Stratum+ssl configuration

[xsiroxcoin]

can some one tell me how configure stratum+ssl:// with miningcore

[ei8ht187]

You need your certificate in PKCS12 (file ending with .pfx) format. A Linux typical X509 setup is not supported. There are plenty of how tos out there for the conversion of X509 .pem/.key files to pfx.

[xsiroxcoin]

You need your certificate in PKCS12 (file ending with .pfx) format. A Linux typical X509 setup is not supported. There are plenty of how tos out there for the conversion of X509 .pem/.key files to pfx.

how can i setup after get this pem key and how get this certificate

which commands any guide

[ei8ht187]

This a SSL problem and not directly related to miningcore. However, here is a link to several HowTos: https://gprivate.com/5yie0

[xsiroxcoin]

This a SSL problem and not directly related to miningcore. However, here is a link to several HowTos: https://gprivate.com/5yie0

ok and how setup port for ssl and other

[xsiroxcoin]

i set letsencrypt and covert to pfx and after run pool i see this error

=> Pool Endpoint: /var/lib/certs/domain.name.pfx is not valid or does not include the private key and cannot be used

[ei8ht187]

This a SSL problem and not directly related to miningcore. However, here is a link to several HowTos: https://gprivate.com/5yie0

ok and how setup port for ssl and other
In your pool config:

            "5200": {
              "listenAddress": "0.0.0.0",
              "difficulty": 1,
              "name": "GPU Mining",
              "tls": true,
              "tlsAuto": false,
              "tlsPfxFile": "/path/to/certificate.pfx",
              "tlsPfxPassword": "thePasswordYouEnteredDuringConversion",
            }

All possible options are explained in the source:

miningcore/src/Miningcore/Configuration/ClusterConfig.cs

Line 596 in 05b7810

public class PoolEndpoint

[xsiroxcoin]

only need to put these line
"tls": true,
"tlsAuto": false,
"tlsPfxFile": "/path/to/certificate.pfx",
"tlsPfxPassword": "thePasswordYouEnteredDuringConversion",

not other because still same error

[MiningCryptoLive]

Did you figure it out? I was able to do it. When you convert the letsencrypt files to pfx you need to make sure and do it in the directory that letsencrypt created them. cd to /etc/letsencrypt/live/yourdomaindirectory. once there run: openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem. this will ask you to create a password and verify the password. Then your certificate.pfx will be in this directory. Then add them to the config file above and you should be good.

[ei8ht187]

i set letsencrypt and covert to pfx and after run pool i see this error

=> Pool Endpoint: /var/lib/certs/domain.name.pfx is not valid or does not include the private key and cannot be used

Again, this is a SSL issue and not for Miningcore, as long as everything is configured correctly. You have to include the certificate and your private key in the .pfx file. This should also be mentioned in nearly every tutorial from the link I gave you above. Also is it mandatory to set a pasword for the pfx file during creation.

@oliverw maybe move this to discussions. This isn't a bug or issue.

[xsiroxcoin]

i set letsencrypt and covert to pfx and after run pool i see this error
=> Pool Endpoint: /var/lib/certs/domain.name.pfx is not valid or does not include the private key and cannot be used

Again, this is a SSL issue and not for Miningcore, as long as everything is configured correctly. You have to include the certificate and your private key in the .pfx file. This should also be mentioned in nearly every tutorial from the link I gave you above. Also is it mandatory to set a pasword for the pfx file during creation.

@oliverw maybe move this to discussions. This isn't a bug or issue.

i generated pfx file and start pool but see error of this

=> Pool Endpoint: /var/lib/certs/domain.name.pfx is not valid or does not include the private key and cannot be used

[ei8ht187]

Probably best to not use let's encrypt to do this. You have only limited control over the private key there. The error itself says that there is no private key.
In traditional SSl environment (so before Let's Encrypt) you genereated a private key. With this private key and some further information, you generated a certificate signing request (CSR). Then you gave the CSR to a certificate authority (CA, like startssl, sectigo, and so on). They then generated your certificate.

Then you took your previous generated private key and the certificate from your CA and put them into the configuration or merged them with openssl to a pfx.

Now, with Let's encrypt, the whole procedure is full automatic. From the generation of the key and csr and retrival of the crt where let's encrypt is also your CA.

Short hack around this issue is to use a reverse proxy with let's encrypt support (traefik, haproxy, nginx par example) in front of your stratum proxy and terminate SSL there. For full functionality of miningcore in this setup you need to enable tcpProxyProtocol in miningcore and proxyprotocol in the reverse proxy. I asked about this in the discussions.

[xsiroxcoin]

Probably best to not use let's encrypt to do this. You have only limited control over the private key there. The error itself says that there is no private key. In traditional SSl environment (so before Let's Encrypt) you genereated a private key. With this private key and some further information, you generated a certificate signing request (CSR). Then you gave the CSR to a certificate authority (CA, like startssl, sectigo, and so on). They then generated your certificate.

Then you took your previous generated private key and the certificate from your CA and put them into the configuration or merged them with openssl to a pfx.

