Self-Signed Certificates and DNS Server Setup


Preface: this article was compiled by the editors of Xiaochangshi (cha138.com). It mainly introduces self-signed certificates and DNS server setup; we hope it is of some reference value to you.

1. TLS communication flow

TLS (Transport Layer Security) sits between the application layer and the transport layer; it is what HTTPS, FTPS and similar protocols run over.
Rough HTTPS flow (the classic RSA key-exchange variant):
Client A                                                                 Server B
A ————》 (connection request)                                            B
A 《———— (B's certificate: B's public key, signed with the CA's private key) B
A (verifies the certificate signature with the CA's public key and extracts B's public key)
A (generates a symmetric session key and encrypts it with B's public key)
A ————》 (encrypted session key)                                          B
B (decrypts with its own private key and obtains the symmetric key)
A and B encrypt all further traffic with the symmetric key
Two points the usual shorthand blurs: the CA does not "encrypt" B's public key, it signs the certificate, so a client that does not hold the CA certificate (step 4 of section 2) cannot verify the signature and must not trust it; and modern TLS 1.2 configurations and all of TLS 1.3 replace the "encrypt the session key with B's public key" step with an ephemeral (EC)DHE exchange, so the session key is never transmitted under B's long-term key and recorded sessions stay confidential even if B's private key leaks later.

2. Self-signed certificates

Build a private CA and use it to sign certificates

  1. Install openssl
  2. Generate the CA private key
    # (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus
    .................................................................................................+++
    ..........+++
    e is 65537 (0x10001)

    The file location must match what /etc/pki/tls/openssl.cnf defines:
    dir = /etc/pki/CA                     # Where everything is kept
    private_key = $dir/private/cakey.pem  # The private key
    The umask in the subshell makes the key file mode 600 (owner read/write only). It is the most sensitive file on the CA host: anyone who can read it can issue certificates that every client configured in step 4 will trust.

  3. The CA server signs its own certificate with its private key
    # openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem  -days 7200 -out /etc/pki/CA/cacert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:gd
    Locality Name (eg, city) [Default City]:gz
    Organization Name (eg, company) [Default Company Ltd]:nvliu
    Organizational Unit Name (eg, section) []:dcrfan
    Common Name (eg, your name or your server's hostname) []:centos7
    Email Address []:

    The output path must match what /etc/pki/tls/openssl.cnf defines:
    certificate = $dir/cacert.pem         # The CA certificate
    The same file supplies the default country/state/organisation values offered at the prompts above, and its [ v3_ca ] section is what marks this certificate as a CA (basicConstraints CA:TRUE). Check the result with "openssl x509 -in /etc/pki/CA/cacert.pem -noout -text".

  4. Copy the certificate to the Windows client and add it to the trust store
    1. Rename the file so that it ends in .cer
    2. Open the certificate; Windows reports that it is not trusted. Click "Install Certificate"
    3. Choose where to store the certificate
    4. Select "Trusted Root Certification Authorities"
    5. Click Yes to confirm the installation
    6. Open the certificate again; the system now trusts it
    Only the certificate (cacert.pem) leaves the CA host, never cakey.pem. From this point on the client trusts every certificate this CA issues, for any host name, so the CA key must stay as well protected as step 2 describes.
  5. Generate a key on the application server and place it in the application's directory
    # (umask 066; openssl genrsa -out /data/app.key 2048)
    Generating RSA private key, 2048 bit long modulus
    ............................................+++
    ........................+++
    e is 65537 (0x10001)

    As with the CA key, the umask makes the file mode 600. The application key never leaves this server; only the request generated from it in the next step does.

  6. On the application server generate a certificate signing request (CSR), then upload it to the CA server
    # openssl req -new -key /data/app.key  -out /data/app.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:gd
    Locality Name (eg, city) [Default City]:gz
    Organization Name (eg, company) [Default Company Ltd]:nvliu
    Organizational Unit Name (eg, section) []:dcrfan1
    Common Name (eg, your name or your server's hostname) []:centos7.1
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    Leave the challenge password empty; "openssl ca" does not use it. The default policy in /etc/pki/tls/openssl.cnf (policy_match) requires the request's country, state and organisation to match the CA certificate exactly, so those three fields are answered the same as in step 3, while the OU and the common name may differ. The common name is the server's host name here; browsers match host names against the subjectAltName extension rather than the CN, so for a certificate a browser must accept, add "subjectAltName = DNS:centos7.1" to the extension section the CA applies when signing.
  7. On the CA server create two bookkeeping files by hand
    # echo 01 > /etc/pki/CA/serial
    # touch /etc/pki/CA/index.txt

    Both locations are defined in /etc/pki/tls/openssl.cnf:
    database = $dir/index.txt             # database index file.
    serial = $dir/serial                  # The current serial number
    index.txt is the CA's record of every certificate it has issued or revoked; serial holds the next serial number to use. "openssl ca" refuses to run without them.

  8. On the CA server approve the request the application server sent over and issue the certificate
    # openssl ca -in /data/app.csr -out /etc/pki/CA/certs/app.crt -days 160
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan  8 11:23:04 2019 GMT
            Not After : Jun 17 11:23:04 2019 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = gd
            organizationName          = nvliu
            organizationalUnitName    = dcrfan1
            commonName                = centos7.1
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                2C:54:95:C8:30:80:97:89:7E:4A:40:50:F9:64:CB:2F:2E:D9:97:EA
            X509v3 Authority Key Identifier: 
                keyid:48:8F:FB:78:84:50:F0:B0:AB:6F:2C:10:B6:03:9F:21:03:03:20:70
    Certificate is to be certified until Jun 17 11:23:04 2019 GMT (160 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

    The output directory must match what /etc/pki/tls/openssl.cnf defines:
    certs = $dir/certs                    # Where the issued certs are kept
    Note that the localityName (gz) entered in the request is absent from the issued subject: policy_match does not list it, so "openssl ca" drops it. Basic Constraints CA:FALSE comes from the usr_cert extension section and is what stops this certificate from being used to sign further certificates.

  9. Copy the generated app.crt back to the application server and use it there together with app.key
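The whole procedure of steps 2 to 9, as an added shell example that is not part of the original post: it builds a throwaway CA in a temporary directory, issues a certificate for the application server, and then performs the check the client makes in section 1 (signature chains to the CA, and the host name it connected to is in the certificate). It uses "openssl x509 -req -CA" instead of "openssl ca" so that no index.txt/serial files are needed; the extension profiles, the minimal req config and the SAN host names www.dcrfan.com / srv.dcrfan.com are assumptions written inline (the post's extensions come from /etc/pki/tls/openssl.cnf).

```shell
#!/bin/sh
# Added example, not from the original post: private CA -> CSR -> signed
# server cert -> client-side verification, all inside a temporary directory.
# Subject fields and the 160-day validity follow the post; the extension
# profiles, the minimal req config and the SAN host names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal config so "openssl req" does not depend on the system openssl.cnf
# (the -subj option below overrides the dn section). Extension profiles: the
# CA gets CA:TRUE + keyCertSign; the leaf gets CA:FALSE, serverAuth and a
# subjectAltName, which is what browsers match instead of the CN.
write_profiles() {
  printf '[req]\ndistinguished_name = dn\n[dn]\nCN = overridden by -subj\n' > "$WORK/req.cnf"
  cat > "$WORK/ca_ext.cnf" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$WORK/leaf_ext.cnf" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:www.dcrfan.com, DNS:srv.dcrfan.com
EOF
}

# Steps 2-3: CA key (mode 0600 via umask) and self-signed CA certificate.
make_ca() {
  (umask 077; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null)
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/cakey.pem" \
    -subj "/C=cn/ST=gd/L=gz/O=nvliu/OU=dcrfan/CN=centos7" -out "$WORK/ca.csr"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/cakey.pem" -days 7200 \
    -sha256 -extfile "$WORK/ca_ext.cnf" -out "$WORK/cacert.pem" 2>/dev/null
}

# Steps 5-6: application key and CSR (done on the application server).
make_csr() {
  (umask 077; openssl genrsa -out "$WORK/app.key" 2048 2>/dev/null)
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/app.key" \
    -subj "/C=cn/ST=gd/L=gz/O=nvliu/OU=dcrfan1/CN=centos7.1" -out "$WORK/app.csr"
}

# Step 8: the CA signs the CSR. Extensions come from the CA's own profile,
# never from the request, so a requester cannot ask for CA:TRUE.
sign_csr() {
  openssl x509 -req -in "$WORK/app.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -days 160 -sha256 \
    -extfile "$WORK/leaf_ext.cnf" -out "$WORK/app.crt" 2>/dev/null
}

# What the client does in section 1: check that the signature chains to the
# CA and that the name it connected to is in the certificate. Prints ok/fail.
verify_leaf() {
  if openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" \
       "$WORK/app.crt" >/dev/null 2>&1; then echo ok; return 0; fi
  echo fail; return 1
}

# Both private keys must be mode 0600 (the post's "file permission 600").
keys_are_private() {
  n=$(find "$WORK/cakey.pem" "$WORK/app.key" -perm 600 | wc -l | tr -d ' ')
  [ "$n" -eq 2 ]
}

write_profiles; make_ca; make_csr; sign_csr
verify_leaf www.dcrfan.com          # ok: the name is in the SAN
verify_leaf centos7.1 || true       # fail: once a SAN exists the CN no longer counts
openssl x509 -in "$WORK/app.crt" -noout -subject -issuer
openssl x509 -in "$WORK/app.crt" -noout -text | grep -A1 'Subject Alternative Name'
```

The second verify_leaf call is the practical consequence of the CN/SAN point made under step 6: the certificate carries the host name centos7.1 as its CN, yet a client that connects to that name rejects it, because hostname matching stops at the SAN list as soon as one is present.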

3. Building a DNS hierarchy

The lab uses eight machines:
192.168.0.108 remote client
192.168.0.109 caching DNS server
192.168.0.112 dcrfan.com master DNS server
192.168.0.113 dcrfan.com slave DNS server
192.168.0.114 com DNS server
192.168.0.115 root DNS server
192.168.0.116 web server
192.168.0.117 web server

  1. Start with the master DNS server 192.168.0.112: install the bind package
  2. Edit the main configuration file /etc/named.conf
    options {
        //listen-on port 53 { 127.0.0.1; };     # comment out this line so named listens on port 53 of every interface, not only loopback
        allow-query     { 192.168.0.0/24; };   # change this line: only this subnet may query the server
        allow-transfer { 192.168.0.113; };  # add this line: only the slave may pull (AXFR/IXFR) the zone
                };
    allow-transfer restricts zone transfers by source IP only; on a real network sign transfers with a TSIG key as well. An authoritative server should also carry "recursion no;" so that it cannot be used as an open resolver (the "ra" flag in the dig output below shows recursion is still on in this lab setup).
  3. Edit the zone file /etc/named.rfc1912.zones and add a zone for the dcrfan.com domain
    zone "dcrfan.com" IN {
            type master;               # this server is the master for the zone
            file "dcrfan.com.zone";    # zone data file, relative to /var/named
    };
  4. Create the zone data file dcrfan.com.zone under /var/named; mind the permissions, the named account must be able to read it
    -rw-r-----. 1 root named 152 Jun 21 2007 dcrfan.com.zone
    $TTL 1D                                   ; default TTL, the 86400 seen in dig below
    @       IN SOA  dns1.dcrfan.com. admin.dcrfan.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum (negative-cache TTL)
        NS      dns1
        NS      dns2
    dns1    A       192.168.0.112
    dns2    A       192.168.0.113
    srv     A       192.168.0.116
    srv     A       192.168.0.117
    www     CNAME   srv
    The two A records for srv make BIND hand the addresses out in rotating order, which is the alternation seen with curl in step 26. The serial must be increased every time this file changes, otherwise the slave never notices the change.
  5. Start the service and test from the remote client with dig
    # dig www.dcrfan.com @192.168.0.112
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.112
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60001
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
    ;; QUESTION SECTION:
    ;www.dcrfan.com.                        IN      A
    ;; ANSWER SECTION:
    www.dcrfan.com.         86400   IN      CNAME   srv.dcrfan.com.
    srv.dcrfan.com.         86400   IN      A       192.168.0.117
    srv.dcrfan.com.         86400   IN      A       192.168.0.116
    ;; AUTHORITY SECTION:
    dcrfan.com.             86400   IN      NS      dns2.dcrfan.com.
    dcrfan.com.             86400   IN      NS      dns1.dcrfan.com.
    ;; ADDITIONAL SECTION:
    dns1.dcrfan.com.        86400   IN      A       192.168.0.112
    dns2.dcrfan.com.        86400   IN      A       192.168.0.113
    ;; Query time: 1 msec
    ;; SERVER: 192.168.0.112#53(192.168.0.112)
    ;; WHEN: Thu Jan 10 16:09:29 2019
    ;; MSG SIZE  rcvd: 152
  6. Build the slave DNS server 192.168.0.113: install the bind package
  7. Edit the main configuration file /etc/named.conf
    options {
        //listen-on port 53 { 127.0.0.1; };     # comment out this line so named listens on port 53 of every interface
        allow-query     { 192.168.0.0/24; };   # change this line: only this subnet may query the server
        allow-transfer { none; };  # add this line: nobody may pull the zone from the slave
                };
  8. Edit the zone file /etc/named.rfc1912.zones and add a zone for the dcrfan.com domain
    zone "dcrfan.com" IN {
        type slave;                          # this server is a slave for the zone
        masters { 192.168.0.112; };          # the master to pull from
        file "slaves/dcrfan.com.slave.zone"; # where the transferred zone data is stored
    };
  9. Start the DNS service and check that the zone data has been transferred into the slaves directory
    # ll /var/named/slaves/dcrfan.com.slave.zone
    -rw-r--r--. 1 named named 371 Jan 10 16:38 /var/named/slaves/dcrfan.com.slave.zone
    The slaves directory must be writable by the named user (it is in the stock package). If the file does not appear, check that step 2 on the master allows transfers from 192.168.0.113 and read the named log messages on both hosts.
  10. Test from the remote client with dig
    # dig www.dcrfan.com @192.168.0.113
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.113
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38752
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
    ;; QUESTION SECTION:
    ;www.dcrfan.com.                        IN      A
    ;; ANSWER SECTION:
    www.dcrfan.com.         86400   IN      CNAME   srv.dcrfan.com.
    srv.dcrfan.com.         86400   IN      A       192.168.0.117
    srv.dcrfan.com.         86400   IN      A       192.168.0.116
    ;; AUTHORITY SECTION:
    dcrfan.com.             86400   IN      NS      dns2.dcrfan.com.
    dcrfan.com.             86400   IN      NS      dns1.dcrfan.com.
    ;; ADDITIONAL SECTION:
    dns1.dcrfan.com.        86400   IN      A       192.168.0.112
    dns2.dcrfan.com.        86400   IN      A       192.168.0.113
    ;; Query time: 4 msec
    ;; SERVER: 192.168.0.113#53(192.168.0.113)
    ;; WHEN: Thu Jan 10 16:41:18 2019
    ;; MSG SIZE  rcvd: 152
  11. Configure the com DNS server 192.168.0.114: install the bind package
  12. Edit the main configuration file /etc/named.conf
    options {
        //listen-on port 53 { 127.0.0.1; };     # comment out this line so named listens on port 53 of every interface
        //allow-query     { 192.168.0.0/24; };   # comment out this line: any IP may query the server
        dnssec-enable no;     
        dnssec-validation no;   # set both to no
                };
    DNSSEC validation has to be off in this lab: the stock configuration carries the trust anchor of the real root, and nothing served by the private, unsigned root built in step 15 can validate against it, so every answer would be SERVFAIL.
  13. Edit the zone file /etc/named.rfc1912.zones and add a forward zone that hands dcrfan.com queries to the master and the slave
    zone "dcrfan.com" IN {
        type forward;
        forward first;
        forwarders { 192.168.0.112; 192.168.0.113;};
    };
    No authoritative "com" zone is configured on this host; it answers for dcrfan.com purely by forwarding, which only works because recursion is enabled.
  14. Start the service and test from the remote client with dig
    # dig www.dcrfan.com @192.168.0.114
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.114
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26492
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
    ;; QUESTION SECTION:
    ;www.dcrfan.com.                        IN      A
    ;; ANSWER SECTION:
    www.dcrfan.com.         86400   IN      CNAME   srv.dcrfan.com.
    srv.dcrfan.com.         86400   IN      A       192.168.0.117
    srv.dcrfan.com.         86400   IN      A       192.168.0.116
    ;; AUTHORITY SECTION:
    dcrfan.com.             86400   IN      NS      dns2.dcrfan.com.
    dcrfan.com.             86400   IN      NS      dns1.dcrfan.com.
    ;; ADDITIONAL SECTION:
    dns1.dcrfan.com.        86400   IN      A       192.168.0.112
    dns2.dcrfan.com.        86400   IN      A       192.168.0.113
    ;; Query time: 14 msec
    ;; SERVER: 192.168.0.114#53(192.168.0.114)
    ;; WHEN: Thu Jan 10 17:18:21 2019
    ;; MSG SIZE  rcvd: 152
  15. Configure the root DNS server 192.168.0.115: install the bind package
  16. Edit the main configuration file /etc/named.conf
    options {
        //listen-on port 53 { 127.0.0.1; };     # comment out this line so named listens on port 53 of every interface
        //allow-query     { 192.168.0.0/24; };   # comment out this line: any IP may query the server
        dnssec-enable no;     
        dnssec-validation no;   # set both to no
                };
    zone "." IN {            # delete this root-hints zone; this host is the root itself now
        type hint;
        file "named.ca";
    };
  17. Edit the zone file /etc/named.rfc1912.zones and add a zone for the root domain
    zone "." IN {
            type master;         # this server is the master for the root zone
            file "root.zone";    # zone data file, relative to /var/named
    };
  18. Create the zone data file root.zone under /var/named; mind the permissions, the named account must be able to read it
    $TTL 1D
    @       IN SOA  dns1. admin. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns1
    com     NS      dns2           # delegate the com domain to 192.168.0.114
    dns1    A       192.168.0.115
    dns2    A       192.168.0.114  # glue record for the delegated name server
  19. Start the service and test from the remote client with dig
    # dig www.dcrfan.com @192.168.0.115
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.115
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51669
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
    ;; QUESTION SECTION:
    ;www.dcrfan.com.                        IN      A
    ;; ANSWER SECTION:
    www.dcrfan.com.         84281   IN      CNAME   srv.dcrfan.com.
    srv.dcrfan.com.         86400   IN      A       192.168.0.117
    srv.dcrfan.com.         86400   IN      A       192.168.0.116
    ;; AUTHORITY SECTION:
    dcrfan.com.             84281   IN      NS      dns2.dcrfan.com.
    dcrfan.com.             84281   IN      NS      dns1.dcrfan.com.
    ;; ADDITIONAL SECTION:
    dns1.dcrfan.com.        84281   IN      A       192.168.0.112
    dns2.dcrfan.com.        84281   IN      A       192.168.0.113
    ;; Query time: 14 msec
    ;; SERVER: 192.168.0.115#53(192.168.0.115)
    ;; WHEN: Thu Jan 10 17:53:40 2019
    ;; MSG SIZE  rcvd: 152
  20. Configure the caching server 192.168.0.109 (per the machine list above; 192.168.0.108 is the client): install the bind package
  21. Edit the main configuration file /etc/named.conf
    options {
        //listen-on port 53 { 127.0.0.1; };     # comment out this line so named listens on port 53 of every interface
        //allow-query     { 192.168.0.0/24; };   # comment out this line: any IP may query the server
        dnssec-enable no;     
        dnssec-validation no;   # set both to no
                };
    With allow-query open and recursion on (the default), this host is an open resolver. On anything other than an isolated lab network restrict it with "allow-recursion { 192.168.0.0/24; };", since open resolvers are abused for DNS amplification attacks.
  22. Edit named.ca so that its root hint points at the root server built above, 192.168.0.115
    .                       518400  IN      NS      a.root-servers.net.
    a.root-servers.net.     3600000 IN      A       192.168.0.115
    Replace the file's original contents with these two lines; any of the public root-server entries left in place would still be tried and point at the Internet. The name a.root-servers.net. is only a label here, the resolver uses the glue address.
  23. Start the service and test from the remote client with dig
    # dig www.dcrfan.com @192.168.0.109
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.109
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41909
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
    ;; QUESTION SECTION:
    ;www.dcrfan.com.                        IN      A
    ;; ANSWER SECTION:
    www.dcrfan.com.         83143   IN      CNAME   srv.dcrfan.com.
    srv.dcrfan.com.         86400   IN      A       192.168.0.116
    srv.dcrfan.com.         86400   IN      A       192.168.0.117
    ;; AUTHORITY SECTION:
    dcrfan.com.             83143   IN      NS      dns1.dcrfan.com.
    dcrfan.com.             83143   IN      NS      dns2.dcrfan.com.
    ;; ADDITIONAL SECTION:
    dns2.dcrfan.com.        83143   IN      A       192.168.0.113
    dns1.dcrfan.com.        83143   IN      A       192.168.0.112
    ;; Query time: 16 msec
    ;; SERVER: 192.168.0.109#53(192.168.0.109)
    ;; WHEN: Thu Jan 10 18:12:37 2019
    ;; MSG SIZE  rcvd: 152
  24. Then build two web servers for testing: install httpd on each, give each a distinct home page, start the service and test
    echo dcrfan1 > /var/www/html/index.html     # on 192.168.0.116
    echo dcrfan2 > /var/www/html/index.html     # on 192.168.0.117
  25. Both answer normally when accessed by IP
    # curl 192.168.0.116
    dcrfan1
    # curl 192.168.0.117
    dcrfan2
  26. Point the client's DNS at the caching DNS server 192.168.0.109
    Add DNS1=192.168.0.109 to the interface configuration (ifcfg file), restart the network service and test
    # curl www.dcrfan.com
    dcrfan2
    # curl www.dcrfan.com
    dcrfan1
    The alternating answers are the rotation over the two srv A records from step 4.
  27. Flush the DNS caches by running rndc flush on every DNS server, then stop the master DNS service and test again: the slave keeps answering
    # curl www.dcrfan.com
    dcrfan2
    # curl www.dcrfan.com
    dcrfan2
    # curl www.dcrfan.com
    dcrfan1
    The slave serves its copy only until the SOA expire time (1W) passes without it reaching the master; after that it stops answering for the zone.
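The maintenance step the procedure above leaves implicit, as an added shell example that is not part of the original post: steps 4 and 9 only stay in sync if the SOA serial in dcrfan.com.zone is raised on every edit, because the slave compares serials before pulling. The script works on a constructed copy of the post's zone file, reads the serial, rewrites it in the YYYYMMDDnn convention (or old+1 when that would not be larger), and runs named-checkzone when it is installed. The function names and the date argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: bump the SOA serial of a BIND
# zone file so that the slave (step 9) pulls the new copy. The zone below is
# a constructed copy of the post's dcrfan.com.zone; function names are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ZONE="$WORK/dcrfan.com.zone"

write_zone() {
  cat > "$1" <<'EOF'
$TTL 1D
@       IN SOA  dns1.dcrfan.com. admin.dcrfan.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns1
        NS      dns2
dns1    A       192.168.0.112
dns2    A       192.168.0.113
srv     A       192.168.0.116
srv     A       192.168.0.117
www     CNAME   srv
EOF
}

# Print the SOA serial: the first integer token after the "(" that opens the
# SOA parameter list. Comments (";") are ignored.
get_serial() {
  awk '
    { sub(/;.*/, "") }
    /[ \t]SOA[ \t]/ { insoa = 1 }
    insoa {
      for (i = 1; i <= NF; i++) {
        if (!open && index($i, "(")) { open = 1; sub(/.*\(/, "", $i) }
        if (open && $i ~ /^[0-9]+$/) { print $i; exit }
      }
    }' "$1"
}

# Rewrite the serial in place. New value is YYYYMMDD01 for the given day
# (default: today, UTC); if the old serial is already >= that, use old+1 so
# the value always grows (serials are unsigned 32-bit, compared modulo 2^32).
bump_serial() {
  zone="$1"; day="${2:-$(date -u +%Y%m%d)}"
  old=$(get_serial "$zone")
  new="${day}01"
  [ "$old" -lt "$new" ] || new=$((old + 1))
  awk -v old="$old" -v new="$new" '
    function fix(line, start,    rest, pre, mid, post) {
      rest = substr(line, start)
      if (!match(rest, "(^|[ \t(])" old "([ \t);]|$)")) return line
      pre = substr(rest, 1, RSTART - 1); mid = substr(rest, RSTART, RLENGTH)
      post = substr(rest, RSTART + RLENGTH)
      sub(old, new, mid)
      return substr(line, 1, start - 1) pre mid post
    }
    /[ \t]SOA[ \t]/ { insoa = 1 }
    insoa && !done {
      line = $0; sub(/;.*/, "", line); n = split(line, t)
      for (i = 1; i <= n && !done; i++) {
        if (!open && index(t[i], "(")) { open = 1; sub(/.*\(/, "", t[i]) }
        if (open && t[i] == old) { p = index($0, "("); $0 = fix($0, p ? p : 1); done = 1 }
      }
    }
    { print }' "$zone" > "$zone.tmp" && mv "$zone.tmp" "$zone"
  echo "$new"
}

# Syntax check with BIND's own tool when it is available (bind-utils on
# CentOS); otherwise say so instead of failing.
check_zone() {
  if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone "$1" "$2"
  else
    echo "named-checkzone not installed; skipping syntax check of $2"
  fi
}

write_zone "$ZONE"
echo "serial before: $(get_serial "$ZONE")"
echo "serial after:  $(bump_serial "$ZONE" 20190110)"   # 2019011001
echo "serial after:  $(bump_serial "$ZONE" 20190110)"   # 2019011002, same day again
check_zone dcrfan.com "$ZONE"
```

After the bump, "rndc reload dcrfan.com" on the master makes named re-read the file and send NOTIFY to the slave, which then compares serials and transfers; a slave whose serial is already equal or higher ignores the notify, which is exactly the silent failure a forgotten bump produces.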

4. DNSPod record types

  1. A DNSPod record usually has these fields: host record, record type, line type, record value, MX priority and TTL
    Host record:
    www means the resolved name is www.<domain>
    @ means the bare domain itself
    * means a wildcard entry that covers every otherwise undefined name under the domain (*.<domain>)
  2. Record type
    A record: maps a name to an IPv4 address; use an A record when a name must point at an IP address
    CNAME (alias): points a name at another name, which in turn supplies the address. A name that has a CNAME may carry no other records, so a CNAME cannot be used at the zone apex (@)
    TXT: free-form text, each string limited to 255 bytes. Most TXT records carry SPF data (anti-spam)
    NS: name server record; use it to delegate a subdomain to other DNS servers
    AAAA: the IPv6 counterpart of the A record
    MX: mail exchanger record; names the server that receives mail for the domain
    Explicit URL: a 301 redirect from one address to another (note: DNSPod only supports 301 redirects for this type)
    Implicit URL: like the explicit URL record, except that the domain shown in the browser's address bar does not change. Neither URL type is real DNS; the provider implements them with an HTTP redirect service
    SRV: records which host provides which service. The name has the form _service._proto.name (for example _sip._tcp.dcrfan.com) and the value carries priority, weight, port and target host
  3. Record value:
    A record: the IP address
    CNAME: the target domain name
    MX: the mail server's host name, never an IP address; the host name itself needs an A/AAAA record and must not be a CNAME
    NS: the DNS server's host name (paired with an A record that gives its address, i.e. glue)
  4. MX records additionally carry an MX priority value; the lowest number is tried first
