# Blockscout SSL Setup Complete! ✅

**Date**: December 23, 2025

**Status**: ✅ **SSL CONFIGURED AND WORKING**

---

## ✅ Completed Tasks

1. **Let's Encrypt SSL Certificate**: Installed and configured
   - Certificate: `/etc/letsencrypt/live/explorer.d-bis.org/`
   - Valid until: March 23, 2026
   - Auto-renewal: Enabled

2. **Nginx SSL Configuration**: HTTPS enabled on port 443
   - HTTP (port 80): Redirects to HTTPS
   - HTTPS (port 443): Full SSL/TLS with modern ciphers
   - Security headers: HSTS, X-Frame-Options, etc.

3. **Cloudflare Tunnel**: Updated to use HTTPS
   - Route: `explorer.d-bis.org` → `https://192.168.11.140:443`
   - SSL verification: Disabled (noTLSVerify: true) for internal connection

4. **Blockscout Configuration**: Updated for HTTPS
   - Protocol: HTTPS
   - Host: explorer.d-bis.org

---

## Configuration Details

### SSL Certificate

- **Domain**: explorer.d-bis.org
- **Issuer**: Let's Encrypt R13
- **Location**: `/etc/letsencrypt/live/explorer.d-bis.org/`
- **Auto-renewal**: Enabled via certbot.timer

### Nginx Configuration

- **HTTP Port**: 80 (redirects to HTTPS)
- **HTTPS Port**: 443
- **SSL Protocols**: TLSv1.2, TLSv1.3
- **SSL Ciphers**: Modern ECDHE ciphers only
- **Security Headers**:
  - Strict-Transport-Security (HSTS)
  - X-Frame-Options
  - X-Content-Type-Options
  - X-XSS-Protection

### Cloudflare Tunnel

- **Tunnel ID**: `10ab22da-8ea3-4e2e-a896-27ece2211a05`
- **Route**: `explorer.d-bis.org` → `https://192.168.11.140:443`
- **SSL Verification**: Disabled for internal connection (Cloudflare → Blockscout)

---

## Access Points

### Internal

- **HTTP**: http://192.168.11.140 (redirects to HTTPS)
- **HTTPS**: https://192.168.11.140
- **Health**: https://192.168.11.140/health

### External

- **HTTPS**: https://explorer.d-bis.org
- **Health**: https://explorer.d-bis.org/health
- **API**: https://explorer.d-bis.org/api

---

## Testing

### Test Internal HTTPS

```bash
curl -k https://192.168.11.140/health
```

### Test External HTTPS

```bash
curl https://explorer.d-bis.org/health
```

### Verify Certificate

```bash
openssl s_client -connect explorer.d-bis.org:443 -servername explorer.d-bis.org < /dev/null
```

### Check Certificate Auto-Renewal

```bash
systemctl status certbot.timer
```

---

## Architecture

```
Internet
    ↓
Cloudflare Edge (SSL Termination)
    ↓
Cloudflare Tunnel (encrypted)
    ↓
cloudflared (VMID 102)
    ↓
HTTPS → https://192.168.11.140:443
    ↓
Nginx (VMID 5000) - SSL/TLS
    ↓
HTTP → http://127.0.0.1:4000
    ↓
Blockscout Container
```

---

## Files Modified

- `/etc/letsencrypt/live/explorer.d-bis.org/` - SSL certificates
- `/etc/nginx/sites-available/blockscout` - Nginx SSL configuration
- `/opt/blockscout/docker-compose.yml` - Blockscout HTTPS configuration
- Cloudflare Tunnel configuration - Updated route to HTTPS

---

## Maintenance

### Certificate Renewal

Certificates auto-renew via certbot.timer. Manual renewal:

```bash
certbot renew --nginx
```

### Check Certificate Expiry

```bash
openssl x509 -in /etc/letsencrypt/live/explorer.d-bis.org/fullchain.pem -noout -dates
```

### Restart Services

```bash
# Nginx
systemctl restart nginx

# Blockscout
cd /opt/blockscout && docker-compose restart blockscout
```

---

## Next Steps

1. ✅ SSL certificates installed
2. ✅ Nginx configured with SSL
3. ✅ Cloudflare tunnel updated to HTTPS
4. ⏳ Wait for Blockscout to fully start (may take 1-2 minutes)
5. ⏳ Test external access: `curl https://explorer.d-bis.org/health`

---

**✅ SSL setup is complete! Blockscout is now accessible via HTTPS.**
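
For the tunnel route listed under Cloudflare Tunnel, the internal hop can keep certificate verification on, because Nginx already serves the Let's Encrypt certificate for `explorer.d-bis.org`. The following is an added example, not this deployment's actual file: it assumes a locally managed cloudflared `config.yml`, and the credentials-file path is a placeholder.

```yaml
# Added example: locally managed cloudflared configuration (assumed layout).
tunnel: 10ab22da-8ea3-4e2e-a896-27ece2211a05
credentials-file: /path/to/tunnel-credentials.json   # placeholder, not from this page

ingress:
  - hostname: explorer.d-bis.org
    service: https://192.168.11.140:443
    originRequest:
      # Setting described on this page: certificate checks are skipped
      # on the cloudflared -> Nginx connection.
      # noTLSVerify: true

      # Alternative with verification kept on. The origin is addressed by IP,
      # so cloudflared is told which name to expect in the certificate that
      # Nginx presents (the Let's Encrypt certificate for this domain).
      noTLSVerify: false
      originServerName: explorer.d-bis.org

  # cloudflared requires a final catch-all rule.
  - service: http_status:404
```

With verification on, an expired or replaced origin certificate makes the tunnel fail closed instead of being silently accepted, so the certbot.timer renewal check above also becomes a check on tunnel availability.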