d85bf760bdad0725f29f1488d7d5351145214006
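--- a/Linux/Apache/mod_ssl.md
+++ b/Linux/Apache/mod_ssl.md
@@ -216,14 +216,39 @@ CentOS 7
 # yum install certbot-apache python2-certbot-dns-rfc2136
 ```
 
+- 設定ファイル, スクリプト
+
+ | パーミッション | オーナー | パス | 概要 |
+ | --- | --- | --- | --- |
+ | 640 | root:named | /etc/named.conf | BIND 設定ファイル |
+ | 644 | root:root | /etc/named/Kcertbot-key.+165+43987.key | BIND 用キーファイル |
+ | 600 | root:root | /etc/named/Kcertbot-key.+165+43987.private | BIND 用キーファイル |
+ | 600 | root:root | /etc/named/certbot_rfc2136.ini | RFC2136 用認証ファイル |
+ | 640 | root:named | /etc/named/named-multi-view.conf | 外部/内部問い合わせ両用設定 |
+ | 640 | root:named | /etc/named/named-external-view.conf | 外部問い合わせ専用設定 |
+ | 640 | root:named | /etc/named/common.conf | 共通設定 |
+ | 640 | root:named | /etc/named/internal.view | 内部問い合わせ用 view 設定 |
+ | 640 | root:named | /etc/named/external.view | 外部問い合わせ用 view 設定 |
+ | 644 | root:root | /etc/named/<ドメイン>.lan.zone | 内部問い合わせ用 zone 設定 |
+ | 644 | root:root | /etc/named/<ドメイン>.wan.zone | 外部問い合わせ用 zone 設定 |
+ | 644 | root:root | /etc/named/_acme-challenge.<ドメイン>.wan.zone | Let's Encrypt 問い合わせ用 zone 設定 |
+ | 644 | named:named | /var/named/<ドメイン>.lan.db | 内部問い合わせ用権威サーバ設定 |
+ | 644 | named:named | /var/named/<ドメイン>.wan.db | 外部問い合わせ用権威サーバ設定 |
+ | 644 | named:named | /var/named/_acme-challenge.<ドメイン>.wan.db | Let's Encrypt 問い合わせ用権威サーバ設定 |
+ | 750 | root:root | /etc/letsencrypt/renewal-hooks/pre/external-view.sh | 更新前処理スクリプト |
+ | 755 | root:root | /etc/letsencrypt/renewal-hooks/deploy/restartServices.sh | 更新成功時処理スクリプト |
+ | 750 | root:root | /etc/letsencrypt/renewal-hooks/post/multi-view.sh | 更新後処理スクリプト |
+
 - BIND 用認証キーの作成
 Kcertbot-key.+165+43987.key, Kcertbot-key.+165+43987.private の2つのファイルが作成される。
 ```
 # cd /etc/named/
 # dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST certbot-key
+ # cat Kcertbot-key.+165+43987.key
+ certbot-key. IN KEY 512 3 165 <ハッシュ値>
 ```
 
-- 認証ファイル /etc/named/certbot_rfc2136.ini , ファイルモード 600
+- 認証ファイル /etc/named/certbot_rfc2136.ini
 ```
 # Target DNS server
 dns_rfc2136_server = 127.0.0.1
@@ -232,39 +257,118 @@ Kcertbot-key.+165+43987.key, Kcertbot-key.+165+43987.private の2つのファ
 # TSIG key name
 dns_rfc2136_name = certbot-key.
 # TSIG key secret
- dns_rfc2136_secret = <Kcertbot-key.+165+43987.key のハッシュ値>
+ dns_rfc2136_secret = <Kcertbot-key.+165+43987.key の中のハッシュ値>
 # TSIG key algorithm
 dns_rfc2136_algorithm = HMAC-SHA512
 ```
 
-- /etc/named.conf に追加
+- /etc/named/named-multi-view.conf
+ ```
+ include "/etc/named/common.conf";
+ include "/etc/named/internal.view";
+ include "/etc/named/external.view";
+ ```
+
+- /etc/named/named-external-view.conf
+ ```
+ include "/etc/named/common.conf";
+ include "/etc/named/external.view";
 ```
+
+- /etc/named/common.conf
+ ```
+ //
+ // named.conf
+ //
+ // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+ // server as a caching only nameserver (as a localhost DNS resolver only).
+ //
+ // See /usr/share/doc/bind*/sample/ for example named configuration files.
+ //
+ // See the BIND Administrator's Reference Manual (ARM) for details about the
+ // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
+
+ options {
+ # listen-on port 53 { 127.0.0.1; };
+ # listen-on-v6 port 53 { ::1; };
+ version "unknown";
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { localhost; localnets; };
+ allow-transfer { none; };
+
+ /*
+ - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+ - If you are building a RECURSIVE (caching) DNS server, you need to enable
+ recursion.
+ - If your recursive DNS server has a public IP address, you MUST enable access
+ control to limit queries to your legitimate users. Failing to do so will
+ cause your server to become part of large scale DNS amplification
+ attacks. Implementing BCP38 within your network would greatly
+ reduce such attack surface
+ */
+ recursion no;
+
+ dnssec-enable yes;
+ dnssec-validation yes;
+
+ /* Path to ISC DLV key */
+ bindkeys-file "/etc/named.iscdlv.key";
+
+ managed-keys-directory "/var/named/dynamic";
+
+ pid-file "/run/named/named.pid";
+ session-keyfile "/run/named/session.key";
+
+ forwarders {
+ 8.8.8.8;
+ 8.8.4.4;
+ };
+ };
+
 key "certbot-key." {
 algorithm hmac-sha512;
- secret "<Kcertbot-key.+165+43987.key のハッシュ値>";
+ secret "<Kcertbot-key.+165+43987.key の中のハッシュ値>";
 };
 
- view "internal" {
- match-clients { localhost; localnets; };
- match-destinations { localhost; localnets; };
- recursion yes;
-
- zone "." IN {
- type hint;
- file "named.ca";
- };
+ logging {
+ channel default_debug {
+ file "data/named.run";
+ severity dynamic;
+ };
+ category lame-servers { null; };
+ };
+ ```
 
- include "/etc/named.rfc1912.zones";
- include "/etc/named.root.key";
- include "/etc/named/<ドメイン>.lan.zone";
+- /etc/named/internal.view
+ ```
+ view "internal" {
+ match-clients { localhost; localnets; };
+ match-destinations { localhost; localnets; };
+ recursion yes;
+
+ zone "." IN {
+ type hint;
+ file "named.ca";
+ };
+
+ include "/etc/named.rfc1912.zones";
+ include "/etc/named.root.key";
+ include "/etc/named/<ドメイン>.lan.zone";
 };
+ ```
 
+- /etc/named/external.view
+ ```
 view "external" {
- match-clients { any; };
- match-destinations { any; };
- recursion no;
- include "/etc/named/<ドメイン>.wan.zone";
- include "/etc/named/_acme-challenge.<ドメイン>.wan.zone";
+ match-clients { any; };
+ match-destinations { any; };
+ allow-query { any; };
+ recursion no;
+ include "/etc/named/_acme-challenge.<ドメイン>.wan.zone";
+ include "/etc/named/<ドメイン>.wan.zone";
 };
 ```
 
@@ -273,9 +377,6 @@ Kcertbot-key.+165+43987.key, Kcertbot-key.+165+43987.private の2つのファ
 zone "<ドメイン>" {
 type master;
 file "<ドメイン>.lan.db";
- update-policy {
- grant certbot-key. name _acme-challenge.<ドメイン>. txt;
- };
 };
 ```
 
@@ -284,10 +385,6 @@ Kcertbot-key.+165+43987.key, Kcertbot-key.+165+43987.private の2つのファ
 zone "<ドメイン>" {
 type master;
 file "<ドメイン>.wan.db";
- allow-query { any; };
- update-policy {
- grant certbot-key. name _acme-challenge.<ドメイン>. txt;
- };
 };
 ```
 
@@ -296,13 +393,32 @@ Kcertbot-key.+165+43987.key, Kcertbot-key.+165+43987.private の2つのファ
 zone "_acme-challenge.<ドメイン>" {
 type master;
 file "_acme-challenge.<ドメイン>.wan.db";
- allow-query { any; };
 update-policy {
 grant certbot-key. name _acme-challenge.<ドメイン>. txt;
 };
 };
 ```
 
+- /var/named/<ドメイン>.lan.db
+ ```
+ $ORIGIN .
+ $TTL 86400 ; 1 day
+ <ドメイン> IN SOA ns1.<ドメイン>. root.<ドメイン>. (
+ 2018090900 ; serial
+ 28800 ; refresh (8 hours)
+ 14400 ; retry (4 hours)
+ 2592000 ; expire (4 weeks 2 days)
+ 86400 ; minimum (1 day)
+ )
+ NS <ドメイン>.net.
+ A 192.168.1.1
+ MX 10 mail.<ドメイン>.
+ $ORIGIN <ドメイン>.
+ ns1 A 192.168.1.1
+ mail A 192.168.1.1
+ * A 192.168.1.1
+ ```
+
 - /var/named/<ドメイン>.wan.db
 ```
 $TTL 86400
@@ -337,7 +453,50 @@ Kcertbot-key.+165+43987.key, Kcertbot-key.+165+43987.private の2つのファ
 IN NS ns1.<ドメイン>.
 ```
 
-- `<ドメイン>.jnl: create: permission denied`(/var/named/data/named.run) 対策
+- /etc/letsencrypt/renewal-hooks/pre/external-view.sh
+ ```bash
+ #!/bin/bash
+
+ /bin/systemctl stop named-chroot
+ cp -f /etc/named/named-external-view.conf /etc/named.conf
+ /bin/systemctl start named-chroot
+ echo "external view"
+ ```
+
+- /etc/letsencrypt/renewal-hooks/deploy/restartServices.sh
+ ```bash
+ #!/bin/bash
+
+ LANG=en_us.UTF-8
+ services="httpd postfix dovecot"
+
+ if [ $(/bin/id -u) != 0 ]; then
+ echo "This command requires root previlege." 1>&2
+ exit 1
+ fi
+
+ echo "RENEWED_LINEAGE: ${RENEWED_LINEAGE}"
+ echo "RENEWED_DOMAINS: ${RENEWED_DOMAINS}"
+
+ for service in ${services}; do
+ echo "restart ${service}"
+ /bin/systemctl restart ${service} || exit $?
+ done
+ exit 0
+ ```
+
+- /etc/letsencrypt/renewal-hooks/post/multi-view.sh
+ ```bash
+ #!/bin/bash
+
+ /bin/systemctl stop named-chroot
+ cp -f /etc/named/named-multi-view.conf /etc/named.conf
+ /bin/systemctl start named-chroot
+ echo "multi view"
+ ```
+
+- `<ドメイン>.jnl: create: permission denied` 対策
+/var/named/chroot/var/named/data/named.run
 ```
 # chmod 770 /var/named/
 # setsebool -P named_write_master_zones 1
@@ -345,38 +504,21 @@ Kcertbot-key.+165+43987.key, Kcertbot-key.+165+43987.private の2つのファ
 
 - 証明書取得
 ```
+ # /etc/letsencrypt/renewal-hooks/pre/external-view.sh
 # certbot certonly \
 --dns-rfc2136 \
 --dns-rfc2136-credentials /etc/named/certbot_rfc2136.ini \
 -d "*.<ドメイン>" -d <ドメイン>
+ # /etc/letsencrypt/renewal-hooks/post/multi-view.sh
 ```
 
-- /etc/letsencrypt/renewal-hooks/deploy/restartServices.sh
-```bash
-#!/bin/bash
-
-LANG=en_us.UTF-8
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
-services="httpd postfix dovecot"
-
-if [ $(id -u) != 0 ]; then
- echo "This command requires root previlege." 1>&2
- exit 1
-fi
-
-for service in ${services}; do
- echo "restart ${service}"
- systemctl restart ${service} || exit $?
-done
-exit 0
-```
-
 - サービス登録
-```
-# systemctl start certbot-renew
-# systemctl enable certbot-renew
-# systemctl status certbot-renew
-```
+ ```
+ # systemctl status certbot-renew
+ # systemctl start certbot-renew
+ # systemctl enable certbot-renew
+ # systemctl status certbot-renew
+ ```
 
 # 動作確認
 
@@ -404,6 +546,7 @@ echo ${NotAfter}
 $ openssl s_client -connect <ホスト>:443
 ```
 ### 設定失敗
+指定したホスト(バーチャルホスト)に SSL 証明書が適用されていない。
 ```
 CONNECTED(00000003)
 140139752064912:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
@@ -458,7 +601,7 @@ MIIGETCCBPmgAwIBAgISA3VBvI0cSyzAQGtpIaQKQRZxMA0GCSqGSIb3DQEBCwUA
 
 # リンク
 - [Let's Encrypt](https://letsencrypt.org/) Free SSL/TLS Certificates
- - [Certbot](https://certbot.eff.org/) / [DNS Plugins](https://certbot.eff.org/docs/using.html#dns-plugins) / [certbot-dns-rfc2136](https://certbot-dns-rfc2136.readthedocs.io/en/latest/)
+ - [Certbot](https://certbot.eff.org/) / [DNS Plugins](https://certbot.eff.org/docs/using.html#dns-plugins) / [certbot-dns-rfc2136](https://certbot-dns-rfc2136.readthedocs.io/en/latest/) / [GitHub:certbot/certbot](https://github.com/certbot/certbot)
 
 - [Webサーバー間通信内容暗号化(Apache+mod_SSL+Certbot) - CentOSで自宅サーバー構築](http://centossrv.com/apache-certbot.shtml)
 - [CertbotとBINDの組み合わせでLet's Encryptのワイルドカード証明書を取得・更新する](https://qiita.com/yasuhirokimura/items/3a95e169f806b3772e06)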