Towards automating SSL certificate issuance

We often have to work with SSL certificates. Let's recall the process of obtaining and installing a certificate (in the most common case).

  • Find a provider (the place where we can buy the SSL certificate).
  • Generate a CSR.
  • Send it to the provider.
  • Confirm ownership of the domain.
  • Receive the certificate.
  • Convert the certificate to the required format (optional), for example from PEM to PKCS #12.
  • Install the certificate on the web server.

Quick, simple and clear. This option is perfectly justified if we have a dozen projects at most. But what if there are many of them, and each has at least three environments? The classic dev - staging - production. In that case it is worth thinking about automating the process. I suggest digging a little deeper into the problem and finding a solution that minimizes the time spent on creating and maintaining certificates. The article contains an analysis of the problem and a short guide for reproducing the setup.

One reservation up front: our company's main stack is .NET and, accordingly, IIS and the related infrastructure. Therefore the ACME client and everything done with it will also be described for Windows.

For those interested, some background

Company K is represented by the author. URL (for the example): company.tld

Project X is one of our projects, and it is the one that led me to conclude that we still need to move toward saving as much time as possible when working with certificates. The project has four environments: dev, test, staging and production. Dev and test live on our side, staging and production on the client's side.

A feature of the project is that it has a large number of modules, each living on its own subdomain.

That is, we have the following picture:

dev                                test                                staging                           production
projectX.dev.company.tld           projectX.test.company.tld           staging.projectX.tld              projectX.tld
module1.projectX.dev.company.tld   module1.projectX.test.company.tld   module1.staging.projectX.tld      module1.projectX.tld
module2.projectX.dev.company.tld   module2.projectX.test.company.tld   module2.staging.projectX.tld      module2.projectX.tld
...                                ...                                 ...                               ...
moduleN.projectX.dev.company.tld   moduleN.projectX.test.company.tld   moduleN.staging.projectX.tld      moduleN.projectX.tld

For production a purchased wildcard certificate is used, no question about that. But a wildcard only covers one level of subdomains: a certificate for *.projectX.tld works for staging.projectX.tld, but not for module1.staging.projectX.tld. And I do not want to buy a separate certificate for that.
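To make the coverage rule concrete, here is an added example (not code from the article): a matcher implementing the single-label wildcard rule from RFC 6125 section 6.4.3, run over the project's naming scheme from the table above. The hostname list and the "purchased" certificate names are constructed for the example; it also shows that one extra wildcard per environment level closes the gap.

```python
# Added example: which of the project's hostnames a wildcard certificate covers.
# A "*." in a certificate name matches exactly one DNS label (RFC 6125 6.4.3):
# *.projectX.tld covers staging.projectX.tld, but neither projectX.tld itself
# nor module1.staging.projectX.tld.


def name_matches(san, host):
    """Return True if the certificate name `san` covers `host`.

    Comparison is case-insensitive and ignores a trailing dot. Only a
    leading "*." wildcard is supported (the only form public CAs issue),
    and it matches a single non-empty label.
    """
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]                      # ".projectx.tld"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]          # what the "*" would have to match
        return bool(label) and "." not in label
    return san == host


def uncovered_hosts(sans, hosts):
    """Hosts that none of the certificate names in `sans` cover, in input order."""
    return [h for h in hosts if not any(name_matches(s, h) for s in sans)]


# Constructed input: the article's production/staging naming scheme, two modules.
PROJECT_HOSTS = [
    "projectX.tld",
    "staging.projectX.tld",
    "module1.projectX.tld",
    "module1.staging.projectX.tld",
    "module2.projectX.tld",
    "module2.staging.projectX.tld",
]

if __name__ == "__main__":
    bought = ["projectX.tld", "*.projectX.tld"]   # a typical purchased wildcard
    print("not covered by the purchased wildcard:")
    for h in uncovered_hosts(bought, PROJECT_HOSTS):
        print("  ", h)
    # a second wildcard one level down closes the gap for the staging modules
    extra = bought + ["*.staging.projectX.tld"]
    print("still uncovered with *.staging.projectX.tld:", uncovered_hosts(extra, PROJECT_HOSTS))
```

Every additional environment level (module1.staging.projectX.tld, module1.projectX.dev.company.tld, ...) therefore needs its own wildcard name, which is exactly the number of certificates the rest of the article tries to stop issuing by hand.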

And that is only the example of one project in one company. And this project, of course, is not the only one.

The general reasons for solving this problem look like this:

  • Google recently proposed reducing the maximum validity period of SSL certificates, with all the consequences that follow.
  • Simplify the process of issuing and managing SSL certificates for the internal needs of the projects and of the company as a whole.
  • Centralized storage of certificate data, which partly solves the problem of domain validation via DNS and of automatic renewal, and also the question of trust: a CNAME pointing at the servers of a partner or parent company inspires more confidence than one pointing at third-party resources.
  • And finally, in this case the phrase "better to have it than not to have it" fits perfectly.

Choosing an SSL provider and planning the steps

Among the available options for free SSL certificates, Cloudflare and Let's Encrypt were considered. DNS for this (and some other) projects is hosted at Cloudflare, but I am not a fan of using their certificates. So Let's Encrypt it is.
To obtain a wildcard SSL certificate you have to prove ownership of the domain name. The process consists of creating certain DNS records (TXT or CNAME) and having the CA verify them at the time the certificate is issued. On Linux there is certbot, a utility that lets you partially (or, for some DNS providers, completely) automate this process. For Windows, after looking at and testing the available ACME clients, I settled on win-acme.

With the provider and client chosen, let's move on to creating the certificate:


We are interested in the last step, that is, the available ways to confirm ownership for issuing a wildcard certificate:

  1. Create the DNS records manually (does not satisfy the automatic-renewal requirement).
  2. Create the DNS records using an acme-dns server (for details see the acme-dns project page, https://github.com/joohoi/acme-dns).
  3. Create the DNS records with your own script (similar to the cloudflare plugin for certbot).

At first glance the third option is quite suitable, but what if the DNS provider does not expose an API for this? We want the general case, and the most general record is a CNAME, which every provider supports. So we settle on option 2 and go configure our ACME-DNS server.

ACME-DNS server setup and the certificate issuance process

For the example I created the domain 2nd.pp.ua and will use it from here on.

For the server to work correctly, NS and A records must be created for its name. And the first unpleasant surprise I ran into is that Cloudflare (at least on the free plan) does not let you create an NS and an A record for the same host. Not that this is a real problem, but in BIND it is possible. Paid support replied that their platform does not allow it. No matter, we create two records:

acmens.2nd.pp.ua. IN A 35.237.128.147
acme.2nd.pp.ua. IN NS acmens.2nd.pp.ua.

At this stage the host acmens.2nd.pp.ua should resolve:

$ ping acmens.2nd.pp.ua
PING acmens.2nd.pp.ua (35.237.128.147) 56(84) bytes of data.

But acme.2nd.pp.ua will not resolve yet, since the DNS server that is supposed to serve it is not running.

The records are in place, let's move on to configuring and starting the ACME-DNS server. I will host it on an Ubuntu server in a Docker container, but you can run it anywhere golang is available. Windows works just as well, but I still prefer a Linux server.

Create the necessary directories and files:

$ mkdir config
$ mkdir data
$ touch config/config.cfg

Open config.cfg in vim or whichever editor you prefer and put the configuration template into it.

For correct operation it is enough to adjust the [general] and [api] sections. With tls = "letsencrypt" acme-dns obtains the certificate for its own HTTPS API from Let's Encrypt by itself, which is why ports 80 and 443 must also be reachable:

[general]
listen = "0.0.0.0:53"
protocol = "both"
domain = "acme.2nd.pp.ua"
nsname = "acmens.2nd.pp.ua"
nsadmin = "admin.2nd.pp.ua"
records = [
    "acme.2nd.pp.ua. A 35.237.128.147",
    "acme.2nd.pp.ua. NS acmens.2nd.pp.ua.",
]
...
[api]
...
tls = "letsencrypt"
...
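The two records created at Cloudflare and the records list in [general] describe one delegation chain, and a mistake in either half makes the _acme-challenge lookups fail silently. The following added example (not part of the article or of acme-dns) checks that chain offline. The parent zone must delegate `domain` to `nsname` with an NS record and give `nsname` an A record; everything under `domain`, including the A record of `domain` itself, is then answered by acme-dns from `records`. The sample data is the article's; the dict form of the [general] section is an assumption of the example, not a file format acme-dns reads.

```python
# Added example: consistency check for the acme-dns delegation chain.
# Not code from the article or from acme-dns.

ACME_DNS_PROTOCOLS = ("udp", "udp4", "udp6", "tcp", "tcp4", "tcp6",
                      "both", "both4", "both6")

# Records created in the parent zone at Cloudflare, as (name, type, rdata).
PARENT_ZONE = [
    ("acmens.2nd.pp.ua.", "A", "35.237.128.147"),
    ("acme.2nd.pp.ua.", "NS", "acmens.2nd.pp.ua."),
]

# The [general] section of config.cfg, transcribed into a dict for the example.
GENERAL = {
    "listen": "0.0.0.0:53",
    "protocol": "both",
    "domain": "acme.2nd.pp.ua",
    "nsname": "acmens.2nd.pp.ua",
    "records": [
        "acme.2nd.pp.ua. A 35.237.128.147",
        "acme.2nd.pp.ua. NS acmens.2nd.pp.ua.",
    ],
}


def fqdn(name):
    """Normalise a DNS name: lower-case with exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def lookup(zone, name, rtype):
    """All rdata values of type `rtype` for `name` in a (name, type, rdata) list."""
    return [rdata for n, t, rdata in zone
            if fqdn(n) == fqdn(name) and t.upper() == rtype]


def parse_records(lines):
    """acme-dns `records` entries are "<name> <type> <rdata>" strings."""
    parsed = []
    for line in lines:
        name, rtype, rdata = line.split(None, 2)
        parsed.append((name, rtype.upper(), rdata))
    return parsed


def check_delegation(parent_zone, general):
    """Return a list of problems; an empty list means the chain is consistent."""
    problems = []
    domain, nsname = general["domain"], general["nsname"]

    if general.get("protocol") not in ACME_DNS_PROTOCOLS:
        problems.append("protocol must be udp, tcp or both (optionally with a 4/6 suffix)")

    # Parent side: the nameserver needs an address, and the delegation must point at it.
    ns_ips = lookup(parent_zone, nsname, "A")
    if not ns_ips:
        problems.append(f"parent zone has no A record for nsname {nsname}")
    if fqdn(nsname) not in [fqdn(x) for x in lookup(parent_zone, domain, "NS")]:
        problems.append(f"parent zone does not delegate {domain} to {nsname}")
    if lookup(parent_zone, domain, "A"):
        problems.append(f"A record for {domain} at the parent sits below the zone cut "
                        "and is ignored by resolvers; it belongs in [general] records")

    # Server side: acme-dns must answer the NS and A records of its own apex.
    own = parse_records(general["records"])
    if fqdn(nsname) not in [fqdn(x) for x in lookup(own, domain, "NS")]:
        problems.append(f"[general] records lack '{domain}. NS {nsname}.'")
    if not lookup(own, domain, "A"):
        problems.append(f"[general] records lack an A record for {domain}, "
                        f"so https://{domain} (the API) will not resolve")
    return problems


if __name__ == "__main__":
    for line in check_delegation(PARENT_ZONE, GENERAL) or ["delegation chain is consistent"]:
        print(line)
```

The "A record below the zone cut" case is the Cloudflare limitation the article ran into: an A record for acme.2nd.pp.ua at the parent would be harmless but useless, because once the name is delegated, resolvers ask acme-dns for it. Choosing a nameserver name outside the delegated zone (acmens.2nd.pp.ua rather than ns1.acme.2nd.pp.ua) is what avoids needing glue at the parent.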

Also, optionally, create a docker-compose file in the service's root directory. The data volume holds the SQLite database with the registrations and the certificate obtained for the API, so keep it across restarts:

version: '3.7'
services:
  acmedns:
    image: joohoi/acme-dns:latest
    ports:
      - "443:443"
      - "53:53"
      - "53:53/udp"
      - "80:80"
    volumes:
      - ./config:/etc/acme-dns:ro
      - ./data:/var/lib/acme-dns

Ready. Start it up:

$ docker-compose up -d

At this stage acme.2nd.pp.ua should start resolving (the answer now comes from acme-dns itself, so port 53 must be reachable over both UDP and TCP from the Internet), and https://acme.2nd.pp.ua should return a 404:

$ ping acme.2nd.pp.ua
PING acme.2nd.pp.ua (35.237.128.147) 56(84) bytes of data.

$ curl https://acme.2nd.pp.ua
404 page not found

If that does not happen, docker logs -f <container_name> helps; the logs are very readable.

Now we can start creating the certificate. Open PowerShell as administrator and run win-acme. We are interested in the following options:

  • M: Create certificate (full options)
  • 2: Manual input
  • 2: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
  • When asked for the connection to the ACME-DNS server, enter the https URL of the server built above. URL of the acme-dns server: https://acme.2nd.pp.ua

In response the client prints the record that has to be added to the existing DNS server (a one-time operation):

[INFO] Creating new acme-dns registration for domain 1nd.pp.ua

Domain:              1nd.pp.ua
Record:               _acme-challenge.1nd.pp.ua
Type:                   CNAME
Content:              c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
Note:                   Some DNS control panels add the final dot automatically.
                           Only one is required.


We create the required record and make sure it was created correctly:


$ dig CNAME _acme-challenge.1nd.pp.ua +short
c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
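What win-acme does from here on is the acme-dns client flow: it keeps the registration, and at every issuance and renewal it writes the dns-01 TXT value into the acme-dns subdomain, which the CNAME created above points at. The following added example (not code from the article or from win-acme) shows that flow offline: building the CNAME from the registration output, checking the dig output above against it, computing the TXT value from a key authorization as RFC 8555 section 8.4 defines it, and assembling the /update request. The registration dict is constructed from the printed output; username and password are placeholders (the real pair is shown once and is the only credential needed to update the challenge record, so treat it as a secret).

```python
import base64
import hashlib
import json

# Added example: client side of the acme-dns flow. Not win-acme's code.

ACME_DNS_URL = "https://acme.2nd.pp.ua"          # the server set up above

REGISTRATION = {                                  # constructed from the win-acme output
    "username": "00000000-0000-0000-0000-000000000000",   # placeholder
    "password": "placeholder-api-key",                     # placeholder
    "fulldomain": "c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua",
    "subdomain": "c82a88a5-499f-464f-96e4-be7f606a3b47",
    "allowfrom": [],
}


def fqdn(name):
    """Lower-case with exactly one trailing dot, so 'a.b' and 'A.b.' compare equal."""
    return name.lower().rstrip(".") + "."


def cname_record(domain, registration):
    """The one-time CNAME the operator adds in the real zone of `domain`."""
    return ("_acme-challenge." + fqdn(domain), "CNAME", fqdn(registration["fulldomain"]))


def delegation_ok(dig_short_output, registration):
    """Check the output of `dig CNAME _acme-challenge.<domain> +short`.

    Exactly one answer, the registration's fulldomain, is expected; the
    trailing-dot difference the client's note mentions is normalised away.
    """
    answers = [fqdn(line.strip()) for line in dig_short_output.splitlines() if line.strip()]
    return answers == [fqdn(registration["fulldomain"])]


def dns01_txt_value(key_authorization):
    """RFC 8555 8.4: TXT value = base64url(SHA-256(keyAuthorization)) without padding."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def update_request(registration, txt):
    """Build the request an ACME client sends to acme-dns's /update endpoint.

    Returns (url, headers, body) instead of sending it, so this runs offline.
    acme-dns authenticates with the X-Api-User / X-Api-Key headers from the
    registration and rejects TXT values that are not exactly 43 characters.
    """
    if len(txt) != 43:
        raise ValueError("acme-dns only accepts 43-character TXT values")
    headers = {
        "X-Api-User": registration["username"],
        "X-Api-Key": registration["password"],
        "Content-Type": "application/json",
    }
    body = json.dumps({"subdomain": registration["subdomain"], "txt": txt})
    return ACME_DNS_URL + "/update", headers, body


if __name__ == "__main__":
    print("add to the zone of 1nd.pp.ua:", cname_record("1nd.pp.ua", REGISTRATION))
    # constructed key authorization: "<challenge token>.<account key thumbprint>"
    txt = dns01_txt_value("constructed-token.constructed-thumbprint")
    url, headers, body = update_request(REGISTRATION, txt)
    print("POST", url, "as", headers["X-Api-User"], body)
```

Two hardening points worth applying once the registration exists: acme-dns accepts anonymous POST /register calls by default, so set disable_registration = true in the [api] section after every client has registered, and pass allowfrom CIDRs when registering so /update only accepts requests from the hosts that actually run the ACME client.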

We confirm in win-acme that the required record has been created and continue the certificate creation process.


Using certbot as the client is described in the acme-dns project documentation (https://github.com/joohoi/acme-dns).

This completes the certificate creation process; the certificate can be installed on the web server and used. If, while creating the certificate, you also let win-acme create a task in the Task Scheduler, then from now on the certificate will be renewed automatically. The CNAME record never has to change, because the challenge TXT record lives on the acme-dns server and is rewritten by the client at every renewal.

Source: www.hab.com
