###### tags: `DevOps` `Symbol Infrastructure` # Symbol Bootstrap HTTPS Upgrade This page describes how community members can upgrade their current nodes to support HTTPS. The plan is to migrate all the Dual and Api nodes from HTTP port 3000 to HTTPS port 3001. We would leave both ports open for a little bit while Symbol and community apps and nodes are migrated over. HTTPS would be required, if not, Explorer won't be able to list your node in the [node list](http://explorer.symbolblockchain.io/nodes), the Desktop Wallet may require it and users may not want to use a non SSL node when connecting to the Symbol network. ## Option 1: Native Rest SSL If you like to use your SSL certificates, you can do so by providing the Base64 of the of Key and Crt files to Bootstrap via a custom preset. Add the `gateways:` section to your custom preset file: ``` # more properties nodes: - friendlyName: My Awesome Node host: my.awesomenode.mycompany.net # more properties gateways: # ADD THIS SECTION - restProtocol: HTTPS openPort: 3001 restSSLCertificateBase64: >- LS0tLS1CRUdJTiBDRVJUSUZ...Base64...== restSSLKeyBase64: >- LS0tLS1CRUdJTiBSU0EgUFJ...Base64...= ``` To get the Base64 of a file, use: ```` cat restSsl.key | base64 -w 0 cat restSsl.crt | base64 -w 0 ```` Copy the outputs and paste them into the custom preset file. The provided certificate needs to be valid for the hostname `my.awesomenode.mycompany.net`. The domain needs to resolve the IP address of your node. The certificates would eventually expire, so you would need to upgrade the custom preset and the nodes before it happens by repeating these steps. This option only leaves HTTPS port 3001 open, there is not HTTP 3000. This is a "hard" migration. Open port 3001 in your firewall or security group, port 3000 can be closed as it's not used anymore. Once the custom preset has been updated, upgrade your node like always: ``` sudo npm install -g symbol-bootstrap cd symbol-node symbol-bootstrap stop cp target backup-target -r symbol-bootstrap start -c custom-preset.yml --upgrade -d ``` PR: https://github.com/symbol/catapult-rest/pull/641 PR: https://github.com/symbol/symbol-bootstrap/pull/284 ## Option 2: Automatic Let's Encrypt Service If desired, Bootstrap adds a fully configured [Http Proxy](https://github.com/SteveLTN/https-portal) service. To enable it, just opt-in by providing the `httpsProxies:` section to your custom preset. ```` # more properties nodes: - friendlyName: My Awesome Node host: my.awesomenode.mycompany.net # more properties httpsProxies: # ADD THIS SECTION - excludeDockerService: false ```` You need to own the domain `my.awesomenode.mycompany.net` and it needs to resolve the IP address of your node. The Let's Encrypt service will handle the certificate creation and renewals for you. Internally, Bootstrap generates a Docker service in the compose file: ```` ### MORE SERVICES https-proxy: container_name: https-proxy image: 'steveltn/https-portal:1' stop_signal: SIGINT working_dir: /symbol-workdir ports: - '80:80' - '3001:443' environment: DOMAINS: 'my.awesomenode.mycompany.net -> http://rest-gateway:3000' WEBSOCKET: 'true' STAGE: production SERVER_NAMES_HASH_BUCKET_SIZE: 128 restart: 'on-failure:2' volumes: - '../gateways/https-proxy:/symbol-workdir:rw' depends_on: - rest-gateway ```` Open ports 3001 and 80 in your firewall or security group. Port 3000 may or may not be closed. Keep it open while migrating your apps... Once the custom preset has been updated, upgrade your node like always: ``` sudo npm install -g symbol-bootstrap cd symbol-node symbol-bootstrap stop cp target backup-target -r symbol-bootstrap start -c custom-preset.yml --upgrade -d ``` The HTTP Proxy option (and the default 3001 port :) ) has been heavily inspired by this great blog https://nemlog.nem.social/blog/58808. Bootstrap bundles this solution. If you have followed the blog, you can keep the solution without modifying Bootstrap or migrate it to the Bootstrap service removing the extra compose file and process. PR: https://github.com/symbol/symbol-bootstrap/pull/284 ## Option 3: Wizard If you are creating a **new node**, the wizard will help you select the right HTTPS configuration generating the custom preset for you. Just run: ``` sudo npm install -g symbol-bootstrap symbol-bootstrap verify symbol-bootstrap wizard ``` And follow the instructions... # Release Plan - [x] Rest HTTPS PR - [x] Bootstrap HTTPS PR - [x] Testnet HTTPS Deploy (ngl-api-* are native, ngl-dual-* are automatic) - [x] Explorer Testnet HTTPS upgrade - [x] Faucet Testnet HTTPS upgrade - [x] Statistics Testnet HTTPS upgrade - [ ] Wallet Tesnet HTTPS PR (https:// and 3001). - [x] Testnet Soak time - [x] Rest release - [x] Bootstrap release - [ ] Mainnet Deploy - [x] HTTPS guide release - [ ] Wallet relese (nodes will be both HTTP and HTTPs for a while) - [x] Explorer and Statistics HTTPS mainnet upgrade - [ ] Shutdown HTTP 3000 eventually