SSL Certificate Setup Guide
Complete guide for configuring SSL certificates for ChainID 138 MetaMask integration endpoints.
Overview
TLS certificates (still commonly called SSL certificates) are required so the HTTPS endpoints (RPC, explorer) can prove their identity to MetaMask and the browser; a dapp loaded over HTTPS is also blocked by mixed-content rules if it calls an http:// RPC URL.
Options
Option 1: Cloudflare SSL (Recommended)
Benefits:
- Free SSL certificates
- Automatic provisioning
- Auto-renewal
- DDoS protection included
Setup:
- Enable Cloudflare proxy (orange cloud)
- Set SSL/TLS mode to "Full (strict)". Plain "Full" encrypts the hop to the origin but accepts any certificate there, so it does not detect a spoofed origin
- Cloudflare automatically provisions the edge certificate that MetaMask and browsers see
- The edge certificate auto-renews; the origin still needs its own valid certificate (for example Let's Encrypt, Option 2) for "Full (strict)" to work
Configuration:
- Go to Cloudflare Dashboard → SSL/TLS
- Set encryption mode: "Full (strict)"
- Enable "Always Use HTTPS"
- Enable "Automatic HTTPS Rewrites"
Option 2: Let's Encrypt
Benefits:
- Free SSL certificates
- Widely trusted
- 90-day validity (short by design, so renewal must be automated; see Auto-Renewal below)
Setup:
# Install certbot
sudo apt-get update
sudo apt-get install certbot
# Obtain certificate for RPC endpoint. --standalone starts certbot's own listener on port 80,
# so nginx must not be bound to it during issuance (or use --webroot / --nginx instead),
# and the name must already resolve to this host.
sudo certbot certonly --standalone -d rpc.d-bis.org
# Obtain certificate for explorer
sudo certbot certonly --standalone -d explorer.d-bis.org
# Test renewal. --dry-run only simulates; the real runs come from the certbot.timer systemd unit installed by the package (see Auto-Renewal)
sudo certbot renew --dry-run
Nginx Configuration:
server {
listen 443 ssl http2;
server_name rpc.d-bis.org;
ssl_certificate /etc/letsencrypt/live/rpc.d-bis.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/rpc.d-bis.org/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
# ... rest of configuration
}
Option 3: Custom SSL Certificate
Use Case: Enterprise or custom requirements
Providers:
- DigiCert
- GlobalSign
- Sectigo
- GoDaddy
Setup:
- Purchase SSL certificate
- Generate CSR (Certificate Signing Request)
- Submit CSR to provider
- Install certificate
- Configure web server
Cloudflare SSL Configuration
Step 1: Enable SSL/TLS
- Go to Cloudflare Dashboard
- Select the domain d-bis.org
- Go to SSL/TLS
- Set encryption mode to "Full (strict)"
Step 2: Configure SSL Settings
SSL/TLS encryption mode: Full (strict)
Always Use HTTPS: On
Automatic HTTPS Rewrites: On
Minimum TLS Version: TLS 1.2
Opportunistic Encryption: On
TLS 1.3: On
Step 3: Verify SSL
# Test SSL certificate. -servername sends SNI (Cloudflare requires it to pick the right certificate);
# </dev/null closes stdin so s_client exits instead of waiting for input
openssl s_client -connect rpc.d-bis.org:443 -servername rpc.d-bis.org </dev/null
# Check certificate details. With the proxy enabled this is Cloudflare's edge certificate, not the origin's
echo | openssl s_client -connect rpc.d-bis.org:443 -servername rpc.d-bis.org 2>/dev/null | openssl x509 -noout -text
Let's Encrypt Setup
Automated Setup Script
#!/bin/bash
# Automated Let's Encrypt SSL setup for ChainID 138 endpoints
set -euo pipefail
DOMAINS=(
"rpc.d-bis.org"
"rpc2.d-bis.org"
"explorer.d-bis.org"
)
EMAIL="admin@d-bis.org"
# Install certbot
sudo apt-get update
sudo apt-get install -y certbot
# Obtain certificates.
# --standalone binds port 80 itself, so nothing else (nginx) may be listening there
# during issuance, and every name must already resolve to this host.
# Use --webroot or the nginx plugin if nginx has to stay up.
for domain in "${DOMAINS[@]}"; do
echo "Obtaining certificate for $domain..."
sudo certbot certonly \
--standalone \
--non-interactive \
--agree-tos \
--email "$EMAIL" \
-d "$domain"
done
# Setup auto-renewal: the apt package installs certbot.timer, which runs
# 'certbot renew' twice a day. Renewal reuses the --standalone settings, so
# port 80 must again be free at that time, and nginx must be reloaded afterwards
# to pick up the new files (pass --deploy-hook "systemctl reload nginx" to
# certonly; certbot stores it in the renewal config).
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer
echo "SSL certificates obtained and auto-renewal configured!"
Nginx SSL Configuration
# SSL Configuration for RPC endpoint
server {
    listen 443 ssl http2;
    server_name rpc.d-bis.org;

    # SSL Certificate
    # fullchain.pem = leaf + intermediate. Serving cert.pem alone breaks clients
    # that do not already have the intermediate cached.
    ssl_certificate /etc/letsencrypt/live/rpc.d-bis.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rpc.d-bis.org/privkey.pem;

    # SSL Protocols (no TLS 1.0/1.1)
    ssl_protocols TLSv1.2 TLSv1.3;

    # SSL Ciphers: forward-secret AEAD suites only. This list applies to TLS 1.2;
    # TLS 1.3 suites are fixed by the protocol and not affected.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    # SSL Session
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security Headers. Note: an add_header inside a location block replaces
    # ALL server-level add_header lines, so repeat these in any location that
    # adds its own headers.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # ... rest of configuration
}

# HTTP to HTTPS redirect (keep port 80 open for this and for ACME HTTP-01 challenges)
server {
    listen 80;
    server_name rpc.d-bis.org;
    return 301 https://$server_name$request_uri;
}
Certificate Verification
Test SSL Certificate
# Test certificate validity (look for "Verify return code: 0 (ok)" at the end)
openssl s_client -connect rpc.d-bis.org:443 -servername rpc.d-bis.org </dev/null
# Check certificate expiration
echo | openssl s_client -connect rpc.d-bis.org:443 -servername rpc.d-bis.org 2>/dev/null | openssl x509 -noout -dates
# Check certificate chain: every certificate the server sends is printed;
# a missing intermediate shows up as "unable to get local issuer certificate"
openssl s_client -connect rpc.d-bis.org:443 -servername rpc.d-bis.org -showcerts </dev/null
# Test as an HTTP client: curl validates the chain and hostname the way a browser does,
# and -I shows the response headers (HSTS). Run it against http://rpc.d-bis.org as well to see the 301 redirect.
curl -vI https://rpc.d-bis.org
Expected Results
- ✅ Certificate is valid
- ✅ Certificate chain is complete
- ✅ Certificate matches domain
- ✅ Certificate is not expired
- ✅ HTTPS redirect works
Auto-Renewal
Let's Encrypt Auto-Renewal
# Test renewal
sudo certbot renew --dry-run
# Enable auto-renewal (systemd timer)
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer
# Check timer status
sudo systemctl status certbot.timer
Cloudflare Auto-Renewal
Cloudflare automatically renews the edge certificate; no action is needed for it. The origin certificate behind the proxy (Let's Encrypt or custom) still needs its own renewal, or "Full (strict)" starts failing when it expires.
Troubleshooting
Certificate Not Working
- Check the certificate is installed correctly (nginx -t, then reload)
- Verify the certificate's SAN entries match the domain (the CN alone is ignored by browsers)
- Check certificate expiration
- Verify web server configuration (correct server_name, fullchain.pem rather than cert.pem)
- Check firewall rules (443 open; 80 open for the redirect and the ACME HTTP-01 challenge)
Mixed Content Warnings
- Ensure all resources use HTTPS
- Update HTTP links to HTTPS
- Use relative URLs where possible
- Enable HSTS header
Certificate Chain Issues
- Verify intermediate certificates are included
- Check certificate chain is complete
- Test with SSL Labs: https://www.ssllabs.com/ssltest/
Security Best Practices
- Use Strong Protocols and Ciphers: only TLS 1.2 and 1.3, with forward-secret AEAD (GCM) suites for TLS 1.2
- Enable HSTS: Strict Transport Security, but only once every host covered by includeSubDomains serves HTTPS, because browsers cache the policy for max-age
- Regular Updates: renew certificates well before expiry and keep nginx and OpenSSL patched
- Monitor Expiration: alert when fewer than 30 days remain; certbot renews at 30 days, so such an alert means renewal has failed
- Use Full Chain: serve the intermediate certificates (fullchain.pem); clients with an empty intermediate cache otherwise fail verification
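The checks above, the CSR step of Option 3 and the expiry alert from "Monitor Expiration" can all be scripted with openssl. The following is an added example written for this page, not code from the original guide: make_key_and_csr produces a key and a CSR with the SAN set, the cert_* functions are the chain, hostname and expiry checks, and fetch_cert pulls a live endpoint's certificate into a file for them. To run offline, make_test_pki builds a throwaway CA and a short-lived leaf; the hostnames under example.test, the "Test CA" name and the 10-day validity are constructed for the demo and are not the project's values.

```shell
#!/bin/sh
# openssl helpers for this guide, added as a worked example (not part of the
# original page): make_key_and_csr is the CSR step of Option 3, the cert_*
# functions are the checks from "Certificate Verification" and the expiry
# alert from "Monitor Expiration", and make_test_pki builds a throwaway CA so
# the whole thing runs offline. Hostnames under example.test are constructed.
set -eu

# Minimal openssl config: CN plus a SAN (browsers ignore the CN, so the SAN
# is what must match) and a CA section used only by make_test_pki.
write_req_conf() {                  # write_req_conf FILE HOST
    cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
req_extensions = leaf_ext
[dn]
CN = $2
[leaf_ext]
subjectAltName = DNS:$2
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Private key + CSR for HOST in DIR (HOST.key / HOST.csr), SAN included.
make_key_and_csr() {                # make_key_and_csr DIR HOST
    write_req_conf "$1/$2.cnf" "$2"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Print the SANs in a CSR, e.g. "DNS:rpc.example.test"; check this before
# submitting the CSR to the provider.
csr_sans() {                        # csr_sans CSR
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr -d ' '
}

# Save the certificate a live host presents; -servername sets SNI and
# </dev/null stops s_client from waiting on stdin.
fetch_cert() {                      # fetch_cert HOST PORT OUTFILE
    openssl s_client -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Chain check: CERT must chain to a root in CAFILE.
cert_chain_ok() {                   # cert_chain_ok CERT CAFILE
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Name check: CERT's SAN (or CN fallback) must cover HOST.
cert_matches_host() {               # cert_matches_host CERT HOST
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Expiry check: succeeds only if CERT is still valid DAYS days from now.
cert_valid_for_days() {             # cert_valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Throwaway CA plus a leaf for HOST valid DAYS days, all in DIR.
make_test_pki() {                   # make_test_pki DIR HOST DAYS
    make_key_and_csr "$1" "$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
        -config "$1/$2.cnf" -extensions ca_ext \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -set_serial 1 -days "$3" -extfile "$1/$2.cnf" -extensions leaf_ext \
        -out "$1/$2.crt" 2>/dev/null
}

# Demo: a 10-day leaf passes a 7-day check and fails the 30-day one, which is
# the alert threshold to use with 90-day Let's Encrypt certificates.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir" rpc.example.test 10
echo "CSR SANs: $(csr_sans "$demo_dir/rpc.example.test.csr")"
if cert_chain_ok "$demo_dir/rpc.example.test.crt" "$demo_dir/ca.crt"; then echo "chain: OK"; fi
if cert_matches_host "$demo_dir/rpc.example.test.crt" rpc.example.test; then echo "name: OK"; fi
if cert_valid_for_days "$demo_dir/rpc.example.test.crt" 7; then echo "expiry: OK for 7 days"; fi
if ! cert_valid_for_days "$demo_dir/rpc.example.test.crt" 30; then echo "expiry: ALERT, renew within 30 days"; fi
rm -rf "$demo_dir"
```

Against a real endpoint the sequence is `fetch_cert rpc.d-bis.org 443 rpc.pem`, then `cert_matches_host rpc.pem rpc.d-bis.org` and `cert_valid_for_days rpc.pem 30` from a cron job that pages on a non-zero exit; for the chain check pass the system trust store (for example /etc/ssl/certs/ca-certificates.crt on Debian) as CAFILE. Behind the Cloudflare proxy fetch_cert returns the edge certificate, so point it at the origin's address to monitor the Let's Encrypt certificate that "Full (strict)" depends on.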
Checklist
- SSL certificate obtained
- Certificate installed on server
- Web server configured for SSL
- HTTPS redirect configured
- Certificate verified
- Auto-renewal configured
- Security headers configured
- HSTS enabled
- Certificate tested from browser
- Certificate tested from MetaMask
Last Updated: 2026-01-26