Search
This guide will walk you through how to generate your own self-signed certificates for use by the Chainlink node. You can also substitute self-signed certificates with certificates of your own, like those created by Let's Encrypt.
Important
You will need OpenSSL in order to generate your own self-signed certificates.
Create a directory tls/
within your local Chainlink directory:
mkdir ~/.chainlink-goerli/tls
mkdir ~/.chainlink/tls
Run this command to create a server.crt
and server.key
file in the previously created directory:
openssl req -x509 -out ~/.chainlink-goerli/tls/server.crt -keyout ~/.chainlink-goerli/tls/server.key \
-newkey rsa:2048 -nodes -sha256 -days 365 \
-subj '/CN=localhost' -extensions EXT -config <( \
printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
openssl req -x509 -out ~/.chainlink/tls/server.crt -keyout ~/.chainlink/tls/server.key \
-newkey rsa:2048 -nodes -sha256 -days 365 \
-subj '/CN=localhost' -extensions EXT -config <( \
printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
Next, add the TLS_CERT_PATH
and TLS_KEY_PATH
environment variables to your .env
file.
echo "TLS_CERT_PATH=/chainlink/tls/server.crt
TLS_KEY_PATH=/chainlink/tls/server.key" >> .env
If CHAINLINK_TLS_PORT=0
is present in your .env
file, remove it by running:
sed -i '/CHAINLINK_TLS_PORT=0/d' .env
Also remove the line that disables SECURE_COOKIES
by running:
code": "sed -i '/SECURE_COOKIES=false/d' .env
Finally, update your run command to forward port 6689 to the container instead of 6688:
cd ~/.chainlink-goerli && docker run -p 6689:6689 -v ~/.chainlink-goerli:/chainlink -it --env-file=.env smartcontract/chainlink local n
cd ~/.chainlink && docker run -p 6689:6689 -v ~/.chainlink:/chainlink -it --env-file=.env smartcontract/chainlink local n
Now when running the node, you can access it by navigating to https://localhost:6689 if running on the same machine or with a ssh tunnel.