> ## Documentation Index
> Fetch the complete documentation index at: https://docs.skale.space/llms.txt
> Use this file to discover all available pages before exploring further.

# Node SSL Setup

> Document walks a validate through how to setup SSL for a node.

## Introduction

Node SSL certificates support secure communication with SKALE Chain endpoints.
By default, each node of a SKALE Chain listens on HTTP and WS ports. If SSL certs exist on the node, then HTTPS and WSS ports are also turned on.

Node SSL certificates aren't required to start a node, register it, or create SKALE Chains.
However, dApp developers using SKALE Chains need HTTPS/WSS endpoints to work with toolings such as API based wallets and other integrations.
Therefore, SSL certificates are required for SKALE Network validator nodes.

## Node SSL onboarding

Here's an example of a step-by-step process of setting up validator node SSL.

### Prerequisites

To upload SSL certificates to the node, you’ll have to do a few steps on your side which may vary depending on your domain name
provider, certificate authority, etc.
[See here for reference example](#reference-letsencrypt-tutorial) of how use free Let's Encrypt certificates.

The steps include:

* getting domain names for each node.
* issuing SSL certificates for them.
* uploading certificates to the node.
* setting up domain name for the node in the SKALE Manager smart contracts.

<Note>
  This procedure will vary depending on your domain management service (Google Domains, GoDaddy, etc).
</Note>

<Steps>
  1. Domain name and redirects

     The first thing you will need is the domain name. You’ll need one per node, so it makes sense to set up a subdomain for each one and set up redirects. Let’s say you own `awesome-validator.com` and run two nodes with the following IP addresses, names, and redirects:

     | Node name | Node IP    | Redirect                     |
     | --------- | ---------- | ---------------------------- |
     | node-0    | 123.1.23.5 | node-0.awesome-validator.com |
     | node-1    | 5.46.34.25 | node-1.awesome-validator.com |

  2. Verify redirects

     You can verify that redirects work by sending a request to the watchdog API on 3009 port using your domain name.

  3. Issue SSL certificates

     Once you have all redirects for your nodes, you can move to the SSL certificates.
     You will need SSL certs issued by one of the [Trusted CAs](#trusted-authorities). Once you've decided on the certificate issuer, you have several options - issue a separate certificate for each subdomain (node-0.awesome-validator.com, node-1.awesome-validator.com) or issue a single Wildcard SSL for all nodes (\*.awesome-validator.com). As a result, you should have 2 main files saved and copied to the respective nodes:

     * Certificate file (usually called something like fullchain.pem or cert.pem)
     * Private key file (usually called something like privkey.pem, pk.pem)

  4. Upload certificates to the SKALE Node

     Once you copied the certificate and private key file, all you have to do is to run the following command:

     ```shell theme={null}
     skale ssl upload -c $PATH_TO_CERT_FILE -k $PATH_TO_KEY_FILE
     ```

       <Note>
         Add -f flag to the command to override existing certificates on the node
       </Note>

     Once certificates are uploaded, you can check them by running:

     ```shell theme={null}
     skale ssl status
     ```

  5. Set domain name for your node in the SKALE Manager smart contracts

     To set the domain name of the registered node with SKALE manager, execute the following node-cli command on each respective node:

     ```shell theme={null}
     skale node set-domain -d node-0.awesome-validator.com
     ```

     See full reference for the `set-domain` command [https://github.com/skalenetwork/node-cli#domain-name\[here](https://github.com/skalenetwork/node-cli#domain-name\[here)].

       <Note>
         In the recent version of the SKALE Manager smart contracts domain name is required during the node registration
       </Note>

     Be sure get a domain in advance to provide it when adding a new node to the network:

     ```shell theme={null}
     skale node register --ip 1.2.3.4 -d node-0.awesome-validator.com --name node-0-AV
     ```

       <Note>
         If you already registered your node, then command will fail. If you are trying to set the domain for an already registered node, simply use `skale node set-domain -d node-0.awesome-validator.com`.
       </Note>

     See full reference for the `register` command [https://github.com/skalenetwork/node-cli#node-registration\[here](https://github.com/skalenetwork/node-cli#node-registration\[here)].
</Steps>

## Trusted authorities

When choosing CA for getting your SSL certificate, consider a source that will be trusted by most major browsers, operating systems, and other devices.

Here’s a list of links that can help you with your decision:

* List of major CA providers: [https://en.wikipedia.org/wiki/Certificate\_authority#Providers](https://en.wikipedia.org/wiki/Certificate_authority#Providers)
* CAs trusted by Mozilla: [https://wiki.mozilla.org/CA/Included\_Certificates](https://wiki.mozilla.org/CA/Included_Certificates)
* CAs trusted by Apple: [https://support.apple.com/en-us/HT204132](https://support.apple.com/en-us/HT204132), [https://support.apple.com/en-us/HT209144](https://support.apple.com/en-us/HT209144)

Also, here’s a list of the most popular and well-known SSL providers:

* DigiCert [https://www.digicert.com/](https://www.digicert.com/)
* GeoTrust [https://www.geotrust.com/](https://www.geotrust.com/)
* RapidSSL [https://www.rapidssl.com/](https://www.rapidssl.com/)

Besides that, usually, you could purchase an SSL certificate from your domain provider. That could be the most convenient way for you to manage everything from a single place:

* GoDaddy [https://godaddy.com/web-security/ssl-certificate](https://godaddy.com/web-security/ssl-certificate)
* NameCheap [http://namecheap.com/](http://namecheap.com/)
* Name.com [https://www.name.com/ssl](https://www.name.com/ssl)

Most of them usually providing you with a few options like RapidSSL and DigiCert.

<Warning>
  Certificates provided by Letsencrypt are widely used now and trusted by most operating systems and devices, so it's OK to use them for your node, but don't forget about renewals since Letsencrypt certs expire in 3 months. You can read more about Letsencrypt security and trust here: [https://letsencrypt.org/certificates/](https://letsencrypt.org/certificates/) and [https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html](https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html)
</Warning>

<Note>
  Generally, Letsencrypt SSL certs are considered safe, but there are some opponents to the idea of a 'free SSL certs for everybody': [https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801](https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801)
</Note>

## Reference Letsencrypt tutorial

This brief tutorial shows you how to generate a wildcard SSL using Letsencrypt.

<Steps>
  1. Install Certbot
     [https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx](https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx)
  2. Run
     ```shell theme={null}
     certbot certonly --standalone -d my.domain.com
     ```
  3. Copy .pem files to secure place
     ```shell theme={null}
     cp *.pem ~/[SECURE_DIR]
     ```
</Steps>
