Difference between revisions of "OPS345 Lab 5"

From CDOT Wiki
Jump to: navigation, search
(THIS PAGE IS A DRAFT, NOT A REAL COURSE PAGE)
(Replaced content with "[http://wiki.littlesvr.ca/wiki/OPS345_Lab_5 This page has moved.]")
 
(25 intermediate revisions by the same user not shown)
Line 1: Line 1:
= THIS PAGE IS A DRAFT, NOT A REAL COURSE PAGE =
+
[http://wiki.littlesvr.ca/wiki/OPS345_Lab_5 This page has moved.]
 
 
= DNS =
 
 
 
The Domain Name System converts human-friendly domain names to IP addresses. Computers on the internet can only communicate with each other using IP addresses. But people aren't very good at remembering long strings of numbers (up to 12 digits for ipv4) or even longer strings of numbers and characters mixed (24 characters for ipv6).
 
 
 
Therefore DNS is a critical part of the internet infrastructure, and just about everyone who has a website needs to do something with it. Some all-inclusive web hosts offer domain name registration and automatically connect their hosting service to the domain registration, but that comes at the cost of any flexibility. From a technical point of view your domain name registration has nothing to do with the server that your DNS records are pointing to.
 
 
 
 
 
 
 
* what is DNS
 
* how dns works
 
* typical registrar process
 
** caching time: https://www.whatsmydns.net/
 
* running a private DNS server
 
* requirements to run a public DNS server
 
* you should have received an email about a Bindistrar account that's been created for you
 
* set up an A record for yourmysenecaid.ops345.ca to point to your elastic IP (the one assigned to router)
 
* set up a CNAME record for www
 
* test the two records above using dig, and using firefox
 
* fix nextcloud "Access through untrusted domain"
 
 
 
* certificates, CAs, relationship with DNS
 
* CA-signed certs cost money. we have to use let's encrypt which is lame because it expires quickly unless you run their software on your server. but it's free
 
* follow this except the deploy part: https://help.datica.com/hc/en-us/articles/360044373551-Creating-and-Deploying-a-LetsEncrypt-Certificate-Manually
 
* install certbot in your workstation using apt or the software manager
 
<source>$ sudo su
 
root@p51:/home/andrew# certbot certonly --manual --preferred-challenges dns
 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
 
Plugins selected: Authenticator manual, Installer None
 
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
 
cancel): asmith15@myseneca.ca
 
 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
Please read the Terms of Service at
 
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
 
agree in order to register with the ACME server at
 
https://acme-v02.api.letsencrypt.org/directory
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
(A)gree/(C)ancel: a
 
 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
Would you be willing to share your email address with the Electronic Frontier
 
Foundation, a founding partner of the Let's Encrypt project and the non-profit
 
organization that develops Certbot? We'd like to send you email about our work
 
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
(Y)es/(N)o: n
 
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
 
to cancel): asmith15.ops345.ca
 
Obtaining a new certificate
 
Performing the following challenges:
 
dns-01 challenge for asmith15.ops345.ca
 
 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
NOTE: The IP of this machine will be publicly logged as having requested this
 
certificate. If you're running certbot in manual mode on a machine that is not
 
your server, please ensure you're okay with that.
 
 
 
Are you OK with your IP being logged?
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
(Y)es/(N)o: y
 
 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
Please deploy a DNS TXT record under the name
 
_acme-challenge.asmith15.ops345.ca with the following value:
 
 
 
SUobA6iJARuujmCDhb-4I0m61Zdtqe_uBgyX1ExrCPg
 
 
 
Before continuing, verify the record is deployed.
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
Press Enter to Continue
 
Waiting for verification...
 
Cleaning up challenges
 
 
 
IMPORTANT NOTES:
 
- Congratulations! Your certificate and chain have been saved at:
 
  /etc/letsencrypt/live/asmith15.ops345.ca/fullchain.pem
 
  Your key file has been saved at:
 
  /etc/letsencrypt/live/asmith15.ops345.ca/privkey.pem
 
  Your cert will expire on 2022-02-16. To obtain a new or tweaked
 
  version of this certificate in the future, simply run certbot
 
  again. To non-interactively renew *all* of your certificates, run
 
  "certbot renew"
 
- Your account credentials have been saved in your Certbot
 
  configuration directory at /etc/letsencrypt. You should make a
 
  secure backup of this folder now. This configuration directory will
 
  also contain certificates and private keys obtained by Certbot so
 
  making regular backups of this folder is ideal.
 
- If you like Certbot, please consider supporting our work by:
 
 
 
  Donating to ISRG / Let's Encrypt:  https://letsencrypt.org/donate
 
  Donating to EFF:                    https://eff.org/donate-le
 
 
 
You have new mail in /var/mail/root
 
 
 
root@p51:/home/andrew# cp /etc/letsencrypt/live/asmith15.ops345.ca/cert.pem ~andrew/prog/seneca/ops345/new/keys/asmith15.ops345.ca.cert.pem
 
root@p51:/home/andrew# cp /etc/letsencrypt/live/asmith15.ops345.ca/privkey.pem ~andrew/prog/seneca/ops345/new/keys/asmith15.ops345.ca.key.pem
 
root@p51:/home/andrew# chown andrew ~andrew/prog/seneca/ops345/new/keys/asmith15.ops345.ca.*
 
root@p51:/home/andrew# exit
 
</source>
 
* The file in /etc/letsencrypt/live/asmith15.ops345.ca/cert.pem is what a CA would send you after you paid them. This one is free but it expires in 90 days, which is good enough for this course.
 
* Get Apache to use the key:
 
** /etc/httpd/conf/httpd.conf ServerName asmith15.ops345.ca:80
 
** yum install mod_ssl
 
** scp -P 2211 -i keys/ssh/ops345-all-aws-machines.pem keys/asmith15.ops345.ca.* andrew@34.202.103.43:~
 
** [root@www andrew]# cp asmith15.ops345.ca.cert.pem /etc/pki/tls/certs/
 
** [root@www andrew]# cp asmith15.ops345.ca.key.pem /etc/pki/tls/private/
 
** /etc/httpd/conf.d/ssl.conf
 
*** SSLCertificateFile /etc/pki/tls/certs/asmith15.ops345.ca.cert.pem
 
*** SSLCertificateKeyFile /etc/pki/tls/private/asmith15.ops345.ca.key.pem
 
** restart apache, confirm no errors
 
* Edit ops345sgprivate, add https
 
* Edit ops345sg, add https
 
* On router: iptables -t nat -I PREROUTING 2 -p tcp --dport 443 -j DNAT --to 10.3.45.11:443
 
* On www: iptables -I INPUT 4 -p tcp --dport 443 -j ACCEPT
 
* Test with firefox https. www gives a warning because the certificate is not for that FQDN. fix it for homework.
 
 
 
[[Category:OPS345]]
 

Latest revision as of 02:42, 28 February 2022