Verify your Ripple Validator & show your domain

So you decided to run your own Ripple Validator? Great! You didn’t? Check my Howto on running a Ripple Validator on a DigitalOcean server.

If you got your validator running, you probably looked it up in the Ripple Validator Registry. It’s cool to see your own validator listed over there, but it would be even cooler to have the Validator Registry show your own domain in green, right?

Follow the four steps in this howto (5~10 minutes) or jump all the way to the bottom for the screencast of this Howto.

Only verified validators have a green domain name and check mark next to it.

If you own a domain name and you have access to DNS management for your domain, you can think up a subdomain and create an A-record pointing to the public IP of your Docker host.

So let’s say your domain name is wietse.com and you want to run your validator on xrp.wietse.com: you create an A-record for xrp (.wietse.com) pointing to the public IP of your server at DigitalOcean. This is the IP you used to log in using SSH / Putty in my previous howto.

1. Connect to your docker host (server)

Use SSH / Putty to log in to your server (Step 3 of the previous Howto). If you followed my instructions to launch a Docker host at Digital Ocean, we’ll first create a new firewall rule to allow LetsEncrypt to connect to our server on HTTP port 80 (they will provide a certificate to sign stuff for the verification process).

ufw insert 1 allow in on eth0 to any port 80 proto tcp

This command will tell ufw (uncomplicated firewall) to create a new rule on position one to allow incoming traffic on our public network interface (eth0) to port 80 (if it’s TCP traffic).

If you run my docker rippled validator container on another server, make sure there’s not a firewall blocking traffic to port 80. If you are running the validator on your home / office network, make sure port 80 points to your docker host (you might have to setup port forwarding). This is only for a few minutes.

2. Launch a new container

Use my new Docker container verify-rippledvalidator to launch the helper. The helper will guide you through the steps required to verify your domain and sign all the required data. The helper in this container will provide you with an e-mail you can send to Ripple right away.

Note. If you followed my Howto to the word (Step 4), you have your keystore on your docker host in /keystore/ (argument -v) and your validator container is called rippledvalidator (argument --name). If you changed this, you’ll have to change the commands below to match your values.

Type the following command:

docker run --rm -it -v /keystore/:/keystore/ -p 80:80 xrptipbot/verify-rippledvalidator

This command will run the verify-rippledvalidator image. The following arguments are set:

  • --rm to tell docker to remove this container after the signing process is done, no need to keep this container running.
  • -it to be able to interact with the container. The helper is going to ask a few questions and we need to be able to input our answers.
  • -v /keystore/:/keystore/ tells docker to mount the folder /keystore/ on our docker host to the container. The container can then access the validator keys. We need this to sign stuff using the validator key.
  • -p 80:80 tells docker to map port 80 (HTTP) on our docker host to port 80 inside the docker container. LetsEncrypt will run a webserver on port 80 for a few seconds to allow LetsEncrypt to verify we own this server & the domain.
  • xrptipbot/verify-rippledvalidator is the name of the image with the tool I wrote to help you verify.

3. Answer the questions

The container will ask you some questions. You just type in the answer and press enter. If everything is OK, the tool continues. If there’s something wrong, it will try to explain what to do.

4. Run another command

One more command to enter…

If everything was setup OK, the tool will show you a command. This command needs to run inside the rippledvalidator container:

docker exec rippledvalidator /keystore/finish_signing

Just copy and paste the command as-is (except if you changed the name of your validator container; in that case, replace only the rippledvalidator container name with the name of the container running the validator image).

After running this last command, the tool will finish with the body of the e-mail you can now send to Ripple. Ripple will check the contents of your e-mail. If everything is OK (at this point it’s hard to imagine why it wouldn’t be OK), they will reply within (probably) a few days that your validator is verified. It will now show your domain in green at the Validator Registry. You rock!
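Port 80 only needs to be reachable for the few minutes the helper runs. The wrapper below is an added example, not part of the original howto or the helper image: it runs the commands from Steps 1 and 2 and removes the firewall rule again when the helper exits, even if the helper fails. The function names and the KEYSTORE variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: open port 80 only while the verification helper runs.
# RULE is the exact rule text from Step 1 of the howto.
RULE="allow in on eth0 to any port 80 proto tcp"
# Host folder holding the validator keys (assumed default from the howto).
KEYSTORE=${KEYSTORE:-/keystore/}

# Remove the temporary rule; deleting by rule text does not prompt.
close_port80() {
    ufw delete $RULE
}

# Open port 80, run the helper interactively, then always close port 80.
# Returns the helper's exit status so a failed run is still visible.
run_helper_with_port80() {
    ufw insert 1 $RULE || return 1
    # If the script itself is interrupted, still remove the rule.
    trap 'close_port80; exit 130' INT TERM
    rc=0
    docker run --rm -it -v "$KEYSTORE":/keystore/ -p 80:80 \
        xrptipbot/verify-rippledvalidator || rc=$?
    trap - INT TERM
    close_port80 || echo "WARNING: port 80 rule is still present" >&2
    return "$rc"
}

# Only act when explicitly asked to: sh this-script.sh run
if [ "${1:-}" = "run" ]; then
    run_helper_with_port80
fi
```

The command from Step 4 is still typed separately when the helper shows it.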


5. Docker troubleshooting

So you forgot the name of the container you created?

docker ps

… will show you all your containers. The container name is in the last column.

So you forgot the folder on the host you used to mount to the container (to store the keys)? Use the container name (last column from the previous command) — the default is rippledvalidator, and:

docker inspect --format="{{.Mounts}}" rippledvalidator

You will see something like this:

[{bind  /my/folder/keystore /keystore   true private}]

This output means you used /my/folder/keystore to save the keyfiles. This is the first part (before the colon) of the -v argument required for Step 2.

No result? In that case you skipped mounting a folder on the host in the previous Howto. Just remove your container and re-create it using the previous howto (this time use the -v argument and mount a folder on the host to the docker container ;))

docker rm -f rippledvalidator

… Now re-create the container with Step 4 of this howto and start from scratch in this howto.

6. Certificate troubleshooting

If you get a reply from a Ripple employee asking you for the certificate for the key used for signing: the certificate received from LetsEncrypt is stored in the folder used to store the validator keys (the keystore folder used in the -v mapping on your docker host).

You can go to this folder using:

cd /my/keystore/folder/

(Insert your path, of course) — then you can issue the command:

ls -lah

(ls will do, but the -lah options give a nice list with all files, human readable) — you see a listing of all the files in the folder. There is a file called “yourdomain-fullchain.pem”, where yourdomain is the (sub)domain you signed.

That’s the file we want to send (or the contents at least). We’ll show the contents with our last command:

cat yourdomain-fullchain.pem

The output will be something like this; you can copy and paste it in your reply to the Ripple employee.
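The certificate sits in the same folder as the validator keys, so it is worth confirming that the file you are about to paste holds certificate blocks only. The check below is an added example, not part of the original howto or its helper tool; the function names, the demo file names and the idea that PEM-encoded key files may sit in the folder are assumptions.

```shell
#!/bin/sh
# Added example: check a PEM file before pasting it into an e-mail.

# pem_is_cert_only FILE
# Returns 0 only if FILE has at least one CERTIFICATE block, its BEGIN/END
# markers balance, and no other PEM block type (such as a PRIVATE KEY)
# is present. Returns 1 for unsafe content, 2 if FILE is unreadable.
pem_is_cert_only() {
    f=$1
    [ -r "$f" ] || return 2
    total=$(grep -c -e '^-----BEGIN ' "$f" || true)
    certs=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----' "$f" || true)
    [ "$certs" -ge 1 ] || return 1
    [ "$certs" -eq "$total" ] || return 1
    [ "$certs" -eq "$ends" ] || return 1
    return 0
}

# private_key_files DIR
# Prints the names of files in DIR that contain a private-key PEM block,
# i.e. files that must never be pasted or attached.
private_key_files() {
    for p in "$1"/*; do
        [ -f "$p" ] || continue
        if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$p"; then
            basename "$p"
        fi
    done
}

# Demo on constructed sample files (placeholder bodies, not real keys).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$d/example-fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END PRIVATE KEY-----' > "$d/example-key.pem"
    pem_is_cert_only "$d/example-fullchain.pem" && echo "fullchain: ok to send"
    pem_is_cert_only "$d/example-key.pem" || echo "key file: do NOT send"
    echo "private key files: $(private_key_files "$d")"
    rm -rf "$d"
}
demo
```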