# Blockscout SSL Setup - Complete Status

**Date**: December 23, 2025  
**Container**: VMID 5000 on pve2  
**Status**: ✅ **SSL Infrastructure Complete** | ⏳ **Blockscout Initializing**

---

## ✅ Completed Tasks

### 1. SSL Certificate Setup
- ✅ **Let's Encrypt Certificate**: Installed successfully
  - Domain: `explorer.d-bis.org`
  - Valid until: March 23, 2026
  - Location: `/etc/letsencrypt/live/explorer.d-bis.org/`
  - Auto-renewal: Enabled via certbot.timer

### 2. Nginx SSL Configuration
- ✅ **HTTPS Port 443**: Fully configured
  - SSL/TLS protocols: TLSv1.2, TLSv1.3
  - Modern ciphers enabled
  - Security headers: HSTS, X-Frame-Options, etc.
- ✅ **HTTP Port 80**: Redirects to HTTPS (301 redirect working)
- ✅ **Reverse Proxy**: Configured to proxy to Blockscout on port 4000

### 3. Cloudflare Tunnel
- ✅ **Tunnel Route Updated**: 
  - `explorer.d-bis.org` → `https://192.168.11.140:443`
  - SSL verification disabled for internal connection
  - Route configured via Cloudflare API

### 4. Blockscout Configuration
- ✅ **HTTPS Protocol**: Updated in docker-compose.yml
- ✅ **Hostname**: Set to `explorer.d-bis.org`
- ✅ **Container**: Running (VMID 5000 on pve2)

---

## ⏳ Current Status

### Blockscout Database Migrations
**Status**: Database is empty, migrations need to run automatically on startup

**Expected Behavior**: Blockscout Docker image should automatically run database migrations when the container starts with `/app/bin/blockscout start` command.

**Current Issue**: The application starts, attempts to access the database, finds no tables, and needs to run migrations. However, it appears to be crashing before migrations complete.

**Next Steps**: 
1. Wait for Blockscout to complete auto-migration (may take 3-5 minutes on first startup)
2. Monitor logs: `docker logs -f blockscout` from the container
3. The application should automatically create all required tables and then start serving requests

---

## 🔧 Architecture

```
Internet
   ↓
Cloudflare Edge (SSL Termination)
   ↓
Cloudflare Tunnel (encrypted connection)
   ↓
cloudflared (VMID 102)
   ↓
HTTPS → https://192.168.11.140:443
   ↓
Nginx (VMID 5000, pve2) - SSL/TLS on port 443
   ↓
HTTP → http://127.0.0.1:4000
   ↓
Blockscout Container (port 4000)
   ↓
PostgreSQL Database
```

---

## 📋 Verification Commands

### Check SSL Certificate
```bash
sshpass -p 'L@kers2010' ssh root@192.168.11.140 \
  "openssl x509 -in /etc/letsencrypt/live/explorer.d-bis.org/fullchain.pem -noout -dates"
```

### Check Nginx Status
```bash
sshpass -p 'L@kers2010' ssh root@192.168.11.140 \
  "systemctl status nginx && curl -k -I https://localhost/health"
```

### Check Blockscout Container
```bash
sshpass -p 'L@kers2010' ssh root@192.168.11.140 \
  "docker ps | grep blockscout && docker logs --tail 50 blockscout"
```

### Test External Access
```bash
curl -I https://explorer.d-bis.org
curl https://explorer.d-bis.org/health
```

---

## 🎯 Expected Behavior Once Blockscout Initializes

Once the database migrations complete (automatically):

1. **Blockscout will start serving requests**
2. **HTTP 502 will change to HTTP 200**
3. **External access will work**: `https://explorer.d-bis.org`
4. **API will respond**: `https://explorer.d-bis.org/api/v2/status`

**Typical startup time**: 2-5 minutes after container starts, depending on:
- Database migration speed
- Index creation
- Initial blockchain sync

---

## 📝 Configuration Files

### Nginx SSL Config
- Location: `/etc/nginx/sites-available/blockscout`
- HTTP (80): Redirects to HTTPS
- HTTPS (443): Full SSL with modern ciphers

### Blockscout Docker Compose
- Location: `/opt/blockscout/docker-compose.yml`
- Protocol: HTTPS
- Host: explorer.d-bis.org
- Port: 4000 (mapped to host)

### SSL Certificates
- Certificate: `/etc/letsencrypt/live/explorer.d-bis.org/fullchain.pem`
- Private Key: `/etc/letsencrypt/live/explorer.d-bis.org/privkey.pem`
- Auto-renewal: `/etc/systemd/system/certbot.timer`

---

## 🔄 Maintenance

### Certificate Renewal
Certificates auto-renew. Manual renewal:
```bash
sshpass -p 'L@kers2010' ssh root@192.168.11.140 \
  "certbot renew --nginx && systemctl reload nginx"
```

### Restart Services
```bash
sshpass -p 'L@kers2010' ssh root@192.168.11.140 \
  "cd /opt/blockscout && docker-compose restart blockscout"
```

### Monitor Blockscout Logs
```bash
sshpass -p 'L@kers2010' ssh root@192.168.11.140 \
  "docker logs -f blockscout"
```

---

## ✅ Summary

**SSL Setup**: 100% Complete ✅
- Let's Encrypt certificates installed
- Nginx configured with HTTPS
- Cloudflare tunnel updated to HTTPS
- Auto-renewal configured

**Blockscout Application**: Initializing ⏳
- Container running
- Waiting for database migrations to complete
- Should be fully operational within 5 minutes

**Access Points**:
- ✅ Internal HTTPS: `https://192.168.11.140` (redirect working)
- ⏳ External HTTPS: `https://explorer.d-bis.org` (waiting for Blockscout)

---

**All SSL infrastructure is complete! Once Blockscout finishes initializing, HTTPS will work fully.** 🎉