Automating Let's Encrypt SSL certificate management using the DNS-01 challenge and AWS
This post describes the steps to automate the management of SSL certificates from the Let's Encrypt CA using the DNS-01 challenge and AWS.
acme-dns-route53 is the tool that lets us implement this. It can work with SSL certificates from Let's Encrypt, store them in Amazon Certificate Manager, use the Route53 API to carry out the DNS-01 challenge, and, finally, push notifications to SNS. acme-dns-route53 also has built-in functionality for running inside AWS Lambda, and this is what we need.
This article is divided into four parts:
creating a zip file;
creating an IAM role;
creating a lambda function that runs acme-dns-route53;
creating a CloudWatch timer that triggers the function 2 times a day;
Note: Before you start you need to install GoLang 1.9+ and the AWS CLI
Creating a zip file
acme-dns-route53 is written in GoLang and supports versions no lower than 1.9.
We need to create a zip file with the acme-dns-route53 binary inside. To do this, install acme-dns-route53 from the GitHub repository using the go install command:
$ env GOOS=linux GOARCH=amd64 go install github.com/begmaroman/acme-dns-route53
The binary is installed in the $GOPATH/bin directory. Note that during installation we set two environment variables: GOOS=linux and GOARCH=amd64. They tell the Go compiler to build a binary suitable for the Linux OS and the amd64 architecture, which is what runs on AWS.
AWS expects our program to be deployed as a zip file, so let's create the acme-dns-route53.zip archive, which will contain the newly installed binary:
$ zip -j ~/acme-dns-route53.zip $GOPATH/bin/acme-dns-route53
Note: The binary must be at the root of the zip archive. For this we use the -j flag.
Now our zip archive is ready for deployment; all that remains is to create a role with the necessary permissions.
Creating an IAM role
We need to set up an IAM role with the permissions our lambda requires during its execution.
Let's call this role lambda-acme-dns-route53-executor and immediately give it the basic AWSLambdaBasicExecutionRole policy. This will allow our lambda to run and write logs to the AWS CloudWatch service.
First, we create a JSON file that describes our permissions. It allows lambda functions to use the lambda-acme-dns-route53-executor role:
Now let's run the aws iam create-role command to create the role:
$ aws iam create-role --role-name lambda-acme-dns-route53-executor \
--assume-role-policy-document file://~/lambda-acme-dns-route53-executor-policy.json
Note: remember the role ARN (Amazon Resource Name) from the output; we will need it in the following steps.
The lambda-acme-dns-route53-executor role has been created; now we need to specify its permissions. The easiest way to do this is to use the aws iam attach-role-policy command, passing the ARN of the AWSLambdaBasicExecutionRole policy as follows:
$ aws iam attach-role-policy --role-name lambda-acme-dns-route53-executor \
--policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Note: a list of other policies can be found here.
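The trust policy file and the two IAM commands from this section, put together as an added example that is not part of the original post. The policy body is the standard Lambda service trust policy; the function names, the --apply switch and the line-based check are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): trust policy for the
# lambda-acme-dns-route53-executor role, with a pre-flight check.

# Write the trust policy: only the Lambda service may assume the role.
write_trust_policy() {
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Line-based check (hypothetical helper): reject wildcard, account or
# federated principals; require exactly one Service principal, Lambda.
check_trust_policy() {
  f=$1
  [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
  if grep -Eq '"Principal"[[:space:]]*:[[:space:]]*"\*"|"(AWS|Federated)"[[:space:]]*:' "$f"; then
    echo "principal other than a service in $f" >&2; return 1
  fi
  [ "$(grep -c '"Service"' "$f")" -eq 1 ] ||
    { echo "expected exactly one Service principal" >&2; return 1; }
  grep -Eq '"Service"[[:space:]]*:[[:space:]]*"lambda\.amazonaws\.com"' "$f" ||
    { echo "Service is not lambda.amazonaws.com" >&2; return 1; }
  grep -q '"sts:AssumeRole"' "$f"
}

# AWS is only touched when the script is invoked with --apply.
if [ "${1:-}" = "--apply" ]; then
  policy="$HOME/lambda-acme-dns-route53-executor-policy.json"
  write_trust_policy "$policy"
  check_trust_policy "$policy" || exit 1
  aws iam create-role --role-name lambda-acme-dns-route53-executor \
    --assume-role-policy-document "file://$policy" &&
  aws iam attach-role-policy --role-name lambda-acme-dns-route53-executor \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
fi
```

The check refuses the file before create-role runs if anything other than the Lambda service could assume the role.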
Creating a lambda function that runs acme-dns-route53
Hooray! Now we can deploy our function to AWS using the aws lambda create-function command. The lambda must be configured using the following environment variables:
AWS_LAMBDA - tells acme-dns-route53 that execution takes place inside AWS Lambda.
DOMAINS - a comma-separated list of domains.