proxmox/docs/archive/completion/BLOCKSCOUT_SSL_SETUP_COMPLETE.md
defiQUG cb47cce074 Complete markdown files cleanup and organization
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
2026-01-06 01:46:25 -08:00


# Blockscout SSL Setup Complete! ✅
**Date**: December 23, 2025

**Status**: ✅ **SSL CONFIGURED AND WORKING**

---
## ✅ Completed Tasks
1. **Let's Encrypt SSL Certificate**: Installed and configured
   - Certificate: `/etc/letsencrypt/live/explorer.d-bis.org/`
   - Valid until: March 23, 2026
   - Auto-renewal: Enabled
2. **Nginx SSL Configuration**: HTTPS enabled on port 443
   - HTTP (port 80): Redirects to HTTPS
   - HTTPS (port 443): Full SSL/TLS with modern ciphers
   - Security headers: HSTS, X-Frame-Options, etc.
3. **Cloudflare Tunnel**: Updated to use HTTPS
   - Route: `explorer.d-bis.org` → `https://192.168.11.140:443`
   - SSL verification: Disabled (`noTLSVerify: true`) for internal connection
4. **Blockscout Configuration**: Updated for HTTPS
   - Protocol: HTTPS
   - Host: explorer.d-bis.org
---
## Configuration Details
### SSL Certificate
- **Domain**: explorer.d-bis.org
- **Issuer**: Let's Encrypt R13
- **Location**: `/etc/letsencrypt/live/explorer.d-bis.org/`
- **Auto-renewal**: Enabled via certbot.timer
### Nginx Configuration
- **HTTP Port**: 80 (redirects to HTTPS)
- **HTTPS Port**: 443
- **SSL Protocols**: TLSv1.2, TLSv1.3
- **SSL Ciphers**: Modern ECDHE ciphers only
- **Security Headers**:
  - Strict-Transport-Security (HSTS)
  - X-Frame-Options
  - X-Content-Type-Options
  - X-XSS-Protection
### Cloudflare Tunnel
- **Tunnel ID**: `10ab22da-8ea3-4e2e-a896-27ece2211a05`
- **Route**: `explorer.d-bis.org` → `https://192.168.11.140:443`
- **SSL Verification**: Disabled for internal connection (Cloudflare → Blockscout)
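
With `noTLSVerify: true`, cloudflared encrypts the hop to Nginx but does not authenticate it, so any host answering on 192.168.11.140:443 is accepted. The sketch below is an added example, not the project's own configuration, showing that setting beside a verified alternative that uses `originServerName` so the Let's Encrypt certificate validates even though the route targets an IP. It assumes a locally managed tunnel (a `config.yml` file) and uses a placeholder credentials path.

```yaml
# Added example: cloudflared config.yml for a locally managed tunnel.
# The tunnel ID, hostname and origin address are the ones listed on this page;
# the credentials-file path is a placeholder, not taken from the project.
tunnel: 10ab22da-8ea3-4e2e-a896-27ece2211a05
credentials-file: /etc/cloudflared/<TUNNEL_ID>.json   # placeholder path

ingress:
  # Setting as described on this page: the origin certificate is not checked,
  # so the internal hop is encrypted but unauthenticated.
  # - hostname: explorer.d-bis.org
  #   service: https://192.168.11.140:443
  #   originRequest:
  #     noTLSVerify: true

  # Verified alternative: still connect to the internal IP, but tell
  # cloudflared which name to expect in the origin certificate. The
  # Let's Encrypt certificate for explorer.d-bis.org then validates
  # against the system trust store on the cloudflared host.
  - hostname: explorer.d-bis.org
    service: https://192.168.11.140:443
    originRequest:
      originServerName: explorer.d-bis.org
      # noTLSVerify is left at its default (false)

  # cloudflared requires a catch-all rule as the last ingress entry.
  - service: http_status:404
```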
---
## Access Points
### Internal
- **HTTP**: http://192.168.11.140 (redirects to HTTPS)
- **HTTPS**: https://192.168.11.140
- **Health**: https://192.168.11.140/health
### External
- **HTTPS**: https://explorer.d-bis.org
- **Health**: https://explorer.d-bis.org/health
- **API**: https://explorer.d-bis.org/api
---
## Testing
### Test Internal HTTPS
```bash
curl -k https://192.168.11.140/health
```
### Test External HTTPS
```bash
curl https://explorer.d-bis.org/health
```
### Verify Certificate
```bash
openssl s_client -connect explorer.d-bis.org:443 -servername explorer.d-bis.org < /dev/null
```
### Check Certificate Auto-Renewal
```bash
systemctl status certbot.timer
```
---
## Architecture
```
Internet
Cloudflare Edge (SSL Termination)
Cloudflare Tunnel (encrypted)
cloudflared (VMID 102)
HTTPS → https://192.168.11.140:443
Nginx (VMID 5000) - SSL/TLS
HTTP → http://127.0.0.1:4000
Blockscout Container
```
---
## Files Modified
- `/etc/letsencrypt/live/explorer.d-bis.org/` - SSL certificates
- `/etc/nginx/sites-available/blockscout` - Nginx SSL configuration
- `/opt/blockscout/docker-compose.yml` - Blockscout HTTPS configuration
- Cloudflare Tunnel configuration - Updated route to HTTPS
---
## Maintenance
### Certificate Renewal
Certificates auto-renew via certbot.timer. Manual renewal:
```bash
certbot renew --nginx
```
### Check Certificate Expiry
```bash
openssl x509 -in /etc/letsencrypt/live/explorer.d-bis.org/fullchain.pem -noout -dates
```
### Restart Services
```bash
# Nginx
systemctl restart nginx
# Blockscout
cd /opt/blockscout && docker-compose restart blockscout
```
---
## Next Steps
1. ✅ SSL certificates installed
2. ✅ Nginx configured with SSL
3. ✅ Cloudflare tunnel updated to HTTPS
4. ⏳ Wait for Blockscout to fully start (may take 1-2 minutes)
5. ⏳ Test external access: `curl https://explorer.d-bis.org/health`
---
**✅ SSL setup is complete! Blockscout is now accessible via HTTPS.**