Towards automatic SSL certificate issuance

Quite often we have to deal with SSL certificates. Let us recall the procedure for generating and installing a certificate (in the typical case for most people).

  • Find a provider (a site where we can buy an SSL certificate).
  • Generate a CSR.
  • Send it to your provider.
  • Confirm domain ownership.
  • Obtain the certificate.
  • Convert the certificate to the required format (optional). For example, from PEM to PKCS #12.
  • Install the certificate on the web server.

Quick, not complicated, and clear. This option is perfectly fine if we have about ten projects. But what if there are many of them, and each has about three environments? The classic dev - staging - production. In that case it is worth thinking about automating this process. I propose to dig deeper into the problem and find a solution that minimizes the time spent on generating and maintaining certificates. The article contains an analysis of the problem and a short guide for reproducing the setup.

Let me make a reservation right away: the main specialization of our company is .net and, accordingly, IIS and other Windows-related products. Therefore the ACME client and all actions with it will also be described from the point of view of a Windows user.

Who this is relevant for, and some initial data

Company K is represented by the author. URL (as an example): company.tld

Project X is one of our projects; while working on it I came to the conclusion that we spend too much time maintaining certificates. This project has four environments: dev, test, staging and production. Dev and test are on our side, staging and production are on the client's side.

A feature of the project is that it has a large number of modules, each available as a subdomain.

That is, we have the following picture:

Dev                                 Test                                 Staging                         Production
projectX.dev.company.tld            projectX.test.company.tld            staging.projectX.tld            projectX.tld
module1.projectX.dev.company.tld    module1.projectX.test.company.tld    module1.staging.projectX.tld    module1.projectX.tld
module2.projectX.dev.company.tld    module2.projectX.test.company.tld    module2.staging.projectX.tld    module2.projectX.tld
...                                 ...                                  ...                             ...
moduleN.projectX.dev.company.tld    moduleN.projectX.test.company.tld    moduleN.staging.projectX.tld    moduleN.projectX.tld

In production a purchased wildcard certificate is used, so no questions arise there. But a wildcard only covers the first level of subdomains. That is, a certificate for *.projectX.tld works for staging.projectX.tld, but not for module1.staging.projectX.tld. And somehow I do not want to buy a separate one.
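
As an added example (not code from the original article), the following check shows which hostnames a certificate's names actually cover; it generalizes the single case above to any list of hostnames. A wildcard stands for exactly one DNS label, which is why the second-level module hosts are left out.

```python
# Added example: which hostnames does a (wildcard) certificate name cover?
# A wildcard label matches exactly one DNS label (RFC 6125), so
# *.projectX.tld covers staging.projectX.tld but not module1.staging.projectX.tld.

def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Return True if the certificate name `cert_name` covers `hostname`."""
    cert = cert_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not cert.startswith("*."):
        return cert == host            # plain name: exact match only
    cert_labels = cert.split(".")
    host_labels = host.split(".")
    # The wildcard replaces exactly one label, so the label counts must agree
    if len(cert_labels) != len(host_labels):
        return False
    # Every label after the wildcard must match exactly
    return cert_labels[1:] == host_labels[1:]


def uncovered_hosts(cert_names, hostnames):
    """Hostnames that none of the certificate's names cover."""
    return [h for h in hostnames
            if not any(wildcard_matches(c, h) for c in cert_names)]


# Constructed sample: the production wildcard and a few hosts from the table above
PRODUCTION_CERT = ["projectX.tld", "*.projectX.tld"]
SAMPLE_HOSTS = [
    "projectX.tld",
    "staging.projectX.tld",
    "module1.projectX.tld",
    "module1.staging.projectX.tld",
    "module2.staging.projectX.tld",
]

if __name__ == "__main__":
    for host in uncovered_hosts(PRODUCTION_CERT, SAMPLE_HOSTS):
        print("not covered by the production certificate:", host)
```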

And this is only the example of one project of one company. And, of course, there is more than one project.

The usual reasons for anyone to tackle this issue look like this:

  • Google recently proposed shortening the validity period of SSL certificates. With all the consequences that follow.
  • Set up a process for issuing and maintaining SSL certificates for the internal needs of projects and of the whole company.
  • Centralized storage of the validation records, which partly solves the problem of domain validation via DNS with subsequent automatic renewal, and also settles the question of client trust. After all, a CNAME pointing at a server of a partner/contractor company is more trustworthy than one pointing at a third-party resource.
  • Well, finally, in this matter the phrase "better to have it than not" fits perfectly.

Choosing an SSL provider and preparatory steps

Among the available options for free SSL certificates, cloudflare and letsencrypt were considered. The DNS for this (and other) projects is hosted with cloudflare, but I am not a fan of using their certificates. Therefore it was decided to use letsencrypt.
To generate a wildcard SSL certificate, you need to confirm domain ownership. This procedure involves creating a DNS record (TXT or CNAME) and then verifying it when the certificate is issued. Linux has a utility, certbot, which allows you to automate this process partially (or fully, for some DNS providers). For Windows, of the ACME client options I found and tested, I settled on WinACME.

So, with the domain records created, let's move on to generating the certificate:

We are interested in the last item, namely the available options for confirming domain ownership when issuing a wildcard certificate:

  1. Create the DNS records manually (automatic renewal is not supported).
  2. Create the DNS records using an acme-dns server (you can read more about it here).
  3. Create the DNS records using your own script (similar to the cloudflare plugin for certbot).

At first glance the third option is perfectly suitable, but what if the DNS provider does not support this functionality? We need the general case. And the general case is CNAME records, since everyone supports them. Therefore we stop at the second option and go to set up our ACME-DNS server.

Setting up the ACME-DNS server and the certificate issuance procedure

As an example, I created the domain 2nd.pp.ua and will use it below.

Prerequisites. For the server to work correctly, NS and A records for its location need to be created. And the first unpleasant moment I ran into is that cloudflare (at least in the free plan) does not allow you to create an NS and an A record for the same host at the same time. Not that this is a problem, but it is limiting. Support replied that their panel does not allow it. No problem, let's create two records:

acmens.2nd.pp.ua. IN A 35.237.128.147
acme.2nd.pp.ua. IN NS acmens.2nd.pp.ua.

At this point our host should resolve acmens.2nd.pp.ua:

$ ping acmens.2nd.pp.ua
PING acmens.2nd.pp.ua (35.237.128.147) 56(84) bytes of data

But acme.2nd.pp.ua will not resolve yet, since the DNS server that serves it is not running yet.

The records are created, so we proceed to configuring and launching the ACME-DNS server. It will live on my ubuntu server inside a docker container, but you can run it anywhere golang is available. Windows is also perfectly suitable, but I still prefer a Linux server.

Create the necessary directories and files:

$ mkdir config
$ mkdir data
$ touch config/config.cfg

Using vim or your favorite text editor, paste the sample config into config.cfg.

For the server to work it is enough to configure the general and api sections:

[general]
listen = "0.0.0.0:53"
protocol = "both"
# the zone acme-dns is authoritative for; challenge CNAMEs point below it
domain = "acme.2nd.pp.ua"
nsname = "acmens.2nd.pp.ua"
nsadmin = "admin.2nd.pp.ua"
# static records for the zone itself, matching the glue records created above
records = [
    "acme.2nd.pp.ua. A 35.237.128.147",
    "acme.2nd.pp.ua. NS acmens.2nd.pp.ua.",
]
...
[api]
...
tls = "letsencrypt"
...

Also, if desired, create a docker-compose file in the main service directory:

version: '3.7'
services:
  acmedns:
    image: joohoi/acme-dns:latest
    ports:
      - "443:443"
      - "53:53"
      - "53:53/udp"
      - "80:80"
    volumes:
      - ./config:/etc/acme-dns:ro
      - ./data:/var/lib/acme-dns

Done. You can launch it:

$ docker-compose up -d

At this point the resolver should start resolving acme.2nd.pp.ua, and a 404 should appear at https://acme.2nd.pp.ua:

$ ping acme.2nd.pp.ua
PING acme.2nd.pp.ua (35.237.128.147) 56(84) bytes of data.

$ curl https://acme.2nd.pp.ua
404 page not found

If this does not happen, docker logs -f <container_name> will help; fortunately, the logs are readable.

We can start generating the certificate. Open powershell as administrator and run winacme. We are interested in the following options:

  • M: Create a new certificate (full options)
  • 2: Manual input
  • 2: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
  • When asked for a link to the ACME-DNS server, enter the URL of the server we just set up (https). URL of the acme-dns server: https://acme.2nd.pp.ua

In its output the client prints the record that needs to be added to the existing DNS server (a one-time procedure):

[INFO] Creating new acme-dns registration for domain 1nd.pp.ua

Domain:              1nd.pp.ua
Record:               _acme-challenge.1nd.pp.ua
Type:                   CNAME
Content:              c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
Note:                   Some DNS control panels add the final dot automatically.
                           Only one is required.

We create the required record and make sure it has been created correctly:

$ dig CNAME _acme-challenge.1nd.pp.ua +short
c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
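
As an added example (not code from the original article), here is an offline version of the delegation check that the dig command above does by hand: it verifies the NS and A records of the acme-dns zone and that _acme-challenge.<domain> is exactly one CNAME into that zone. The record set and the lookup function are constructed stand-ins for real DNS, including one deliberately broken entry where a control panel appended the zone because the final dot was left off.

```python
# Added example: offline check of the acme-dns CNAME delegation. `lookup` is any
# callable (name, rrtype) -> list of record strings; the constructed record set
# below replaces real DNS so the check runs without network access.
ACME_DNS_ZONE = "acme.2nd.pp.ua"      # `domain` from config.cfg
ACME_DNS_NS = "acmens.2nd.pp.ua"      # `nsname` from config.cfg
ACME_DNS_IP = "35.237.128.147"        # A record of the acme-dns host

# Constructed sample zone data mirroring the records created in the article,
# plus one wrong entry: the zone got appended because the final dot was missing.
SAMPLE_RECORDS = {
    ("acmens.2nd.pp.ua", "A"): ["35.237.128.147"],
    ("acme.2nd.pp.ua", "NS"): ["acmens.2nd.pp.ua."],
    ("_acme-challenge.1nd.pp.ua", "CNAME"):
        ["c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua."],
    ("_acme-challenge.broken.example", "CNAME"):
        ["c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.broken.example."],
}


def sample_lookup(name, rrtype):
    """Stand-in resolver over SAMPLE_RECORDS (names compared without the final dot)."""
    return SAMPLE_RECORDS.get((name.rstrip(".").lower(), rrtype), [])


def check_delegation(domain, lookup=sample_lookup):
    """Return a list of problems; an empty list means dns-01 via acme-dns can work."""
    problems = []
    # 1. The acme-dns zone must be delegated to our name server, which needs an A record
    if ACME_DNS_NS + "." not in lookup(ACME_DNS_ZONE, "NS"):
        problems.append(f"{ACME_DNS_ZONE} is not delegated to {ACME_DNS_NS}")
    if ACME_DNS_IP not in lookup(ACME_DNS_NS, "A"):
        problems.append(f"{ACME_DNS_NS} has no A record {ACME_DNS_IP}")
    # 2. _acme-challenge.<domain> must be exactly one CNAME into the acme-dns zone
    challenge = f"_acme-challenge.{domain}"
    targets = lookup(challenge, "CNAME")
    if len(targets) != 1:
        problems.append(f"{challenge} needs exactly one CNAME, got {len(targets)}")
        return problems
    target = targets[0].rstrip(".").lower()
    suffix = "." + ACME_DNS_ZONE
    if not target.endswith(suffix):
        problems.append(f"{challenge} CNAME {targets[0]} is not under {ACME_DNS_ZONE}")
    elif "." in target[: -len(suffix)]:
        # acme-dns hands out a single label (a UUID) directly below its zone
        problems.append(f"{challenge} CNAME {targets[0]} has extra labels")
    return problems
```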

We confirm in winacme that the required record has been created, and proceed with the certificate generation procedure:

The procedure for using certbot as the client is described here.

This completes the certificate generation procedure; you can install the certificate on the web server and use it. Also, when generating the certificate, a task is created in the scheduler, so in future the certificate renewal will happen automatically.

Source: www.habr.com