We often have to work with SSL certificates. Let's recall the process of obtaining and installing a certificate (in the general case, for most people):
Find a provider (somewhere we can buy an SSL certificate).
Generate a CSR.
Send it to the provider.
Verify domain ownership.
Receive the certificate.
Convert the certificate to the required format (optional), for example from PEM to PKCS #12.
Install the certificate on the web server.
Quick, easy and clear. This option is fine if there are no more than ten projects. But what if there are more, and each of them has three or more environments? For example dev, staging and production. In that case it makes sense to think about automating the task. I decided to dig deeper into the problem and find a solution that reduces the time spent on creating and maintaining certificates. This article contains an analysis of the problem and a short guide for reproducing the setup.
Let me make one reservation up front: our company's main expertise is .NET, and therefore IIS and other Windows-related products. So the ACME client and all the steps for it are described from the perspective of a Windows user.
Who this is relevant for, and some initial data
Company K is the author's company. URL (for example): company.tld
Project X is one of our projects; while working on it I decided that we need to save as much time as possible when working with certificates. The project has four environments: dev, test, staging and production. Dev and test are on our side; staging and production are on the client's side.
A distinctive feature of the project is the large number of components exposed as subdomains.
For production, a purchased wildcard certificate is used, so no questions arise there. But it only covers the first level of subdomains. So if there is a certificate for *.projectX.tld, it will be fine for staging.projectX.tld, but not for module1.staging.projectX.tld. And I really don't want to buy something separate for that.
And this is only the example of one project of one company. There is, of course, more than one project.
The general tasks for solving this problem look like this:
Set up the process of issuing and maintaining SSL certificates for the internal needs of the projects and of the company as a whole.
Storage of the certificate records: a component that solves the problem of domain validation via DNS and subsequent auto-renewal, and also addresses the question of client trust. After all, a CNAME pointing at a partner's or contractor's server is more trustworthy than one pointing at a third-party resource.
Well, and finally, in this case the phrase "better than nothing" is quite appropriate.
Choosing an SSL provider, and the challenges
Among the available options for free SSL certificates, Cloudflare and Let's Encrypt were considered. DNS for this (and other) projects is managed by Cloudflare, but I didn't want to use their certificates. So it was decided to use Let's Encrypt.
To obtain a wildcard SSL certificate, you must verify ownership of the domain. This means creating certain DNS records (TXT or CNAME) that are checked at certificate issuance time. Linux has an advantage here: certbot, with which you can automate this process (fully, or for some DNS providers). For Windows, of the ACME client options I found and tested, I settled on WinACME.
So, the record for the domain has been created; let's move on to creating the certificate:
We are interested in the last item, namely the options available for verifying domain ownership when issuing a wildcard certificate:
Create the DNS records manually (auto-renewal is not supported).
Create the DNS records using an acme-dns server (you can read more about it here).
Create the DNS records using your own script (similar to the Cloudflare plugin for certbot).
At first glance the third option looks good, but what if the DNS provider does not support this? We want a general case. And the general case is CNAME records, because everyone supports those. So we settle on option 2 and go configure our ACME-DNS server.
Setting up the ACME-DNS server and the certificate issuance process
For the example I created the domain 2nd.pp.ua, and it is used below.
Required configuration. For the server to work correctly, NS and A records must be created for its domain. And the first unpleasant moment I ran into was that Cloudflare (at least on the free plan) does not let you create NS and A records for the same host. This is not a problem in itself, although with BIND it is possible. Support replied that their team would not allow it. No problem, we just create two records:
acmens.2nd.pp.ua. IN A 35.237.128.147
acme.2nd.pp.ua. IN NS acmens.2nd.pp.ua.
At this stage our host acmens.2nd.pp.ua should resolve:
$ ping acmens.2nd.pp.ua
PING acmens.2nd.pp.ua (35.237.128.147) 56(84) bytes of data
But acme.2nd.pp.ua will not resolve yet, since the DNS server that serves it is not running.
The records are created, so we move on to setting up and launching the ACME-DNS server. Mine lives on my Ubuntu server in a Docker container, but you can run it anywhere Go is available. Windows is fine too, but I prefer a Linux server.
Create the necessary directories and files:
$ mkdir config
$ mkdir data
$ touch config/config.cfg
Using vim or your favourite text editor, paste the example configuration into config.cfg.
For it to work, it is enough to edit the general and api sections:
At this stage the host acme.2nd.pp.ua should start resolving, and https://acme.2nd.pp.ua should return a 404:
$ ping acme.2nd.pp.ua
PING acme.2nd.pp.ua (35.237.128.147) 56(84) bytes of data.
$ curl https://acme.2nd.pp.ua
404 page not found
If that does not happen, docker logs -f <container_name> will help; fortunately, the logs are quite readable.
Now we can start creating the certificate. Open PowerShell as administrator and run winacme. We need the option:
M: Create a new certificate (full options)
When asked about the connection to the ACME-DNS server, enter the URL of the server we created (over https). acme-dns server URL: https://acme.2nd.pp.ua
On the first run, the client prints a record that must be added to your current DNS server (a one-time action):
[INFO] Creating new acme-dns registration for domain 1nd.pp.ua
Domain: 1nd.pp.ua
Record: _acme-challenge.1nd.pp.ua
Type: CNAME
Content: c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
Note: Some DNS control panels add the final dot automatically.
Only one is required.
We create the required record and make sure it was created correctly:
We confirm in winacme that we have created the required entry, and the certificate creation process continues:
How to use certbot as the client is described here.
This completes the certificate creation process; you can install the certificate on the web server and use it. If, while creating the certificate, you also created a task in the scheduler, the certificate renewal process will run automatically.
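As an added check (not part of the original article or of acme-dns/win-acme), the function below verifies the whole DNS chain the guide relies on: the NS record for the acme-dns zone, the A record of its name server, and the _acme-challenge CNAME that win-acme printed. The lookup function is injectable; the built-in one answers from a constructed snapshot using the page's own names, and for a live check you would wrap a real resolver (for example dnspython's `dns.resolver.resolve(name, rtype)`).

```python
import re
from typing import Callable, Dict, List, Tuple

# A lookup maps (absolute name, record type) -> list of record values, or [].
Lookup = Callable[[str, str], List[str]]

# Constructed snapshot of what a resolver returns once the records from the
# article exist (trailing dots mark absolute names).
SAMPLE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("acmens.2nd.pp.ua.", "A"): ["35.237.128.147"],
    ("acme.2nd.pp.ua.", "NS"): ["acmens.2nd.pp.ua."],
    ("_acme-challenge.1nd.pp.ua.", "CNAME"):
        ["c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua."],
}


def sample_lookup(name: str, rtype: str) -> List[str]:
    return SAMPLE_DNS.get((name, rtype), [])


def fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."


# acme-dns registrations are UUID-named subdomains of its zone.
UUID_LABEL = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def check_delegation(domain: str, acme_zone: str,
                     lookup: Lookup = sample_lookup) -> List[str]:
    """Return a list of problems; an empty list means the chain is complete."""
    problems: List[str] = []
    zone = fqdn(acme_zone)
    # 1. The acme-dns zone must be delegated with an NS record ...
    ns_hosts = lookup(zone, "NS")
    if not ns_hosts:
        problems.append(f"no NS record for {zone}")
    # 2. ... and each name server needs an A record so it can be reached.
    for ns in ns_hosts:
        if not lookup(fqdn(ns), "A"):
            problems.append(f"name server {fqdn(ns)} has no A record")
    # 3. _acme-challenge.<domain> must be a CNAME into the acme-dns zone,
    #    pointing at the per-registration UUID subdomain win-acme printed.
    challenge = fqdn(f"_acme-challenge.{domain}")
    targets = lookup(challenge, "CNAME")
    if len(targets) != 1:
        problems.append(f"{challenge} should have exactly one CNAME, found {len(targets)}")
    else:
        label, _, parent = fqdn(targets[0]).partition(".")
        if parent != zone:
            problems.append(f"{challenge} points outside {zone}: {targets[0]}")
        elif not UUID_LABEL.match(label):
            problems.append(f"{targets[0]} does not look like an acme-dns registration")
    return problems
```

Run it after each renewal as well: a CNAME that is later deleted or edited by the DNS control panel is the usual reason auto-renewal silently stops working.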