d85bf760bdad0725f29f1488d7d5351145214006
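--- a/Linux/Apache/mod_ssl.md
+++ b/Linux/Apache/mod_ssl.md
@@ -216,14 +216,39 @@ CentOS 7
 # yum install certbot-apache python2-certbot-dns-rfc2136
 ```
 
+- 設定ファイル, スクリプト
+
+ | パーミッション | オーナー | パス | 概要 |
+ | --- | --- | --- | --- |
+ | 640 | root:named | /etc/named.conf | BIND 設定ファイル |
+ | 644 | root:root | /etc/named/Kcertbot-key.+165+43987.key | BIND 用キーファイル |
+ | 600 | root:root | /etc/named/Kcertbot-key.+165+43987.private | BIND 用キーファイル |
+ | 600 | root:root | /etc/named/certbot_rfc2136.ini | RFC2136 用認証ファイル |
+ | 640 | root:named | /etc/named/named-multi-view.conf | 外部/内部問い合わせ両用設定 |
+ | 640 | root:named | /etc/named/named-external-view.conf | 外部問い合わせ専用設定 |
+ | 640 | root:named | /etc/named/common.conf | 共通設定 |
+ | 640 | root:named | /etc/named/internal.view | 内部問い合わせ用 view 設定 |
+ | 640 | root:named | /etc/named/external.view | 外部問い合わせ用 view 設定 |
+ | 644 | root:root | /etc/named/<ドメイン>.lan.zone | 内部問い合わせ用 zone 設定 |
+ | 644 | root:root | /etc/named/<ドメイン>.wan.zone | 外部問い合わせ用 zone 設定 |
+ | 644 | root:root | /etc/named/_acme-challenge.<ドメイン>.wan.zone | Let's Encrypt 問い合わせ用 zone 設定 |
+ | 644 | named:named | /var/named/<ドメイン>.lan.db | 内部問い合わせ用権威サーバ設定 |
+ | 644 | named:named | /var/named/<ドメイン>.wan.db | 外部問い合わせ用権威サーバ設定 |
+ | 644 | named:named | /var/named/_acme-challenge.<ドメイン>.wan.db | Let's Encrypt 問い合わせ用権威サーバ設定 |
+ | 750 | root:root | /etc/letsencrypt/renewal-hooks/pre/external-view.sh | 更新前処理スクリプト |
+ | 755 | root:root | /etc/letsencrypt/renewal-hooks/deploy/restartServices.sh | 更新成功時処理スクリプト |
+ | 750 | root:root | /etc/letsencrypt/renewal-hooks/post/multi-view.sh | 更新後処理スクリプト |
+
 - BIND 用認証キーの作成
 Kcertbot-key.+165+43987.key, Kcertbot-key.+165+43987.private の2つのファイルが作成される。
 ```
 # cd /etc/named/
 # dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST certbot-key
+ # cat Kcertbot-key.+165+43987.key
+ certbot-key. IN KEY 512 3 165 <ハッシュ値>
 ```
 
-- 認証ファイル /etc/named/certbot_rfc2136.ini , ファイルモード 600
+- 認証ファイル /etc/named/certbot_rfc2136.ini
 ```
 # Target DNS server
 dns_rfc2136_server = 127.0.0.1
@@ -232,39 +257,118 @@ Kcertbot-key.+165+43987.key, Kcertbot-key.+165+43987.private の2つのファ
 # TSIG key name
 dns_rfc2136_name = certbot-key.
 # TSIG key secret
- dns_rfc2136_secret = <Kcertbot-key.+165+43987.key のハッシュ値>
+ dns_rfc2136_secret = <Kcertbot-key.+165+43987.key の中のハッシュ値>
 # TSIG key algorithm
 dns_rfc2136_algorithm = HMAC-SHA512
 ```
 
-- /etc/named.conf に追加
+- /etc/named/named-multi-view.conf
+ ```
+ include "/etc/named/common.conf";
+ include "/etc/named/internal.view";
+ include "/etc/named/external.view";
+ ```
+
+- /etc/named/named-external-view.conf
+ ```
+ include "/etc/named/common.conf";
+ include "/etc/named/external.view";
 ```
+
+- /etc/named/common.conf
+ ```
+ //
+ // named.conf
+ //
+ // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+ // server as a caching only nameserver (as a localhost DNS resolver only).
+ //
+ // See /usr/share/doc/bind*/sample/ for example named configuration files.
+ //
+ // See the BIND Administrator's Reference Manual (ARM) for details about the
+ // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
+
+ options {
+ # listen-on port 53 { 127.0.0.1; };
+ # listen-on-v6 port 53 { ::1; };
+ version "unknown";
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { localhost; localnets; };
+ allow-transfer { none; };
+
+ /*
+ - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+ - If you are building a RECURSIVE (caching) DNS server, you need to enable
+ recursion.
+ - If your recursive DNS server has a public IP address, you MUST enable access
+ control to limit queries to your legitimate users. Failing to do so will
+ cause your server to become part of large scale DNS amplification
+ attacks. Implementing BCP38 within your network would greatly
+ reduce such attack surface
+ */
+ recursion no;
+
+ dnssec-enable yes;
+ dnssec-validation yes;
+
+ /* Path to ISC DLV key */
+ bindkeys-file "/etc/named.iscdlv.key";
+
+ managed-keys-directory "/var/named/dynamic";
+
+ pid-file "/run/named/named.pid";
+ session-keyfile "/run/named/session.key";
+
+ forwarders {
+ 8.8.8.8;
+ 8.8.4.4;
+ };
+ };
+
 key "certbot-key." {
 algorithm hmac-sha512;
- secret "<Kcertbot-key.+165+43987.key のハッシュ値>";
+ secret "<Kcertbot-key.+165+43987.key の中のハッシュ値>";
 };
 
- view "internal" {
- match-clients { localhost; localnets; };
- match-destinations { localhost; localnets; };
- recursion yes;
-
- zone "." IN {
- type hint;
- file "named.ca";
- };
+ logging {
+ channel default_debug {
+ file "data/named.run";
+ severity dynamic;
+ };
+ category lame-servers { null; };
+ };
+ ```
 
- include "/etc/named.rfc1912.zones";
- include "/etc/named.root.key";
- include "/etc/named/<ドメイン>.lan.zone";
+- /etc/named/internal.view
+ ```
+ view "internal" {
+ match-clients { localhost; localnets; };
+ match-destinations { localhost; localnets; };
+ recursion yes;
+
+ zone "." IN {
+ type hint;
+ file "named.ca";
+ };
+
+ include "/etc/named.rfc1912.zones";
+ include "/etc/named.root.key";
+ include "/etc/named/<ドメイン>.lan.zone";
 };
+ ```
 
+- /etc/named/external.view
+ ```
 view "external" {
- match-clients { any; };
- match-destinations { any; };
- recursion no;
- include "/etc/named/<ドメイン>.wan.zone";
- include "/etc/named/_acme-challenge.<ドメイン>.wan.zone";
+ match-clients { any; };
+ match-destinations { any; };
+ allow-query { any; };
+ recursion no;
+ include "/etc/named/_acme-challenge.<ドメイン>.wan.zone";
+ include "/etc/named/<ドメイン>.wan.zone";
 };
 ```
 
@@ -273,9 +377,6 @@ Kcertbot-key.+165+43987.key, Kcertbot-key.+165+43987.private の2つのファ
 zone "<ドメイン>" {
 type master;
 file "<ドメイン>.lan.db";
- update-policy {
- grant certbot-key. name _acme-challenge.<ドメイン>. txt;
- };
 };
 ```
 
@@ -284,10 +385,6 @@ Kcertbot-key.+165+43987.key, Kcertbot-key.+165+43987.private の2つのファ
 zone "<ドメイン>" {
 type master;
 file "<ドメイン>.wan.db";
- allow-query { any; };
- update-policy {
- grant certbot-key. name _acme-challenge.<ドメイン>. txt;
- };
 };
 ```
 
@@ -296,13 +393,32 @@ Kcertbot-key.+165+43987.key, Kcertbot-key.+165+43987.private の2つのファ
 zone "_acme-challenge.<ドメイン>" {
 type master;
 file "_acme-challenge.<ドメイン>.wan.db";
- allow-query { any; };
 update-policy {
 grant certbot-key. name _acme-challenge.<ドメイン>. txt;
 };
 };
 ```
 
+- /var/named/<ドメイン>.lan.db
+ ```
+ $ORIGIN .
+ $TTL 86400 ; 1 day
+ <ドメイン> IN SOA ns1.<ドメイン>. root.<ドメイン>. (
+ 2018090900 ; serial
+ 28800 ; refresh (8 hours)
+ 14400 ; retry (4 hours)
+ 2592000 ; expire (4 weeks 2 days)
+ 86400 ; minimum (1 day)
+ )
+ NS <ドメイン>.net.
+ A 192.168.1.1
+ MX 10 mail.<ドメイン>.
+ $ORIGIN <ドメイン>.
+ ns1 A 192.168.1.1
+ mail A 192.168.1.1
+ * A 192.168.1.1
+ ```
+
 - /var/named/<ドメイン>.wan.db
 ```
 $TTL 86400
@@ -337,7 +453,50 @@ Kcertbot-key.+165+43987.key, Kcertbot-key.+165+43987.private の2つのファ
 IN NS ns1.<ドメイン>.
 ```
 
-- `<ドメイン>.jnl: create: permission denied`(/var/named/data/named.run) 対策
+- /etc/letsencrypt/renewal-hooks/pre/external-view.sh
+ ```bash
+ #!/bin/bash
+
+ /bin/systemctl stop named-chroot
+ cp -f /etc/named/named-external-view.conf /etc/named.conf
+ /bin/systemctl start named-chroot
+ echo "external view"
+ ```
+
+- /etc/letsencrypt/renewal-hooks/deploy/restartServices.sh
+ ```bash
+ #!/bin/bash
+
+ LANG=en_us.UTF-8
+ services="httpd postfix dovecot"
+
+ if [ $(/bin/id -u) != 0 ]; then
+ echo "This command requires root previlege." 1>&2
+ exit 1
+ fi
+
+ echo "RENEWED_LINEAGE: ${RENEWED_LINEAGE}"
+ echo "RENEWED_DOMAINS: ${RENEWED_DOMAINS}"
+
+ for service in ${services}; do
+ echo "restart ${service}"
+ /bin/systemctl restart ${service} || exit $?
+ done
+ exit 0
+ ```
+
+- /etc/letsencrypt/renewal-hooks/post/multi-view.sh
+ ```bash
+ #!/bin/bash
+
+ /bin/systemctl stop named-chroot
+ cp -f /etc/named/named-multi-view.conf /etc/named.conf
+ /bin/systemctl start named-chroot
+ echo "multi view"
+ ```
+
+- `<ドメイン>.jnl: create: permission denied` 対策
+/var/named/chroot/var/named/data/named.run
 ```
 # chmod 770 /var/named/
 # setsebool -P named_write_master_zones 1
@@ -345,38 +504,21 @@ Kcertbot-key.+165+43987.key, Kcertbot-key.+165+43987.private の2つのファ
 
 - 証明書取得
 ```
+ # /etc/letsencrypt/renewal-hooks/pre/external-view.sh
 # certbot certonly \
 --dns-rfc2136 \
 --dns-rfc2136-credentials /etc/named/certbot_rfc2136.ini \
 -d "*.<ドメイン>" -d <ドメイン>
+ # /etc/letsencrypt/renewal-hooks/post/multi-view.sh
 ```
 
-- /etc/letsencrypt/renewal-hooks/deploy/restartServices.sh
-```bash
-#!/bin/bash
-
-LANG=en_us.UTF-8
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
-services="httpd postfix dovecot"
-
-if [ $(id -u) != 0 ]; then
- echo "This command requires root previlege." 1>&2
- exit 1
-fi
-
-for service in ${services}; do
- echo "restart ${service}"
- systemctl restart ${service} || exit $?
-done
-exit 0
-```
-
 - サービス登録
-```
-# systemctl start certbot-renew
-# systemctl enable certbot-renew
-# systemctl status certbot-renew
-```
+ ```
+ # systemctl status certbot-renew
+ # systemctl start certbot-renew
+ # systemctl enable certbot-renew
+ # systemctl status certbot-renew
+ ```
 
 # 動作確認
 
@@ -404,6 +546,7 @@ echo ${NotAfter}
 $ openssl s_client -connect <ホスト>:443
 ```
 ### 設定失敗
+指定したホスト(バーチャルホスト)に SSL 証明書が適用されていない。
 ```
 CONNECTED(00000003)
 140139752064912:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
@@ -458,7 +601,7 @@ MIIGETCCBPmgAwIBAgISA3VBvI0cSyzAQGtpIaQKQRZxMA0GCSqGSIb3DQEBCwUA
 
 # リンク
 - [Let's Encrypt](https://letsencrypt.org/) Free SSL/TLS Certificates
- - [Certbot](https://certbot.eff.org/) / [DNS Plugins](https://certbot.eff.org/docs/using.html#dns-plugins) / [certbot-dns-rfc2136](https://certbot-dns-rfc2136.readthedocs.io/en/latest/)
+ - [Certbot](https://certbot.eff.org/) / [DNS Plugins](https://certbot.eff.org/docs/using.html#dns-plugins) / [certbot-dns-rfc2136](https://certbot-dns-rfc2136.readthedocs.io/en/latest/) / [GitHub:certbot/certbot](https://github.com/certbot/certbot)
 
 - [Webサーバー間通信内容暗号化(Apache+mod_SSL+Certbot) - CentOSで自宅サーバー構築](http://centossrv.com/apache-certbot.shtml)
 - [CertbotとBINDの組み合わせでLet's Encryptのワイルドカード証明書を取得・更新する](https://qiita.com/yasuhirokimura/items/3a95e169f806b3772e06)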