Automating SSL certificate issuance

We have to deal with SSL certificates quite often. Let's recall the procedure for obtaining and installing a certificate (in general terms, as it goes for most cases).

  • Find a provider (a site where we can buy an SSL certificate).
  • Generate a CSR.
  • Send it to the provider.
  • Pass domain ownership validation.
  • Receive the certificate.
  • Convert the certificate to the required format (optional), for example from PEM to PKCS #12.
  • Install the certificate on the web server.

Fairly quick, not complicated, easy to understand. This option is perfectly fine if we have at most a dozen projects. But what if there are many more of them, and each has at least three environments? The classic dev - staging - production. In that case it makes sense to think about automating the procedure. I suggest digging a little into the problem and finding a solution that cuts the time spent on issuing and maintaining certificates. This article contains an analysis of the problem and a short guide to the implementation.

Let me make a reservation up front: our company's main specialization is .NET and, consequently, IIS and other Windows-related products. So the ACME client and the whole procedure will be described from the point of view of using Windows.

Who this is relevant for, and some initial data

Company K, which the author represents. URL (for example): company.tld

Project X is one of our projects, the one I was working on when I came to the conclusion that we should move to the most automated mode possible when working with certificates. The project has four environments: dev, test, staging and production. Dev and test are on our side, staging and production are on the client's side.

A peculiarity of the project is that it has a large number of modules, each of which is a subdomain.

So we have the following picture:

Dev                                 Test                                 Staging                         Production
projectX.dev.company.tld            projectX.test.company.tld            staging.projectX.tld            projectX.tld
module1.projectX.dev.company.tld    module1.projectX.test.company.tld    module1.staging.projectX.tld    module1.projectX.tld
module2.projectX.dev.company.tld    module2.projectX.test.company.tld    module2.staging.projectX.tld    module2.projectX.tld
...                                 ...                                  ...                             ...
moduleN.projectX.dev.company.tld    moduleN.projectX.test.company.tld    moduleN.staging.projectX.tld    moduleN.projectX.tld

For production a purchased certificate is used, so no questions arise there. But it covers only the first level of subdomains: a wildcard label matches exactly one DNS label. So if there is a certificate for *.projectX.tld, it will work for staging.projectX.tld but not for module1.staging.projectX.tld. And I don't particularly want to buy a separate one for that.
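As an added example that is not part of the original article, here is a small Python check that applies the wildcard rule just described (a `*` must be the whole leftmost label and matches exactly one label, which is how browsers and RFC 6125 treat it) to the environment layout above, so you can see in advance which hostnames a purchased wildcard does and does not cover. The certificate names and host lists below are constructed for illustration.

```python
# Added example (not from the original article): which hostnames of the
# environment layout does a given certificate actually cover?
# Rule: '*' must be the entire leftmost label and stands for exactly one label,
# so '*.projectX.tld' covers 'staging.projectX.tld' but neither 'projectX.tld'
# nor 'module1.staging.projectX.tld'.


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate DNS name (possibly a wildcard) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    host_labels = hostname.split(".")
    if "*" in host_labels:
        return False                      # a hostname never contains a wildcard
    if not cert_name.startswith("*."):
        return cert_name == hostname      # plain name: exact match only
    suffix_labels = cert_name[2:].split(".")
    # the wildcard covers exactly one label, never zero and never several,
    # and a second '*' anywhere in the name is not a valid wildcard at all
    if "*" in suffix_labels or len(host_labels) != len(suffix_labels) + 1:
        return False
    return host_labels[1:] == suffix_labels


def uncovered(cert_names, hostnames):
    """Hostnames that no name in the certificate covers, in input order."""
    return [h for h in hostnames if not any(name_matches(c, h) for c in cert_names)]


# Constructed input mirroring the project layout from the article: the purchased
# production certificate (base name plus wildcard) and the staging hosts.
PURCHASED_CERT = ["projectX.tld", "*.projectX.tld"]
STAGING_HOSTS = [
    "staging.projectX.tld",
    "module1.staging.projectX.tld",
    "module2.staging.projectX.tld",
]

if __name__ == "__main__":
    for host in STAGING_HOSTS:
        print(f"{host:32} covered={not uncovered(PURCHASED_CERT, [host])}")
    print("missing:", uncovered(PURCHASED_CERT, STAGING_HOSTS))
```

Adding `*.staging.projectX.tld` as a second name closes the gap for the modules, which is exactly what the free wildcard from the rest of the article is for.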

And this is only the example of one project of one company. And, of course, there is more than one project.

Reasons why it is worth solving this problem, whoever you are:

  • Google recently proposed reducing the maximum validity period of SSL certificates. With all the consequences that follow.
  • Automating the procedure of issuing and maintaining SSL certificates for the internal needs of the project and of the company as a whole.
  • Centralized storage of certificates, which, together with DNS-based domain validation and the new automation tools, partly solves the question of trust in the provider: a CNAME pointing at a partner's or contractor's server is still a more trustworthy thing to hand out than other assets.
  • And finally, the saying "better to have it than not" fits this case perfectly.

Choosing the SSL provider and preparatory steps

Among the options for free SSL certificates, Cloudflare and Let's Encrypt were considered. DNS for this (and some other) projects is hosted at Cloudflare, but I am not a fan of using their certificates. So it was decided to use Let's Encrypt.
To issue a wildcard SSL certificate you must validate domain ownership. The procedure involves creating a DNS record (TXT or CNAME) and checking it at issuance time. Linux has a useful tool, certbot, which lets you partly (or, for some DNS providers, fully) automate this process. For Windows, among the available ACME clients I found and settled on WinACME.

Let's now move on to creating the certificate. We are interested in the last step, namely the options available for validating domain ownership when issuing a wildcard certificate:

  1. Create the DNS records manually (automatic renewal is not supported).
  2. Create the DNS records using an acme-dns server (you can read more about it at https://github.com/joohoi/acme-dns).
  3. Create the DNS records using your own script (like the Cloudflare plugin for certbot).

At first glance option 3 fits, but what if the DNS provider does not support that? We want the general case, and the general case is a CNAME record, since every provider supports those. So we stop at option 2 and go set up our own ACME-DNS server.

Setting up the ACME-DNS server and the issuance procedure

As an example I registered the domain 2nd.pp.ua and will use it from here on.

Requirements. For the server to work properly, NS and A records must be created for its domain. The first unpleasant thing I ran into: Cloudflare (at least on the free plan) does not allow an NS and an A record for the same host at the same time. Not that this is a problem, but in theory it should be possible. Support replied that their panel does not allow it. No problem, let's create two records:

acmens.2nd.pp.ua. IN A 35.237.128.147
acme.2nd.pp.ua. IN NS acmens.2nd.pp.ua.

At this point our host should resolve acmens.2nd.pp.ua.

$ ping acmens.2nd.pp.ua
PING acmens.2nd.pp.ua (35.237.128.147) 56(84) bytes of data

But acme.2nd.pp.ua will not resolve yet, since the DNS server that serves it is not running.

With the records in place, let's set up and start the ACME-DNS server. It will live on my Ubuntu server in a Docker container, but you can run it anywhere Go is available. Windows is fine too, but I still prefer a Linux server.

Create the directories and the required files:

$ mkdir config
$ mkdir data
$ touch config/config.cfg

Using vim (or your favourite text editor), paste the sample config from the project repository into config/config.cfg.

For correct operation it is enough to set the general domain settings and the API section:

[general]
listen = "0.0.0.0:53"
protocol = "both"
domain = "acme.2nd.pp.ua"
nsname = "acmens.2nd.pp.ua"
nsadmin = "admin.2nd.pp.ua"
records = [
    "acme.2nd.pp.ua. A 35.237.128.147",
    "acme.2nd.pp.ua. NS acmens.2nd.pp.ua.",
]
...
[api]
...
tls = "letsencrypt"
...

Also, if you like, create a docker-compose file in the working directory:

version: '3.7'
services:
  acmedns:
    image: joohoi/acme-dns:latest
    ports:
      - "443:443"
      - "53:53"
      - "53:53/udp"
      - "80:80"
    volumes:
      - ./config:/etc/acme-dns:ro
      - ./data:/var/lib/acme-dns

Done. You can start it:

$ docker-compose up -d

At this point the host should start resolving acme.2nd.pp.ua, and https://acme.2nd.pp.ua should answer with a 404:

$ ping acme.2nd.pp.ua
PING acme.2nd.pp.ua (35.237.128.147) 56(84) bytes of data.

$ curl https://acme.2nd.pp.ua
404 page not found

If that does not happen, docker logs -f <container_name> will help; the logs are quite readable.

We can now start issuing the certificate. Open PowerShell as administrator and run winacme. We are interested in the following menu items:

  • M: Create new certificate (full options)
  • 2: Manual input
  • 2: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
  • When asked for the connection to the ACME-DNS server, answer with the (https) URL of the server we created. URL of the acme-dns server: https://acme.2nd.pp.ua

On the first run the client prints the record that must be added at the existing DNS provider (a one-time procedure):

[INFO] Creating new acme-dns registration for domain 1nd.pp.ua

Domain:              1nd.pp.ua
Record:               _acme-challenge.1nd.pp.ua
Type:                   CNAME
Content:              c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
Note:                   Some DNS control panels add the final dot automatically.
                           Only one is required.

Create the required record and check that it was created correctly:

$ dig CNAME _acme-challenge.1nd.pp.ua +short
c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.

Confirm in winacme that the required record has been created and continue the certificate creation process.

How to use certbot as the client is described here.

This completes certificate issuance; you can install the certificate on the web server and use it. If, while creating the certificate, you also created a task in the scheduler, renewal will from now on happen automatically.
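The following Python model, added here and not taken from the article, from win-acme or from acme-dns, plays through the whole dns-01 chain the procedure above relies on: the one-time /register call that hands out credentials and the <uuid>.acme.2nd.pp.ua target, the CNAME you add at the DNS hoster, the /update call the client makes at every renewal with the X-Api-User and X-Api-Key headers, and the CA-side lookup that follows _acme-challenge.<domain> through the CNAME to the TXT value. The server class is an in-memory stand-in with the request and response shape of the acme-dns API (register, update, 43-character TXT, allowfrom), not its code; the zone contents, IP addresses and credentials are constructed. It also makes visible the two points a practitioner should care about: the API key alone is enough to plant any challenge value for the delegated name, which means certificates for every domain CNAMEd to it, so treat it like a private key; and the allowfrom list restricts which source networks may call /update at all.

```python
# Added example, not acme-dns's own code: an in-memory model of the dns-01
# exchange between an ACME client, an acme-dns API and the CA's resolver.
import ipaddress
import secrets
import uuid

TXT_LEN = 43  # dns-01 answers are base64url SHA-256 digests: always 43 characters


def ip_allowed(client_ip: str, allowfrom: list) -> bool:
    """Empty allowfrom means 'any source'; otherwise the caller must be inside a CIDR."""
    if not allowfrom:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in allowfrom)


class AcmeDnsModel:
    """Constructed stand-in for the acme-dns API (same request/response shape)."""

    def __init__(self, domain: str):
        self.domain = domain   # the delegated zone, e.g. "acme.2nd.pp.ua"
        self.accounts = {}     # username -> (password, subdomain, allowfrom)
        self.txt = {}          # fulldomain -> up to two most recent TXT values

    def register(self, allowfrom=None) -> dict:
        """POST /register: one-time; returns credentials and the CNAME target."""
        username, password = str(uuid.uuid4()), secrets.token_urlsafe(30)
        subdomain = str(uuid.uuid4())
        allowfrom = list(allowfrom or [])
        self.accounts[username] = (password, subdomain, allowfrom)
        return {"username": username, "password": password, "subdomain": subdomain,
                "fulldomain": f"{subdomain}.{self.domain}", "allowfrom": allowfrom}

    def update(self, headers: dict, body: dict, client_ip: str) -> tuple:
        """POST /update: the client's renewal-time call. Returns (status, json)."""
        user, key = headers.get("X-Api-User"), headers.get("X-Api-Key")
        acct = self.accounts.get(user)
        if acct is None or key is None or not secrets.compare_digest(
                acct[0].encode(), key.encode()):
            return 401, {"error": "forbidden"}
        _password, subdomain, allowfrom = acct
        if not ip_allowed(client_ip, allowfrom):
            return 401, {"error": "forbidden"}
        txt = body.get("txt", "")
        if body.get("subdomain") != subdomain or len(txt) != TXT_LEN:
            return 400, {"error": "bad_txt"}
        full = f"{subdomain}.{self.domain}"
        # keep the two latest values so a base-name and a wildcard order both validate
        self.txt[full] = (self.txt.get(full, []) + [txt])[-2:]
        return 200, {"txt": txt}


def resolve_txt(public_zone: dict, server: AcmeDnsModel, name: str, max_hops: int = 8) -> list:
    """What the CA's resolver does: follow CNAMEs in the public zone until the name
    lands in the acme-dns zone, then read the TXT records there. A loop is an error."""
    for _ in range(max_hops):
        name = name.lower().rstrip(".")
        if name.endswith("." + server.domain):
            return server.txt.get(name, [])
        target = public_zone.get(name)
        if target is None:
            return []
        name = target   # CNAME hop
    raise RuntimeError("CNAME chain too long or looping")


def dns01_passes(public_zone: dict, server: AcmeDnsModel, domain: str, expected: str) -> bool:
    return expected in resolve_txt(public_zone, server, f"_acme-challenge.{domain}")


def demo() -> dict:
    """Full exchange for 1nd.pp.ua against a constructed acme-dns at acme.2nd.pp.ua."""
    server = AcmeDnsModel("acme.2nd.pp.ua")
    office_ip, elsewhere_ip = "203.0.113.10", "198.51.100.7"        # constructed addresses
    reg = server.register(allowfrom=["203.0.113.0/24"])
    # the one-time step from the article: the operator adds this CNAME at the DNS hoster
    public_zone = {"_acme-challenge.1nd.pp.ua": reg["fulldomain"]}
    auth = {"X-Api-User": reg["username"], "X-Api-Key": reg["password"]}
    token = secrets.token_urlsafe(32)   # 43 chars, stands in for the key-authorization digest
    body = {"subdomain": reg["subdomain"], "txt": token}
    status, _ = server.update(auth, body, office_ip)
    issued = status == 200 and dns01_passes(public_zone, server, "1nd.pp.ua", token)
    # a guessed key, and the real key used from outside allowfrom, are both rejected
    wrong_key = {"X-Api-User": reg["username"], "X-Api-Key": "not-the-key"}
    bad_key, _ = server.update(wrong_key, body, office_ip)
    outside, _ = server.update(auth, body, elsewhere_ip)
    return {"issued": issued, "bad_key": bad_key, "outside_allowfrom": outside}


if __name__ == "__main__":
    print(demo())
```

The rolling pair of TXT values is why one registration serves both `projectX.tld` and `*.projectX.tld` in the same order: the CA asks for two different answers at the same `_acme-challenge` name, and both must be present. In the real deployment the credentials live in the win-acme or certbot configuration on the machine that renews, so the host that holds them is as sensitive as the key material it produces.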

Source: www.habr.com