In this case you need an SSL certificate. Let's recall the process of creating and installing one (in most cases, i.e. the general case):
- Find a provider (a site where you can buy an SSL certificate).
- Generate a CSR.
- Send it to the provider.
- Confirm ownership of the domain.
- Receive the certificate.
- Convert the certificate to the required format (optional), for example from PEM to PKCS #12.
- Install the certificate on the web server.
It is relatively quick, not complicated, and easy to understand. This option is perfectly adequate if you have at most XNUMX projects. But what if there are more of them, each with at least three environments: the classic development, staging and production? In that case it is worth considering automating the process. I propose to dig a little deeper into the problem and find a solution that minimises the time spent on creating and maintaining certificates even further. This article contains an analysis of the problem and a short guide to reproducing the setup.
Let me make one reservation up front: our main specialisation is .NET, and accordingly IIS and other Windows-related products. Therefore the ACME client and all the actions with it will also be described from the point of view of a Windows user.
Who this concerns, and some initial data
Company K, which the author represents. URL (example): company.tld
Project X is one of our projects, and while working on it we came to the conclusion that we need to save as much time as possible when dealing with certificates. The project has four environments: development, test, staging and production. Development and test are on our side; staging and production are on the client's side.
A distinctive feature of this project is that it has many modules, each available as a subdomain.
That is, we have the following picture:
| Dev | Test | Staging | Production |
|---|---|---|---|
| projectX.dev.company.tld | projectX.test.company.tld | staging.projectX.tld | projectX.tld |
| module1.projectX.dev.company.tld | module1.projectX.test.company.tld | module1.staging.projectX.tld | module1.projectX.tld |
| module2.projectX.dev.company.tld | module2.projectX.test.company.tld | module2.staging.projectX.tld | module2.projectX.tld |
| ... | ... | ... | ... |
| moduleN.projectX.dev.company.tld | moduleN.projectX.test.company.tld | moduleN.staging.projectX.tld | moduleN.projectX.tld |
In production a purchased wildcard certificate is used, and no questions arise there. However, it covers only the first level of subdomains. So with a certificate for *.projectX.tld, it works for staging.projectX.tld but not for module1.staging.projectX.tld. And for some reason I do not want to buy another one.
And all of this is based on the example of a single project of a single company. And, of course, there is more than one project.
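As an added illustration (not code from the article), the following Python snippet applies the single-label wildcard rule to the article's own host names and derives which certificate names would be needed to cover the whole environment table; the host list is taken from the table above.

```python
"""Single-label wildcard matching and the names needed to cover the
project's hosts.  Added example; host names are the article's own."""

# Hosts from the article's environment table (unprefixed and module1
# rows), used as sample input.
ENVIRONMENT_HOSTS = [
    "projectX.dev.company.tld", "module1.projectX.dev.company.tld",
    "projectX.test.company.tld", "module1.projectX.test.company.tld",
    "staging.projectX.tld", "module1.staging.projectX.tld",
    "projectX.tld", "module1.projectX.tld",
]


def wildcard_matches(pattern: str, host: str) -> bool:
    """True if certificate name `pattern` covers `host`.

    Applies the rule clients enforce (RFC 6125 section 6.4.3): a leading
    '*' stands for exactly one DNS label, so it never spans a dot and
    never covers the bare parent name.  A wildcard directly under a TLD
    such as '*.tld' is treated as non-issuable and never matches.
    Comparison is case-insensitive and ignores trailing dots.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[2:]
    if "." not in suffix:          # '*.tld' is not a valid wildcard
        return False
    head, sep, tail = host.partition(".")
    # Exactly one non-empty label in front of the suffix.
    return bool(sep) and head != "" and tail == suffix


def required_names(hosts) -> list:
    """Smallest set of certificate names covering `hosts`: one wildcard
    per distinct parent domain, or the host itself where the wildcard
    would have to be the forbidden '*.tld'."""
    names = set()
    for host in hosts:
        host = host.rstrip(".")
        parent = host.partition(".")[2]
        names.add("*." + parent if "." in parent else host)
    return sorted(names)


if __name__ == "__main__":
    for host in ENVIRONMENT_HOSTS:
        print(f"*.projectX.tld covers {host}: "
              f"{wildcard_matches('*.projectX.tld', host)}")
    print("Names needed:", required_names(ENVIRONMENT_HOSTS))
```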
The general reasons why someone would take up this problem are as follows:
- Relatively recently, Google proposed shortening the maximum validity period of SSL certificates, with all the consequences that follow.
- To simplify the process of issuing and maintaining SSL certificates for the internal needs of a project or of the company as a whole.
- Centralised storage of certificate records, which partially solves the problem of domain validation via DNS and of subsequent automatic renewal, and solves the problem of client trust: a CNAME pointing to a server of the partner/contractor company is still more trustworthy than a CNAME pointing to a third-party resource.
- And finally, in this case the expression "a bit of laziness is a good thing" fits perfectly.
Choosing an SSL provider and preparatory steps
Among the available options for free SSL certificates, Cloudflare and Let's Encrypt were considered. The DNS for this project (and several others) is hosted by Cloudflare, but I do not like using its certificates. So I decided to use Let's Encrypt.
To create a wildcard SSL certificate you have to confirm ownership of the domain. This procedure consists of creating a DNS record (TXT or CNAME) and having it verified when the certificate is issued. On Linux there is a utility for this -
Once the domain record has been created, we proceed to creating the certificate.
Getting to the point: we are interested in the options available for confirming domain ownership in order to issue a wildcard certificate:
- Create the DNS record manually (automatic renewal is not supported).
- Create the DNS record using an acme-dns server (you can read more about it here).
- Create the DNS record using your own script (similar to the Cloudflare plugin for certbot).
At first glance the second option is very appropriate, but what if the DNS provider does not support this feature? We need a general case. However, CNAME records are supported by everyone, so this is the general case. Therefore we settle on this option and move on to configuring the ACME-DNS server.
Setting up the ACME-DNS server and the certificate issuance process
For example, we have the domain 2nd.pp.ua, which we will use from here on. Create the following records in it:
acmens.2nd.pp.ua. IN A 35.237.128.147
acme.2nd.pp.ua. IN NS acmens.2nd.pp.ua.
At this stage the host acmens.2nd.pp.ua should resolve:
$ ping acmens.2nd.pp.ua
PING acmens.2nd.pp.ua (35.237.128.147) 56(84) bytes of data
but acme.2nd.pp.ua does not resolve yet, because the DNS server that will serve it is not running yet.
Now that the records are created, let's set up and start the ACME-DNS server. It will live on my Ubuntu server.
Create the required directories and files:
$ mkdir config
$ mkdir data
$ touch config/config.cfg
Using your favourite text editor (vim), paste the sample config into config.cfg.
For normal operation it is enough to adjust the [general] and [api] sections:
[general]
listen = "0.0.0.0:53"
protocol = "both"
domain = "acme.2nd.pp.ua"
nsname = "acmens.2nd.pp.ua"
nsadmin = "admin.2nd.pp.ua"
records = [
    "acme.2nd.pp.ua. A 35.237.128.147",
    "acme.2nd.pp.ua. NS acmens.2nd.pp.ua.",
]
...
[api]
...
tls = "letsencrypt"
...
Also create a docker-compose file in the service's directory, adjusting it to your needs:
version: '3.7'
services:
  acmedns:
    image: joohoi/acme-dns:latest
    ports:
      - "443:443"
      - "53:53"
      - "53:53/udp"
      - "80:80"
    volumes:
      - ./config:/etc/acme-dns:ro
      - ./data:/var/lib/acme-dns
Everything is ready; we can start it:
$ docker-compose up -d
At this stage the host acme.2nd.pp.ua should start resolving, and https://acme.2nd.pp.ua should return a 404:
$ ping acme.2nd.pp.ua
PING acme.2nd.pp.ua (35.237.128.147) 56(84) bytes of data.
$ curl https://acme.2nd.pp.ua
404 page not found
If you do not see this, check docker logs -f <container_name>. Fortunately, the logs are quite readable.
Now we can start creating the certificate. Open PowerShell as administrator and run win-acme. We are interested in the following choices:
- M: Create a new certificate (full options)
- 2: Manual input
- 2: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns). You will be asked for the address of the ACME-DNS server; in answer to the prompt "URL of the acme-dns server:" enter the URL (https) of the server we created: https://acme.2nd.pp.ua
First the client outputs the record that needs to be added to the existing DNS server (a XNUMX-minute procedure):
[INFO] Creating new acme-dns registration for domain 1nd.pp.ua
Domain: 1nd.pp.ua
Record: _acme-challenge.1nd.pp.ua
Type: CNAME
Content: c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
Note: Some DNS control panels add the final dot automatically.
Only one is required.
Create the required record and verify that it was created correctly:
$ dig CNAME _acme-challenge.1nd.pp.ua +short
c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
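The same check as the dig command above, written as an added Python example (not code from the article or from the acme-dns project) that also catches the two ways the CNAME usually goes wrong: the record is missing, or the DNS panel appended the domain's own zone to a value entered without the trailing dot. The CNAME lookup is an injected function so the check runs offline here; the record values are the article's own and the lookup tables are constructed.

```python
"""Check of the _acme-challenge CNAME delegation that win-acme prints.
Added example.  `resolve_cname` is injected so the check runs offline;
in real use pass a function that performs a CNAME query (for example
with dnspython).  Record values are the article's own; DNS tables are
constructed."""

import re

ACME_DNS_ZONE = "acme.2nd.pp.ua"          # zone served by our acme-dns
UUID_LABEL = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def check_delegation(domain, expected_target, resolve_cname,
                     zone=ACME_DNS_ZONE):
    """Return (ok, reason) for the CNAME at _acme-challenge.<domain>.

    Trailing dots are normalised on both sides because, as the
    registration output warns, some DNS panels add the final dot
    automatically and only one is required.
    """
    name = "_acme-challenge." + domain.rstrip(".")
    actual = resolve_cname(name)
    if actual is None:
        return False, f"{name} has no CNAME record"
    actual_n = actual.lower().rstrip(".")
    expected_n = expected_target.lower().rstrip(".")
    if actual_n == expected_n:
        return True, f"{name} -> {actual_n}"
    if actual_n.startswith(expected_n + "."):
        # Value was entered as a relative name, so the panel appended the
        # domain's own zone: the delegation points nowhere useful.
        return False, f"{name} target has the zone appended: {actual}"
    if not actual_n.endswith("." + zone):
        return False, f"{name} points outside {zone}: {actual}"
    if not UUID_LABEL.match(actual_n[: -len(zone) - 1]):
        return False, f"{name} target is not an acme-dns subdomain: {actual}"
    return False, f"{name} points at another acme-dns registration: {actual}"


# Constructed lookup tables standing in for live DNS answers.
EXPECTED = "c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua."
GOOD_DNS = {"_acme-challenge.1nd.pp.ua": EXPECTED}
APPENDED_DNS = {"_acme-challenge.1nd.pp.ua":
                "c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.1nd.pp.ua."}


def check_sample(table):
    """Run the check for the article's domain against one lookup table."""
    return check_delegation("1nd.pp.ua", EXPECTED, table.get)
```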
Confirm to win-acme that the required entry has been created, and continue the certificate creation process.
How to use certbot as the client
This completes the certificate creation process; the certificate can now be installed on the web server and used. If, when creating the certificate, you let the client create a task in the scheduler, the renewal process will run automatically from now on.
Source: habr.com