A look at automating SSL issuance

We often have to work with SSL certificates. Let's recall the process of creating and installing a certificate (the usual case for most):

  • Find a provider (a site where we can buy an SSL certificate).
  • Generate a CSR.
  • Submit it to your provider.
  • Verify domain ownership.
  • Receive the certificate.
  • Convert the certificate to the required format (optional). For example, from PEM to PKCS #12.
  • Install the certificate on the web server.

It is comparatively quick, not complicated and easy to follow. This option is perfectly fine if we are limited to ten projects. But what if there are many more of them, and each has at least three environments? The classic dev - staging - production. In that case it is worth thinking about automating this process. I propose to dig a little deeper into the problem and find a solution that keeps reducing the time spent on creating and maintaining certificates. The article contains an analysis of the problem and a short guide to reproducing the setup.

Let me make one reservation in advance: our company's main specialization is .NET and, accordingly, IIS and other Windows-related products. Therefore the ACME client and everything done with it will also be described from the point of view of a Windows user.

Who this concerns, and some initial data

Company K, represented by the author. URL (example): company.tld

Project X is one of our projects; while working on it I came to the conclusion that we still need to move towards saving as much time as possible when working with certificates. The project has four environments: dev, test, staging and production. Dev and test are on our side, staging and production on the client's side.

A special feature of the project is that it has a large number of modules, each available as a subdomain.

That is, we have the following picture:

Dev                               Test                               Staging                       Production
projectX.dev.company.tld          projectX.test.company.tld          staging.projectX.tld          projectX.tld
module1.projectX.dev.company.tld  module1.projectX.test.company.tld  module1.staging.projectX.tld  module1.projectX.tld
module2.projectX.dev.company.tld  module2.projectX.test.company.tld  module2.staging.projectX.tld  module2.projectX.tld
...                               ...                                ...                           ...
moduleN.projectX.dev.company.tld  moduleN.projectX.test.company.tld  moduleN.staging.projectX.tld  moduleN.projectX.tld

For production, a purchased wildcard certificate is used; there are no questions here. But it covers only the first level of subdomains. Accordingly, if there is a certificate for *.projectX.tld, it will serve staging.projectX.tld, but not module1.staging.projectX.tld. And I somehow do not want to buy a separate one.

And this is only the example of one project of one company. And, of course, there is more than one project.

The general reasons why everyone should deal with this issue look like this:

  • Google recently proposed reducing the maximum validity period of SSL certificates. With all the consequences that follow.
  • Simplify the process of issuing and maintaining SSL certificates for the internal needs of projects and of the company as a whole.
  • Centralized storage of certificate records, which partly solves the problem of domain validation via DNS and the subsequent automatic renewal, and also solves the issue of client trust. After all, a CNAME to a partner's/contractor's server inspires more trust than a third-party utility.
  • Finally, in this case the saying "better to have it than not" fits well.

Choosing an SSL provider and preparatory steps

Among the available options for free SSL certificates, Cloudflare and Let's Encrypt were considered. DNS for this (and other projects) is hosted at Cloudflare, but I am not a fan of using their certificates. Therefore it was decided to use Let's Encrypt.
To create a wildcard SSL certificate, you need to verify domain ownership. This process consists of creating a specific DNS record (TXT or CNAME) and then verifying it when the certificate is issued. Linux has a utility, certbot, which lets you automate this process (fully, for some DNS providers). For Windows, of the ACME client options I found and tested, I settled on WinACME.

So, the domain record is created; let's move on to creating the certificate:


We are interested in the last point, namely the available options for verifying domain ownership in order to issue a wildcard certificate:

  1. Create the DNS records manually (automatic renewal is not supported).
  2. Create the DNS records using an acme-dns server (you can read more about it here).
  3. Create the DNS records using your own script (similar to the cloudflare plugin for certbot).

At first glance, the third point suits perfectly, but what if the DNS provider does not support this functionality? We need the general case. And the general case is CNAME records, because everyone supports them. Therefore we settle on point 2 and go to set up our own ACME-DNS server.

Setting up the ACME-DNS server and the certificate issuance process

As an example, I created the domain 2nd.pp.ua and will use it from here on.

A mandatory requirement: for the server to work correctly, NS and A records must be created for its domain. And the first unpleasant moment I ran into is that Cloudflare (at least on the free plan) does not let you create an NS and an A record for the same host at the same time. Not that this is a problem, but it is possible in BIND. Support replied that their panel does not allow it. No problem, let's create two records:

acmens.2nd.pp.ua. IN A 35.237.128.147
acme.2nd.pp.ua. IN NS acmens.2nd.pp.ua.

At this stage, acmens.2nd.pp.ua should resolve:

$ ping acmens.2nd.pp.ua
PING acmens.2nd.pp.ua (35.237.128.147) 56(84) bytes of data

But acme.2nd.pp.ua will not resolve yet, since the DNS server that serves it is not running yet.

The records have been created; let's move on to setting up and launching the ACME-DNS server. It will live on my Ubuntu server in a Docker container, but you can run it anywhere golang is available. Windows is also fine, but I still prefer a Linux server.

Create the required directories and files:

$ mkdir config
$ mkdir data
$ touch config/config.cfg

Using vim or your favorite text editor, paste the sample configuration into config.cfg.

For it to work, it is enough to set up the general and api sections:

[general]
listen = "0.0.0.0:53"
protocol = "both"
domain = "acme.2nd.pp.ua"
nsname = "acmens.2nd.pp.ua"
nsadmin = "admin.2nd.pp.ua"
records = [
    "acme.2nd.pp.ua. A 35.237.128.147",
    "acme.2nd.pp.ua. NS acmens.2nd.pp.ua.",
]
...
[api]
...
tls = "letsencrypt"
...

And, if we wish, we create a docker-compose file in the service's main directory:

version: '3.7'
services:
  acmedns:
    image: joohoi/acme-dns:latest
    ports:
      - "443:443"
      - "53:53"
      - "53:53/udp"
      - "80:80"
    volumes:
      - ./config:/etc/acme-dns:ro
      - ./data:/var/lib/acme-dns

Ready. You can start it.

$ docker-compose up -d

At this stage, acme.2nd.pp.ua should start to resolve, and https://acme.2nd.pp.ua should return a 404:

$ ping acme.2nd.pp.ua
PING acme.2nd.pp.ua (35.237.128.147) 56(84) bytes of data.

$ curl https://acme.2nd.pp.ua
404 page not found

If this does not happen, docker logs -f <container_name> will help; fortunately, the logs are quite readable.

We can start creating the certificate. Open PowerShell as administrator and run winacme. We are interested in the following options:

  • M: Create a new certificate (full options)
  • 2: Manual input
  • 2: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
  • When asked for the ACME-DNS server link, enter the URL (https) of the server we created. acme-dns server URL: https://acme.2nd.pp.ua

As output, the client prints a record that must be added to the existing DNS server (a one-time procedure):

[INFO] Creating new acme-dns registration for domain 1nd.pp.ua

Domain:              1nd.pp.ua
Record:               _acme-challenge.1nd.pp.ua
Type:                   CNAME
Content:              c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
Note:                   Some DNS control panels add the final dot automatically.
                           Only one is required.
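The registration WinACME performs here is one call to the acme-dns HTTP API, followed later by a TXT update for each challenge. The following is an added example (my own code, not the article's and not WinACME's) that walks through that exchange with Python's standard library; it assumes the server URL from the article, a constructed registration reply with placeholder credentials, and an offline echo_opener that stands in for the real server.

```python
import json
import urllib.request
from io import BytesIO

ACME_DNS_URL = "https://acme.2nd.pp.ua"  # the server set up in the article

def _post(base_url, path, body, extra_headers, opener):
    """Send one JSON POST to acme-dns and decode the JSON reply."""
    req = urllib.request.Request(
        base_url + path, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", **extra_headers})
    with opener(req) as resp:
        return json.load(resp)

def register(base_url, allowfrom=(), opener=urllib.request.urlopen):
    """POST /register: per-domain credentials. allowfrom (CIDR list, optional)
    limits which client addresses may later use them."""
    return _post(base_url, "/register", {"allowfrom": list(allowfrom)}, {}, opener)

def cname_record(domain, registration):
    """The one-time CNAME to add in the DNS panel; a wildcard name validates
    at its base name, and the target gets exactly one trailing dot."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base, registration["fulldomain"].rstrip(".") + "."

def update(base_url, registration, txt, opener=urllib.request.urlopen):
    """POST /update: publish the dns-01 digest. acme-dns only accepts a
    43-character TXT value, so reject anything else before sending."""
    if len(txt) != 43:
        raise ValueError("dns-01 TXT value must be exactly 43 characters")
    auth = {"X-Api-User": registration["username"], "X-Api-Key": registration["password"]}
    return _post(base_url, "/update", {"subdomain": registration["subdomain"], "txt": txt}, auth, opener)

# Constructed reply shaped like acme-dns's /register JSON; credentials are placeholders.
SAMPLE_REGISTRATION = {
    "username": "PLACEHOLDER-USERNAME", "password": "PLACEHOLDER-API-KEY",
    "fulldomain": "c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua",
    "subdomain": "c82a88a5-499f-464f-96e4-be7f606a3b47", "allowfrom": [],
}

def echo_opener(req):
    """Offline stand-in for urlopen: echoes the request as JSON so the exchange
    can be inspected without a running acme-dns server."""
    seen = {"path": req.selector, "body": json.loads(req.data),
            "headers": {k.lower(): v for k, v in req.header_items()}}
    return BytesIO(json.dumps(seen).encode())

if __name__ == "__main__":  # offline demo against the echo opener
    print(cname_record("1nd.pp.ua", SAMPLE_REGISTRATION))
    print(update(ACME_DNS_URL, SAMPLE_REGISTRATION, "A" * 43, opener=echo_opener))
```

Against a real server, drop the opener argument and keep the returned username/password out of logs and source control; they are the only thing standing between an attacker and your challenge records.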


We create the required record and verify that it was created correctly:


$ dig CNAME _acme-challenge.1nd.pp.ua +short
c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
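The single dig above checks only the CNAME. The added helper below (my own code, not from the article) checks the whole delegation chain built in this section: the A record for the nameserver host, the NS record for the acme-dns zone and the _acme-challenge CNAME, including the doubled trailing dot that the WinACME note warns about. It works on a snapshot of DNS answers, here constructed from the article's records.

```python
def _norm(name):
    """Lower-case a DNS name and strip its trailing dot(s)."""
    return name.lower().rstrip(".")

def check_delegation(records, domain, acme_zone, nsname):
    """Return a list of problems (empty means the chain is consistent).
    records maps owner name -> list of (type, value) pairs, e.g. as read
    back with `dig +short`. A wildcard name validates at its base name."""
    problems = []
    base = domain[2:] if domain.startswith("*.") else domain
    owner = "_acme-challenge." + base
    lookup = {_norm(k): v for k, v in records.items()}

    cnames = [v for t, v in lookup.get(_norm(owner), []) if t == "CNAME"]
    if len(cnames) != 1:
        problems.append("%s: expected exactly one CNAME, found %d" % (owner, len(cnames)))
    else:
        target = cnames[0]
        if ".." in target:
            # The panel appended its own dot to a target that already had one.
            problems.append("%s: CNAME target %r contains a doubled dot" % (owner, target))
        if not _norm(target).endswith("." + _norm(acme_zone)):
            problems.append("%s: CNAME target %r is not under %s" % (owner, target, acme_zone))

    if _norm(acme_zone) == _norm(nsname):
        # Some panels (Cloudflare's free plan, per the article) refuse NS and A on one host.
        problems.append("%s: NS host and delegated zone share a name" % acme_zone)
    ns_targets = [_norm(v) for t, v in lookup.get(_norm(acme_zone), []) if t == "NS"]
    if _norm(nsname) not in ns_targets:
        problems.append("%s: no NS record pointing at %s" % (acme_zone, nsname))
    if not any(t == "A" for t, _ in lookup.get(_norm(nsname), [])):
        problems.append("%s: no A record for the acme-dns host" % nsname)
    return problems

# Constructed snapshots mirroring the article's records.
GOOD_ZONE = {
    "acmens.2nd.pp.ua.": [("A", "35.237.128.147")],
    "acme.2nd.pp.ua.": [("NS", "acmens.2nd.pp.ua.")],
    "_acme-challenge.1nd.pp.ua.": [("CNAME", "c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.")],
}
BAD_ZONE = {
    "acmens.2nd.pp.ua.": [("A", "35.237.128.147")],
    # NS record missing, and the panel added a second trailing dot.
    "_acme-challenge.1nd.pp.ua.": [("CNAME", "c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua..")],
}

if __name__ == "__main__":
    for name, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(name, check_delegation(zone, "1nd.pp.ua", "acme.2nd.pp.ua", "acmens.2nd.pp.ua") or "OK")
```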

We confirm in winacme that the required entry has been created, and continue the certificate creation process:


How to use certbot as the client is described here.

This completes the certificate creation process; you can install the certificate on the web server and use it. If, while creating the certificate, you also created a task in the scheduler, then from now on the certificate renewal process will happen automatically.

Source: www.habr.com
