Automating Let's Encrypt SSL certificate management using the DNS-01 challenge and AWS

This post describes the steps needed to automate the management of SSL certificates from the Let's Encrypt CA using the DNS-01 challenge and AWS.

acme-dns-route53 is the tool that lets us implement this. It can obtain SSL certificates from Let's Encrypt, store them in Amazon Certificate Manager, use the Route53 API to complete the DNS-01 challenge, and finally push notifications to SNS. acme-dns-route53 also has built-in support for running inside AWS Lambda, and that is exactly what we need.

This article is divided into 4 sections:

  • creating the zip file;
  • creating the IAM role;
  • creating the Lambda function that runs acme-dns-route53;
  • creating the CloudWatch timer that triggers the function 2 times a day.

Note: before you begin you need to install GoLang 1.9+ and the AWS CLI.

Creating the zip file

acme-dns-route53 is written in GoLang and supports versions no lower than 1.9.

We need to create a zip file with the acme-dns-route53 binary inside. To do this, install acme-dns-route53 from the GitHub repository with the go install command:

$ env GOOS=linux GOARCH=amd64 go install github.com/begmaroman/acme-dns-route53

The binary is installed into the $GOPATH/bin directory. Note that during installation we set two environment variables: GOOS=linux and GOARCH=amd64. They tell the Go compiler to build a binary for the Linux OS and the amd64 architecture, which is what runs on AWS.
AWS expects our program to be deployed as a zip file, so we create the acme-dns-route53.zip archive containing the newly installed binary:

$ zip -j ~/acme-dns-route53.zip $GOPATH/bin/acme-dns-route53

Note: the binary must be at the root of the zip archive. That is why we use the -j flag.
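Two properties of the archive decide whether Lambda can start the binary: the file must sit at the archive root under the handler name, and its Unix execute bit must survive packaging. The script below is an added example, not part of the article or of acme-dns-route53; it reproduces `zip -j` with Python's zipfile module and then checks both properties, using a constructed stand-in file in place of the real Go binary.

```python
import os
import stat
import tempfile
import zipfile


def package_lambda_binary(binary_path, zip_path):
    """Equivalent of `zip -j`: store the binary at the archive root, keeping its mode bits."""
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        # ZipFile.write builds the entry via ZipInfo.from_file, which copies the
        # Unix permission bits into external_attr, so Lambda can execute the file.
        zf.write(binary_path, arcname=os.path.basename(binary_path))
    return zip_path


def check_lambda_archive(zip_path, handler):
    """Return a list of problems; an empty list means the archive looks deployable."""
    problems = []
    with zipfile.ZipFile(zip_path) as zf:
        names = zf.namelist()
        if handler not in names:
            problems.append(f"handler {handler!r} is not at the archive root (entries: {names})")
        for info in zf.infolist():
            if "/" in info.filename:
                problems.append(f"{info.filename!r} is nested under a directory")
            mode = info.external_attr >> 16  # high 16 bits hold the Unix st_mode
            if info.filename == handler and not (mode & stat.S_IXUSR):
                problems.append(f"{handler!r} is not executable (mode {oct(mode & 0o777)})")
    return problems


def demo():
    """Package a constructed stand-in binary correctly and incorrectly, and check both archives."""
    workdir = tempfile.mkdtemp()
    bindir = os.path.join(workdir, "bin")
    os.makedirs(bindir)
    binary = os.path.join(bindir, "acme-dns-route53")
    with open(binary, "wb") as f:
        f.write(b"#!/bin/sh\necho constructed stand-in for the Go binary\n")
    os.chmod(binary, 0o755)

    good = package_lambda_binary(binary, os.path.join(workdir, "good.zip"))

    # What you get without -j: the path inside the archive is bin/acme-dns-route53.
    bad = os.path.join(workdir, "bad.zip")
    with zipfile.ZipFile(bad, "w") as zf:
        zf.write(binary, arcname="bin/acme-dns-route53")

    return check_lambda_archive(good, "acme-dns-route53"), check_lambda_archive(bad, "acme-dns-route53")


if __name__ == "__main__":
    for label, problems in zip(("good.zip", "bad.zip"), demo()):
        print(label, "OK" if not problems else problems)
```

The same check can be pointed at ~/acme-dns-route53.zip before running create-function; it is cheaper than finding out from a failed invocation in CloudWatch Logs.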

Our zip archive is now ready to deploy; all that remains is to create a role with the required permissions.

Creating an IAM role

We need to set up an IAM role with the permissions our Lambda requires during execution.
Let's call this role lambda-acme-dns-route53-executor and immediately attach the basic AWSLambdaBasicExecutionRole policy to it. This will allow our Lambda to run and write logs to the AWS CloudWatch service.
First we create a JSON file describing our permissions. This is what allows the Lambda service to use the lambda-acme-dns-route53-executor role:

$ touch ~/lambda-acme-dns-route53-executor-policy.json

The contents of our file are as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup"
            ],
            "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream"
            ],
            "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/lambda/acme-dns-route53:*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "cloudwatch:PutMetricData",
                "acm:ImportCertificate",
                "acm:ListCertificates"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "sns:Publish",
                "route53:GetChange",
                "route53:ChangeResourceRecordSets",
                "acm:ImportCertificate",
                "acm:DescribeCertificate"
            ],
            "Resource": [
                "arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:<TOPIC_NAME>",
                "arn:aws:route53:::hostedzone/*",
                "arn:aws:route53:::change/*",
                "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*"
            ]
        }
    ]
}

Now let's run the aws iam create-role command to create the role:

$ aws iam create-role --role-name lambda-acme-dns-route53-executor \
    --assume-role-policy-document file://~/lambda-acme-dns-route53-executor-policy.json

Note: remember the role's ARN (Amazon Resource Name); we will need it in the next steps.

The lambda-acme-dns-route53-executor role is created; now we need to specify permissions for it. The easiest way to do this is the aws iam attach-role-policy command, passing the ARN of the AWSLambdaBasicExecutionRole policy as follows:

$ aws iam attach-role-policy --role-name lambda-acme-dns-route53-executor \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Note: a list of other policies can be found here.
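The JSON file above is a permissions policy: it lists Actions on Resources. What `aws iam create-role --assume-role-policy-document` expects is a trust policy, a document whose statement names a Principal (here the Lambda service) and the sts:AssumeRole action; the permissions document is attached separately, for example with put-role-policy. The script below is an added example, not part of the article or of acme-dns-route53: it tells the two kinds of document apart and lists the statements a reviewer would question before attaching the policy, namely a Resource of "*", resources that cover a whole type such as hostedzone/*, and an action granted twice. The article's policy is embedded as constructed sample input with its placeholders left in place.

```python
import json

# The article's permissions policy, embedded as constructed sample input
# (placeholders such as <AWS_REGION> left exactly as in the article).
PERMISSIONS_POLICY = """
{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup"],
         "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:*"},
        {"Effect": "Allow",
         "Action": ["logs:PutLogEvents", "logs:CreateLogStream"],
         "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/lambda/acme-dns-route53:*"},
        {"Sid": "", "Effect": "Allow",
         "Action": ["route53:ListHostedZones", "cloudwatch:PutMetricData",
                    "acm:ImportCertificate", "acm:ListCertificates"],
         "Resource": "*"},
        {"Sid": "", "Effect": "Allow",
         "Action": ["sns:Publish", "route53:GetChange", "route53:ChangeResourceRecordSets",
                    "acm:ImportCertificate", "acm:DescribeCertificate"],
         "Resource": ["arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:<TOPIC_NAME>",
                      "arn:aws:route53:::hostedzone/*",
                      "arn:aws:route53:::change/*",
                      "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*"]}
    ]
}
"""

# Trust policy that lets the Lambda service assume the role: this is the shape
# create-role wants for --assume-role-policy-document.
LAMBDA_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_kind(doc):
    """'trust' if every statement names a Principal and sts:AssumeRole, otherwise 'permissions'."""
    stmts = _as_list(json.loads(doc)["Statement"])
    if stmts and all("Principal" in s and "sts:AssumeRole" in _as_list(s.get("Action", []))
                     for s in stmts):
        return "trust"
    return "permissions"


def review_permissions(doc):
    """Findings as (statement index, kind, detail) tuples for every Allow statement."""
    findings = []
    first_seen = {}  # action -> index of the statement that first granted it
    for i, s in enumerate(_as_list(json.loads(doc)["Statement"])):
        if s.get("Effect") != "Allow":
            continue
        actions = _as_list(s.get("Action", []))
        for r in _as_list(s.get("Resource", [])):
            if r == "*":
                findings.append((i, "wildcard-resource", f"{actions} allowed on every resource"))
            elif r.endswith("/*"):
                findings.append((i, "broad-resource", f"{r} covers the whole resource type"))
        for a in actions:
            if a in first_seen:
                findings.append((i, "duplicate-action", f"{a} already allowed in statement {first_seen[a]}"))
            else:
                first_seen[a] = i
    return findings


if __name__ == "__main__":
    print("trust policy  :", policy_kind(LAMBDA_TRUST_POLICY))
    print("article policy:", policy_kind(PERMISSIONS_POLICY))
    for index, kind, detail in review_permissions(PERMISSIONS_POLICY):
        print(f"statement {index}: {kind}: {detail}")
```

Not every finding is a defect: change/* is unavoidable because change IDs are not known before the record set is modified, and the List actions only accept "*". The ones worth acting on are hostedzone/*, which lets the function rewrite records in every zone in the account rather than only the zones behind DOMAINS, and acm:ImportCertificate, which is granted on "*" in one statement and then again, scoped, in the next.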

Creating the Lambda function that runs acme-dns-route53

Hooray! Now we can deploy our function to AWS using the aws lambda create-function command. The Lambda must be configured with the following environment variables and parameters:

  • AWS_LAMBDA - tells acme-dns-route53 that it is executing inside AWS Lambda.
  • DOMAINS - a comma-separated list of domains.
  • LETSENCRYPT_EMAIL - the Let's Encrypt email address.
  • NOTIFICATION_TOPIC - the name of the SNS notification topic (optional).
  • STAGING - set to 1 to use the staging environment.
  • 1024 MB - the memory limit; can be changed.
  • 900 secs (15 min) - the timeout.
  • acme-dns-route53 - the name of our binary inside the archive.
  • fileb://~/acme-dns-route53.zip - the path to the archive we created.

Now let's deploy:

$ aws lambda create-function \
    --function-name acme-dns-route53 \
    --runtime go1.x \
    --role arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor \
    --environment "Variables={AWS_LAMBDA=1,DOMAINS='example1.com,example2.com',LETSENCRYPT_EMAIL=[email protected],STAGING=0,NOTIFICATION_TOPIC=acme-dns-route53-obtained}" \
    --memory-size 1024 \
    --timeout 900 \
    --handler acme-dns-route53 \
    --zip-file fileb://~/acme-dns-route53.zip

 {
     "FunctionName": "acme-dns-route53", 
     "LastModified": "2019-05-03T19:07:09.325+0000", 
     "RevisionId": "e3fadec9-2180-4bff-bb9a-999b1b71a558", 
     "MemorySize": 1024, 
     "Environment": {
         "Variables": {
            "DOMAINS": "example1.com,example2.com", 
            "STAGING": "1", 
            "LETSENCRYPT_EMAIL": "[email protected]", 
            "NOTIFICATION_TOPIC": "acme-dns-route53-obtained", 
            "AWS_LAMBDA": "1"
         }
     }, 
     "Version": "$LATEST", 
     "Role": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor", 
     "Timeout": 900, 
     "Runtime": "go1.x", 
     "TracingConfig": {
         "Mode": "PassThrough"
     }, 
     "CodeSha256": "+2KgE5mh5LGaOsni36pdmPP9O35wgZ6TbddspyaIXXw=", 
     "Description": "", 
     "CodeSize": 8456317,
     "FunctionArn": "arn:aws:lambda:us-east-1:<AWS_ACCOUNT_ID>:function:acme-dns-route53", 
     "Handler": "acme-dns-route53"
 }
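Two details of the create-function call are easy to get wrong: the DOMAINS value contains a comma, which is also the separator of the CLI's shorthand syntax, so it must be quoted inside the Variables={...} string (nested double quotes do not survive the shell), and the timeout has a hard ceiling of 900 seconds. The script below is an added example, not part of the article or of acme-dns-route53: it validates the environment from the list above and builds the create-function argument vector for subprocess, so no shell quoting is involved at all. The email address, account ID and zip path are constructed placeholders. One caveat for readers deploying today: AWS has since retired the go1.x runtime in favour of the provided.al2023 runtime, where the handler is a binary named bootstrap; the builder keeps the article's values.

```python
import re
import shlex

# RFC 1123-style hostname: dot-separated labels, alphabetic TLD, 253 chars max.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)

LAMBDA_MAX_TIMEOUT_S = 900  # documented Lambda limit


def validate_env(env):
    """Check the environment variables acme-dns-route53 reads; return a list of problems."""
    problems = []
    if env.get("AWS_LAMBDA") != "1":
        problems.append("AWS_LAMBDA must be 1 so acme-dns-route53 knows it runs inside Lambda")
    domains = [d.strip() for d in env.get("DOMAINS", "").split(",") if d.strip()]
    if not domains:
        problems.append("DOMAINS is empty")
    for d in domains:
        if not HOSTNAME_RE.match(d):
            problems.append(f"DOMAINS entry {d!r} is not a valid hostname")
    email = env.get("LETSENCRYPT_EMAIL", "")
    local, _, domain = email.partition("@")
    if not (local and domain):
        problems.append("LETSENCRYPT_EMAIL must be a mailbox address")
    if env.get("STAGING", "0") not in ("0", "1"):
        problems.append("STAGING must be 0 or 1")
    return problems


def render_variables(env):
    """AWS CLI shorthand for --environment; values containing shorthand
    metacharacters (comma, braces, equals) are wrapped in single quotes."""
    parts = []
    for key, value in env.items():
        if any(c in value for c in ",{}="):
            value = "'" + value + "'"
        parts.append(f"{key}={value}")
    return "Variables={" + ",".join(parts) + "}"


def create_function_argv(env, role_arn, zip_path, memory_mb=1024, timeout_s=900):
    """Argument vector for `aws lambda create-function`, mirroring the article's call."""
    if not 1 <= timeout_s <= LAMBDA_MAX_TIMEOUT_S:
        raise ValueError(f"Lambda timeout must be between 1 and {LAMBDA_MAX_TIMEOUT_S} seconds")
    problems = validate_env(env)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        "aws", "lambda", "create-function",
        "--function-name", "acme-dns-route53",
        "--runtime", "go1.x",
        "--role", role_arn,
        "--environment", render_variables(env),
        "--memory-size", str(memory_mb),
        "--timeout", str(timeout_s),
        "--handler", "acme-dns-route53",
        "--zip-file", "fileb://" + zip_path,
    ]


# Constructed sample environment: the domains and topic name come from the
# article, the email address is a placeholder.
SAMPLE_ENV = {
    "AWS_LAMBDA": "1",
    "DOMAINS": "example1.com,example2.com",
    "LETSENCRYPT_EMAIL": "admin@example1.com",
    "STAGING": "0",
    "NOTIFICATION_TOPIC": "acme-dns-route53-obtained",
}

if __name__ == "__main__":
    argv = create_function_argv(
        SAMPLE_ENV,
        "arn:aws:iam::123456789012:role/lambda-acme-dns-route53-executor",  # placeholder account
        "/tmp/acme-dns-route53.zip")
    # shlex.join gives a copy-pasteable, correctly quoted shell command.
    print(shlex.join(argv))
```

Run it to print the fully quoted command, or pass the list straight to subprocess.run; either way the DOMAINS value reaches the CLI as one shorthand value.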

Creating a CloudWatch timer that triggers the function 2 times a day

The last step is to set up a cron that calls our function twice a day:

  • create a CloudWatch rule with the schedule_expression value.
  • create a target for the rule (what must be executed), specifying the ARN of the Lambda function.
  • give the rule permission to invoke the Lambda function.

Below I have attached my Terraform config; in practice this is done just as easily through the AWS console or the AWS CLI.

# Cloudwatch event rule that runs acme-dns-route53 lambda every 12 hours
resource "aws_cloudwatch_event_rule" "acme_dns_route53_sheduler" {
  name                = "acme-dns-route53-issuer-scheduler"
  schedule_expression = "cron(0 */12 * * ? *)"
}

# Specify the lambda function to run
resource "aws_cloudwatch_event_target" "acme_dns_route53_sheduler_target" {
  rule = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.name}"
  arn  = "${aws_lambda_function.acme_dns_route53.arn}"
}

# Give CloudWatch permission to invoke the function
resource "aws_lambda_permission" "permission" {
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.acme_dns_route53.function_name}"
  principal     = "events.amazonaws.com"
  source_arn    = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.arn}"
}
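Two points are worth checking in that config. The aws_lambda_permission pins source_arn to the rule's ARN, so only this rule, and not any other event source in the account, may invoke the function. And the schedule uses AWS's six-field cron syntax (minutes hours day-of-month month day-of-week year, with one of the two day fields set to ?), which differs from the five-field Unix cron, so it pays to confirm what "cron(0 */12 * * ? *)" actually fires before relying on it for renewals. The evaluator below is an added example, not part of the article or of AWS; it handles the subset of the syntax used here plus lists, ranges and steps, and enumerates the UTC minutes on a given day at which a rule fires. The dates used are constructed.

```python
from datetime import datetime, timedelta, timezone


def _field_matches(field, value, low):
    """Match one AWS cron field: '*', '?', 'n', 'a,b', 'a-b', '*/n' or 'a/n'."""
    if field in ("*", "?"):
        return True
    for part in field.split(","):
        if "/" in part:
            base, step = part.split("/")
            start = low if base == "*" else int(base)
            if value >= start and (value - start) % int(step) == 0:
                return True
        elif "-" in part:
            a, b = part.split("-")
            if int(a) <= value <= int(b):
                return True
        elif int(part) == value:
            return True
    return False


def matches(expr, when):
    """Does the schedule expression 'cron(min hr dom mon dow yr)' fire at this UTC minute?"""
    if not (expr.startswith("cron(") and expr.endswith(")")):
        raise ValueError("only cron(...) expressions are handled here")
    fields = expr[5:-1].split()
    if len(fields) != 6:
        raise ValueError("AWS cron expressions have six fields")
    minute, hour, dom, month, dow, year = fields
    if "?" not in (dom, dow):
        raise ValueError("one of day-of-month or day-of-week must be '?'")
    # AWS numbers day-of-week 1-7 = Sunday-Saturday; Python's weekday() has Monday = 0.
    aws_dow = (when.weekday() + 1) % 7 + 1
    return (_field_matches(minute, when.minute, 0)
            and _field_matches(hour, when.hour, 0)
            and _field_matches(dom, when.day, 1)
            and _field_matches(month, when.month, 1)
            and _field_matches(dow, aws_dow, 1)
            and _field_matches(year, when.year, 1970))


def firing_times(expr, year, month, day):
    """Every UTC minute on the given calendar day at which the rule fires, as 'HH:MM' strings."""
    start = datetime(year, month, day, tzinfo=timezone.utc)
    hits = []
    for m in range(24 * 60):
        when = start + timedelta(minutes=m)
        if matches(expr, when):
            hits.append(when.strftime("%H:%M"))
    return hits


if __name__ == "__main__":
    # The article's schedule on a constructed date (2019-05-03, a Friday).
    print(firing_times("cron(0 */12 * * ? *)", 2019, 5, 3))   # expected ['00:00', '12:00']
    # A weekday-bound rule: 08:30 on Mondays only (AWS day-of-week 2).
    print(firing_times("cron(30 8 ? * 2 *)", 2019, 5, 6))    # Monday -> ['08:30']
    print(firing_times("cron(30 8 ? * 2 *)", 2019, 5, 5))    # Sunday -> []
```

Running the article's expression confirms two invocations per day, at 00:00 and 12:00 UTC. Since acme-dns-route53 only renews certificates that are close to expiry, the extra invocations are cheap, and a twice-daily cadence leaves room for a transient Route53 or Let's Encrypt failure to be retried well before expiry.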

You are now set up to create and renew SSL certificates automatically.

Source: www.habr.com