(25 intermediate revisions by the same user not shown) |
Line 1: |
Line 1: |
− | = THIS PAGE IS A DRAFT, NOT A REAL COURSE PAGE =
| + | [http://wiki.littlesvr.ca/wiki/OPS345_Lab_5 This page has moved.] |
− | | |
− | = DNS =
| |
− | | |
− | The Domain Name System converts human-friendly domain names to IP addresses. Computers on the internet can only communicate with each other using IP addresses. But people aren't very good at remembering long strings of numbers (up to 12 digits for ipv4) or even longer strings of numbers and characters mixed (24 characters for ipv6).
| |
− | | |
− | Therefore DNS is a critical part of the internet infrastructure, and just about everyone who has a website needs to do something with it. Some all-inclusive web hosts offer domain name registration and automatically connect their hosting service to the domain registration, but that comes at the cost of any flexibility. From a technical point of view your domain name registration has nothing to do with the server that your DNS records are pointing to.
| |
− | | |
− | | |
− | | |
− | * what is DNS
| |
− | * how dns works
| |
− | * typical registrar process
| |
− | ** caching time: https://www.whatsmydns.net/
| |
− | * running a private DNS server
| |
− | * requirements to run a public DNS server
| |
− | * you should have received an email about a Bindistrar account that's been created for you
| |
− | * set up an A record for yourmysenecaid.ops345.ca to point to your elastic IP (the one assigned to router)
| |
− | * set up a CNAME record for www
| |
− | * test the two records above using dig, and using firefox
| |
− | * fix nextcloud "Access through untrusted domain"
| |
− | | |
− | * certificates, CAs, relationship with DNS
| |
− | * CA-signed certs cost money. we have to use let's encrypt which is lame because it expires quickly unless you run their software on your server. but it's free
| |
− | * follow this except the deploy part: https://help.datica.com/hc/en-us/articles/360044373551-Creating-and-Deploying-a-LetsEncrypt-Certificate-Manually
| |
− | * install certbot in your workstation using apt or the software manager
| |
− | <source>$ sudo su
| |
− | root@p51:/home/andrew# certbot certonly --manual --preferred-challenges dns
| |
− | Saving debug log to /var/log/letsencrypt/letsencrypt.log
| |
− | Plugins selected: Authenticator manual, Installer None
| |
− | Enter email address (used for urgent renewal and security notices) (Enter 'c' to
| |
− | cancel): asmith15@myseneca.ca
| |
− | | |
− | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
− | Please read the Terms of Service at
| |
− | https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
| |
− | agree in order to register with the ACME server at
| |
− | https://acme-v02.api.letsencrypt.org/directory
| |
− | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
− | (A)gree/(C)ancel: a
| |
− | | |
− | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
− | Would you be willing to share your email address with the Electronic Frontier
| |
− | Foundation, a founding partner of the Let's Encrypt project and the non-profit
| |
− | organization that develops Certbot? We'd like to send you email about our work
| |
− | encrypting the web, EFF news, campaigns, and ways to support digital freedom.
| |
− | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
− | (Y)es/(N)o: n
| |
− | Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
| |
− | to cancel): asmith15.ops345.ca
| |
− | Obtaining a new certificate
| |
− | Performing the following challenges:
| |
− | dns-01 challenge for asmith15.ops345.ca
| |
− | | |
− | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
− | NOTE: The IP of this machine will be publicly logged as having requested this
| |
− | certificate. If you're running certbot in manual mode on a machine that is not
| |
− | your server, please ensure you're okay with that.
| |
− | | |
− | Are you OK with your IP being logged?
| |
− | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
− | (Y)es/(N)o: y
| |
− | | |
− | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
− | Please deploy a DNS TXT record under the name
| |
− | _acme-challenge.asmith15.ops345.ca with the following value:
| |
− | | |
− | SUobA6iJARuujmCDhb-4I0m61Zdtqe_uBgyX1ExrCPg
| |
− | | |
− | Before continuing, verify the record is deployed.
| |
− | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
− | Press Enter to Continue
| |
− | Waiting for verification...
| |
− | Cleaning up challenges
| |
− | | |
− | IMPORTANT NOTES:
| |
− | - Congratulations! Your certificate and chain have been saved at:
| |
− | /etc/letsencrypt/live/asmith15.ops345.ca/fullchain.pem
| |
− | Your key file has been saved at:
| |
− | /etc/letsencrypt/live/asmith15.ops345.ca/privkey.pem
| |
− | Your cert will expire on 2022-02-16. To obtain a new or tweaked
| |
− | version of this certificate in the future, simply run certbot
| |
− | again. To non-interactively renew *all* of your certificates, run
| |
− | "certbot renew"
| |
− | - Your account credentials have been saved in your Certbot
| |
− | configuration directory at /etc/letsencrypt. You should make a
| |
− | secure backup of this folder now. This configuration directory will
| |
− | also contain certificates and private keys obtained by Certbot so
| |
− | making regular backups of this folder is ideal.
| |
− | - If you like Certbot, please consider supporting our work by:
| |
− | | |
− | Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
| |
− | Donating to EFF: https://eff.org/donate-le
| |
− | | |
− | You have new mail in /var/mail/root
| |
− | | |
− | root@p51:/home/andrew# cp /etc/letsencrypt/live/asmith15.ops345.ca/cert.pem ~andrew/prog/seneca/ops345/new/keys/asmith15.ops345.ca.cert.pem
| |
− | root@p51:/home/andrew# cp /etc/letsencrypt/live/asmith15.ops345.ca/privkey.pem ~andrew/prog/seneca/ops345/new/keys/asmith15.ops345.ca.key.pem
| |
− | root@p51:/home/andrew# chown andrew ~andrew/prog/seneca/ops345/new/keys/asmith15.ops345.ca.*
| |
− | root@p51:/home/andrew# exit
| |
− | </source>
| |
− | * The file in /etc/letsencrypt/live/asmith15.ops345.ca/cert.pem is what a CA would send you after you paid them. This one is free but it expires in 90 days, which is good enough for this course.
| |
− | * Get Apache to use the key:
| |
− | ** /etc/httpd/conf/httpd.conf ServerName asmith15.ops345.ca:80
| |
− | ** yum install mod_ssl
| |
− | ** scp -P 2211 -i keys/ssh/ops345-all-aws-machines.pem keys/asmith15.ops345.ca.* andrew@34.202.103.43:~
| |
− | ** [root@www andrew]# cp asmith15.ops345.ca.cert.pem /etc/pki/tls/certs/
| |
− | ** [root@www andrew]# cp asmith15.ops345.ca.key.pem /etc/pki/tls/private/
| |
− | ** /etc/httpd/conf.d/ssl.conf
| |
− | *** SSLCertificateFile /etc/pki/tls/certs/asmith15.ops345.ca.cert.pem
| |
− | *** SSLCertificateKeyFile /etc/pki/tls/private/asmith15.ops345.ca.key.pem
| |
− | ** restart apache, confirm no errors
| |
− | * Edit ops345sgprivate, add https
| |
− | * Edit ops345sg, add https
| |
− | * On router: iptables -t nat -I PREROUTING 2 -p tcp --dport 443 -j DNAT --to 10.3.45.11:443
| |
− | * On www: iptables -I INPUT 4 -p tcp --dport 443 -j ACCEPT
| |
− | * Test with firefox https. www gives a warning because the certificate is not for that FQDN. fix it for homework.
| |
− | | |
− | [[Category:OPS345]]
| |
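Review bot: the removed draft stages the TLS private key through two home directories and never cleans them up: `privkey.pem` is copied to `~andrew/prog/seneca/ops345/new/keys/asmith15.ops345.ca.key.pem` and `chown`ed to a regular user, `scp`'d into `andrew@34.202.103.43:~`, and only then `cp`'d into `/etc/pki/tls/private/`, with no `chmod 600` on the final copy and no `rm` of the intermediate copies on either host. If the content is being carried over to the moved page rather than fixed here, that page should restrict the key's permissions at its destination and delete the staged copies, since a private key left in a user home directory is readable by anything running as that user. Two smaller points: the `www` CNAME set up earlier in the draft is not covered by the certificate, which was requested for `asmith15.ops345.ca` only, so the browser warning noted at the end can be avoided by listing both names at the `certbot certonly` domain prompt (the transcript shows it accepts comma- or space-separated names); and the replacement line links to the moved page over plain `http://`, where an `https://` link would be the consistent choice for a page about deploying TLS.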