SSL for Remote OpenBazaar Nodes

The following instructions are only for setting up SSL connections to your server installed on a Linux-based VPS (e.g. hosted by Digital Ocean or others).

You'll need to know how to use a terminal and how to SSH into your server. Some more instructions on setting up a VPS can be found here.

Step 1: Set up SSL

  • SSH into your server
  • Make sure OpenBazaar isn't running
  • Navigate to the folder where ob.cfg is located
    • If you installed from source (i.e. using git), just go to the OpenBazaar-Server folder
    • If you installed from .deb files, then navigate to:
      • /usr/share/openbazaar/resources/OpenBazaar-Server
  • Copy, paste, and run the following commands to generate your SSL certificate and keys:
    • openssl genrsa -out rootCA.key 4096
    • openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.crt -subj "/C=DE/ST=Germany/L=Walldorf/O=SAP SE/OU=Tools/CN=rootCA"
    • openssl genrsa -out server.key 4096
    • openssl req -new -key server.key -out server.csr -subj "/C=DE/ST=Germany/L=Walldorf/O=SAP SE/OU=Tools/CN=localhost"
    • openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt
  • Edit the ob.cfg file to enable SSL:
    • `nano ob.cfg`
    • Modify the file accordingly (don't forget to remove the '#'):
[AUTHENTICATION]
SSL = True

SSL_CERT = [folder path]/server.crt
SSL_KEY = [folder path]/server.key

USERNAME = [add your username]
PASSWORD = [add your password]
    • For example, if you installed from the .deb files, the path would be:
      • /usr/share/openbazaar/resources/OpenBazaar-Server/server.crt
      • /usr/share/openbazaar/resources/OpenBazaar-Server/server.key
    • Press 'Ctrl-O' and then 'Enter' to save the file
    • Press 'Ctrl-X' to exit
  • Run your server as per normal
    • python openbazaard.py start -da [IP address of Client]
      1. -a lets you permit a specific IP address to make REST and WebSocket API calls
        1. If you want to make your server accessible from potentially any location, set the IP address to 0.0.0.0
          1. You will obviously need to have the SSL certificate installed in order to access the server
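
Before starting the server, it is worth confirming that the files from Step 1 fit together; the script below is an added example, not part of the original instructions or the OpenBazaar project. It checks that server.crt chains to rootCA.crt, that server.key matches server.crt, that the certificate is not about to expire (`openssl x509 -req` without `-days` issues a certificate valid for 30 days), and that the private keys are owner-readable only. The function names are hypothetical, GNU `stat` is assumed, and the demo files are constructed with 2048-bit keys only to keep the run short.

```shell
#!/usr/bin/env bash
# Added example: check the Step 1 output before starting the node.
# Run on the server (GNU stat assumed); DIR holds rootCA.crt, server.crt, server.key.

pubkey_hash() {  # $1 = cert|key, $2 = file; prints a digest of the public key
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
  esac 2>/dev/null | openssl sha256
}

check_node_tls() {  # hypothetical helper name; returns 0 only if every check passes
  dir=$1; rc=0
  # 1. server.crt must chain to the rootCA.crt that clients import in Step 2
  openssl verify -CAfile "$dir/rootCA.crt" "$dir/server.crt" >/dev/null 2>&1 ||
    { echo "FAIL: server.crt is not signed by rootCA.crt"; rc=1; }
  # 2. SSL_KEY must be the private key belonging to SSL_CERT
  [ "$(pubkey_hash cert "$dir/server.crt")" = "$(pubkey_hash key "$dir/server.key")" ] ||
    { echo "FAIL: server.key does not match server.crt"; rc=1; }
  # 3. the certificate must still be valid a week from now
  openssl x509 -in "$dir/server.crt" -noout -checkend $((7 * 86400)) >/dev/null 2>&1 ||
    { echo "FAIL: server.crt expires within 7 days"; rc=1; }
  # 4. private keys must be readable by their owner only (mode 600 or 400)
  for k in rootCA.key server.key; do
    [ -f "$dir/$k" ] || continue
    mode=$(stat -c %a "$dir/$k")
    case "$mode" in ?00) ;; *) echo "FAIL: $k has mode $mode"; rc=1 ;; esac
  done
  return "$rc"
}

make_constructed_set() {  # throwaway files for the demo; 2048-bit keys to keep it quick
  ( cd "$1" &&
    openssl genrsa -out rootCA.key 2048 &&
    openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.crt -subj "/CN=rootCA" &&
    openssl genrsa -out server.key 2048 &&
    openssl req -new -key server.key -out server.csr -subj "/CN=localhost" &&
    openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt &&
    chmod 600 rootCA.key server.key ) >/dev/null 2>&1
}

demo=$(mktemp -d)
make_constructed_set "$demo" && check_node_tls "$demo" && echo "OK: TLS files are consistent"
rm -rf "$demo"
```

To check a real installation, call `check_node_tls` with the folder that contains ob.cfg.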

Step 2: Install the Certificate for the Client

Windows

Install pscp

  • Press the Windows key and type: 'Path'
    • You should see 'Edit the environmental variables for your account'; click it
    • Select 'Environmental Variables'
    • Under 'User variables for [username]', click 'Edit...'
    • Click 'New'
    • Paste in the folder path to the pscp.exe file that you copied above:
    • Press 'Ok' to save the changes

Download the rootCA.crt from your server

  • Press the Windows key and type 'cmd'; select 'Command Prompt'
  • Use the terminal to navigate to the folder where you want to download rootCA.crt
    • In this example, I used C:/OpenBazaar as the destination folder
  • Type the following into the terminal:
    • pscp [username]@[IP address of server]:[file path to rootCA.crt] [destination folder]
      • Example:
        • pscp root@128.199.118.253:/home/OpenBazaar-Server/rootCA.crt C:/OpenBazaar/
  • Install the certificate
    • Double-click the rootCA.crt file
    • Click 'Install Certificate'
      • This will open the import certificate wizard
      • Select the store location and click next
    • Select 'Automatically select the certificate store...'
    • Click 'Finish' and 'Ok'

Mac OS X

Download the rootCA.crt from your server

  • Use the terminal to navigate to the folder where you want to download rootCA.crt
    • In this example, I used /Users/washingtonsanchez/OpenBazaar as the destination folder
  • Type the following into the terminal:
    • scp [username]@[IP address of server]:[file path to rootCA.crt] [destination folder]
      • Example:
        • scp root@128.199.118.253:/home/OpenBazaar-Server/rootCA.crt /Users/washingtonsanchez/OpenBazaar/

Install the rootCA.crt

  • Open the location where you downloaded the rootCA.crt file
  • Double-click the file
    • This will open 'Keychain Access'
    • The certificate is automatically installed, so close 'Keychain Access'

Linux

Download the rootCA.crt from your server

  • Use the terminal to navigate to the folder where you want to download rootCA.crt
    • In this example, I used /home/OpenBazaar as the destination folder
  • Type the following into the terminal:
    • scp [username]@[IP address of server]:[file path to rootCA.crt] [destination folder]
      • Example:
        • scp root@128.199.118.253:/home/OpenBazaar-Server/rootCA.crt /home/OpenBazaar/

Install the rootCA.crt

  • Open the location where you downloaded the rootCA.crt file
  • Double-click the file
    • The certificate should automatically be installed
  • OR - you can install the certificate manually in the terminal using the following commands:
    • sudo mkdir /usr/share/ca-certificates/extra
    • sudo cp rootCA.crt /usr/share/ca-certificates/extra/rootCA.crt
    • sudo dpkg-reconfigure ca-certificates

Step 3: Run the client

  • In the server configuration window, press the 'SSL off' button so that it shows 'SSL on'
  • Scroll down and add your `username` and `password` that you set earlier
  • Click 'Save Changes' and you should be good to go!