Many of us have to work with SSL certificates. Let's recall the process of obtaining and installing a certificate (in the typical case, for most people):
- Find a provider (a site where we can buy SSL).
- Generate a CSR.
- Submit it to your provider.
- Confirm ownership of the domain.
- Receive the certificate.
- Convert the certificate to the required format (optional). For example, from PEM to PKCS #12.
- Install the certificate on the web server.
It's quick, not hard, and straightforward. This option is perfectly fine when we have up to ten projects. But what if there are more of them, and each has at least three environments? The classic dev - staging - production. In that case it is worth thinking about automating the process. I propose digging deeper into the problem and finding a solution that further minimizes the time spent creating and maintaining certificates. The article contains an analysis of the problem and a short how-to.
Let me note one thing in advance: our company's main specialization is .NET and, accordingly, IIS and other Windows-related products. Therefore the ACME client and all actions with it will also be described from the perspective of using Windows.
Who this is relevant for, and some initial data
Company K is represented by the author. URL (for example): company.tld
Project X is one of our projects; working on it, I came to the conclusion that we still spend too much time maintaining certificates. This project has four environments: dev, test, staging and production. Dev and test are on our side, staging and production are on the customer's side.
A distinctive feature of the project is that it has a large number of modules, each available as a subdomain.
That is, we have the following picture:
| Dev | Test | Staging | Production |
|---|---|---|---|
| projectX.dev.company.tld | projectX.test.company.tld | staging.projectX.tld | projectX.tld |
| module1.projectX.dev.company.tld | module1.projectX.test.company.tld | module1.staging.projectX.tld | module1.projectX.tld |
| module2.projectX.dev.company.tld | module2.projectX.test.company.tld | module2.staging.projectX.tld | module2.projectX.tld |
| ... | ... | ... | ... |
| moduleN.projectX.dev.company.tld | moduleN.projectX.test.company.tld | moduleN.staging.projectX.tld | moduleN.projectX.tld |
In production a purchased wildcard certificate is used; no questions there. But it only covers the first level of subdomains. So a certificate for *.projectX.tld works for staging.projectX.tld, but not for module1.staging.projectX.tld. And I'd rather not buy a separate one for that.
And that is just the example of one project of one company. And, of course, there is more than one project.
The reasons that usually push everyone to deal with this issue look like this:
- Recently Google proposed shortening the validity period of SSL certificates. With all the consequences that entails.
- Putting in order the process of issuing and maintaining SSL for the internal needs of projects and of the company as a whole.
- Centralized storage of the records, which partially solves the problem of domain validation via DNS and subsequent automatic renewal, and also settles the question of customer trust. After all, a CNAME pointing to a partner/contractor company's server is more trustworthy than one pointing to a third-party resource.
- And finally, the phrase "better to have it than not" fits perfectly here.
Choosing an SSL provider and preparatory steps
Among the available options for free SSL certificates, Cloudflare and Let's Encrypt were considered. DNS for this (and other) projects is handled by Cloudflare, but I'm not a fan of using their certificates. Therefore it was decided to use Let's Encrypt.
To obtain a wildcard SSL certificate, you must confirm ownership of the domain. This process consists of creating a DNS record (TXT or CNAME) and then checking it when the certificate is issued. Linux has a tool -
And once the domain record is created, let's move on to creating the certificate:
We're interested in the last item, namely the available options for confirming domain ownership when issuing a wildcard certificate:
- Create DNS records manually (automatic renewal is not supported)
- Create DNS records using an acme-dns server (you can read more about it here).
- Create DNS records using your own script (similar to the Cloudflare plugin for certbot).
At first glance the third option is perfectly suitable, but what if the DNS provider doesn't support this capability? We need the general case. And the general case is CNAME records, since everyone supports them. So we settle on the second option and go set up our ACME-DNS server.
Setting up the ACME-DNS server and the certificate issuance process
As an example, I created the domain 2nd.pp.ua and will use it from here on.
acmens.2nd.pp.ua. IN A 35.237.128.147
acme.2nd.pp.ua. IN NS acmens.2nd.pp.ua.
At this point our host should resolve acmens.2nd.pp.ua.
$ ping acmens.2nd.pp.ua
PING acmens.2nd.pp.ua (35.237.128.147) 56(84) bytes of data
But acme.2nd.pp.ua will not resolve yet, since the DNS server that serves it isn't running.
The records are created; let's move on to setting up and starting the ACME-DNS server. It will live on my Ubuntu server in a docker container.
Create the necessary directories and files:
$ mkdir config
$ mkdir data
$ touch config/config.cfg
Let's use vim or your favorite text editor and paste the sample config into config.cfg.
For it to work, it's enough to configure the general and api sections:
[general]
listen = "0.0.0.0:53"
protocol = "both"
domain = "acme.2nd.pp.ua"
nsname = "acmens.2nd.pp.ua"
nsadmin = "admin.2nd.pp.ua"
records = [
    "acme.2nd.pp.ua. A 35.237.128.147",
    "acme.2nd.pp.ua. NS acmens.2nd.pp.ua.",
]
...
[api]
...
tls = "letsencrypt"
...
Also, if desired, we create a docker-compose file in the main service directory:
version: '3.7'
services:
  acmedns:
    image: joohoi/acme-dns:latest
    ports:
      - "443:443"
      - "53:53"
      - "53:53/udp"
      - "80:80"
    volumes:
      - ./config:/etc/acme-dns:ro
      - ./data:/var/lib/acme-dns
Ready. You can start it.
$ docker-compose up -d
At this point the host should start resolving acme.2nd.pp.ua, and a 404 should appear at https://acme.2nd.pp.ua
$ ping acme.2nd.pp.ua
PING acme.2nd.pp.ua (35.237.128.147) 56(84) bytes of data.
$ curl https://acme.2nd.pp.ua
404 page not found
If that doesn't happen, docker logs -f <container_name> will help; fortunately, the logs are readable.
We can start creating the certificate. Open PowerShell as administrator and run winacme. We're interested in the following options:
- M: Create a new certificate (full options)
- 2: Manual input
- 2: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
- When asked for a link to the ACME-DNS server, enter the URL of the server you set up (https) in the answer. URL of the acme-dns server: https://acme.2nd.pp.ua
On first run the client outputs a record that must be added to the existing DNS server (a one-time procedure):
[INFO] Creating new acme-dns registration for domain 1nd.pp.ua
Domain: 1nd.pp.ua
Record: _acme-challenge.1nd.pp.ua
Type: CNAME
Content: c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
Note: Some DNS control panels add the final dot automatically.
Only one is required.
We create the required record and make sure it was created correctly:
$ dig CNAME _acme-challenge.1nd.pp.ua +short
c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
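As an added example (not code from the article or from the acme-dns project), here is a small Python client for the delegation that the registration output above sets up: it checks a dig answer against the registered fulldomain (rejecting the doubled trailing dot the note warns about), computes the RFC 8555 DNS-01 TXT value, and publishes it through the acme-dns /update API. The server URL and UUID are the article's; the username and password are constructed sample values, and the /update endpoint with its X-Api-User/X-Api-Key headers is the acme-dns API as I know it.

```python
import base64
import hashlib
import json
import urllib.request

ACME_DNS_URL = "https://acme.2nd.pp.ua"  # the article's acme-dns server

# Constructed sample in the shape of an acme-dns POST /register response;
# the fulldomain reuses the UUID from the article's win-acme output.
SAMPLE_CREDS = {
    "username": "00000000-0000-0000-0000-000000000000",
    "password": "constructed-sample-password",
    "fulldomain": "c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua",
    "subdomain": "c82a88a5-499f-464f-96e4-be7f606a3b47",
}

def update_txt(creds, txt, server_url=ACME_DNS_URL):
    """POST /update: publish the DNS-01 value. Credentials travel in headers,
    which is why the api section of config.cfg needs TLS. (Network call.)"""
    if not valid_txt(txt):
        raise ValueError("acme-dns accepts exactly 43 base64url characters")
    req = urllib.request.Request(
        server_url + "/update",
        data=json.dumps({"subdomain": creds["subdomain"], "txt": txt}).encode(),
        headers={"Content-Type": "application/json",
                 "X-Api-User": creds["username"], "X-Api-Key": creds["password"]})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def valid_txt(txt):
    return len(txt) == 43 and all(c.isalnum() or c in "-_" for c in txt)

def _canon(name):
    """Lower-case and drop at most ONE trailing dot, so a control panel that
    appended a second dot ('Only one is required') does not pass the check."""
    name = name.strip().lower()
    return name[:-1] if name.endswith(".") else name

def cname_record(domain, creds):
    """The one-time delegation record the client asks you to create."""
    return f"_acme-challenge.{domain}", _canon(creds["fulldomain"]) + "."

def cname_points_to(dig_answer, creds):
    """Compare a 'dig CNAME ... +short' answer with the registered fulldomain."""
    return _canon(dig_answer) == _canon(creds["fulldomain"])

def dns01_txt(token, jwk_thumbprint):
    """RFC 8555 section 8.4: TXT = base64url(SHA-256(token '.' thumbprint))."""
    digest = hashlib.sha256(f"{token}.{jwk_thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
```

The CA follows _acme-challenge.1nd.pp.ua through the CNAME to the acme-dns zone, so the TXT only ever has to be written via the API, never in the customer's DNS panel.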
We confirm in winacme that we have created the required record and continue with the certificate creation process:
Using certbot as the client is described
This completes the certificate creation process; you can install the certificate on the web server and use it. Also, when the certificate is created, a task is created in the scheduler, so in future the certificate renewal process will happen automatically.
Source: www.habr.com