THIS PAGE IS A DRAFT, NOT A REAL COURSE PAGE

what is DNS
how dns works
typical registrar process
- caching time: https://www.whatsmydns.net/
running a private DNS server
requirements to run a public DNS server
you should have received an email about a Bindistrar account that's been created for you
set up an A record for yourmysenecaid.ops345.ca to point to your elastic IP (the one assigned to router)
set up a CNAME record for www
test the two records above using dig, and using firefox
fix nextcloud "Access through untrusted domain"

certificates, CAs, relationship with DNS
CA-signed certs cost money. we have to use let's encrypt which is lame because it expires quickly unless you run their software on your server. but it's free
follow this except the deploy part: https://help.datica.com/hc/en-us/articles/360044373551-Creating-and-Deploying-a-LetsEncrypt-Certificate-Manually
install certbot in your workstation using apt or the software manager

$ sudo su
root@p51:/home/andrew# certbot certonly --manual --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): asmith15@myseneca.ca

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): asmith15.ops345.ca
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for asmith15.ops345.ca

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.asmith15.ops345.ca with the following value:

SUobA6iJARuujmCDhb-4I0m61Zdtqe_uBgyX1ExrCPg

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/asmith15.ops345.ca/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/asmith15.ops345.ca/privkey.pem
   Your cert will expire on 2022-02-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

You have new mail in /var/mail/root

root@p51:/home/andrew# cp /etc/letsencrypt/live/asmith15.ops345.ca/cert.pem ~andrew/prog/seneca/ops345/new/keys/asmith15.ops345.ca.cert.pem
root@p51:/home/andrew# cp /etc/letsencrypt/live/asmith15.ops345.ca/privkey.pem ~andrew/prog/seneca/ops345/new/keys/asmith15.ops345.ca.key.pem
root@p51:/home/andrew# chown andrew ~andrew/prog/seneca/ops345/new/keys/asmith15.ops345.ca.*
root@p51:/home/andrew# exit

The file in /etc/letsencrypt/live/asmith15.ops345.ca/cert.pem is what a CA would send you after you paid them. This one is free but it expires in 90 days, which is good enough for this course.
Get Apache to use the key:
- /etc/httpd/conf/httpd.conf ServerName asmith15.ops345.ca:80
- yum install mod_ssl
- scp -P 2211 -i keys/ssh/ops345-all-aws-machines.pem keys/asmith15.ops345.ca.* andrew@34.202.103.43:~
- [root@www andrew]# cp asmith15.ops345.ca.cert.pem /etc/pki/tls/certs/
- [root@www andrew]# cp asmith15.ops345.ca.key.pem /etc/pki/tls/private/
- /etc/httpd/conf.d/ssl.conf
  - SSLCertificateFile /etc/pki/tls/certs/asmith15.ops345.ca.cert.pem
  - SSLCertificateKeyFile /etc/pki/tls/private/asmith15.ops345.ca.key.pem
- restart apache, confirm no errors
Edit ops345sgprivate, add https
Edit ops345sg, add https
On router: iptables -t nat -I PREROUTING 2 -p tcp --dport 443 -j DNAT --to 10.3.45.11:443
On www: iptables -I INPUT 4 -p tcp --dport 443 -j ACCEPT
Test with firefox https. www gives a warning because the certificate is not for that FQDN. fix it for homework.

OPS345 Lab 5

THIS PAGE IS A DRAFT, NOT A REAL COURSE PAGE

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

get involved with CDOT

courses

course projects

links

Tools