Nyzo techSetup instructionsWeb listener HTTPS

Web listener HTTPS

These instructions apply to all run modes using the WebListener. Certificates from any authority may be used, but these instructions use Let's Encrypt because it is free and easy to use.

These instructions assume that certbot is not yet installed on a system and no certificate has yet been obtained. The process will differ for certificate renewal. Also, be aware that Let's Encrypt certificates are only valid for 3 months and automatic renewal is not yet implemented.

Before beginning, ensure that your Nyzo software is at version 571 or later and ensure the WebListener is running.

Install certbot.

sudo apt install certbot -y

Create the temporary web-forwarding directory.

sudo mkdir /var/lib/nyzo/production/webTemp

Run certbot to obtain a certificate. This example is for client.nyzo.co.

sudo certbot certonly

The first question asks about how to authenticate.

How would you like to authenticate with the ACME CA?

Choose option 2.

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

You may enter your email address, if you choose to do so. This example uses nyzo@nyzo.co.

Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): nyzo@nyzo.co

You must next agree to the terms of service.

(A)gree/(C)ancel: A

You are then asked whether you want to share your email address with the Electronic Frontier Foundation. You may choose either option.

Next, you need to provide the domain or domains for which you want a certificate. This example is for client.nyzo.co.

Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): client.nyzo.co

You will then be asked for the webroot for the domain you provided. This is the Nyzo webTemp directory:

Input the webroot for client.nyzo.co: (Enter 'c' to cancel): /var/lib/nyzo/production/webTemp

If everything is working properly, you will see a notice saying that your certificate was created. This example is for client.nyzo.co.

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/client.nyzo.co/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/client.nyzo.co/privkey.pem
Your cert will expire on 2020-05-18. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"

Next, export the certificate to a Java keystore file. This example is for client.nyzo.co, using a certificate named mycertificate and writing to the file /var/lib/nyzo/production/ssl-keystore.p12.

sudo openssl pkcs12 -export -inkey /etc/letsencrypt/live/client.nyzo.co/privkey.pem -in /etc/letsencrypt/live/client.nyzo.co/fullchain.pem -name mycertificate -out /var/lib/nyzo/production/ssl-keystore.p12

You will be asked to choose and verify an export password. Next, add the following two lines to /var/lib/nyzo/production/preferences. This example is for a keystore file located at /var/lib/nyzo/production/ssl-keystore.p12 with an export password of myexportpassword.

web_listener_keystore_path=/var/lib/nyzo/production/ssl-keystore.p12

web_listener_keystore_password=myexportpassword

Reload your Nyzo software.

sudo supervisorctl reload

Finally, if you want to deactivate the temporary web directory, remove it now. This directory will need to be recreated the next time certbot is run.

sudo rmdir /var/lib/nyzo/production/webTemp