Now, with Let's encrypt, the whole procedure is full automatic. From the generation of the key and csr and retrival of the crt where let's encrypt is also your CA.

Short hack around this issue is to use a reverse proxy with let's encrypt support (traefik, haproxy, nginx par example) in front of your stratum proxy and terminate SSL there. For full functionality of miningcore in this setup you need to enable tcpProxyProtocol in miningcore and proxyprotocol in the reverse proxy. I asked about this in the discussions.

i buy ssl and setup but still same issue
=> Pool Endpoint: /var/lib/certs/domain.name.pfx is not valid or does not include the private key and cannot be used

[ei8ht187]

Most likely there is some misstake during the generation of the pfx file with your crt and your key. Best is to inspect your pfx after the geneartion with openssl, if both parts are in it. It is mandatory to set a password during the generation of the pfx file and use the same password in your miningcore configuration.
As soon as both parts are in it, Miningcore properly configured TLS/SSL runs smoothly with miningcore.

[oliverw]

You need your certificate in PKCS12 (file ending with .pfx) format. A Linux typical X509 setup is not supported. There are plenty of how tos out there for the conversion of X509 .pem/.key files to pfx.

Would love to support this but .NET Core's support for this was lacking when SSL support was added. Would need to check again if there are improvements.

[xsiroxcoin]

Most likely there is some misstake during the generation of the pfx file with your crt and your key. Best is to inspect your pfx after the geneartion with openssl, if both parts are in it. It is mandatory to set a password during the generation of the pfx file and use the same password in your miningcore configuration. As soon as both parts are in it, Miningcore properly configured TLS/SSL runs smoothly with miningcore.

i put this command
openssl pkcs12 -in output.pfx -passin pass:test122 -passout pass:test122 -info

its show me these details

MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: B5 00 B0 C8 FF D3 32 C3 90 F9 EE 59 0F 34 CD B3 02 10 F5 11
subject=CN = test.pool.com

issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

-----BEGIN CERTIFICATE-----
MIIF4DCCBMigAwIBAgIQR8BGnieEu+V1x2tityj5OjANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQD
Ey5TZWN0aWdvIFJTQSBEb21haW4gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENB
MB4XDTIyMDMwNzAwMDAwMFoXDTIyMDgzMTIzNTk1OVowJDEiMCAGA1UEAxMZYXNp
YS5taW5pbmdwb29sZ2xvYmFsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBANW/Y3O5O5Faqpt/vWxdPONh1MK0ar+pYCYMRo2pVfpBn7pMez8AhkjV
HIjmqgf6NU2xQFQhQ6soz2xGawH5l0JeGr/gOsSSOj+UHVsE8vn4y5F0GH5bEaOB
BE335ngCIuqNThj413unL8TNLX3yOgkNSgCriB1JwCs74x3ydke4m16cr9bha8zL
hIZkjrBh5yFX+Cy5PTaMUcrGZYLTmMjSvWbAYA/K/Ly1Mjg3dO8WiQGO8UupHmOL
ZOX4jg99OdC6Anf+VywxORaLVUVUpqYse4mDwd8+BhrwEx4RvsdRlVioLnwDmA6m
qoaDBOn/UeOg40xysdfsadfsadfsdafsdfsdfaOCAqAwggKcMB8GA1UdIwQYMBaA
FI2MXsRUrYrhd+mb+ZsF4bgBjWHhMB0GA1UdDgQWBBSPlQKmE0aFM4/nl5eO2jha
dkjetjAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggr
BgEFBQcDAQYIKwYBBQUHAwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICBzAlMCMG
CCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgEwgYQG
CCsGAQUFBwEBBHgwdjBPBdsfasdafasdfasdfxczvzxcvxczvxccZWN0aWdvLmNv
bS9TZWN0aWdvUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAj
BggrBgEFBQcwAYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wQwYDVR0RBDwwOoIZ
YXNpYS5taW5pbmdwb29sZ2xvYmFsLmNvbYIdd3d3LmFzaWEubWluaW5ncG9vbGds
b2JhbC5jb20wggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgBGpVXrdfqRIDC1oolp
9PN9ESxBdL79SbiFq/L8cP5tRwAAAX9k6Oe0AAAEAwBHMEUCIQC4P4gLWQEZnKj0
xSARzBDcr5NTmTR25Yj00fHqwyQlOgIgPvShXmwoNiZwKWS9g0es0s3lSOL1j4Ye
Xd+Eqq5pTk4AdgBByMqx3yJGShDGoToJQodeTjGLGwPr60vHaPCQYpYG9gAAAX9k
6OeWAAAEAwBHMEUCIQDTVLfPbqDB1jeJiOmnr1xcgbXJBtUhaOsmZ6SU/150rQIg
SIiNOpjMybzMeCZ8ITqPuaJANOw0PwN8fnzVAqE9Ta0wDQYJKoZIhvcNAQELBQAD
ggEBAFdlGmRoDnZLSblwrmjJfu4t90KegCUTQ+65hoj9IBASPpqnXkFH15/JxWDl
fgoOMIL+P8iLAOO7bFcpdLcqbw+0QhRECsRFdDx+ObvMF9EfxBKtZXp3UUvEHTsY
jRjiyfEvWcPCnC3NrY254Cvqd9uuy7olHA8i6GR2EnkUlEOyaPdREquJsG32HVWg
c4FNErO7pMDYgJsplE/cDVplZvOi3i8X5YG9pRUNWWq9AhZ48hvyoUV2LyhHjx0Q
hMS7IUOI64RfVAwm6GMRaKbkxOisZ7wlpzsp4xqwfdAlRp0y0Q71mza5tX8KCdtD
X1a4Auvlj/d7Lu/WcPZOWFJ4xcc=
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
localKeyID: B5 00 B0 C8 FF D3 32 C3 50 F9 EE 59 0F 78 CD B3 02 10 F5 11
Key Attributes:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI+20D4Pa2XeQCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECA1dIHUocDlvBIIEyFj732PWAXeA
ic8sJy1QMrsi6i4DU8yb+IRha+HicBSZLsjGcLMpSSyU3J8zGFWzekNZonOUWWuB
TT/NFLigweiE9jvAVFnfbHQO0rDmftPmdpqc7Wvt8x9Zy7qCCgHG3IIMWt0h+7Fl
7S1DlobQyJuX6msdafsadffffffffffffffffffffffffdsfffffffdddddddd4e
3k1eeT3W4SzNFqPAnvDfcD85kWBfosiPW+bXQ/waMtVYcsCXwj789maIPauRdXHN
hs38Lep2KY4vLlBzmyGm1JfieDrC/feoY2IYYAfduQ1VlrOTAm2/CPzy8eyxMpez
PKt47DYokBeQheMLlcVyFDMubHDFve2yKWYBGLXK4MaOxJmq50pQX6hihyscgojB
TvoaOIUdCjwcd4/AiglZRS3m2xKKjf0+IfxsBJvfmU5hBpycxw4LDE0xamMKscF/
4A331MmkZRh+GZrs1iVF6v/LTMOwRucFcaJa+tqujP72h7iLrS96iwJSKABtFwBq
L2+akmEp57ut7QPgpXKIP5rXM4HOuUAPDT9imlU0Z6r9MTkT9wGNy2pKyVxEbDIA
UsspFAll49v7Fd+DfHkTU1Rq6BJq7SJB/95SCPgYhz2Z+ILn2l055sW+V9nSy1cN
4/pdOh1MowK97m4N1MpdBxgdn98kR0kDZYPKk+gaUWRTmSf+ADF2jDAcdH3s97rH
Voy53c1cvoHGPeh4PUO167rmbn4mnUD24oKKDMGlAaH+T8VZAICx2eXWYmMqJXJJ
tagZ1nkzOph3T9udJL3ZGUXtWysSZz1GT1zStzZK+Az8c516dOMa1xay4mtwVGhE
oc05c5eXtOb25/4Fv4NAr6dVdWr07V1zqZ7GmFmnRBIJJ+x6vxTG8+9/1nFc5g0d
XBihF+Cgtp+T4eQfZIESc8bJpBuXk4Q9OF8n0C61BzQjdj/MNUx/K2TN0oXqpNRR
QvyyVkaE3NuHdBAadJEJTqD5Qia8ikuj0TMkUVOLVDu8JXY4aO5c8mNHOQIodpDt
oIEtzmD3pBKu3kLgXkPz3adrDBgvpSRd3vVLrEI4K+NUmrNN/tI/tHXjqt8r/Omb
AftFLUzNd+CcyoYpk//hDJ2M26I6wBwyOs7zac1oYPNZrGFAPOUsPEyhJTe5/iPp
pOKD+uNLDzKknvhC5nwJjKdGNRNPf72UUiZaY8FZB+A4p8mdFBWS2o5dxv2/sn+N
hBrRM6qwEcGau89gmS6uaq4U/puZpexec5V2ntZarxh/wuMP1waGppEDtJMFCH3F
ns8/35jSlu4JnqP6UvE58045lbn4xQ2Du9He1R6b9o/sk0mtjIesK+u/CazShYhv
Tf6C2Us135DcXelnsvKEePY6C2M17H9VwkbpdQ/JV/LSyMb38mj8tr6lvJDQPY8l
ISCfQg+vqVnR7uTUQUs8akM/xsmMKogw9AMKvP02iAegyiSL+jFED60E5wE7KRFF
BERcQAASjvlukrJ7aXbWXTpk/zzMgR+ppYFTncEfRFYFFUfb1e2rVTaxzXO7zFU/
QNv8I+P4wlO4+DHY8LEkZChsVFzzMSU7m9XQr3pcoUHQ0IzAFPVisS2B/mxZMsIT
zvA7Wc1CAcOJbhhBstKBYw==
-----END ENCRYPTED PRIVATE KEY-----

[oliverw]

:sad Dude you've just burned your Certificate by posting the private key here. Never ever do that.

[xsiroxcoin]

Dude you've just burned your Certificate by posting the private key here. Never ever do that.

this is just demo i change all things :)

[Konstantin35]

For those who haven't figured it out
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem

"tlsPfxFile": "/path/to/cert.pfx",