net/ plumbing to manage LetsEncrypt TLS certificates (#4985)

automerge

net/common.sh

@@ -25,6 +25,7 @@ entrypointIp=
 publicNetwork=
 netBasename=
 sshPrivateKey=
+letsEncryptDomainName=
 externalNodeSshKey=
 sshOptions=()
 fullnodeIpList=()

net/gce.sh

@@ -67,6 +67,7 @@ externalNodes=false
 failOnValidatorBootupFailure=true
 
 publicNetwork=false
+letsEncryptDomainName=
 enableGpu=false
 customAddress=
 zones=()
@@ -122,6 +123,9 @@ Manage testnet instances
                       * For EC2, [address] is the "allocation ID" of the desired
                         Elastic IP.
    -d [disk-type]   - Specify a boot disk type (default None) Use pd-ssd to get ssd on GCE.
+   --letsencrypt [dns name] - Attempt to generate a TLS certificate using this
+                              DNS name (useful only when the -a and -P options
+                              are also provided)
 
  config-specific options:
    -P               - Use public network IP addresses (default: $publicNetwork)
@@ -136,14 +140,28 @@ EOF
   exit $exitcode
 }
 
-
 command=$1
 [[ -n $command ]] || usage
 shift
 [[ $command = create || $command = config || $command = info || $command = delete ]] ||
   usage "Invalid command: $command"
 
-while getopts "h?p:Pn:c:r:z:gG:a:d:uxf" opt; do
+shortArgs=()
+while [[ -n $1 ]]; do
+  if [[ ${1:0:2} = -- ]]; then
+    if [[ $1 = --letsencrypt ]]; then
+      letsEncryptDomainName="$2"
+      shift 2
+    else
+      usage "Unknown long option: $1"
+    fi
+  else
+    shortArgs+=("$1")
+    shift
+  fi
+done
+
+while getopts "h?p:Pn:c:r:z:gG:a:d:uxf" opt "${shortArgs[@]}"; do
   case $opt in
   h | \?)
     usage
@@ -199,7 +217,6 @@ while getopts "h?p:Pn:c:r:z:gG:a:d:uxf" opt; do
     ;;
   esac
 done
-shift $((OPTIND - 1))
 
 [[ ${#zones[@]} -gt 0 ]] || zones+=("$(cloud_DefaultZone)")
 
@@ -328,6 +345,7 @@ prepareInstancesAndWriteConfigFile() {
 netBasename=$prefix
 publicNetwork=$publicNetwork
 sshPrivateKey=$sshPrivateKey
+letsEncryptDomainName=$letsEncryptDomainName
 EOF
   fi
   touch "$geoipConfigFile"
@@ -598,6 +616,7 @@ $(
     disable-background-upgrades.sh \
     create-solana-user.sh \
     add-solana-user-authorized_keys.sh \
+    install-certbot.sh \
     install-earlyoom.sh \
     install-libssl-compatability.sh \
     install-nodejs.sh \

net/net.sh

@@ -372,6 +372,23 @@ startNode() {
   (
     set -x
     startCommon "$ipAddress"
+
+    if [[ $nodeType = blockstreamer ]] && [[ -n $letsEncryptDomainName ]]; then
+      #
+      # Create/renew TLS certificate
+      #
+      declare localArchive=~/letsencrypt-"$letsEncryptDomainName".tgz
+      if [[ -r "$localArchive" ]]; then
+        timeout 30s scp "${sshOptions[@]}" "$localArchive" "$ipAddress:letsencrypt.tgz"
+      fi
+      ssh "${sshOptions[@]}" -n "$ipAddress" \
+        "sudo -H /certbot-restore.sh $letsEncryptDomainName maintainers@solana.com"
+      rm -f letsencrypt.tgz
+      timeout 30s scp "${sshOptions[@]}" "$ipAddress:/letsencrypt.tgz" letsencrypt.tgz
+      test -s letsencrypt.tgz # Ensure non-empty before overwriting $localArchive
+      cp letsencrypt.tgz "$localArchive"
+    fi
+
     ssh "${sshOptions[@]}" -n "$ipAddress" \
       "./solana/net/remote/remote-node.sh \
          $deployMethod \

net/remote/remote-node.sh

@@ -223,6 +223,13 @@ local|tar)
       if [[ -z $stakeNodesInGenesisBlock ]]; then
         ./multinode-demo/drone.sh > drone.log 2>&1 &
       fi
+
+      # Grab the TLS cert generated by /certbot-restore.sh
+      if [[ -f /.cert.pem ]]; then
+        sudo install -o $UID -m 400 /.cert.pem /.key.pem .
+        ls -l .cert.pem .key.pem
+      fi
+
       export BLOCKEXPLORER_GEOIP_WHITELIST=$PWD/net/config/geoip.yml
       npm install @solana/blockexplorer@1
       npx solana-blockexplorer > blockexplorer.log 2>&1 &

net/scripts/ec2-security-group-config.json

@@ -81,7 +81,7 @@
             "FromPort": 3001,
             "IpRanges": [
                 {
-                    "Description": "blockexplorer API port",
+                    "Description": "blockexplorer http API port",
                     "CidrIp": "0.0.0.0/0"
                 }
             ],
@@ -91,7 +91,26 @@
             "Ipv6Ranges": [
                 {
                     "CidrIpv6": "::/0",
-                    "Description": "blockexplorer API port"
+                    "Description": "blockexplorer http API port"
+                }
+            ]
+        },
+        {
+            "PrefixListIds": [],
+            "FromPort": 3443,
+            "IpRanges": [
+                {
+                    "Description": "blockexplorer https API port",
+                    "CidrIp": "0.0.0.0/0"
+                }
+            ],
+            "ToPort": 3443,
+            "IpProtocol": "tcp",
+            "UserIdGroupPairs": [],
+            "Ipv6Ranges": [
+                {
+                    "CidrIpv6": "::/0",
+                    "Description": "blockexplorer https API port"
                 }
             ]
         },

net/scripts/install-certbot.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+set -ex
+
+[[ $(uname) = Linux ]] || exit 1
+[[ $USER = root ]] || exit 1
+
+add-apt-repository --yes ppa:certbot/certbot
+apt-get --assume-yes install certbot
+
+cat > /certbot-restore.sh <<'EOF'
+#!/usr/bin/env bash
+set -e
+
+domain=$1
+email=$2
+
+if [[ $USER != root ]]; then
+  echo "Run as root"
+  exit 1
+fi
+
+if [[ -f /.cert.pem ]]; then
+  echo "Certificate already initialized"
+  exit 0
+fi
+
+set -x
+if [[ -r letsencrypt.tgz ]]; then
+  tar -C / -zxf letsencrypt.tgz
+fi
+
+cd /
+rm -f letsencrypt.tgz
+
+maybeDryRun=
+# Uncomment during testing to avoid hitting LetsEncrypt API limits while iterating
+#maybeDryRun="--dry-run"
+
+certbot certonly --standalone -d "$domain" --email "$email" --agree-tos -n $maybeDryRun
+
+tar zcf letsencrypt.tgz /etc/letsencrypt
+ls -l letsencrypt.tgz
+
+# Copy certificates to / for easy access without knowing the value of "$domain"
+rm -f /.key.pem /.cert.pem
+cp /etc/letsencrypt/live/$domain/privkey.pem /.key.pem
+cp /etc/letsencrypt/live/$domain/cert.pem /.cert.pem
+
+EOF
+
+chmod +x /certbot-restore.sh