This guide provides step-by-step instructions to configure a Fulcrum SPV server to use a domain name and an SSL certificate issued by a Certificate Authority (CA) instead of an IP address and a self-signed SSL certificate. We'll obtain an SSL certificate from Let's Encrypt that will automatically renew using Certbot.
When you're done, your Fulcrum server will be accessible to Electron Cash and other Bitcoin Cash (BCH) wallets with a user-friendly domain name instead of an IP address. Your Fulcrum server will also announce itself to peers so that more clients connect to your server.
Before requesting a certificate, confirm that the DNS A record for your domain already points at your droplet's public IP address; Let's Encrypt connects to whatever address the name resolves to. Run the following (replace "bch.yourdomain.com" with your domain name):
dig bch.yourdomain.com
The ANSWER SECTION should list an A record with your droplet's IP address. If it doesn't, wait for the DNS change to propagate before continuing.
We'll create another firewall that opens inbound port 80 so that the Certificate Authority can download the challenge files from the temporary standalone web server started by Certbot. This is the HTTP-01 challenge: Let's Encrypt only issues the certificate if it can fetch the challenge over plain HTTP on port 80, so that port must be reachable from the internet, not just from your own IP address.
On the DigitalOcean website, log in to your DigitalOcean account and add the tag "certbot" to your bchn-fulcrum droplet. This will add the droplet to the certbot-firewall, which we'll set up next.
On DigitalOcean, go to Networking > Firewall and create a new firewall:
In Inbound Rules, change the single default rule to these settings: Type HTTP, Protocol TCP, Port Range 80, Sources All IPv4 and All IPv6. Don't restrict the sources to your own IP address: Let's Encrypt validates the challenge from several of its own vantage points, whose addresses it does not publish.
In Outbound Rules, keep the default rules, which permit all traffic to any destination on any port.
We're going to use Certbot to obtain and automatically renew our certificate. As recommended by the Certbot instructions, we'll use "snap" instead of "apt" to install Certbot because snap generally has a newer version of certbot.
In the Terminal app on your Mac, SSH in to your DigitalOcean droplet:
ssh bitcoin@YOUR_DROPLET_IP
Install Certbot:
sudo snap install --classic certbot
Note: Certbot requires --classic because it needs to read and write system directories such as /etc/letsencrypt, which strict snap confinement would block.
Create a symlink for certbot:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Get a certificate (replace "bch.yourdomain.com" with your own domain name):
sudo certbot certonly --standalone -d bch.yourdomain.com
Note: These instructions assume you do NOT have a web server listening on port 80 on your server. The --standalone option means Certbot temporarily spins up its own web server on your machine so that the Certificate Authority can download the challenge files when issuing the certificate. If you do have a web server listening on port 80, stop it before running the certbot command, or Certbot will fail to bind the port.
Certbot has set up a systemd timer that renews your certificate automatically before it expires. You will not need to run certbot manually again unless you change your configuration. You can test automatic renewal for your certificate by running this command:
sudo certbot renew --dry-run
Verify that a scheduled timer exists for automatic renewals (you should see a UNIT named snap.certbot.renew.timer):
systemctl list-timers
To view the status of the automatic renewal timer:
sudo systemctl status snap.certbot.renew.timer
Next, we'll configure a hook that restarts Fulcrum after each certificate renewal so that the renewed certificate and key are loaded.
Open the configuration file created by Certbot using the nano text editor (replace "bch.yourdomain.com" with your domain name):
sudo nano /etc/letsencrypt/renewal/bch.yourdomain.com.conf
Modify the [renewalparams] section to include:
[renewalparams]
post_hook = systemctl restart fulcrum
Save the file and exit the nano text editor (Control+O, Return, Control+X). Note that post_hook runs after every renewal attempt, including one that fails, so Fulcrum may occasionally restart with the old certificate still in place. That is harmless, but if Fulcrum restarts and the certificate dates shown in the log don't change, check the Certbot log in /var/log/letsencrypt/.
We need to update permissions so that the fulcrum user can read the certificate directories and files. Certbot stores the real files in /etc/letsencrypt/archive and keeps symlinks to the current versions in /etc/letsencrypt/live; the chgrp and chmod commands below follow those symlinks, so the files in archive are what actually change. The certificate itself is public, but the private key is what lets anyone impersonate your server, so it is made readable by the fulcrum group only and stays unreadable by everyone else. After the first real renewal, confirm that the newest privkeyN.pem in /etc/letsencrypt/archive/bch.yourdomain.com/ still has group fulcrum and mode 0640: current Certbot versions carry the previous key's group and mode over to the renewed key, but verify it once rather than assume it.
Change permissions to allow fulcrum to read the certificate directories:
sudo chmod 0755 /etc/letsencrypt/{live,archive}
Change the group of the private key to fulcrum (replace "bch.yourdomain.com" with your domain name):
sudo chgrp fulcrum /etc/letsencrypt/live/bch.yourdomain.com/privkey.pem
Update permissions on the private key file so it can be read by the fulcrum group (replace "bch.yourdomain.com" with your domain name):
sudo chmod 0640 /etc/letsencrypt/live/bch.yourdomain.com/privkey.pem
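As an added example, not part of the original guide and not Certbot's or Fulcrum's own code, the permission fix-up above and the restart from the [renewalparams] step can be combined into one script that Certbot runs after each successful renewal. It assumes the group name "fulcrum", the systemd unit "fulcrum", and that it is installed executable as /etc/letsencrypt/renewal-hooks/deploy/fulcrum-cert.sh, a directory whose scripts Certbot runs after every successful renewal with RENEWED_LINEAGE set to the live/ directory of the renewed certificate. It re-applies the group and mode to the renewed private key, refuses to leave the key world-readable, confirms that the key matches fullchain.pem, and only then restarts Fulcrum. For a manual run, pass the domain name as the first argument.

```sh
#!/bin/sh
# Added example for this guide, not Certbot's or Fulcrum's own code.
# Certbot deploy hook: runs after a successful renewal with RENEWED_LINEAGE
# set to the live/ directory of the renewed certificate (assumed install path:
# /etc/letsencrypt/renewal-hooks/deploy/fulcrum-cert.sh, mode 0755).
# Manual use: fulcrum-cert.sh bch.yourdomain.com
set -eu

KEY_GROUP="${KEY_GROUP:-fulcrum}"   # group that may read the key (assumed name)
KEY_MODE="${KEY_MODE:-0640}"        # owner rw, group r, world nothing
SERVICE="${SERVICE:-fulcrum}"       # systemd unit to restart (assumed name)

# Octal mode of the file a path points to (GNU stat first, BSD stat fallback).
mode_of() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# Re-apply group and mode to a private key. chgrp and chmod follow the live/
# symlink, so the real file in archive/ is what changes. Refuses to leave the
# key readable by "other", whatever mode was requested.
fix_key_perms() {
    key="$1"; group="$2"; mode="$3"
    chgrp "$group" "$key"
    chmod "$mode" "$key"
    case "$(mode_of "$key")" in
        *[1-7]) echo "refusing: $key is world-readable (mode $mode)" >&2; return 1 ;;
    esac
}

# Succeeds only if the certificate's public key is the one derived from the
# private key. A mismatch would leave Fulcrum unable to open its SSL listener.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert")
    key_pub=$(openssl pkey -pubout -in "$key")
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

main() {
    lineage="$1"   # e.g. /etc/letsencrypt/live/bch.yourdomain.com
    fix_key_perms "$lineage/privkey.pem" "$KEY_GROUP" "$KEY_MODE"
    if ! cert_matches_key "$lineage/fullchain.pem" "$lineage/privkey.pem"; then
        echo "$lineage: fullchain.pem and privkey.pem do not match; not restarting $SERVICE" >&2
        exit 1
    fi
    systemctl restart "$SERVICE"
    echo "$SERVICE restarted with renewed certificate from $lineage"
}

# Run only when invoked by Certbot (RENEWED_LINEAGE set) or with a domain argument.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main "$RENEWED_LINEAGE"
elif [ $# -ge 1 ]; then
    main "/etc/letsencrypt/live/$1"
fi
```

If you use this hook, remove the post_hook line from the renewal conf so Fulcrum is not restarted twice, and if the droplet has other Let's Encrypt certificates, add a check on RENEWED_DOMAINS so the hook only acts on the Fulcrum one.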
Open a "fulcrum" user session:
sudo su - fulcrum
Edit the fulcrum configuration file using the nano text editor (replace "/mnt/volume_nyc1_01" with the location of your fulcrum data directory):
nano /mnt/volume_nyc1_01/fulcrum/fulcrum.conf
Modify these lines in fulcrum.conf (replace all 3 instances of "bch.yourdomain.com" with your domain name):
cert = /etc/letsencrypt/live/bch.yourdomain.com/fullchain.pem
key = /etc/letsencrypt/live/bch.yourdomain.com/privkey.pem
hostname = bch.yourdomain.com
Save the file and exit the nano text editor (Control+O, Return, Control+X).
Exit "fulcrum" user session to return to "bitcoin" user session:
exit
Restart fulcrum:
sudo systemctl restart fulcrum
Check the fulcrum log to verify the certificate was loaded (should see "Loaded SSL certificate: bch.yourdomain.com"):
sudo journalctl -u fulcrum -n 250 | grep "SSL"
Optional: Use 'openssl' to test the SSL connection (replace "bch.yourdomain.com" with your domain name):
openssl s_client -connect bch.yourdomain.com:50002
You should see the certificate chain, with issuer lines containing "Let's Encrypt", and near the end "Verify return code: 0 (ok)", which confirms that the chain validates against your Mac's trust store (a missing intermediate would show up here even though the certificate itself is genuine). Press Control-C to exit.
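The manual openssl check above can be turned into a repeatable one. The script below is an added example, not part of the original guide and not Fulcrum's or Electron Cash's own tooling: it fetches the certificate your Fulcrum SSL port presents (sending SNI like a wallet client does), verifies the chain against the local trust store, prints the issuer and validity dates, and exits non-zero when the certificate is within a warning window of expiry, which is the symptom of a broken renewal timer. It assumes the host and optional port on the command line (port defaults to 50002) and a 20-day warning window, which sits inside Certbot's 30-day renewal window for 90-day Let's Encrypt certificates.

```sh
#!/bin/sh
# Added example for this guide, not Fulcrum's or Electron Cash's own code.
# Usage: fulcrum-tls-check.sh bch.yourdomain.com [50002]
# Assumed: WARN_DAYS of 20 (inside Certbot's 30-day renewal window).
set -eu

WARN_DAYS="${WARN_DAYS:-20}"

# Leaf certificate presented on host:port, as PEM. -servername sends SNI
# like a wallet client; </dev/null closes the session after the handshake.
fetch_leaf_cert() {
    host="$1"; port="$2"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509
}

# 0 if the served chain validates against the system trust store, non-zero
# otherwise (self-signed, expired, or a missing intermediate all fail here).
chain_verifies() {
    host="$1"; port="$2"
    openssl s_client -connect "$host:$port" -servername "$host" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Issuer DN of a PEM certificate; a Let's Encrypt cert shows O = Let's Encrypt.
issuer_of() {
    openssl x509 -noout -issuer -in "$1"
}

# 0 if the certificate is still valid $2 days from now, 1 if it expires sooner.
valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null
}

main() {
    host="$1"; port="${2:-50002}"
    cert=$(mktemp)
    trap 'rm -f "$cert"' EXIT
    fetch_leaf_cert "$host" "$port" > "$cert"
    openssl x509 -noout -subject -dates -in "$cert"
    issuer_of "$cert"
    if chain_verifies "$host" "$port"; then
        echo "chain: OK"
    else
        echo "chain: FAILED; a CA-issued certificate should validate, so check for a missing intermediate" >&2
        exit 1
    fi
    if valid_for_days "$cert" "$WARN_DAYS"; then
        echo "expiry: more than $WARN_DAYS days left"
    else
        echo "expiry: under $WARN_DAYS days left; check 'certbot renew --dry-run' and snap.certbot.renew.timer" >&2
        exit 2
    fi
}

if [ $# -ge 1 ]; then
    main "$@"
fi
```

Run it from a cron job or your monitoring system and alert on a non-zero exit: exit 1 means wallets that verify certificates will not trust the server, exit 2 means renewal has silently stopped and you have until the notAfter date to fix it.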
If you previously followed the steps to connect your Electron Cash wallet to your Fulcrum server, you need to update your Electron Cash configuration to use your new domain name.
First, quit Electron Cash so it isn't open while you modify the config file, otherwise it might overwrite your changes.
Next, we'll set your server as the current server and add it to the whitelist of added servers. On your Mac, edit the Electron Cash config file using the nano text editor:
nano ~/.electron-cash/config
Modify the file to include the following lines (replace both instances of bch.yourdomain.com with your domain name; the trailing ":s" selects an SSL connection on port 50002):
"server": "bch.yourdomain.com:50002:s",
"server_whitelist_added": [
"bch.yourdomain.com:50002:s"
],
Save the file and exit the nano text editor (Control+O, Return, Control+X).
Open Electron Cash as normal by double-clicking the application icon in your Applications folder.