= THIS PAGE IS A DRAFT, NOT A REAL COURSE PAGE = = DNS = The Domain Name System converts human-friendly domain names to IP addresses. Computers on the internet can only communicate with each other using IP addresses. But people aren't very good at remembering long strings of numbers (up to 12 digits for ipv4) or even longer strings of numbers and characters mixed (24 characters for ipv6). Therefore DNS is a critical part of the internet infrastructure, and just about everyone who has a website needs to do something with it. Some all-inclusive web hosts offer domain name registration and automatically connect their hosting service to the domain registration, but that comes at the cost of any flexibility. From a technical point of view your domain name registration has nothing to do with the server that your DNS records are pointing to. * what is DNS* how dns works* typical registrar process** caching time: https[http://wwwwiki.whatsmydns.net/* running a private DNS server* requirements to run a public DNS server* you should have received an email about a Bindistrar account that's been created for you* set up an A record for yourmysenecaid.ops345littlesvr.ca to point to your elastic IP (the one assigned to router)* set up a CNAME record for www* test the two records above using dig, and using firefox* fix nextcloud "Access through untrusted domain" * certificates, CAs, relationship with DNS* CA-signed certs cost money. we have to use let's encrypt which is lame because it expires quickly unless you run their software on your server. but it's free* follow this except the deploy part: https:/wiki/help.datica.com/hc/en-us/articles/360044373551-Creating-and-Deploying-a-LetsEncrypt-Certificate-Manually* install certbot in your workstation using apt or the software manager<source>$ sudo suroot@p51:/home/andrew# certbot certonly --manual --preferred-challenges dnsSaving debug log to /var/log/letsencrypt/letsencrypt.logPlugins selected: Authenticator manual, Installer NoneEnter email address (used for urgent renewal and security notices) (Enter 'c' tocancel): asmith15@myseneca.ca - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Please read the Terms of Service athttps://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You mustagree in order to register with the ACME server athttps://acme-v02.api.letsencrypt.org/directory- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(A)gree/(C)ancel: a - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Would you be willing to share your email address with the Electronic FrontierFoundation, a founding partner of the Let's Encrypt project and the non-profitorganization that develops Certbot? We'd like to send you email about our workencrypting the web, EFF news, campaigns, and ways to support digital freedom.- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Y)es/(N)o: nPlease enter in your domain name(s) (comma and/or space separated) (Enter 'c'to cancel): asmith15.ops345.caObtaining a new certificatePerforming the following challenges:dns-01 challenge for asmith15.ops345.ca - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -NOTE: The IP of this machine will be publicly logged as having requested thiscertificate. If you're running certbot in manual mode on a machine that is notyour server, please ensure you're okay with that. Are you OK with your IP being logged?- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Y)es/(N)o: y - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Please deploy a DNS TXT record under the name_acme-challenge.asmith15.ops345.ca with the following value: SUobA6iJARuujmCDhb-4I0m61Zdtqe_uBgyX1ExrCPg Before continuing, verify the record is deployed.- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Press Enter to ContinueWaiting for verification...Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/asmith15.ops345.ca/fullchain.pem Your key file OPS345_Lab_5 This page has been saved at: /etc/letsencrypt/live/asmith15.ops345.ca/privkey.pem Your cert will expire on 2022-02-16. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le You have new mail in /var/mail/root root@p51:/home/andrew# cp /etc/letsencrypt/live/asmith15.ops345.ca/cert.pem ~andrew/prog/seneca/ops345/new/keys/asmith15.ops345.ca.cert.pemroot@p51:/home/andrew# cp /etc/letsencrypt/live/asmith15.ops345.ca/privkey.pem ~andrew/prog/seneca/ops345/new/keys/asmith15.ops345.camoved.key.pemroot@p51:/home/andrew# chown andrew ~andrew/prog/seneca/ops345/new/keys/asmith15.ops345.ca.*root@p51:/home/andrew# exit</source>* The file in /etc/letsencrypt/live/asmith15.ops345.ca/cert.pem is what a CA would send you after you paid them. This one is free but it expires in 90 days, which is good enough for this course.* Get Apache to use the key:** /etc/httpd/conf/httpd.conf ServerName asmith15.ops345.ca:80** yum install mod_ssl** scp -P 2211 -i keys/ssh/ops345-all-aws-machines.pem keys/asmith15.ops345.ca.* andrew@34.202.103.43:~** [root@www andrew]# cp asmith15.ops345.ca.cert.pem /etc/pki/tls/certs/** [root@www andrew]# cp asmith15.ops345.ca.key.pem /etc/pki/tls/private/** /etc/httpd/conf.d/ssl.conf*** SSLCertificateFile /etc/pki/tls/certs/asmith15.ops345.ca.cert.pem*** SSLCertificateKeyFile /etc/pki/tls/private/asmith15.ops345.ca.key.pem** restart apache, confirm no errors* Edit ops345sgprivate, add https* Edit ops345sg, add https* On router: iptables -t nat -I PREROUTING 2 -p tcp --dport 443 -j DNAT --to 10.3.45.11:443* On www: iptables -I INPUT 4 -p tcp --dport 443 -j ACCEPT* Test with firefox https. www gives a warning because the certificate is not for that FQDN. fix it for homework. [[Category:OPS345]]
