to set up your node for HTTPS, you require an SSL certificate. This can be a publicly signed certificate, Let's Encrypt, or even a certificate from an enterprise certificate service. For info on how to set up Let's Encrypt, check out this great Telos article.

Once you’ve sorted your SSL certificate, you then need to update the config.ini to look something like the below. In my case, I’m binding HTTPS to port 9999 so I can start nodeos as a standard user, rather than a superuser. Port 443 is exposed publicly via a load balancer, nodes are not exposed directly to the Internet.

# The name supplied to identify this node amongst the peers. (eosio::net_plugin)
agent-name = yourbp

# ID of producer controlled by this node (e.g. inita; may specify multiple times) (eosio::producer_plugin)
# producer-name = yourbp

# The local IP and port to listen for incoming https connections; set blank to disable. (eosio::http_plugin)
https-server-address = 0.0.0.0:9999

# Alias to ip address and FQDN
http-alias = <ipaddress>:9999
http-alias = <fqdn>:9999

https-certificate-chain-file = <path>/certificate.crt
https-private-key-file = <path>/certificate.key

# The actual host:port used to listen for incoming p2p connections. (eosio::net_plugin)
p2p-listen-endpoint = 0.0.0.0:9876

# Plugin(s) to enable, may be specified multiple times
plugin = eosio::http_plugin
plugin = eosio::chain_plugin
plugin = eosio::chain_api_plugin
plugin = eosio::db_size_api_plugin
.... More ... 
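As an added example (not code from the original post), here is a small Python checker that parses a nodeos-style config.ini and flags the plaintext listener from the first extract while passing the HTTPS version; the FQDN and certificate paths in the embedded samples are constructed placeholders, and the key-permission check assumes a POSIX host.

```python
from pathlib import Path

# Constructed samples condensed from the post's "before" and "after" config.ini extracts.
INSECURE_CFG = """\
agent-name = yourbp
http-server-address = 0.0.0.0:8888
p2p-listen-endpoint = 0.0.0.0:9876
plugin = eosio::http_plugin
plugin = eosio::chain_plugin
"""
HARDENED_CFG = """\
agent-name = yourbp
https-server-address = 0.0.0.0:9999
http-alias = node.example.org:9999
https-certificate-chain-file = /etc/nodeos/certificate.crt
https-private-key-file = /etc/nodeos/certificate.key
p2p-listen-endpoint = 0.0.0.0:9876
plugin = eosio::http_plugin
"""

def parse_config(text):
    """Parse 'key = value' lines ('#' comments, repeatable keys) into a dict of value lists."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg

def audit_http_plugin(cfg):
    """Return findings about the eosio::http_plugin listeners; an empty list means no issue."""
    findings = []
    http = cfg.get("http-server-address", [""])[0]
    https = cfg.get("https-server-address", [""])[0]
    if http:  # any non-blank value keeps the plaintext listener alive, even beside HTTPS
        scope = "all interfaces" if http.rsplit(":", 1)[0] in ("0.0.0.0", "::") else "localhost/other"
        findings.append(f"plaintext HTTP listener enabled on {scope} ({http})")
    if https:
        for key in ("https-certificate-chain-file", "https-private-key-file"):
            if not cfg.get(key, [""])[0]:
                findings.append(f"{key} missing; nodeos cannot serve TLS without it")
    elif not http:
        findings.append("no HTTP or HTTPS listener configured; API disabled")
    return findings

def check_key_mode(mode):
    """Flag a private key whose permission bits allow group/other access (expect 0600)."""
    if mode & 0o077:
        return f"private key mode {oct(mode & 0o777)} allows group/other access; use 0600"
    return None

def audit_key_file(path):
    """Convenience wrapper: stat the configured key file and apply check_key_mode."""
    return check_key_mode(Path(path).stat().st_mode)
```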

Restart nodeos

Before the changes take effect, you need to restart nodeos. A quick way to do that is below. Later I’ll post more about this process.

pkill nodeos
nodeos <this starts it in the local directory; adjust based on your configuration>

Test

To test the configuration, point cleos (the eosio CLI tool, see my last post for details) at the host and use the HTTPS port 9999.

cleos -u https://<yournode>:9999 get info

If you're using a publicly signed certificate, say Let's Encrypt, it should work straight up. If you're using an Enterprise CA that the client machine doesn't trust, you may need to use the following command.

cleos --no-verify -u https://<yournode>:9999 get info

This one skips SSL certificate verification entirely, so use it at your own risk.