We regularly have to work with SSL certificates. Let's recall the process of obtaining and installing one (in the form that is typical for most of us):
- Find a provider (a site where we can buy SSL).
- Generate a CSR.
- Send it to the provider.
- Prove ownership of the domain.
- Receive the certificate.
- Convert the certificate to the required format (optional). For example, from PEM to PKCS #12.
- Install the certificate on the web server.
It is comparatively quick, not complicated and easy to understand. This option is perfectly fine if we are limited to a dozen projects. But what if there are dozens of them, and each has at least three environments? The classic dev - staging - production. In that case it is worth thinking about automating the process. I propose to dig a little deeper into the problem and find a solution that will keep reducing the time spent on creating and maintaining certificates. The article contains an analysis of the problem and a short guide for reproducing the setup.
Let me make a reservation up front: our company's main specialization is .NET and, accordingly, IIS and other Windows-related products. Therefore the ACME client and everything done with it will be described from the point of view of a Windows user.
Who this is for, and some initial data
Company K, represented by the author. URL (example): company.tld
Project X is one of our projects; while working on it I concluded that we still need to move towards saving as much time as possible when working with certificates. The project has four environments: dev, test, staging and production. Dev and test are on our side; staging and production are on the client's side.
A particular feature of the project is that it has a large number of modules, each available as its own subdomain.
That is, we have the following picture:
| Dev | Test | Staging | Production |
|-----|------|---------|------------|
| projectX.dev.company.tld | projectX.test.company.tld | staging.projectX.tld | projectX.tld |
| module1.projectX.dev.company.tld | module1.projectX.test.company.tld | module1.staging.projectX.tld | module1.projectX.tld |
| module2.projectX.dev.company.tld | module2.projectX.test.company.tld | module2.staging.projectX.tld | module2.projectX.tld |
| ... | ... | ... | ... |
| moduleN.projectX.dev.company.tld | moduleN.projectX.test.company.tld | moduleN.staging.projectX.tld | moduleN.projectX.tld |
For production a purchased wildcard certificate is used; no questions arise there. But it covers only one level of subdomain: a wildcard label matches exactly one DNS label, which is the rule browsers apply (RFC 6125). Accordingly, a *.projectX.tld certificate serves staging.projectX.tld but not module1.staging.projectX.tld, and the module names need a second wildcard, *.staging.projectX.tld. And I really do not want to buy a separate one.
And that is only the example of one project of one company. There is, of course, more than one project.
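To make the single-label rule concrete, here is an added example (not code from the original article) that applies it to the environment table above and derives the set of names a certificate for this project would have to carry. The hostnames are the table's own; nothing here touches live DNS.

```python
# Added example (not code from the article): single-label wildcard matching as
# browsers apply it (RFC 6125 section 6.4.3) and the resulting set of names to
# request for the environment table above. Hostnames are the table's, not live.
from collections import defaultdict

HOSTS = [
    "projectX.dev.company.tld", "projectX.test.company.tld",
    "staging.projectX.tld", "projectX.tld",
    "module1.projectX.dev.company.tld", "module1.projectX.test.company.tld",
    "module1.staging.projectX.tld", "module1.projectX.tld",
    "module2.projectX.dev.company.tld", "module2.projectX.test.company.tld",
    "module2.staging.projectX.tld", "module2.projectX.tld",
]


def wildcard_matches(name: str, host: str) -> bool:
    """True if certificate name `name` covers `host`.

    "*.projectX.tld" matches exactly one extra label on the left: it covers
    staging.projectX.tld but neither module1.staging.projectX.tld (two labels)
    nor projectX.tld itself (zero labels). Comparison is case-insensitive.
    """
    name, host = name.lower().rstrip("."), host.lower().rstrip(".")
    if not name.startswith("*."):
        return name == host
    suffix = name[1:]                          # ".projectx.tld"
    if not host.endswith(suffix) or len(host) <= len(suffix):
        return False
    return "." not in host[: -len(suffix)]     # left-most part is one label


def san_plan(hosts):
    """Smallest sensible set of names to request: one wildcard for every parent
    that has two or more children, every other host listed explicitly."""
    names = set()
    by_parent = defaultdict(list)
    for h in hosts:
        parent = h.partition(".")[2]
        if parent:
            by_parent[parent].append(h)
        else:                                  # single-label name: list as-is
            names.add(h)
    for parent, children in by_parent.items():
        if len(children) >= 2:
            names.add("*." + parent)
        else:
            names.update(children)
    return sorted(names)


def uncovered(hosts, names):
    """Hosts that none of `names` (plain or wildcard) would match."""
    return [h for h in hosts if not any(wildcard_matches(n, h) for n in names)]


if __name__ == "__main__":
    print("only *.projectX.tld leaves uncovered:", uncovered(HOSTS, ["*.projectX.tld"]))
    plan = san_plan(HOSTS)
    print("request:", plan)
    print("still uncovered:", uncovered(HOSTS, plan))
```

For the table this yields four wildcards (*.projectX.tld, *.staging.projectX.tld, *.projectX.dev.company.tld, *.projectX.test.company.tld) plus the three bare environment names, which is exactly the list you would put into one certificate request or split across one certificate per environment.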
The general reasons why everyone will have to deal with this issue look like this:
- Google recently proposed reducing the maximum validity period of SSL certificates. With all the consequences that follow.
- Simplifying the process of issuing and maintaining SSL for the internal needs of projects and of the company as a whole.
- Centralized storage of the certificate records, which partly solves the problem of domain validation via DNS with subsequent automatic renewal, and also solves the question of client trust. After all, a CNAME pointing at the server of your partner, the company doing the work, inspires far more trust than a third-party tool.
- Finally, in this case the saying "better to have it and not need it" fits well.
Choosing an SSL provider and preparatory steps
Among the available options for free SSL certificates, Cloudflare and Let's Encrypt were considered. The DNS for this (and other) projects is hosted at Cloudflare, but I am not a fan of using their certificates. Therefore it was decided to use Let's Encrypt.
To obtain a wildcard SSL certificate you have to prove ownership of the domain, and Let's Encrypt issues wildcards only through the DNS-01 challenge. The process consists of creating a specific DNS record (a TXT record at _acme-challenge.<domain>, or a CNAME from that name to wherever the TXT record actually lives) which is then verified when the certificate is issued. Linux has a utility -
And once the domain record has been created, let's move on to creating the certificate:
What interests us is the final conclusion, namely the available options for proving domain ownership when issuing a wildcard certificate:
- Create the DNS records by hand (automatic renewal is not supported).
- Create the DNS records through an acme-dns server (you can read more about it here).
- Create the DNS records with your own script (something like certbot's Cloudflare plugin).
At first glance the third option really fits, but what if the DNS provider does not support that functionality? We need the general case. And the general case is CNAME records, because everyone supports them. So we settle on option 2 and go and set up our own ACME-DNS server.
Setting up the ACME-DNS server and the certificate issuance process
As an example, I created the domain 2nd.pp.ua and will use it from here on.
```
acmens.2nd.pp.ua. IN A 35.237.128.147
acme.2nd.pp.ua.   IN NS acmens.2nd.pp.ua.
```
At this stage our resolver should resolve acmens.2nd.pp.ua:
```
$ ping acmens.2nd.pp.ua
PING acmens.2nd.pp.ua (35.237.128.147) 56(84) bytes of data
```
But acme.2nd.pp.ua will not resolve yet, since the DNS server that is to serve it is not running.
The records are created; we move on to setting up and launching the ACME-DNS server. It will live on my Ubuntu server at
Create the required directories and files:
```
$ mkdir config
$ mkdir data
$ touch config/config.cfg
```
Using vim or your favorite text editor, paste the sample config into config.cfg.
For it to work, it is enough to adjust the general and api sections. The `tls = "letsencrypt"` setting makes acme-dns obtain its own certificate for the API, which is why ports 80 and 443 are published below. Once your clients have registered, also consider `disable_registration = true` in the api section so that strangers cannot create records under acme.2nd.pp.ua.
```
[general]
listen = "0.0.0.0:53"
protocol = "both"
domain = "acme.2nd.pp.ua"
nsname = "acmens.2nd.pp.ua"
nsadmin = "admin.2nd.pp.ua"
records = [
    "acme.2nd.pp.ua. A 35.237.128.147",
    "acme.2nd.pp.ua. NS acmens.2nd.pp.ua.",
]
...
[api]
...
tls = "letsencrypt"
...
```
And, if we wish, we create a docker-compose file in the main service directory. Make sure nothing else on the host (for example a local stub resolver) already listens on port 53, otherwise the container will fail to bind it:
```yaml
version: '3.7'
services:
  acmedns:
    image: joohoi/acme-dns:latest
    ports:
      - "443:443"
      - "53:53"
      - "53:53/udp"
      - "80:80"
    volumes:
      - ./config:/etc/acme-dns:ro
      - ./data:/var/lib/acme-dns
```
Done. You can start it:
```
$ docker-compose up -d
```
At this stage the resolver should start resolving acme.2nd.pp.ua, and https://acme.2nd.pp.ua should return a 404:
```
$ ping acme.2nd.pp.ua
PING acme.2nd.pp.ua (35.237.128.147) 56(84) bytes of data.
$ curl https://acme.2nd.pp.ua
404 page not found
```
If that does not happen, `docker logs -f <container_name>` will help; fortunately the logs are quite readable.
We can start creating the certificate. Open PowerShell as administrator and run win-acme. We are interested in the following options:
- M: Create a new certificate (full options)
- 2: Manual input
- 2: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
- When asked for the ACME-DNS server link, enter the URL (https) of the server we created. acme-dns server URL: https://acme.2nd.pp.ua
On first use the client registers with acme-dns and prints a record that has to be added to the existing DNS server (a one-time operation). Note that the registration it receives (username, password and subdomain) is the credential that lets its holder pass DNS-01 for 1nd.pp.ua; win-acme stores it on this machine, so protect the machine accordingly.
```
[INFO] Creating new acme-dns registration for domain 1nd.pp.ua
Domain: 1nd.pp.ua
Record: _acme-challenge.1nd.pp.ua
Type: CNAME
Content: c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
Note: Some DNS control panels add the final dot automatically.
Only one is required.
```
We create the required record and check that it was created correctly:
```
$ dig CNAME _acme-challenge.1nd.pp.ua +short
c82a88a5-499f-464f-96e4-be7f606a3b47.acme.2nd.pp.ua.
```
We confirm in win-acme that we have created the required record and continue the certificate creation process:
How to use certbot as the client is described
This completes the certificate creation process; you can install the certificate on the web server and use it. If, while creating the certificate, you also let win-acme create a task in the Task Scheduler, renewal will happen automatically from then on, because the CNAME stays in place and only the TXT record on the acme-dns server changes on each renewal.
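What the "[dns-01] acme-dns" option does behind the scenes, and why the CNAME delegation in the option list above is enough for every future renewal, as an added example that is not code from the article, from win-acme or from acme-dns. It is written against the documented acme-dns HTTP API (POST /register, POST /update with X-Api-User/X-Api-Key headers) and the DNS-01 TXT computation from RFC 8555; the server URL reuses the one set up above, while the domain, the client subnet and the token/thumbprint values are assumptions for illustration.

```python
"""Added example, not code from the article, win-acme or acme-dns: the acme-dns
client flow that win-acme performs behind the "[dns-01] acme-dns" option.
ACME_DNS_URL is the server set up above; the domain, the allowfrom subnet and
the token/thumbprint passed in __main__ are assumptions for illustration."""
import base64
import hashlib
import json
import urllib.request

ACME_DNS_URL = "https://acme.2nd.pp.ua"


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 section 8.4: the TXT value is base64url(SHA-256(token "." JWK
    thumbprint)) without padding, always 43 characters. acme-dns rejects any
    other length, so this is the only shape /update will ever accept."""
    key_authz = f"{token}.{account_thumbprint}".encode()
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def cname_record(domain: str, fulldomain: str) -> str:
    """Zone-file line to add once at the real DNS provider (the record win-acme
    prints). Trailing dots are normalised so the target is absolute exactly
    once, matching the "Only one is required" note in the win-acme output."""
    return f"_acme-challenge.{domain.rstrip('.')}. IN CNAME {fulldomain.rstrip('.')}."


def register(api_url: str, allowfrom=None) -> dict:
    """One-time registration; returns username, password, fulldomain, subdomain.
    Those credentials alone let anyone pass DNS-01 for every name that CNAMEs
    to fulldomain, so store them like a private key. allowfrom (a list of CIDRs)
    restricts which source addresses may call /update with them."""
    body = json.dumps({"allowfrom": allowfrom}).encode() if allowfrom else None
    req = urllib.request.Request(f"{api_url}/register", data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def update_request(api_url: str, creds: dict, txt: str) -> urllib.request.Request:
    """Build the /update call: credentials travel in headers, the TXT in JSON."""
    if len(txt) != 43:
        raise ValueError("acme-dns only accepts a 43-character TXT value")
    body = json.dumps({"subdomain": creds["subdomain"], "txt": txt}).encode()
    return urllib.request.Request(
        f"{api_url}/update", data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "X-Api-User": creds["username"],
                 "X-Api-Key": creds["password"]})


def set_challenge(api_url: str, creds: dict, token: str, thumbprint: str) -> str:
    """Publish the challenge TXT through acme-dns. Returns the value the server
    now serves at creds['fulldomain']; the CA follows the CNAME to it, so the
    real zone is never touched again after the one-time CNAME."""
    txt = dns01_txt_value(token, thumbprint)
    with urllib.request.urlopen(update_request(api_url, creds, txt), timeout=10) as resp:
        return json.load(resp)["txt"]


if __name__ == "__main__":
    # Assumed client subnet; 1nd.pp.ua is the domain from the win-acme output.
    creds = register(ACME_DNS_URL, allowfrom=["203.0.113.0/24"])
    print(cname_record("1nd.pp.ua", creds["fulldomain"]))          # add once
    print(set_challenge(ACME_DNS_URL, creds, "assumed-token", "assumed-thumbprint"))
```

After set_challenge returns, `dig TXT <fulldomain> @acmens.2nd.pp.ua +short` should show the same 43-character value; if it does not, the acme-dns container or the NS delegation is the problem, not the ACME client.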
Source: www.habr.com