OPS345 Lab 5

From CDOT Wiki
Revision as of 17:25, 18 February 2022 by Andrew (talk | contribs) (THIS PAGE IS A DRAFT, NOT A REAL COURSE PAGE)

THIS PAGE IS A DRAFT, NOT A REAL COURSE PAGE

DNS

The Domain Name System converts human-friendly domain names to IP addresses. Computers on the internet can only communicate with each other using IP addresses, but people aren't very good at remembering long strings of numbers (up to 12 digits for IPv4) or even longer strings of mixed numbers and characters (24 characters for IPv6).

DNS is therefore a critical part of the internet infrastructure, and just about everyone who has a website needs to do something with it. Some all-inclusive web hosts offer domain name registration and automatically connect their hosting service to the domain registration, but that comes at the cost of any flexibility. From a technical point of view, your domain name registration has nothing to do with the server that your DNS records are pointing to.


  • what is DNS
  • how DNS works
  • typical registrar process
  • running a private DNS server
  • requirements to run a public DNS server
  • you should have received an email about a Bindistrar account that's been created for you
  • set up an A record for yourmysenecaid.ops345.ca to point to your elastic IP (the one assigned to the router)
  • set up a CNAME record for www
  • test the two records above using dig, and using Firefox
  • fix the Nextcloud "Access through untrusted domain" error
$ sudo su
root@p51:/home/andrew# certbot certonly --manual --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): asmith15@myseneca.ca

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): asmith15.ops345.ca
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for asmith15.ops345.ca

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.asmith15.ops345.ca with the following value:

SUobA6iJARuujmCDhb-4I0m61Zdtqe_uBgyX1ExrCPg

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/asmith15.ops345.ca/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/asmith15.ops345.ca/privkey.pem
   Your cert will expire on 2022-02-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

You have new mail in /var/mail/root

root@p51:/home/andrew# cp /etc/letsencrypt/live/asmith15.ops345.ca/cert.pem ~andrew/prog/seneca/ops345/new/keys/asmith15.ops345.ca.cert.pem
root@p51:/home/andrew# cp /etc/letsencrypt/live/asmith15.ops345.ca/privkey.pem ~andrew/prog/seneca/ops345/new/keys/asmith15.ops345.ca.key.pem
root@p51:/home/andrew# chown andrew ~andrew/prog/seneca/ops345/new/keys/asmith15.ops345.ca.*
root@p51:/home/andrew# exit
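
How the TXT value in the dns-01 prompt above is formed, as an added example (not part of the original lab or of certbot's code): per RFC 8555 it is the unpadded base64url SHA-256 of the challenge token joined to the ACME account key's RFC 7638 thumbprint, so it only validates for the account that requested it. SAMPLE_TOKEN and SAMPLE_JWK are constructed values, and the function names are this example's own.

```python
import base64
import hashlib
import json
import re

# Constructed sample inputs (not from a real ACME order or account).
SAMPLE_TOKEN = "constructed-token-0123456789abcdefABCDEF_-"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate", "y": "constructed-y-coordinate",
              "kid": "ignored-optional-member"}


def b64url(data):
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token, account_jwk):
    """TXT value = base64url(SHA-256(token + '.' + account key thumbprint))."""
    key_authorization = token + "." + jwk_thumbprint(account_jwk)
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record_name(domain):
    """Where the TXT record goes; a wildcard order validates at the base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.rstrip(".")


def looks_like_dns01_value(value):
    """A SHA-256 digest in unpadded base64url is exactly 43 characters."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{43}", value):
        return False
    return len(base64.urlsafe_b64decode(value + "=")) == 32


if __name__ == "__main__":
    print(dns01_record_name("asmith15.ops345.ca"),
          dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```
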
  • The file in /etc/letsencrypt/live/asmith15.ops345.ca/cert.pem is what a CA would send you after you paid them. This one is free but it expires in 90 days, which is good enough for this course.
  • Get Apache to use the key:
    • In /etc/httpd/conf/httpd.conf, set ServerName asmith15.ops345.ca:80
    • yum install mod_ssl
    • scp -P 2211 -i keys/ssh/ops345-all-aws-machines.pem keys/asmith15.ops345.ca.* andrew@34.202.103.43:~
    • [root@www andrew]# cp asmith15.ops345.ca.cert.pem /etc/pki/tls/certs/
    • [root@www andrew]# cp asmith15.ops345.ca.key.pem /etc/pki/tls/private/
    • In /etc/httpd/conf.d/ssl.conf:
      • SSLCertificateFile /etc/pki/tls/certs/asmith15.ops345.ca.cert.pem
      • SSLCertificateKeyFile /etc/pki/tls/private/asmith15.ops345.ca.key.pem
    • Restart Apache and confirm there are no errors
  • Edit ops345sgprivate, add HTTPS
  • Edit ops345sg, add HTTPS
  • On router: iptables -t nat -I PREROUTING 2 -p tcp --dport 443 -j DNAT --to 10.3.45.11:443
  • On www: iptables -I INPUT 4 -p tcp --dport 443 -j ACCEPT
  • Test with Firefox over HTTPS. www gives a warning because the certificate is not for that FQDN. Fix it for homework.
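
Why www triggers the warning, as an added example (not part of the original lab): a client accepts a certificate only if one of its subjectAltName DNS entries matches the hostname in the URL. The matcher below follows the usual left-most-label wildcard rule; the SAN lists are constructed, www.asmith15.ops345.ca is assumed to be the www name, and the function names are this example's own.

```python
def labels(name):
    """Lower-cased DNS labels of a name, ignoring a trailing root dot."""
    return name.lower().rstrip(".").split(".")


def san_matches(pattern, hostname):
    """Compare one certificate dNSName entry with one hostname.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so it never reaches a deeper subdomain or the bare
    parent name.
    """
    p, h = labels(pattern), labels(hostname)
    if len(p) != len(h):
        return False
    if "*" in pattern:
        # Reject partial wildcards (w*.example), wildcards outside the
        # left-most label, and wildcards directly under a TLD (*.ca).
        if p[0] != "*" or "*" in ".".join(p[1:]) or len(p) < 3:
            return False
        return p[1:] == h[1:]
    return p == h


def uncovered_names(cert_dns_names, served_names):
    """Hostnames the site answers on that no SAN entry covers."""
    return [n for n in served_names
            if not any(san_matches(s, n) for s in cert_dns_names)]


# Constructed input: the names this lab's web server is reached by.
SERVED = ["asmith15.ops345.ca", "www.asmith15.ops345.ca"]

if __name__ == "__main__":
    # Constructed SAN lists a certificate might carry.
    for sans in (["asmith15.ops345.ca"], ["*.ops345.ca"],
                 ["asmith15.ops345.ca", "www.asmith15.ops345.ca"]):
        print(sans, "->", uncovered_names(sans, SERVED))
```
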