
Obtaining TLS certificate

Note

This information can be used by STRATO node administrators.

Problem Statement

A STRATO node runs both as a peer-to-peer (P2P) network peer and as a web server (for API and Dashboard access).

For secure communication, STRATO should be served over HTTPS. This requires a TLS certificate for each node's domain name.

In some cases administrators already hold a wildcard certificate that covers every sub-domain one level down, e.g. *.example.com, and use it to run nodes on:

  • node1.example.com
  • node2.example.com
  • etc.

However, such a certificate still has to be renewed by hand when it expires, and a wildcard only matches a single label, so *.example.com does not cover names one level deeper, such as:

  • node1.strato.example.com
  • node2.strato.example.com
  • etc.

Running nodes on those names would require either a new wildcard certificate for *.strato.example.com or a separate certificate for each domain name from the Certificate Authority.

Let's Encrypt

The standard way to automate certificate management is to use Certbot with the Let's Encrypt Certificate Authority.

To implement and simplify the process, BlockApps has created the BlockApps Letsencrypt Tool.

Follow the steps in the README.md file in the GitHub repository to set up automated certificate renewal for a STRATO node.

Certificate for STRATO Application

The tool can also renew the certificate used by your own Application, for the case where that Application runs on the same host as STRATO.

Note

The tool's scripts also illustrate the certificate renewal process in general and can serve as a starting point for a custom solution if you need one.

Update Certificate Manually on a Live Node

If you are not using the Letsencrypt Tool and need to replace the certificate and private key on a live STRATO node by hand, follow these steps:

  1. Copy the certificates into the STRATO Nginx container:
    sudo docker cp /path/to/server.pem strato_nginx_1:/etc/ssl/certs/server.pem
    sudo docker cp /path/to/server.key strato_nginx_1:/etc/ssl/private/server.key
    
  2. Reload the Nginx configuration (STRATO's Nginx runs on the OpenResty platform, which is built on top of Nginx):
    sudo docker exec strato_nginx_1 openresty -s reload
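The script below is an added example; it is not code from the STRATO docs and it is not the BlockApps Letsencrypt Tool. It wraps the two manual steps above in pre-flight checks a practitioner would want before touching a live node: that the certificate and private key actually belong together, that the certificate covers the node's hostname, and that it is not about to expire, then it validates the Nginx configuration with `openresty -t` before asking for a reload. The same script can be installed as a Certbot deploy hook for the automated setup described under Let's Encrypt, using the `RENEWED_LINEAGE` and `RENEWED_DOMAINS` variables that Certbot exports to hooks. The container name `strato_nginx_1` and the `/etc/ssl` paths are taken from the page; the hostname argument, the `deploy`/`hook` sub-commands and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the STRATO docs and not the BlockApps Letsencrypt
# Tool): validate a certificate/key pair, push it into the STRATO Nginx
# container and reload OpenResty. Container name and paths come from the
# docs page; everything else here is an assumption of this example.
set -eu

# 0 if the certificate's public key is the one derived from the private key
# (compares the PEM-encoded public keys); non-zero on mismatch or read error.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is still valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 if the certificate's SAN (or CN, when no DNS SAN is present) covers host $2.
# openssl prints "Hostname X does match certificate" or "... does NOT match ...".
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
    | grep -q "does match certificate"
}

# Copy a validated pair into the container and reload. The config test
# (openresty -t) runs first so a bad file cannot take the live node down.
deploy_cert() {
  cert="$1"; key="$2"; host="$3"; container="${4:-strato_nginx_1}"
  cert_key_match "$cert" "$key" || { echo "certificate/key mismatch" >&2; return 1; }
  cert_covers_host "$cert" "$host" || { echo "certificate does not cover $host" >&2; return 1; }
  cert_valid_for_days "$cert" 1 || { echo "certificate expires within a day" >&2; return 1; }
  sudo docker cp "$cert" "$container:/etc/ssl/certs/server.pem"
  sudo docker cp "$key" "$container:/etc/ssl/private/server.key"
  sudo docker exec "$container" openresty -t
  sudo docker exec "$container" openresty -s reload
}

# Manual use:   sh update_cert.sh deploy /path/to/server.pem /path/to/server.key node1.example.com
# Certbot hook: certbot renew --deploy-hook "/path/to/update_cert.sh hook"
if [ "${1:-}" = "deploy" ]; then
  shift
  deploy_cert "$@"
elif [ "${1:-}" = "hook" ]; then
  # Certbot sets RENEWED_LINEAGE to the live/<name> directory of the renewed
  # certificate and RENEWED_DOMAINS to its space-separated domain list.
  deploy_cert "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" \
    "${RENEWED_DOMAINS%% *}"
fi
```

When used as a Certbot hook the script copies `fullchain.pem`, not `cert.pem`, because Nginx needs the intermediate chain in the same file as the leaf certificate. Keep the private key readable only by root on the host; `docker cp` preserves the file's mode inside the container.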