Topic: Need to host Bitcoin Core RPC server over SSL/TLS [SOLVED] (Read 126 times)

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Take a look at: https://www.cyberciti.biz/faq/how-to-curl-ignore-ssl-certificate-warnings-command-option/
I have used the insecure options with varying levels of success. I have still gotten odd failures but then it starts working again, never really figured out why. And at other times it just complained about other cert issues.

-Dave

Yeah, that seemed to do the trick.

Since I was making production requests through NodeJS, I had to create an httpAgent that had rejectUnauthorized set to false, to perform the equivalent behavior of CURL (ignoring certificate verification errors) like this:

Code:
const https = require('https');

// Agent that skips certificate verification (the CURL-equivalent of --insecure)
const httpsAgent = new https.Agent({
  rejectUnauthorized: false,
});

...

const fetch = require('node-fetch');
fetch("https://example.com", {
  // ...other request options
  agent: httpsAgent,
});
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Take a look at: https://www.cyberciti.biz/faq/how-to-curl-ignore-ssl-certificate-warnings-command-option/
I have used the insecure options with varying levels of success. I have still gotten odd failures but then it starts working again, never really figured out why. And at other times it just complained about other cert issues.

-Dave
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
I am trying to host bitcoin core over an SSL connection, because it is by default only accessible over HTTP (there used to be an option to configure SSL for the RPC but it was removed back in 0.12).

However, I am finding it difficult to make requests using stunnel software that encapsulates the connection over HTTPS.

This is what I'm trying so far (on a testnet connection):

Code:
# curl --data-binary '{"jsonrpc":"1.0","id":"curltext","method":"getblockchaininfo","params":[]}' -H 'content-type:text/plain;' https://user:<password>@127.0.0.1:28332 -v
*   Trying 127.0.0.1:28332...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 28332 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to 127.0.0.1:28332
* Closing connection 0
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to 127.0.0.1:28332

My stunnel.conf:

Code:
pid=/var/run/stunnel/stunnel.pid

[bitcoind testnet]
accept = 0.0.0.0:28332
cert = /etc/stunnel/stunnel.pem
client = yes
connect = 127.0.0.1:18332

As you can see, by default Bitcoind only binds to localhost and not to the other interfaces (I think there is an option "rpcserver" that configures this or similarly named).

I need to get Bitcoind hosted on my public interface (0.0.0.0) over HTTPS because it's running on a different machine than the one that has the rest of the API that's calling it, and I don't like exposing the username and password over HTTP. It is being used for non-wallet functionality.



Changing client = yes to client = no changes the output to this:

Code:
*   Trying 127.0.0.1:28332...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 28332 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

As you can see, I am using a self-signed certificate; I need to figure out a way to make CURL stop complaining about this warning so that RPC calls can be made.