Automating SSL issuance

We often have to work with SSL certificates. Let's recall the process of obtaining and installing a certificate (in the general case, for most providers):

  • Find a provider (somewhere we can buy the SSL certificate).
  • Create a CSR.
  • Send it to the provider.
  • Confirm ownership of the domain.
  • Receive the certificate.
  • Convert the certificate to the required format (optional), for example from PEM to PKCS #12.
  • Install the certificate on the web server.

Quick, simple and clear. This option is perfectly fine if there are no more than ten projects. But what if there are more of them, and each has three or more environments? The classic dev - staging - prod. In that case it makes sense to think about automating this task. I decided to dig deeper into the problem and find a solution that reduces the time spent on creating and maintaining certificates. This article contains an analysis of the problem and a short guide for reproducing the setup.

Let me make one reservation up front: our company's main expertise is .NET, and therefore IIS and other Windows-related products. So the ACME client, and everything done with it, will be described from the perspective of a Windows user.

Who this is relevant for, and some initial data

Company K is the author's company. URL (for example): company.tld

Project X is one of our projects; while working on it I decided that we need to go further in saving as much time as possible when working with certificates. This project has four environments: dev, test, staging and production. Dev and test are on our side; staging and production are on the client's side.

A particular feature of the project is the large number of modules, each available as its own subdomain.

That is, we have the following picture:

              dev                                test                                staging                        production
base          projectX.dev.company.tld           projectX.test.company.tld           staging.projectX.tld           projectX.tld
module1       module1.projectX.dev.company.tld   module1.projectX.test.company.tld   module1.staging.projectX.tld   module1.projectX.tld
module2       module2.projectX.dev.company.tld   module2.projectX.test.company.tld   module2.staging.projectX.tld   module2.projectX.tld
...           ...                                ...                                 ...                            ...
moduleN       moduleN.projectX.dev.company.tld   moduleN.projectX.test.company.tld   moduleN.staging.projectX.tld   moduleN.projectX.tld

For production a purchased wildcard certificate is used, so no questions arise there. But it only covers the first level of subdomains. So a certificate for *.projectX.tld is fine for staging.projectX.tld, but not for module1.staging.projectX.tld. And I really don't want to buy a separate certificate for that.

And this is just the example of one project of one company. There is, of course, more than one project.

The general reasons for solving this problem look like this for everyone:

  • Google recently considered reducing the maximum validity period of SSL certificates, with all the ensuing consequences.
  • Standardize the process of issuing and maintaining SSL certificates for the internal needs of the projects and the company as a whole.
  • Keeping the certificate validation records under our own control, which solves the problem of domain validation via DNS with subsequent automatic renewal, and also addresses the question of client trust: a CNAME pointing at the partner/contractor company's server is more trustworthy than one pointing at a third-party resource.
  • And finally, in this case the phrase "better than nothing" applies perfectly.
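As an added illustration (not code from the article), the following Python function applies the single-label wildcard rule from RFC 6125 to the Project X hostnames from the table above and lists which of them a *.projectX.tld certificate leaves uncovered:

```python
# Added example, not from the article: which Project X hostnames does one
# purchased wildcard certificate cover? Per RFC 6125 section 6.4.3 a wildcard
# stands for exactly one DNS label, so "*.projectX.tld" matches
# "staging.projectX.tld" but not "module1.staging.projectX.tld" (or the apex).

def wildcard_matches(pattern: str, host: str) -> bool:
    """True if the certificate name `pattern` covers `host`."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host          # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # The wildcard replaces exactly one label; all remaining labels must match.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def uncovered_hosts(pattern: str, hosts) -> list:
    """Hostnames that still need their own certificate (or a SAN entry)."""
    return [h for h in hosts if not wildcard_matches(pattern, h)]


# Constructed from the article's environment table: staging and production
# hostnames of Project X (two modules shown; the article has N of them).
PROJECT_X_HOSTS = [
    "staging.projectX.tld", "projectX.tld",
    "module1.staging.projectX.tld", "module1.projectX.tld",
    "module2.staging.projectX.tld", "module2.projectX.tld",
]

if __name__ == "__main__":
    for h in PROJECT_X_HOSTS:
        state = "covered" if wildcard_matches("*.projectX.tld", h) else "NOT covered"
        print(f"{h:32} {state}")
```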

Choosing an SSL provider and preparatory steps

Among the available options for free SSL certificates, cloudflare and letsencrypt were considered. DNS for this (and other) projects is managed by cloudflare, but I don't like using their certificates. So it was decided to use Letsencrypt.
To obtain a wildcard SSL certificate you must confirm ownership of the domain. This procedure consists of creating a DNS record (TXT or CNAME) that is validated when the certificate is issued. On Linux there is a utility, certbot, which lets you automate this process (fully, or partially, for some DNS providers). For Windows, after searching for and testing ACME client options, I settled on WinACME.

With the record for the domain created, let's move on to creating the certificate:


We are interested in the last item, namely the available ways of confirming domain ownership for wildcard certificate issuance:

  1. Create the DNS records manually (automatic renewal is not supported)
  2. Create the DNS records using an acme-dns server (you can read more about it here)
  3. Create the DNS records using your own script (similar to the cloudflare plugin for certbot)

At first glance the third option is fine, but what if the DNS provider doesn't support this functionality? We need a general solution. And the general solution is CNAME records, since everyone supports them. So we settle on option 2 and go off to configure our ACME-DNS server.

Setting up the ACME-DNS server and the certificate issuance process

As an example, I created the domain 2nd.pp.ua and will use it from here on.

Mandatory requirement: for the server to work correctly, NS and A records must be created for its domain. And the first unpleasant moment I ran into was that cloudflare (at least on the free plan) does not let you create an NS and an A record for the same host. Not that it's a problem, but it is a limitation. Support replied that their team does not allow this. No problem, we create two records:

acmens.2nd.pp.ua. IN A 35.237.128.147
acme.2nd.pp.ua. IN NS acmens.2nd.pp.ua.

At this stage our host acmens.2nd.pp.ua should resolve.

$ ping acmens.2nd.pp.ua
PING acmens.2nd.pp.ua (35.237.128.147) 56(84) bytes of data

But acme.2nd.pp.ua will not resolve yet, since the DNS server that serves it isn't running.

The records are created; let's move on to installing and running the ACME-DNS server. It will live on my Ubuntu server in a docker container, but you can run it anywhere golang is available. Windows is fine too, but I prefer a Linux server.

Create the required directories and files:

$ mkdir config
$ mkdir data
$ touch config/config.cfg

Using vim or your favourite text editor, paste the example config into config.cfg.

For it to work, it is enough to edit the general and api sections:

[general]
listen = "0.0.0.0:53"
protocol = "both"
domain = "acme.2nd.pp.ua"
nsname = "acmens.2nd.pp.ua"
nsadmin = "admin.2nd.pp.ua"
records = [
    "acme.2nd.pp.ua. A 35.237.128.147",
    "acme.2nd.pp.ua. NS acmens.2nd.pp.ua.",
]
...
[api]
...
tls = "letsencrypt"
...

Also, if desired, create a docker-compose file in the service's main directory:

version: '3.7'
services:
  acmedns:
    image: joohoi/acme-dns:latest
    ports:
      - "443:443"
      - "53:53"
      - "53:53/udp"
      - "80:80"
    volumes:
      - ./config:/etc/acme-dns:ro
      - ./data:/var/lib/acme-dns

Done. You can start it.

$ docker-compose up -d

At this stage the host acme.2nd.pp.ua should start resolving, and https://acme.2nd.pp.ua should return a 404:

$ ping acme.2nd.pp.ua
PING acme.2nd.pp.ua (35.237.128.147) 56(84) bytes of data.

$ curl https://acme.2nd.pp.ua
404 page not found

If that doesn't happen, docker logs -f <container_name> will help; fortunately, the logs are quite readable.

Now we can start creating the certificate. Open PowerShell as administrator and run winacme. We are interested in the options:

  • M: Create certificate (full options)
  • 2: Manual input
  • 2: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
  • When asked for the link to the ACME-DNS server, enter the URL (https) of the server we created. acme-dns server URL: https://acme.2nd.pp.ua

On first run, the client prints a record that has to be added to the current DNS server (a one-time action):

[INFO] Creating new acme-dns registration for domain 1nd.pp.ua

Domain:              1nd.pp.ua
Record:               _acme-challenge.1nd.pp.ua
Type:                   CNAME
Content:              c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
Note:                   Some DNS control panels add the final dot automatically.
                           Only one is required.


We create the required record and check that it was created correctly:


$ dig CNAME _acme-challenge.1nd.pp.ua +short
c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
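Before confirming the record in winacme it is worth checking the whole delegation chain, not just the CNAME. The following pre-flight check is an added example (not part of the article, acme-dns or win-acme); `resolve(name, rtype)` is an assumed callback, and the table-backed resolver below is constructed from the article's records, where a real one would query DNS.

```python
# Added example, not part of the article, acme-dns or win-acme: a pre-flight
# check of the delegation chain before confirming the record in winacme.
# `resolve(name, rtype)` is an assumed callback returning record data strings;
# the table-backed one below is constructed from the article's records.

def normalize(name: str) -> str:
    """Lower-case and drop trailing dots, however many the DNS panel added."""
    return name.lower().rstrip(".")


def check_delegation(domain, fulldomain, acmedns_domain, nsname, resolve):
    """Return a list of problems; an empty list means the chain is consistent."""
    problems = []
    target = normalize(fulldomain)
    zone = normalize(acmedns_domain)
    # 1. The registration the client printed must live under the acme-dns zone
    #    configured as `domain` in config.cfg.
    if not target.endswith("." + zone):
        problems.append(f"{fulldomain} is not under {acmedns_domain}")
    # 2. _acme-challenge.<domain> must be a CNAME to exactly that name.
    challenge = f"_acme-challenge.{normalize(domain)}"
    cnames = [normalize(c) for c in resolve(challenge, "CNAME")]
    if cnames != [target]:
        problems.append(f"{challenge} CNAME is {cnames or 'missing'}, expected {target}")
    # 3. The zone must be delegated (NS) to the acme-dns host, which needs an A record.
    if normalize(nsname) not in [normalize(n) for n in resolve(zone, "NS")]:
        problems.append(f"{acmedns_domain} is not delegated to {nsname}")
    if not resolve(normalize(nsname), "A"):
        problems.append(f"{nsname} has no A record")
    return problems


# Constructed record table reproducing the article's setup.
RECORDS = {
    ("acmens.2nd.pp.ua", "A"): ["35.237.128.147"],
    ("acme.2nd.pp.ua", "NS"): ["acmens.2nd.pp.ua."],
    ("_acme-challenge.1nd.pp.ua", "CNAME"):
        ["c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua."],
}
FULLDOMAIN = "c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua."


def table_resolver(name, rtype):
    return RECORDS.get((normalize(name), rtype), [])


if __name__ == "__main__":
    problems = check_delegation("1nd.pp.ua", FULLDOMAIN, "acme.2nd.pp.ua",
                                "acmens.2nd.pp.ua", table_resolver)
    print("\n".join(problems) or "delegation OK")
```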

We confirm in winacme that the required record has been created, and the certificate creation process continues:


Using certbot as the client is described here.

This completes the certificate creation process; the certificate can now be installed on the web server and used. If, while creating the certificate, you also let it create a task in the Task Scheduler, the certificate renewal process will run automatically.

Source: will.com
