How to configure Secure Websockets

General

Secure WebSockets should be used for production environments. This requires an SSL certificate. You can either purchase an SSL certificate from one of the known providers or use Let’s Encrypt and deploy a webhook for automatic renewal.

The locations of the PEM files need to be specified in casinocoind.cfg; we suggest putting them in /opt/casinocoind/ssl/. You need to ensure permissions and ownership are set correctly via chmod and chown.

ssl_key = /opt/casinocoind/ssl/privkey.pem
ssl_cert = /opt/casinocoind/ssl/cert.pem
ssl_chain = /opt/casinocoind/ssl/fullchain.pem

DNS needs to be set up so that the hostname resolves to the host’s IP address; otherwise Let’s Encrypt cannot issue a certificate.

Using Let’s Encrypt

In order to use Let’s Encrypt you need to allow incoming connections on ports 80 and 443. This needs to be configured on your firewall. The daemon should be stopped while the changes are applied, or restarted once they are done.

1.1 Install Let’s Encrypt certbot

sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

1.2 Obtain an SSL certificate

sudo certbot certonly

You will be prompted to choose whether you want to spin up a temporary web server or use an existing web server if one is already installed. We suggest using a temporary one. Next, enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for. For more information on certbot, please see https://certbot.eff.org/docs/using.html#standalone

1.3 Configure casinocoind to use the Let’s Encrypt certificates

Ensure that /opt/casinocoind/ssl exists.

sudo mkdir /opt/casinocoind/ssl

Copy the obtained certificates into the correct locations and set the permissions.

YOURFULLTLD needs to be replaced with your FQDN (Fully Qualified Domain Name) that points to the system.

sudo cp /etc/letsencrypt/live/YOURFULLTLD/privkey.pem /opt/casinocoind/ssl/privkey.pem
sudo cp /etc/letsencrypt/live/YOURFULLTLD/cert.pem /opt/casinocoind/ssl/cert.pem
sudo cp /etc/letsencrypt/live/YOURFULLTLD/fullchain.pem /opt/casinocoind/ssl/fullchain.pem
sudo chown casinocoind:root /opt/casinocoind/ssl/*

The daemon then needs to be started or restarted.
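Before starting the daemon it is worth checking that the three files are in place, owned by the daemon user, not readable by other users, and that cert.pem actually belongs to privkey.pem (a mismatched pair is the usual reason a daemon starts but cannot complete a TLS handshake). The script below is an added example and not part of the CasinoCoin documentation; it assumes the paths and the casinocoind owner from this page and uses the openssl command-line tool for the key/certificate comparison (skipped if openssl is not installed). The function names are the example’s own. Keep in mind that certbot only executes the deploy hook from step 1.4 when a certificate is actually renewed, so it pays to re-run this check after the first real renewal.

```shell
#!/bin/sh
# Added example, not part of the CasinoCoin documentation: sanity-check the PEM
# files that casinocoind.cfg points at before starting or restarting the daemon.
# Assumptions: the directory and file names from this page (/opt/casinocoind/ssl,
# privkey.pem, cert.pem, fullchain.pem) and the owner "casinocoind" from step 1.3.
# The function names below are this example's own.

# A PEM file must exist and be non-empty.
check_pem_file() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    [ -s "$1" ] || { echo "empty: $1"; return 1; }
}

# The "others" permission bits (columns 8-10 of ls -l output) must all be
# unset, which is what umask 077 / chmod 400 in the deploy hook produce.
not_world_readable() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# The file must be owned by the daemon's user (column 3 of ls -l output).
owned_by() {
    [ "$(ls -ld "$1" | awk '{print $3}')" = "$2" ]
}

# Compare the public key embedded in the certificate ($1) with the public key
# derived from the private key ($2).
# Returns 0 on match, 1 on mismatch or unreadable input, 2 if openssl is absent.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run every check against one directory (default: the page's ssl directory and
# owner). Prints each problem found; returns 1 if there was any, 0 otherwise.
check_ssl_dir() {
    dir=${1:-/opt/casinocoind/ssl}
    owner=${2:-casinocoind}
    rc=0
    for name in privkey.pem cert.pem fullchain.pem; do
        check_pem_file "$dir/$name" || { rc=1; continue; }
        owned_by "$dir/$name" "$owner" || { echo "wrong owner: $dir/$name"; rc=1; }
        not_world_readable "$dir/$name" || { echo "readable by others: $dir/$name"; rc=1; }
    done
    if [ "$rc" -eq 0 ]; then
        kc=0
        key_matches_cert "$dir/cert.pem" "$dir/privkey.pem" || kc=$?
        case $kc in
            0) echo "ok: cert.pem and privkey.pem belong together" ;;
            1) echo "MISMATCH: cert.pem and privkey.pem do not belong together"; rc=1 ;;
            2) echo "skipped key/cert comparison: openssl not installed" ;;
        esac
    fi
    return "$rc"
}

# Usage: sh check_ssl.sh [directory] [owner]
# With no arguments only the functions are defined, so the file can also be sourced.
if [ $# -gt 0 ]; then
    check_ssl_dir "$@"
fi
```

Run it as root (or as the casinocoind user) so that the 400-mode files can be read for the comparison; a non-zero exit status means at least one problem was printed.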

1.4 Deploy webhook for automatic certificate renewal.

Ensure all files exist at the correct locations.

YOURUSERNAME needs to be replaced with the name of the user you are working as.

touch /home/YOURUSERNAME/deployhook.sh
touch /home/YOURUSERNAME/ssl.log

Ensure permissions and ownership on the files are set correctly.

sudo chown YOURUSERNAME:root /home/YOURUSERNAME/deployhook.sh && sudo chmod 655 /home/YOURUSERNAME/deployhook.sh
sudo chown YOURUSERNAME:root /home/YOURUSERNAME/ssl.log && sudo chmod 655 /home/YOURUSERNAME/ssl.log

Edit the deployhook.sh file and insert the following code.

YOUR.CRNDOMAIN.XYZ needs to be replaced with your FQDN (Fully Qualified Domain Name) that points to the system.

#!/bin/sh
# certbot exports RENEWED_DOMAINS and RENEWED_LINEAGE to the deploy hook.
echo "$RENEWED_DOMAINS"
set -e
for domain in $RENEWED_DOMAINS; do
        case $domain in
        YOUR.CRNDOMAIN.XYZ)
                daemon_cert_root=/opt/casinocoind/ssl
                # Make sure the certificate and private key files are never world readable,
                # even just for an instant while we're copying them into daemon_cert_root.
                echo "$RENEWED_LINEAGE"
                echo "$daemon_cert_root"
                umask 077
                cp "$RENEWED_LINEAGE/fullchain.pem" "$daemon_cert_root/fullchain.pem"
                cp "$RENEWED_LINEAGE/cert.pem" "$daemon_cert_root/cert.pem"
                cp "$RENEWED_LINEAGE/privkey.pem" "$daemon_cert_root/privkey.pem"
                # Apply the proper file ownership and permissions for the daemon to read
                # its certificate and key (the same owner as used in step 1.3).
                chown casinocoind "$daemon_cert_root/fullchain.pem" \
                        "$daemon_cert_root/cert.pem" \
                        "$daemon_cert_root/privkey.pem"
                chmod 400 "$daemon_cert_root/fullchain.pem" \
                        "$daemon_cert_root/cert.pem" \
                        "$daemon_cert_root/privkey.pem"
                # Restart the daemon so it picks up the renewed certificate.
                systemctl restart casinocoind
                ;;
        esac
done

You can verify the hook is working with the following command:

sudo certbot renew --deploy-hook /home/YOURUSERNAME/deployhook.sh >> /home/YOURUSERNAME/ssl.log && date >> /home/YOURUSERNAME/ssl.log

If it is working, it will output this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal

1.5 Enable automatic execution of the webhook via crontab

Edit your system’s crontab.

sudo crontab -e

You might be prompted to pick an editor to modify the crontab; pick the one that fits your needs. If you are unsure, we suggest nano.

At the very end of the file insert:

0 0 * * * certbot renew --deploy-hook /home/YOURUSERNAME/deployhook.sh >> /home/YOURUSERNAME/ssl.log && date >> /home/YOURUSERNAME/ssl.log