OpenSSL configuration example and smart DNS resolution

Set up Apache or Nginx and enable HTTPS access with a self-signed certificate; the domain name on the self-signed certificate is your own choice.

Steps for creating a private CA with OpenSSL:
1. Generate the private key
2. Generate the self-signed certificate
    (1) The private key is used to put the digital signature on the certificates the CA issues;
    (2) The certificate: every communicating party imports it into its "Trusted Root Certification Authorities" store.
    
Configuration file involved: /etc/pki/tls/openssl.cnf
Working directory: CA
Hostname: node1   IP: 10.2.10.56     server side (the CA),
Hostname: node2   IP: 10.2.10.57     client side.
Server side:
Create the private CA:
1. Create the CA's database index files
# touch CA/{serial,index.txt}  # certificate database index and serial file
# echo 01 > CA/serial          # first serial number to issue
[root@node1 ~]#touch CA/{index.txt,serial}
[root@node1 ~]#echo 01 > CA/serial 
[root@node1 ~]#cd /etc/pki/CA/
[root@node1 CA]# ls
crl   private   index.txt   certs   newcerts    serial
2. Generate the private key and the self-signed certificate: cakey.pem -> cacert.pem
[root@node1 ~]#(umask 077; openssl genrsa -out CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...............+++
........+++
e is 65537 (0x10001)
[root@node1 ~]# cd /etc/pki/tls/
[root@node1 tls]# vim openssl.cnf 
[root@node1 ~]#openssl req -new -x509 -key CA/private/cakey.pem -out CA/cacert.pem -days 365
Note: a command run inside parentheses on the bash command line actually executes in a child shell (subshell), so the umask change applies only to that command.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Nanjing]:
Organization Name (eg, company) [Wangsir.com]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:localhost.localdomain
Email Address []:[email protected]
-new: generate a new certificate signing request;
-x509: used only when a CA generates a self-signed certificate;
-key: the private key file used to generate the request;
-days n: validity period of the certificate, in days;
-out /PATH/TO/SOMECERTFILE: path where the certificate is saved
________________________________________
Issuing certificates to nodes:
Client side:
1. Generate a private key and a certificate signing request
2. Send the request to the CA
Note: a. the subject fields must match the CA's;
      b. the Common Name must be this host's real name
Generate the certificate request on the host that needs the certificate, for example a private key for the web server:
1. Generate the private key and the certificate signing request
[root@node2 ~]#mkdir /etc/httpd/ssl
[root@node2 ~]#(umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.................................................................................................................+++
.......................+++
e is 65537 (0x10001)
[root@node2 ~]#
[root@node2 ~]#openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Nanjing]:
Organization Name (eg, company) [Wangsir.com]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:localhost.localdomain
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note that there is no -x509 option when creating a certificate signing request, and the country, state and organization name must match the CA's!
2. Send the request to the CA
[root@node2 ~]#scp /etc/httpd/ssl/httpd.csr 10.2.10.56:CA/
[email protected]'s password: 
httpd.csr                           100%       1070     1.0KB/s   00:00    
[root@node2 ~]#
________________________________________
Server side: issue the certificate
(1) Verify the requester's information
(2) Sign the certificate
(3) Return the signed certificate to the requester
1. Sign the certificate:
[root@node1 ~]#openssl ca -in CA/httpd.csr -out CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar  2 09:29:03 2018 GMT
            Not After : Mar  2 09:29:03 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Jiangsu
            organizationName          = Wangsir.com
            organizationalUnitName    = Tech
            commonName                = localhost.localdomain
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                C5:29:56:4F:A6:77:D1:9B:25:0E:85:25:68:08:DF:90:B8:7E:6F:01
            X509v3 Authority Key Identifier: 
                keyid:F9:81:4D:D3:C1:D2:50:3E:F0:BF:AF:5E:06:B9:AA:EE:A4:7A:C3:16

Certificate is to be certified until Mar  2 09:29:03 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
View the signed certificate:
[root@node1 ~]# openssl x509 -in CA/certs/httpd.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Jiangsu, L=Nanjing, O=Wangsir.com, OU=Tech, CN=localhost.localdomain/[email protected]
        Validity
            Not Before: Mar  2 09:29:03 2018 GMT
            Not After : Mar  2 09:29:03 2019 GMT
        Subject: C=CN, ST=Jiangsu, O=Wangsir.com, OU=Tech, CN=localhost.localdomain/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ba:e4:68:27:68:fb:6a:20:4d:66:ed:8e:3d:1d:
                    e7:f3:96:45:4c:22:2b:45:38:65:a4:8a:42:94:92:
                    ac:0a:d0:5c:a0:a8:ed:13:ca:8c:69:2f:45:ff:71:
                    ad:0c:e4:3b:6c:58:4c:b2:3e:01:36:b8:17:7a:10:
                    e9:33:91:ee:b5:13:8c:61:35:cc:f4:c9:5a:f2:c2:
                    54:f9:9a:e1:ef:bb:47:ba:56:7b:a1:01:2e:62:76:
                    5b:39:29:8a:17:6c:c1:e8:e3:4e:1b:d2:91:ff:d2:
                    08:ae:5e:7c:c5:cf:4a:cc:9c:25:da:f8:8f:00:39:
                    b1:42:33:6f:5d:cf:9d:c0:27:48:b2:fe:1e:df:7d:
                    63:09:7a:d5:97:b5:dc:e8:f6:b9:13:09:27:1e:a0:
                    bb:fb:c5:ac:b4:ee:b1:af:ae:5e:f0:b8:82:02:93:
                    ff:cc:b1:db:98:9f:82:ef:e3:b5:8d:8b:22:df:52:
                    7c:6b:4a:95:61:2b:d0:67:61:a8:f5:97:3c:4f:42:
                    01:b6:c8:f5:de:02:40:69:fb:3a:44:c3:11:9b:16:
                    b7:05:b9:19:25:99:7c:e6:8a:cd:f3:e2:a4:da:da:
                    d4:d7:1c:2f:40:44:fc:54:0f:e3:fb:86:a4:fd:25:
                    c4:ec:a9:50:15:8d:ef:5d:ad:08:3e:cd:41:b6:82:
                    f1:eb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                C5:29:56:4F:A6:77:D1:9B:25:0E:85:25:68:08:DF:90:B8:7E:6F:01
            X509v3 Authority Key Identifier: 
                keyid:F9:81:4D:D3:C1:D2:50:3E:F0:BF:AF:5E:06:B9:AA:EE:A4:7A:C3:16

    Signature Algorithm: sha256WithRSAEncryption
         7e:f7:73:a3:de:c9:c6:c6:e2:fd:44:de:a7:ff:a5:3c:95:dc:
         85:da:ae:82:40:a5:27:f3:9c:61:1f:b2:2f:b8:22:8a:19:b7:
         83:82:dd:bc:34:90:af:36:b9:17:06:02:03:dc:8a:72:51:f6:
         47:63:41:41:db:c4:91:6d:bd:be:db:9f:66:58:03:2e:da:52:
         7b:c0:69:50:fe:31:2d:cc:9c:a3:5c:fd:d2:6c:7b:d2:5c:12:
         de:1e:da:fe:a1:d4:e5:41:b7:6a:1c:61:9c:0f:b3:b3:50:8d:
         05:0d:38:74:fa:f3:e7:f4:c4:43:8e:d5:40:81:60:b3:61:9b:
         c9:35:60:d4:d2:11:2f:83:5f:a3:97:a8:67:a7:d0:05:9f:c4:
         a1:a3:90:8c:69:af:16:a1:79:6c:87:8f:a3:49:00:e8:45:fc:
         70:64:98:c3:6e:6a:d1:40:0b:a2:af:a0:55:b5:86:ab:2e:86:
         9d:c2:44:9b:74:b8:2d:b8:60:90:04:af:32:16:32:13:2b:ee:
         cf:e1:59:93:12:f5:8f:a7:62:d9:f1:88:7e:78:9c:4f:19:04:
         93:f6:79:20:2c:42:09:66:f6:dc:ec:95:c5:cc:e5:5e:24:92:
         fa:8d:39:0d:0e:aa:21:da:46:0b:c2:2f:06:a7:ef:9e:12:23:
         5c:3a:27:c6
2. Send the signed certificate back to the requester
[root@node1 ~]#scp CA/certs/httpd.crt 10.2.10.54:/etc/httpd/ssl
[email protected]'s password: 
httpd.crt                       100%         4677     4.6KB/s      00:00    
[root@node1~]#
Check whether the database file has been updated:
[root@node1 ~]# cd CA/
[root@node1 CA]# cat index.txt
V    190302092903Z        01    unknown    /C=CN/ST=Jiangsu/O=Wangsir.com/OU=Tech/CN=localhost.localdomain/[email protected]
[root@node1 CA]#

________________________________________
Revoking a certificate
1. On the client, obtain the serial of the certificate to be revoked
[root@node2 ~]#openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subject
serial=01
subject=/C=CN/ST=Jiangsu/O=Wangsir.com/OU=Tech/CN=localhost.localdomain/[email protected] 
[root@node2 ~]#
2. On the CA, compare the serial and subject submitted by the client with the entry in index.txt; if they match, revoke the certificate
[root@node1 CA]#openssl ca -revoke certs/httpd.crt 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@node1 CA]#
View the database state after the revocation:
[root@node1 CA]# cat index.txt
R    190302092903Z    180302134637Z    01    unknown    /C=CN/ST=Jiangsu/O=Wangsir.com/OU=Tech/CN=localhost.localdomain/[email protected]
[root@node1 CA]#
3. Create the CRL number file
[root@node1 CA]#touch crlnumber
[root@node1 CA]#echo 01 > crlnumber
4. Update the certificate revocation list
[root@node1 CA]#openssl ca -gencrl -out ./crl/ca.crl
Using configuration from /etc/pki/tls/openssl.cnf
[root@node1 CA]#
[root@node1 CA]# cat ./crl/ca.crl 
-----BEGIN X509 CRL-----
MIICCDCB8QIBATANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMCQ04xEDAOBgNV
BAgMB0ppYW5nc3UxEDAOBgNVBAcMB05hbmppbmcxFDASBgNVBAoMC1dhbmdzaXIu
Y29tMQ0wCwYDVQQLDARUZWNoMR4wHAYDVQQDDBVsb2NhbGhvc3QubG9jYWxkb21h
aW4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQFdhbmdzaXIuY29tFw0xODAzMDIxMzUy
MDZaFw0xODA0MDExMzUyMDZaMBQwEgIBARcNMTgwMzAyMTM0NjM3WqAOMAwwCgYD
VR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBABzuMF0xuSEIb+464+P0CoJSYcE1
Xt0XVwiLL8X+9LnsNFfIPlwO8uwJns1VtJ3l0LPd+6WGmjN06X+xMJODZT+FerZM
hJjSvp5SNlBca48OcmrYnA9OoTCgKAlKLHR050hdf/zR9UwQJTgI5jJKDAUduJmX
zXebIFWsbeq0ec5463C7ZRchbvzeZeyrvxuUL8cYBLr6Fk7ocNUFrn2ZtrTqIUsl
80v2t4qgi5w8G1AstYZUd+lvUveoMiTSx+dy53lDbNzVtUUFKw3p/PrXAbNa+Fg2
DmAP0V8cV34xV1UUUYxr0KCZmBBX/YgMJhM7k4+P5bkz2n0dtWdi5Oy7gmk=
-----END X509 CRL-----
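The CA, issue, verify, revoke and CRL steps above as one non-interactive script (an added example, not the post's own commands): it writes its own minimal openssl.cnf into a scratch directory instead of editing /etc/pki/tls/openssl.cnf, uses the DN values from the post, and adds a subjectAltName because current browsers match the SAN rather than the CN. The host name www.wangsir.com, the file names and the helper function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original post's commands: the private-CA lifecycle
# above (create CA, issue, verify, revoke, publish CRL, verify again) run
# non-interactively in a scratch directory with a minimal openssl.cnf written
# here instead of editing /etc/pki/tls/openssl.cnf. The DN values follow the
# post; www.wangsir.com and the helper names are constructed for this example.
set -eu
SUBJ_BASE="/C=CN/ST=Jiangsu/L=Nanjing/O=Wangsir.com/OU=Tech"

# ca_init DIR: the database layout `openssl ca` needs (index.txt, serial,
# crlnumber, newcerts/), the CA key, the self-signed root and a first CRL.
ca_init() {
  mkdir -p "$1/CA/certs" "$1/CA/crl" "$1/CA/newcerts" "$1/CA/private"
  chmod 700 "$1/CA/private"
  : > "$1/CA/index.txt"        # certificate database: one V/R/E line per cert
  echo 01 > "$1/CA/serial"     # next certificate serial
  echo 01 > "$1/CA/crlnumber"  # next CRL number (step 3 of the revocation part)
  cat > "$1/openssl.cnf" <<'EOF'
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = ./CA
new_certs_dir    = $dir/newcerts
database         = $dir/index.txt
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/cacert.pem
private_key      = $dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ req ]
distinguished_name     = req_dn
[ req_dn ]
EOF
  ( cd "$1" &&
    (umask 077; openssl genrsa -out CA/private/cakey.pem 2048 2>/dev/null) &&
    openssl req -new -x509 -config openssl.cnf -extensions v3_ca -days 365 \
      -key CA/private/cakey.pem -out CA/cacert.pem -subj "$SUBJ_BASE/CN=Wangsir Root CA" &&
    openssl ca -config openssl.cnf -gencrl -out CA/crl/ca.crl 2>/dev/null )
}

# issue_cert DIR HOST: node2's part (key + CSR, no -x509) then node1's part
# (openssl ca). Extensions, including the subjectAltName browsers match
# instead of the CN, come from a per-host extfile. Prints the cert path.
issue_cert() {
  ( cd "$1" &&
    (umask 077; openssl genrsa -out "$2.key" 2048 2>/dev/null) &&
    openssl req -new -config openssl.cnf -key "$2.key" -out "$2.csr" -subj "$SUBJ_BASE/CN=$2" &&
    printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = digitalSignature, keyEncipherment' \
      'extendedKeyUsage = serverAuth' 'subjectKeyIdentifier = hash' \
      'authorityKeyIdentifier = keyid,issuer' "subjectAltName = DNS:$2" > "$2.ext" &&
    openssl ca -batch -notext -config openssl.cnf -extfile "$2.ext" \
      -in "$2.csr" -out "CA/certs/$2.crt" -days 365 2>/dev/null )
  echo "$1/CA/certs/$2.crt"
}
# cert_serial CERT: the serial node2 reads off the cert before asking for revocation
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }
# index_status DIR: status flag of the newest index.txt entry (V valid, R revoked)
index_status() { tail -n 1 "$1/CA/index.txt" | cut -c1; }

# verify_cert DIR CERT: chain check against the root with CRL checking; the
# verdict is read from the output text because old builds exit 0 on failure
verify_cert() {
  out=$(openssl verify -crl_check -CAfile "$1/CA/cacert.pem" \
          -CRLfile "$1/CA/crl/ca.crl" "$2" 2>&1) || out="$out (failed)"
  case $out in *": OK") echo valid ;; *) echo invalid ;; esac
}
# revoke_cert DIR CERT: mark the entry R in index.txt and publish a new CRL;
# relying parties only learn of the revocation once they fetch that CRL.
revoke_cert() {
  ( cd "$1" && openssl ca -config openssl.cnf -revoke "$2" 2>/dev/null &&
    openssl ca -config openssl.cnf -gencrl -out CA/crl/ca.crl 2>/dev/null )
}

# demo: the whole lifecycle in a temp dir; run with: sh ca_lifecycle.sh demo
demo() {
  d=$(mktemp -d); ca_init "$d"
  crt=$(issue_cert "$d" www.wangsir.com)
  echo "serial=$(cert_serial "$crt") index=$(index_status "$d") $(verify_cert "$d" "$crt")"
  revoke_cert "$d" "$crt"
  echo "after revoke: index=$(index_status "$d") $(verify_cert "$d" "$crt")"
  rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The second verify_cert call fails only because the check is made with -crl_check against the freshly regenerated CRL; a client that never downloads the CRL (or checks OCSP) keeps trusting the revoked certificate, which is the part of the workflow the post leaves to the relying party.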

Deploying master and slave DNS servers


As an important piece of Internet infrastructure, keeping the DNS resolution service running is critical; only then can it provide stable, fast and uninterrupted name lookups. In DNS, a slave server can fetch the zone data files for specified zones from the master server, which both backs up the resolution records and spreads the load; deploying slave servers therefore relieves the master and also improves query performance for users.
In this lab the master and slave servers use the following operating systems and IP addresses.
Host name        Operating system    IP address
master server    RHEL 7              192.168.170.8
slave server     RHEL 7              192.168.170.9

First install the Bind service on both servers
[root@Master ~]# yum -y install bind
    Main configuration file (/etc/named.conf): the parameters that control how the bind service runs.
    Zone configuration file (/etc/named.rfc1912.zones): records where the files holding the name-to-IP mappings live.
    Data file directory (/var/named): holds the zone data files with the actual name-to-IP mappings.
[root@Master ~]# vim /etc/named.conf
  options {
   listen-on port 53 { any; };
   listen-on-v6 port 53 { ::1; };
   directory "/var/named";
   dump-file "/var/named/data/cache_dump.db";
   statistics-file "/var/named/data/named_stats.txt";
   memstatistics-file "/var/named/data/named_mem_stats.txt";
   allow-query { any; };
   recursion yes;      # together with allow-query { any; } this answers recursive queries for anyone (an open resolver); on an exposed authoritative server use recursion no or restrict allow-recursion to your own networks
   dnssec-enable no;
   dnssec-validation no;
   dnssec-lookaside no;
Step 1: in the master server's zone configuration file, allow the slave server's zone update (transfer) requests.
[root@Master ~]# vim /etc/named.rfc1912.zones
zone "test.com" IN {
type master;
file "test.com.zone";
allow-transfer { 192.168.170.9; };      # hosts allowed to pull this zone (AXFR/IXFR); the original had allow-update here, which grants dynamic-update rights rather than transfer rights
};
zone "170.168.192.in-addr.arpa" IN {     # reverse zone for 192.168.170.0/24, matching the 192.168.170.zone file created below
type master;
file "192.168.170.zone";
allow-transfer { 192.168.170.9; };
};

[root@Master named]# vim test.com.zone
$TTL 1D
@    IN SOA    test.com.    root.test.com.    (
    ; start of authority: the zone's primary name server and the zone administrator's mailbox (root@test.com)
                0       ; serial  - update sequence number; raise it on every edit or slaves will not re-transfer the zone
                1D      ; refresh - how often slaves check the master for changes
                1H      ; retry   - delay before retrying a failed refresh
                1W      ; expire  - when slaves stop serving a zone they could not refresh
                3H )    ; minimum - negative-caching TTL (the ")" must come before the ";" or it is commented out)
      NS        ns.test.com.          ; name server record
ns    IN  A     192.168.170.8         ; address record (ns.test.com.)
@     IN MX 8   mail.test.com.        ; mail exchanger record (owner given explicitly so it applies to test.com., not to ns)
mail  IN  A     192.168.170.8         ; address record (mail.test.com.)
www   IN  A     192.168.170.8         ; address record (www.test.com.)
bbs   IN  A     192.168.170.9         ; address record (bbs.test.com.)
[root@Master ~]# chgrp  named  /var/named/test.com.zone
[root@Master ~]# chmod  o=  /var/named/test.com.zone
[root@Master named]# named-checkzone  test.com   /var/named/test.com.zone
[root@Master named]# named-checkconf 
[root@Master named]# systemctl restart named
Test forward resolution:
[root@test ~]#vi /etc/sysconfig/network-scripts/ifcfg-ens192
Add the IP addresses of the master and slave DNS servers:
DNS1="192.168.170.8"
DNS2="192.168.170.9"
[root@test named]# yum -y install bind-utils   // install the bind client utilities
[root@test ~]# nslookup www.test.com
Server:         192.168.170.8
Address:        192.168.170.8#53

Name:   www.test.com
Address: 192.168.170.8

[root@Master named]# vim 192.168.170.zone
$TTL 1D
@    IN SOA    test.com.    root.test.com.    (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
     NS    ns.test.com.
ns   A     192.168.170.8
8    PTR   ns.test.com.        ; PTR is the pointer record, used only for reverse resolution
8    PTR   mail.test.com.
8    PTR   www.test.com.
9    PTR   bbs.test.com.
[root@Master named]# chgrp  named  /var/named/192.168.170.zone
[root@Master named]# chmod  o=  /var/named/192.168.170.zone
[root@Master named]# named-checkzone  170.168.192.in-addr.arpa  /var/named/192.168.170.zone
[root@Master named]# named-checkconf 
[root@Master named]# systemctl restart named
Test reverse resolution:
[root@test named]# nslookup 192.168.170.9
Server: 192.168.170.9
Address: 192.168.170.9#53
9.170.168.192.in-addr.arpa name = bbs.test.com.

Step 2: on the slave server, enter the master server's IP address and the zones to fetch, then restart the service.
[root@Slave ~]#vi /etc/sysconfig/network-scripts/ifcfg-ens192
Add the master and slave DNS IP addresses:
DNS1="192.168.170.8"
DNS2="192.168.170.9"
[root@Slave ~]# yum -y install bind
[root@Slave ~]# vim /etc/named.conf
  options {
   listen-on port 53 { any; };
   listen-on-v6 port 53 { ::1; };
   directory "/var/named";
   dump-file "/var/named/data/cache_dump.db";
   statistics-file "/var/named/data/named_stats.txt";
   memstatistics-file "/var/named/data/named_mem_stats.txt";
   allow-query { any; };
   recursion yes;
   dnssec-enable no;
   dnssec-validation no;
   dnssec-lookaside no;
[root@Slave ~]# vim /etc/named.rfc1912.zones
zone "test.com" IN {
type slave;
masters { 192.168.170.8; };
file "slaves/test.com.zone";
};
zone "170.168.192.in-addr.arpa" IN {
type slave;
masters { 192.168.170.8; };
file "slaves/192.168.170.arpa";
};

Step 3: check the resolution results. Once the DNS service on the slave server has been restarted, it normally has already synchronised the zone data files from the master automatically, and by default those files are placed in the directory defined in the zone configuration file.
[root@Slave ~]# cd /var/named/slaves
[root@Slave slaves]# ls 
192.168.8.arpa test.com.zone
[root@test slaves]# nslookup
> www.test.com
Server: 192.168.170.9
Address: 192.168.170.9#53
Name: www.test.com
Address: 192.168.170.8
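Two checks worth running before `systemctl restart named`, as an added example that is not part of the original post or of BIND: a quick lint for the zone-file mistakes that are easy to make in the files above (a `#` where only `;` starts a comment, a `)` that ends up inside a comment, a `..` in a name, an SOA name without its trailing dot) and a serial bump, since a slave only transfers the zone again when the SOA serial has increased. The sample zone embedded in `demo` is constructed; `named-checkzone` remains the authoritative check.

```shell
#!/bin/sh
# Added example, not part of the original post or of BIND: zone_lint flags
# what named-checkzone would reject in the zone files above; zone_serial and
# bump_serial read and raise the SOA serial, which a slave only re-transfers
# the zone for once it has grown. The sample zone in demo() is constructed.

# zone_lint FILE: print one finding per line, exit 1 if there were any
zone_lint() {
  awk '
    { code = $0; sub(/;.*/, "", code) }   # strip ; comments before every check
    code ~ /#/    { printf "line %d: # is not a comment marker in zone files, use ;\n", NR; bad++ }
    code ~ /\.\./ { printf "line %d: empty label (..) inside a name\n", NR; bad++ }
    code ~ /[ \t]SOA[ \t]/ {
      n = split(code, tok, /[ \t]+/)
      for (i = 1; i <= n; i++)
        if (tok[i] == "SOA")
          for (j = i + 1; j <= i + 2 && j <= n; j++)   # MNAME and RNAME
            if (tok[j] != "(" && tok[j] !~ /\.$/) {
              printf "line %d: SOA name %s lacks a trailing dot, $ORIGIN will be appended\n", NR, tok[j]
              bad++
            }
    }
    { opens += gsub(/\(/, "(", code); closes += gsub(/\)/, ")", code) }
    END {
      if (opens != closes) { print "unbalanced ( ) in the SOA record: a ) written after ; is part of the comment"; bad++ }
      exit bad > 0
    }' "$1"
}

# shared by zone_serial and bump_serial: the serial is the first all-digit
# token after the SOA keyword once ; comments are removed, whether it sits on
# the SOA line itself or on a following line inside the parentheses
SOA_AWK='
  function bump(line, val,   re, pre, mid, post) {
    re = "(^|[^0-9A-Za-z.])" val "([^0-9A-Za-z.]|$)"
    if (!match(line, re)) return line
    pre = substr(line, 1, RSTART - 1); mid = substr(line, RSTART, RLENGTH)
    post = substr(line, RSTART + RLENGTH)
    sub(val, val + 1, mid)
    return pre mid post
  }
  state < 2 {
    code = $0; sub(/;.*/, "", code)
    n = split(code, tok, /[ \t]+/)
    for (i = 1; i <= n; i++) {
      if (state == 0 && tok[i] == "SOA") { state = 1; continue }
      if (state == 1 && tok[i] ~ /^[0-9]+$/) {
        if (mode == "get") { print tok[i]; exit }
        $0 = bump($0, tok[i]); state = 2; break
      }
    }
  }
  mode == "bump" { print }'

# zone_serial FILE: print the current SOA serial
zone_serial() { awk -v mode=get "$SOA_AWK" "$1"; }
# bump_serial FILE: rewrite FILE in place with the serial incremented by one
bump_serial() { awk -v mode=bump "$SOA_AWK" "$1" > "$1.tmp" && mv "$1.tmp" "$1"; }

# demo: both helpers on a constructed zone that carries the defects described above
demo() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
$TTL 1D
@    IN SOA    test.com.    root.test.com    (
    #start of authority
                0;serial
                1D;refresh
                1H;retry
                1W;expire
                3H;)minimum
      NS        ns.test.com.        #name server record
ns    IN  A     192.168.170.8
EOF
  zone_lint "$f" || echo "lint: zone would not load"
  echo "serial before: $(zone_serial "$f")"
  bump_serial "$f"
  echo "serial after:  $(zone_serial "$f")"
  rm -f "$f"
}
if [ "${1:-}" = demo ]; then demo; fi
```

bump_serial only adds one; if you use date-based serials (YYYYMMDDnn) keep to the same scheme by hand, since a serial that moves backwards is ignored by the slaves just as an unchanged one is.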

5. Implementing smart DNS
To implement smart DNS resolution on a DNS server you first need the concept of a view: a view answers queries arriving from different IP address ranges with different DNS data. To configure two different address ranges you must state those ranges explicitly, otherwise the views cannot take effect. Note that once views are used, every zone must be defined inside a view.
Here I use 192.168.0.189/32 to stand for the China Telecom network and 192.168.0.190/32 for the China Unicom network in a simulated test:
Modify the named.conf of the DNS master server from the previous example:
acl "telecom"{
        192.168.170.8;
};
acl "unicom"{
        192.168.170.9;
};
options{
...
};
logging{
...
};
view  telecom {
        match-clients { telecom;};
        zone "." IN {
                type hint;
                file "named.ca";
        };
        zone "charlie.com" IN {
                type master;
                file "charlie.com.zone.telecom";
        };
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
};

view unicom {
        match-clients { unicom;};
        zone "." IN {
                type hint;
                file "named.ca";
        };
        zone "charlie.com" IN {
                type master;
                file "charlie.com.zone.unicom";
        };
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
};
view others {                      # keep this catch-all last: views are tried in order and the first match-clients hit wins
        match-clients { any;};
        zone "." IN {
                type hint;
                file "named.ca";
        };
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
};
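How named picks a view, modelled in POSIX sh (an added example, not the original post's configuration or BIND code): match-clients lists are evaluated in the order the views appear in named.conf and the first match wins, which is why the catch-all `others` view has to be last. The acl names and addresses are those of the config above; the /24 range and the 10.0.0.5 client address used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or of BIND: a POSIX-sh model of
# how named chooses a view. match-clients lists are tested in the order the
# views appear in named.conf and the first match wins, so the catch-all
# "others" view must stay last. acl names and addresses mirror the config
# above; the /24 and the 10.0.0.5 client used in demo() are constructed.

# ip2int A.B.C.D: dotted quad to a 32-bit integer
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR: true when IP lies inside CIDR (a bare address means /32)
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32
  [ "$bits" -eq 0 ] && return 0
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# acl_match NAME IP: true when IP matches any element of acl NAME, held in the
# variable ACL_<NAME> as a space-separated list; the built-in "any" always matches
acl_match() {
  [ "$1" = any ] && return 0
  eval "elems=\$ACL_$1"
  for e in $elems; do in_cidr "$2" "$e" && return 0; done
  return 1
}

# select_view IP: walk VIEWS ("view:acl" pairs in named.conf order) and print
# the first view whose match-clients accepts IP, which is named's rule
select_view() {
  for v in $VIEWS; do
    if acl_match "${v#*:}" "$1"; then echo "${v%%:*}"; return 0; fi
  done
  echo none; return 1
}

# the acls and the view order from the named.conf above
ACL_telecom="192.168.170.8"
ACL_unicom="192.168.170.9"
VIEWS="telecom:telecom unicom:unicom others:any"

demo() {
  for ip in 192.168.170.8 192.168.170.9 10.0.0.5; do
    echo "$ip -> view $(select_view "$ip")"
  done
  # the ordering pitfall: a catch-all view listed first shadows all the others
  VIEWS="others:any telecom:telecom unicom:unicom"
  echo "with others first: 192.168.170.8 -> view $(select_view 192.168.170.8)"
  VIEWS="telecom:telecom unicom:unicom others:any"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The same first-match rule applies inside an acl: listing a negated element (`!192.168.170.8;`) after a broader one has no effect, so put exclusions first in the real named.conf.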
Create charlie.com.zone.telecom:
[root@Master ~]# vim /var/named/charlie.com.zone.telecom 
$TTL 3600
@       IN      SOA     ns.charlie.com. admin.charlie.com. (
        00
        1D
        1H
        1W
        3H  )
        IN      NS      ns.charlie.com.
ns      IN      A       192.168.170.8
        IN      MX      8      mx.charlie.com.
mx      IN      A       192.168.170.8
www     IN      A       1.1.1.1
blog    IN      A       1.1.1.2
Create charlie.com.zone.unicom:
[root@Master ~]# vim /var/named/charlie.com.zone.unicom
$TTL 3600
@       IN      SOA     ns.charlie.com. admin.charlie.com. (
        00
        1D
        1H
        1W
        3H )
        IN      NS      ns.charlie.com.
ns      IN      A       192.168.170.8
        IN      MX      8      mx.charlie.com.
mx      IN      A       192.168.170.8
www     IN      A       2.2.2.1
blog    IN      A       2.2.2.2
Check the corresponding configuration files:
[root@Master ~]# named-checkconf /etc/named.conf 
[root@Master ~]# named-checkzone charlie.com /var/named/charlie.com.zone.telecom 
zone charlie.com/IN: loaded serial 0
OK
[root@Master ~]# named-checkzone charlie.com /var/named/charlie.com.zone.unicom 
zone charlie.com/IN: loaded serial 0
OK
Restart or reload the named service:
[root@Master ~]# systemctl restart named
Verify the resolution results on the slave server at 192.168.0.189:
[root@slave1 ~]# nslookup
> server 192.168.170.8
Default server: 192.168.170.8
Address: 192.168.170.8#53
> set q=A
> www.charlie.com
Server:     192.168.170.8
Address:    192.168.170.8#53
Name:   www.charlie.com
Address: 1.1.1.1    # the telecom-specific IP is resolved correctly;
> blog.charlie.com
Server:     192.168.170.8
Address:    192.168.170.8#53
Name:   blog.charlie.com
Address: 1.1.1.2     # the telecom-specific IP is resolved correctly;
> ns1.magedu.com
Server:     192.168.170.8
Address:    192.168.170.8#53
Name:   ns1.magedu.com
Address: 192.168.170.8
Verify the resolution results on the slave server at 192.168.170.9:
[root@slave2 ~]# nslookup
> server 192.168.170.8
Default server: 192.168.170.8
Address: 192.168.170.8#53
> set q=A
> www.charlie.com
Server:     192.168.170.8
Address:    192.168.170.8#53
Name:   www.charlie.com
Address: 2.2.2.1     # the unicom-specific IP is resolved correctly;
> blog.charlie.com
Server:     192.168.170.8
Address:    192.168.170.8#53
Name:   blog.charlie.com
Address: 2.2.2.2     # the unicom-specific IP is resolved correctly;
> ns1.magedu.com
Server:     192.168.170.8
Address:    192.168.170.8#53
Name:   ns1.magedu.com
Address: 192.168.170.8

With that, smart DNS resolution is complete!


 

Reposted from blog.csdn.net/qq_22193519/article/details/83080428