Automating SSL certificate issuance

We often have to deal with SSL certificates. Let's recall the process of obtaining and installing a certificate, as most people do it:

  • Find a provider (a place to buy the SSL certificate).
  • Generate a CSR.
  • Send it to your provider.
  • Prove ownership of the domain.
  • Receive the certificate.
  • Convert the certificate to the required format (optional), for example from PEM to PKCS #12.
  • Install the certificate on the web server.

Quick, uncomplicated and clear. This process is fine while we have ten projects. But what if there are many more, and each has at least three environments, the classic dev - staging - production? Then it is worth thinking about automating the process. I suggest digging a little deeper into this problem and finding a solution that reduces the time spent creating and maintaining certificates. The article contains an analysis of the problem and a short guide to reproducing the result.

Let me make a reservation up front: our company's main expertise is .NET and, accordingly, IIS and other Windows-related things. Therefore the ACME client and everything done with it will be described from the point of view of Windows.

Who needs this, and some initial data

Company K, represented by the author. URL (for example): company.tld

Project X is one of our projects; while working on it I realised that we still spend too much time dealing with certificates. The project has four environments: dev, test, staging and production. Dev and test are on our side; staging and production are on the customer's side.

A peculiarity of the project is that it consists of many modules, each of which is exposed as a subdomain.

So we have the following picture:

Dev:        projectX.dev.company.tld
Test:       projectX.test.company.tld
Staging:    staging.projectX.tld
Production: projectX.tld

Dev:        module1.projectX.dev.company.tld
Test:       module1.projectX.test.company.tld
Staging:    module1.staging.projectX.tld
Production: module1.projectX.tld

Dev:        module2.projectX.dev.company.tld
Test:       module2.projectX.test.company.tld
Staging:    module2.staging.projectX.tld
Production: module2.projectX.tld

...

Dev:        moduleN.projectX.dev.company.tld
Test:       moduleN.projectX.test.company.tld
Staging:    moduleN.staging.projectX.tld
Production: moduleN.projectX.tld

In production a purchased wildcard certificate is used, so no questions arise there. But a wildcard covers only one level of subdomain: a certificate for *.projectX.tld is valid for staging.projectX.tld, but not for module1.staging.projectX.tld. And I really do not want to buy a separate certificate for that.

And that is the example of just one project of one company. There is, of course, more than one project.

The obvious reasons why anyone might need to solve this problem look like this:

  • Google recently proposed shortening the validity period of SSL certificates, with all the consequences that entails.
  • Simplifying the process of issuing and maintaining SSL for the internal needs of projects and of the company as a whole.
  • Centralised storage of the certificate records, which partly solves the problem of domain validation via DNS and of subsequent renewal, and also settles the matter with the customer: a CNAME pointing at a partner's or contractor's server is more acceptable than one pointing at a third party.
  • And finally, the phrase "better to have it than not" fits this story perfectly.

Choosing an SSL provider and the approach

Among the free SSL certificate options, Cloudflare and Let's Encrypt were considered. The DNS for these (and other) projects is managed by Cloudflare, but I am not a fan of using their certificates. So it was decided to use Let's Encrypt.
To issue a wildcard SSL certificate you have to prove ownership of the domain. Let's Encrypt issues wildcards only through the DNS-01 challenge, so this means creating a DNS record (a TXT record, or a CNAME that leads to one) which is checked when the certificate is issued. On Linux there is the certbot utility, which automates this partly (or fully, for some DNS providers). For Windows, among the existing and proven ACME clients, I settled on win-acme.

Once the record for the domain has been created, let's move on to creating the certificate:


We are interested in the last item, namely the available ways of proving domain ownership when issuing a wildcard certificate:

  1. Create the DNS records manually (automatic renewal is not supported).
  2. Create the DNS records using an acme-dns server (you can read more about it here).
  3. Create the DNS records using your own scripts (similar to certbot's Cloudflare plugin).

At first glance the third option is good, but what if the DNS provider does not support it? We want the general case. And the whole point is CNAME records, because every provider supports them. So we settle on option 2 and go to set up our own acme-dns server. Keep in mind what this delegation means: whoever can write TXT records into that server's zone (the server itself, or anyone holding its API credentials) can pass DNS-01 validation for every domain delegated to it, so the server deserves the same protection as the DNS accounts it replaces.

Setting up the acme-dns server and the certificate issuance process

For the example I created the domain 2nd.pp.ua and will use it from here on.

Prerequisite: for the server to work, NS and A records pointing at its location must exist. And the first unpleasant moment I ran into is that Cloudflare (on the free plan) does not let you create an NS record and an A record for the same hostname at the same time. Not that it is a problem, but it is worth knowing. Support replied that their team does not allow this. No matter, let's create two records:

acmens.2nd.pp.ua. IN A 35.237.128.147
acme.2nd.pp.ua. IN NS acmens.2nd.pp.ua.

At this point our host should resolve acmens.2nd.pp.ua:

$ ping acmens.2nd.pp.ua
PING acmens.2nd.pp.ua (35.237.128.147) 56(84) bytes of data

But acme.2nd.pp.ua will not resolve yet, because the DNS server that is authoritative for it has not been started.

The records are created; we move on to installing and starting the acme-dns server. It will live on my Ubuntu server inside a Docker container, but you can run it anywhere Go is available. Windows is fine too, but I still prefer a Linux server.

Create the required directories and files (data will hold the SQLite database with the registered clients' API credentials, so keep it readable by the container only):

$ mkdir config
$ mkdir data
$ touch config/config.cfg

Using vim or your favourite text editor, put the sample configuration into config.cfg.

For correct operation it is enough to adjust the [general] and [api] sections. Once your clients have registered, it is also worth setting disable_registration = true in [api]: otherwise the registration endpoint stays open to anyone who can reach port 443.

[general]
listen = "0.0.0.0:53"
protocol = "both"
domain = "acme.2nd.pp.ua"
nsname = "acmens.2nd.pp.ua"
nsadmin = "admin.2nd.pp.ua"
records = [
    "acme.2nd.pp.ua. A 35.237.128.147",
    "acme.2nd.pp.ua. NS acmens.2nd.pp.ua.",
]
...
[api]
...
tls = "letsencrypt"
...

Also, if we wish, we create a docker-compose file in the working directory. Port 80 is published as well, because with tls = "letsencrypt" acme-dns obtains its own API certificate through the HTTP challenge on that port:

version: '3.7'
services:
  acmedns:
    image: joohoi/acme-dns:latest
    ports:
      - "443:443"
      - "53:53"
      - "53:53/udp"
      - "80:80"
    volumes:
      - ./config:/etc/acme-dns:ro
      - ./data:/var/lib/acme-dns

Done. It can be started.

$ docker-compose up -d

At this point the host should resolve acme.2nd.pp.ua, and https://acme.2nd.pp.ua should answer with a 404:

$ ping acme.2nd.pp.ua
PING acme.2nd.pp.ua (35.237.128.147) 56(84) bytes of data.

$ curl https://acme.2nd.pp.ua
404 page not found

If this is not what you see, docker logs -f <container_name> helps; fortunately the logs are quite readable.

We can start creating the certificate. Open PowerShell as administrator and run win-acme. We are interested in these choices:

  • M: Create certificate (full options)
  • 2: Manual input
  • 2: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
  • When asked for the ACME-DNS server URL, enter the (https) URL of the server created above. acme-dns server URL: https://acme.2nd.pp.ua

On first run, the client prints the record that must be added (once) to the existing DNS server:

[INFO] Creating new acme-dns registration for domain 1nd.pp.ua

Domain:              1nd.pp.ua
Record:               _acme-challenge.1nd.pp.ua
Type:                   CNAME
Content:              c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
Note:                   Some DNS control panels add the final dot automatically.
                           Only one is required.


We create the required record and check that it resolves to exactly the name from the registration (the trailing dot aside):


$ dig CNAME _acme-challenge.1nd.pp.ua +short
c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
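
What happens behind the registration output above, and on every renewal afterwards, is a two-call exchange with the acme-dns API: /register once (that is where the CNAME target comes from) and /update with the 43-character DNS-01 value each time a challenge is issued. The following is an added example, not code from the article, from acme-dns or from win-acme; it writes that exchange in Python as you would for the "your own scripts" option (point 3 above), and it also covers the CNAME check just shown with dig. The HTTP transport is injected, so the exchange runs offline against a constructed in-memory stand-in (FakeAcmeDns); the token, JWK thumbprint, allowfrom CIDR and the stand-in's credential format are placeholders, not values from the page. Pass urllib_transport to talk to a real server.

```python
"""acme-dns client side of the DNS-01 CNAME delegation, plus an in-memory server
stand-in so the exchange runs offline. Added example; not from the article,
acme-dns or win-acme. Placeholders (not from the page): tokens, thumbprint,
allowfrom CIDR and the stand-in's credential format."""
import base64
import hashlib
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# transport(url, headers, body) -> (http_status, decoded_json_body)
Transport = Callable[[str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


def urllib_transport(url: str, headers: Dict[str, str], body: Optional[dict]) -> Tuple[int, dict]:
    """Real HTTPS transport using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/json", **headers})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode(), json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def dns01_txt_value(token: str, jwk_thumbprint: str) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(token "." thumbprint)) without padding.
    A SHA-256 digest always encodes to 43 characters, the length acme-dns requires."""
    digest = hashlib.sha256(f"{token}.{jwk_thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AcmeDnsClient:
    """The two-endpoint acme-dns API: /register once, /update per challenge."""

    def __init__(self, server_url: str, transport: Transport = urllib_transport):
        self.server_url = server_url.rstrip("/")
        self.transport = transport

    def register(self, allowfrom: Optional[List[str]] = None) -> dict:
        """POST /register -> {username, password, subdomain, fulldomain, allowfrom}.
        allowfrom (CIDR list) restricts which source addresses may call /update later."""
        body = {"allowfrom": allowfrom} if allowfrom else None
        status, resp = self.transport(f"{self.server_url}/register", {}, body)
        if status != 201:
            raise RuntimeError(f"registration failed: {status} {resp}")
        return resp

    def update(self, creds: dict, txt: str) -> dict:
        """POST /update, authenticated with the X-Api-User / X-Api-Key headers."""
        if len(txt) != 43:
            raise ValueError("DNS-01 TXT value must be exactly 43 characters")
        headers = {"X-Api-User": creds["username"], "X-Api-Key": creds["password"]}
        body = {"subdomain": creds["subdomain"], "txt": txt}
        status, resp = self.transport(f"{self.server_url}/update", headers, body)
        if status != 200:
            raise RuntimeError(f"update failed: {status} {resp}")
        return resp


def cname_record(domain: str, creds: dict) -> Tuple[str, str, str]:
    """The one-time record for the real DNS provider: _acme-challenge.<domain> CNAME <fulldomain>."""
    return (f"_acme-challenge.{domain.strip('.')}", "CNAME", creds["fulldomain"].rstrip(".") + ".")


def cname_matches(observed: str, creds: dict) -> bool:
    """Compare a `dig CNAME ... +short` answer with the registration, ignoring the
    trailing dot (some panels add it for you) and letter case."""
    return observed.strip().rstrip(".").lower() == creds["fulldomain"].rstrip(".").lower()


class FakeAcmeDns:
    """Constructed stand-in for the server: credential check on /update, the
    43-character rule, and the two most recent TXT values per subdomain (what
    acme-dns serves, so a wildcard and its base name, which share one
    _acme-challenge label, can both validate). Unknown paths give 404 like the real one."""

    def __init__(self, zone: str = "acme.2nd.pp.ua"):
        self.zone = zone
        self.accounts: Dict[str, Tuple[str, str]] = {}  # username -> (password, subdomain)
        self.txt: Dict[str, Tuple[str, ...]] = {}         # subdomain -> last two TXT values
        self._n = 0

    def __call__(self, url: str, headers: Dict[str, str], body: Optional[dict]) -> Tuple[int, dict]:
        if url.endswith("/register"):
            self._n += 1
            user, pw, sub = f"user-{self._n}", f"secret-{self._n}", f"sub{self._n:04d}"  # placeholders
            self.accounts[user] = (pw, sub)
            return 201, {"username": user, "password": pw, "subdomain": sub,
                         "fulldomain": f"{sub}.{self.zone}",
                         "allowfrom": (body or {}).get("allowfrom", [])}
        if url.endswith("/update"):
            acct = self.accounts.get(headers.get("X-Api-User", ""))
            if acct is None or acct[0] != headers.get("X-Api-Key") or acct[1] != (body or {}).get("subdomain"):
                return 401, {"error": "forbidden"}
            txt = (body or {}).get("txt", "")
            if len(txt) != 43:
                return 400, {"error": "bad_txt"}
            self.txt[acct[1]] = (self.txt.get(acct[1], ()) + (txt,))[-2:]
            return 200, {"txt": txt}
        return 404, {}


def demo(domain: str = "1nd.pp.ua") -> Tuple[dict, Tuple[str, str, str], Tuple[str, ...]]:
    """Whole flow against the stand-in: register, derive the CNAME to add once, then
    publish two challenge values as a wildcard + base-name order does."""
    server = FakeAcmeDns()
    client = AcmeDnsClient("https://acme.2nd.pp.ua", transport=server)
    creds = client.register(allowfrom=["203.0.113.0/24"])  # placeholder CIDR
    record = cname_record(domain, creds)
    for token in ("token-for-wildcard", "token-for-base"):  # placeholder tokens
        client.update(creds, dns01_txt_value(token, "jwk-thumbprint"))  # placeholder thumbprint
    return creds, record, server.txt[creds["subdomain"]]
```

The credentials returned by register() are the secret that matters here: they are all that is needed to publish validation values for every domain whose _acme-challenge CNAME points at this registration, which is why win-acme keeps them for renewals and why allowfrom and a disabled registration endpoint are worth setting on the server.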

We confirm in win-acme that the required record has been created, and continue with the certificate:


How to use certbot as the client is described here.

This completes the creation of the certificate; it can be installed on the web server and used. If, while creating the certificate, you also let win-acme create a task in the Task Scheduler, renewals will happen automatically from now on: the CNAME stays in place, and the client reuses its acme-dns registration to publish a fresh TXT value each time.

Source: www.habr.com
