Automating SSL certificate issuance

We often have to work with SSL certificates. Let us recall the process of obtaining and installing a certificate (in the general case, the way most people do it).

  • Find a provider (a site where we can buy an SSL certificate).
  • Generate a CSR.
  • Send it to the provider.
  • Confirm domain ownership.
  • Receive the certificate.
  • Convert the certificate to the required format (optional). For example, from PEM to PKCS #12.
  • Install the certificate on the web server.

Relatively quick, simple and understandable. This approach is perfectly fine if we have at most a dozen projects. But what if there are more, and each has at least three environments? The classic dev - staging - production. In that case it is worth thinking about automating the process. I propose to dig a little deeper into the problem and find a solution that further reduces the time spent on creating and maintaining certificates. The article contains an analysis of the problem and a short guide for reproducing the setup.

One caveat up front: our company's main expertise is .NET and, accordingly, IIS and everything else Windows-related. Therefore, the ACME client and all the actions to be performed with it will also be described in terms of use on Windows.

For those who want some background

Company K, which the author represents. URL (example): company.tld

Project X is one of our projects, for which I decided that we still need to move toward maximum time savings when working with certificates. This project has four environments: dev, test, staging and production. Dev and test are on our side, staging and production are on the client's side.

A feature of the project is that it has a large number of modules, each of which is available as a subdomain.

That is, we have a picture like this:

Dev:        projectX.dev.company.tld
Test:       projectX.test.company.tld
Staging:    staging.projectX.tld
Production: projectX.tld

Dev:        module1.projectX.dev.company.tld
Test:       module1.projectX.test.company.tld
Staging:    module1.staging.projectX.tld
Production: module1.projectX.tld

Dev:        module2.projectX.dev.company.tld
Test:       module2.projectX.test.company.tld
Staging:    module2.staging.projectX.tld
Production: module2.projectX.tld

...

Dev:        moduleN.projectX.dev.company.tld
Test:       moduleN.projectX.test.company.tld
Staging:    moduleN.staging.projectX.tld
Production: moduleN.projectX.tld

For production, a purchased wildcard certificate is used, no questions there. But it only covers the first level of subdomains. So if there is a certificate for *.projectX.tld, it will work for staging.projectX.tld, but not for module1.staging.projectX.tld. I don't want to buy a separate one.

And that is just the example of one project of one company. And the project, of course, is not the only one.

The main reasons for tackling this issue were as follows:

  • Google recently proposed reducing the maximum validity period of SSL certificates. With all the consequences that entails.
  • To simplify the process of issuing and maintaining SSL certificates for the internal needs of projects and the company as a whole.
  • Centralized storage of certificate data, which partly solves the problem of domain validation via DNS and subsequent automatic renewal, and also addresses the issue of client trust. After all, a CNAME pointing at the server of a partner / contractor company inspires more confidence than one pointing at a third-party resource.
  • And finally, in this case the saying "better to have it than not" fits perfectly.

Choosing an SSL provider and preparatory steps

Among the available options for free SSL certificates, Cloudflare and Let's Encrypt were considered. Cloudflare hosts DNS for this (and some other) projects, but I am not a fan of using its certificates. Therefore, it was decided to use Let's Encrypt.
To obtain an SSL certificate, you need to confirm ownership of the domain. This procedure consists of creating certain DNS records (TXT or CNAME), which are then verified when the certificate is issued. Linux has a utility, certbot, that lets you partially (or, for some DNS providers, fully) automate this process. For Windows, of the available ACME client options I tried, I settled on win-acme.

Once the zone records have been created, let's move on to creating the certificate:


We are interested in the last point, namely the available options for confirming domain ownership when issuing a wildcard certificate:

  1. Create the DNS records manually (automatic renewal is not supported).
  2. Create the DNS records using an acme-dns server (for more details, see here).
  3. Create the DNS records using your own script (similar to the Cloudflare plugin for certbot).

At first glance, the third option is very convenient, but what if the DNS provider does not support such functionality? We need the general case. And the most general case is CNAME records, which everyone supports. So we settle on option 2 and go set up our own ACME-DNS server.

Setting up the ACME-DNS server and the certificate issuance process

For the example, I registered the domain 2nd.pp.ua, and I will use it in what follows.

A mandatory requirement for the server to work correctly is to create NS and A records for its domain. And the first unpleasant surprise I ran into is that Cloudflare (at least on the free plan) does not allow you to create an NS and an A record at the same time for the same host. Not that this is a real problem, but it could have been done with a single name. Support replied that their panel does not allow it. Fine, let's create two records:

acmens.2nd.pp.ua. IN A 35.237.128.147
acme.2nd.pp.ua. IN NS acmens.2nd.pp.ua.

At this stage, the host acmens.2nd.pp.ua should already resolve:

$ ping acmens.2nd.pp.ua
PING acmens.2nd.pp.ua (35.237.128.147) 56(84) bytes of data

But acme.2nd.pp.ua will not resolve yet, since the DNS server that is supposed to serve it is not running.

The records have been created, let's move on to setting up and starting the ACME-DNS server. I will host it in a Docker container on an Ubuntu server, but you can run it anywhere Golang is available. Windows works too, but I still prefer a Linux server for this.

Create the necessary directories and files:

$ mkdir config
$ mkdir data
$ touch config/config.cfg

Using vim or your favorite text editor, paste the configuration template into config.cfg.

For it to work, it is enough to edit the general and api sections:

[general]
listen = "0.0.0.0:53"
protocol = "both"
domain = "acme.2nd.pp.ua"
nsname = "acmens.2nd.pp.ua"
nsadmin = "admin.2nd.pp.ua"
records = [
    "acme.2nd.pp.ua. A 35.237.128.147",
    "acme.2nd.pp.ua. NS acmens.2nd.pp.ua.",
]
...
[api]
...
tls = "letsencrypt"
...

Also, optionally, create a docker-compose file in the root directory of the service:

version: '3.7'
services:
  acmedns:
    image: joohoi/acme-dns:latest
    ports:
      - "443:443"
      - "53:53"
      - "53:53/udp"
      - "80:80"
    volumes:
      - ./config:/etc/acme-dns:ro
      - ./data:/var/lib/acme-dns

Done. Now it can be started:

$ docker-compose up -d

At this stage, the host acme.2nd.pp.ua should start resolving, and https://acme.2nd.pp.ua should return a 404:

$ ping acme.2nd.pp.ua
PING acme.2nd.pp.ua (35.237.128.147) 56(84) bytes of data.

$ curl https://acme.2nd.pp.ua
404 page not found

If that does not happen, docker logs -f <container_name> will help; fortunately, the logs are quite readable.

Now we can start creating the certificate. Open PowerShell as administrator and run win-acme. We are interested in the following options:

  • M: Create a new certificate (full options)
  • 2: Manual input
  • 2: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
  • When asked for the link to the ACME-DNS server, enter the URL (https) of the server you created. acme-dns server URL: https://acme.2nd.pp.ua

In response, the client prints a record that needs to be added to the existing DNS server (a one-time procedure):

[INFO] Creating new acme-dns registration for domain 1nd.pp.ua

Domain:              1nd.pp.ua
Record:               _acme-challenge.1nd.pp.ua
Type:                   CNAME
Content:              c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
Note:                   Some DNS control panels add the final dot automatically.
                           Only one is required.


We create the required record and verify that it was created correctly:


$ dig CNAME _acme-challenge.1nd.pp.ua +short
c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
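Before moving on, here is an offline pre-flight check of the chain these records form, as an added example (not the article's or the acme-dns project's code): it loads the article's acmens A, acme NS and _acme-challenge CNAME records into a constructed in-memory zone and verifies they fit together the way a CA's dns-01 validation will follow them.

```python
"""Offline pre-flight check of the acme-dns delegation chain.

Added example, not the article's or acme-dns's code. The zone below is a
constructed stand-in for what `dig` returns, built from the records the
article creates; a CA's dns-01 validation follows exactly this chain.
"""
from typing import Dict, List, Tuple

# Constructed zone: name -> [(record type, value)]. Values are the article's.
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "acmens.2nd.pp.ua.": [("A", "35.237.128.147")],
    "acme.2nd.pp.ua.": [("NS", "acmens.2nd.pp.ua.")],
    "_acme-challenge.1nd.pp.ua.": [
        ("CNAME", "c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua."),
    ],
}

def fqdn(name: str) -> str:
    """Lower-case absolute name with exactly one trailing dot (tolerates the
    doubled dot some DNS panels produce when they add the final dot for you)."""
    return name.rstrip(".").lower() + "."

def lookup(zone: Dict[str, List[Tuple[str, str]]], name: str, rtype: str) -> List[str]:
    return [v for t, v in zone.get(fqdn(name), []) if t == rtype]

def check_delegation(zone, domain: str, acmedns_domain: str) -> List[str]:
    """Return the problems found; an empty list means the chain is usable.

    1. _acme-challenge.<domain> carries exactly one CNAME.
    2. Its target lives under the acme-dns zone.
    3. The acme-dns zone is delegated by an NS record.
    4. Each NS target has an A record, so the delegation can be followed
       (this is why the article needs both the acmens A and the acme NS).
    """
    problems: List[str] = []
    challenge = f"_acme-challenge.{domain}"
    cnames = lookup(zone, challenge, "CNAME")
    if len(cnames) != 1:
        return [f"{challenge}: expected exactly 1 CNAME, found {len(cnames)}"]
    target = fqdn(cnames[0])
    if not target.endswith("." + fqdn(acmedns_domain)):
        problems.append(f"{challenge}: CNAME {target} is not under {acmedns_domain}")
    nameservers = lookup(zone, acmedns_domain, "NS")
    if not nameservers:
        problems.append(f"{acmedns_domain}: no NS record, acme-dns will never be asked")
    for ns in nameservers:
        if not lookup(zone, ns, "A"):
            problems.append(f"{ns}: NS target has no A record")
    return problems
```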

We confirm in win-acme that the required record has been created, and continue the certificate creation process:


How to use certbot as the client is described here.

This completes the certificate creation process; you can now install the certificate on the web server and use it. If you created a task in the Task Scheduler while creating the certificate, renewals will happen automatically from now on.
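For completeness, and going beyond what the article shows, here is the call the acme-dns plugin makes at issuance and at every scheduled renewal, as an added example (not the article's, win-acme's or acme-dns's own code): the RFC 8555 dns-01 value is computed and pushed with POST /update. The HTTP client is injected as a callable so the block runs offline; the token, JWK thumbprint and API credentials are constructed placeholders, and only the server URL and the subdomain UUID come from the article.

```python
"""The acme-dns side of a dns-01 renewal: compute the TXT value and push it
with POST /update. Added example (not win-acme's or acme-dns's code); the
token, thumbprint and credentials below are constructed placeholders.
"""
import base64
import hashlib
import json
from typing import Callable, Dict

ACME_DNS_URL = "https://acme.2nd.pp.ua"  # the server set up in the article

def b64url(data: bytes) -> str:
    """RFC 8555 base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def dns01_value(token: str, jwk_thumbprint: str) -> str:
    """TXT value = base64url(SHA-256(token + '.' + thumbprint)); always 43 chars."""
    return b64url(hashlib.sha256(f"{token}.{jwk_thumbprint}".encode()).digest())

def update_challenge(post: Callable, creds: Dict[str, str], txt: str) -> dict:
    """POST /update with the per-account headers acme-dns checks.

    acme-dns rejects any TXT value that is not exactly 43 characters, so refuse
    early instead of wasting a validation attempt at the CA.
    """
    if len(txt) != 43:
        raise ValueError(f"acme-dns requires a 43-character TXT value, got {len(txt)}")
    headers = {"X-Api-User": creds["username"], "X-Api-Key": creds["password"],
               "Content-Type": "application/json"}
    body = json.dumps({"subdomain": creds["subdomain"], "txt": txt})
    return post(f"{ACME_DNS_URL}/update", headers, body)

# Constructed registration in the shape acme-dns returns from POST /register;
# the subdomain is the UUID win-acme printed in the article.
CREDS = {
    "username": "00000000-0000-4000-8000-000000000000",  # placeholder
    "password": "placeholder-api-key",                    # placeholder
    "subdomain": "c82a88a5-499f-464f-96e4-be7f606a3b47",
}

def fake_post(url: str, headers: Dict[str, str], body: str) -> dict:
    """Stand-in HTTP client: returns what a real acme-dns server would see."""
    return {"url": url, "user": headers["X-Api-User"], "txt": json.loads(body)["txt"]}

if __name__ == "__main__":
    # A real token and thumbprint come from the ACME account; these are constructed.
    print(update_challenge(fake_post, CREDS, dns01_value("demo-token", "demo-thumb")))
```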

source: www.habr.com
