Hi Stackers,
I’ve been humbly growing my expertise in node running over the years from a simple start with Umbrel on a Pi4, to startOS and beyond.
I’m spinning up a self-hosted new node today using the Minibolt guide (3rd time or so that I’ve spun up a node this way).
I intend the node to be high performance (Fulcrum) and publicly-available (Uncle Jim model for friends & family).
Ultimately my goal is to have the node reachable on clearnet, so friends can connect to node.mydomain.com. The domain will point to a VPS running a reverse proxy & WireGuard to connect to my locally-accessible node.
Before that, however, I want to be sure I’m understanding SSL certificates properly, and where the certificates should sit.
I’d like to first test this by connecting to the node locally via a fully-qualified domain name: node.mylan.com.
I am running a firewall (pfSense) with a reverse proxy (acme + haproxy) already, and have a wildcard certificate there for *.mylan.com.
My question is: should I install certificates with certbot on the node machine (node.mylan.com & node.mydomain.com), and then connect directly to the FQDN, or am I better off using self-signed certificates for the fulcrum/electrs connection on the device and relying on the proxy/proxies for SSL (both locally and then, later with the VPS)?
Looking at SSL on the device itself, it looks like I’ll have to do a fair amount of permissioning of letsencrypt folders for the users running the services on the node… thus I’m wondering if I’m over-complicating matters.
Thanks for any help!
For clearnet, use Caddy as a reverse proxy on the VPS, with directives to whatever... your self-signed certs mean nothing to any system, including your own, without a CA whitelisted on every device that uses it.
Yeah, Caddy is the simplest option, works really nicely.
Keep the SSL termination at your reverse proxy (HAProxy) and simplify the node setup. For internal testing with node.mylan.com, rely on the wildcard certificate from HAProxy. Later, when you move to node.mydomain.com via the VPS, you can still use the reverse proxy and WireGuard setup with the proxy handling SSL.
This approach will minimize complexity and avoid unnecessary permission issues on the node, while still maintaining strong security through your existing wildcard certificates and reverse proxy.
Would this approach work for your setup?
Sorry for the long delay, and thank you very much for your reply. It did help a lot.
I’ve been silent because for some reason HAProxy in pfSense won’t work for ssl://fulcrum.mydomain.com:50002
Am I missing something fulcrum- or connection-type specific? I’ve only ever used it to serve web front-ends in the past.
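An added example, not from any poster in this thread, showing the "terminate TLS at HAProxy" approach for an Electrum-protocol (Fulcrum/electrs) listener rather than a web front-end. The Electrum protocol is newline-delimited JSON-RPC over a raw TCP socket, not HTTP, so the frontend must run in `mode tcp`; an HTTP-mode frontend of the kind used for websites will not pass it. Assumed values: the wildcard PEM lives at /etc/haproxy/certs/wildcard.mylan.com.pem, and Fulcrum's plaintext `tcp` listener is on 192.168.1.50:50001 (its default port).

```haproxy
# Added example haproxy.cfg fragment: TLS is terminated here with the
# existing *.mylan.com wildcard, so Fulcrum itself needs no certificates
# and no Let's Encrypt folder permissions on the node machine.

frontend electrum_tls
    # Raw TCP, not HTTP: Electrum clients speak JSON-RPC over a socket.
    mode tcp
    option tcplog
    # Clients connect to ssl://node.mylan.com:50002 (assumed hostname).
    # The PEM must contain the full chain followed by the private key.
    bind :50002 ssl crt /etc/haproxy/certs/wildcard.mylan.com.pem
    # Defence in depth: accept only modern TLS on the public-facing port.
    # (Written as a bind option in real configs; shown here for clarity.)
    #   ssl-min-ver TLSv1.2
    default_backend fulcrum_plain

backend fulcrum_plain
    mode tcp
    # Only the proxy reaches this plaintext port; keep it off the WAN
    # and restrict it to the proxy host on the node's own firewall.
    # 192.168.1.50:50001 is an assumed address for Fulcrum's `tcp =` listener.
    server fulcrum 192.168.1.50:50001 check
```

If Fulcrum is instead left listening with its own `ssl =` certificate on 50002, drop the `ssl crt ...` options from the `bind` line so HAProxy passes the already-encrypted TCP stream through untouched; terminating at the proxy and re-encrypting is unnecessary on a trusted LAN or WireGuard link.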