proxmox/reports/VMID2400_ORIGIN_CERT_INSTALLED.md
defiQUG cb47cce074 Complete markdown files cleanup and organization
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
2026-01-06 01:46:25 -08:00


# VMID 2400 - Cloudflare Origin Certificate Installation Complete
**Date**: 2026-01-02
**Status**: ✅ **CERTIFICATE INSTALLED AND CONFIGURED**
---
## ✅ Completed
- ✅ Cloudflare Origin Certificate installed: `/etc/nginx/ssl/cloudflare-origin.crt`
- ✅ Private Key installed: `/etc/nginx/ssl/cloudflare-origin.key`
- ✅ Certificate permissions set (644 for cert, 600 for key)
- ✅ Certificate verified - Valid for `*.defi-oracle.io` and `defi-oracle.io`
- ✅ Nginx installed and configured
- ✅ Nginx configuration created: `/etc/nginx/sites-available/rpc-thirdweb`
- ✅ Site enabled and Nginx reloaded
---
## Certificate Details
**Issuer**: CloudFlare Origin SSL Certificate Authority
**Subject**: CloudFlare Origin Certificate
**Valid For**:
- `*.defi-oracle.io`
- `defi-oracle.io`
**Expiration**: January 29, 2040 (14 years)
---
## Nginx Configuration
**Configuration File**: `/etc/nginx/sites-available/rpc-thirdweb`
**Enabled**: `/etc/nginx/sites-enabled/rpc-thirdweb`
**Endpoints Configured**:
- **HTTP RPC**: `https://rpc.public-0138.defi-oracle.io:443` → `http://127.0.0.1:8545`
- **WebSocket RPC**: `https://rpc.public-0138.defi-oracle.io:8443` → `http://127.0.0.1:8546`
- **Health Check**: `https://rpc.public-0138.defi-oracle.io/health`
---
## Next Steps
### 1. Update Cloudflare Tunnel Route (Optional)
Since you now have SSL configured, you can optionally update the tunnel route to use HTTPS:
**Current** (HTTP - works fine):
```
URL: http://127.0.0.1:8545
```
**Optional** (HTTPS - if you want end-to-end encryption):
```
URL: https://127.0.0.1:443
```
**Note**: With Cloudflare Origin Certificate, HTTP is fine since Cloudflare validates the origin. HTTPS is optional but provides additional encryption.
### 2. Test the Endpoint
```bash
# Test health endpoint
curl -k https://rpc.public-0138.defi-oracle.io/health
# Test RPC endpoint
curl -k https://rpc.public-0138.defi-oracle.io \
-X POST \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
```
### 3. Verify SSL Certificate
```bash
# Check the certificate as seen from an external host
openssl s_client -connect rpc.public-0138.defi-oracle.io:443 -servername rpc.public-0138.defi-oracle.io < /dev/null 2>/dev/null | openssl x509 -noout -text | grep -E 'Subject:|Issuer:|DNS:'
```
---
## Security Notes
- **Origin Certificate**: Validates that Cloudflare is connecting to the correct origin
- **Private Key**: Securely stored with 600 permissions (owner read/write only)
- **SSL/TLS**: Encrypted connection between Cloudflare and origin
- **Real IP**: Configured to trust Cloudflare IPs for accurate client IPs
---
## File Locations
| File | Path | Permissions |
|------|------|-------------|
| Certificate | `/etc/nginx/ssl/cloudflare-origin.crt` | 644 (readable) |
| Private Key | `/etc/nginx/ssl/cloudflare-origin.key` | 600 (owner only) |
| Nginx Config | `/etc/nginx/sites-available/rpc-thirdweb` | 644 |
| Enabled Site | `/etc/nginx/sites-enabled/rpc-thirdweb` | Symlink |
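
The permissions and hostnames recorded above can be re-checked in one pass, together with a key/certificate match and an expiry margin. This is an added example, not part of the original report: `check_origin_cert` and the 30-day threshold are assumptions, and it expects GNU `stat` and the `openssl` CLI inside the container.

```bash
#!/usr/bin/env bash
# Added example: audit the origin cert/key pair from inside the container.
# Assumes GNU stat and the openssl CLI; check_origin_cert is a hypothetical helper.

# check_origin_cert CERT KEY MIN_DAYS NAME...
# Prints one line per failed check; returns 0 only if every check passes.
check_origin_cert() {
  local cert=$1 key=$2 min_days=$3 rc=0 mode cert_pub key_pub sans name
  shift 3

  # 1. Permissions from the File Locations table: key 600, certificate 644.
  mode=$(stat -c '%a' "$key") || return 2
  [ "$mode" = 600 ] || { echo "FAIL key mode $mode (want 600)"; rc=1; }
  mode=$(stat -c '%a' "$cert") || return 2
  [ "$mode" = 644 ] || { echo "FAIL cert mode $mode (want 644)"; rc=1; }

  # 2. The private key must belong to this certificate (same public key).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL private key does not match certificate"; rc=1
  fi

  # 3. Certificate must stay valid for at least MIN_DAYS more days.
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
    { echo "FAIL certificate expires within $min_days days"; rc=1; }

  # 4. Every expected hostname must appear as an exact SAN entry.
  sans=$(openssl x509 -in "$cert" -noout -text | grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2)
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -Fxq -- "$name" || { echo "FAIL SAN missing: $name"; rc=1; }
  done
  return "$rc"
}

# Run against the report's paths when present (no-op on other machines).
if [ -f /etc/nginx/ssl/cloudflare-origin.crt ]; then
  check_origin_cert /etc/nginx/ssl/cloudflare-origin.crt \
    /etc/nginx/ssl/cloudflare-origin.key 30 '*.defi-oracle.io' defi-oracle.io
fi
```
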
---
## Troubleshooting
### Certificate Issues
```bash
# Verify certificate
ssh root@192.168.11.10 "pct exec 2400 -- openssl x509 -in /etc/nginx/ssl/cloudflare-origin.crt -text -noout"
# Check certificate expiration
ssh root@192.168.11.10 "pct exec 2400 -- openssl x509 -in /etc/nginx/ssl/cloudflare-origin.crt -noout -dates"
```
### Nginx Issues
```bash
# Test configuration
ssh root@192.168.11.10 "pct exec 2400 -- nginx -t"
# Check Nginx status
ssh root@192.168.11.10 "pct exec 2400 -- systemctl status nginx"
# View Nginx logs
ssh root@192.168.11.10 "pct exec 2400 -- tail -f /var/log/nginx/rpc-thirdweb-error.log"
```
### SSL Connection Issues
```bash
# Test SSL locally
ssh root@192.168.11.10 "pct exec 2400 -- curl -k https://127.0.0.1/health"
# Test from an external host (after DNS is configured)
curl -k https://rpc.public-0138.defi-oracle.io/health
```
---
**Last Updated**: 2026-01-02
**Status**: ✅ **READY** - Certificate installed, Nginx configured