Self-Signed Certificates and DNS Server Setup
1. TLS link communication
TLS (Transport Layer Security) is the secure transport protocol that sits between the application layer and the transport layer; it is what HTTPS, FTPS and similar protocols run over.
Rough HTTPS flow (client A, server B):
A ----> B : connection request
A <---- B : B sends its certificate, i.e. B's public key encrypted (signed) with the CA's private key
A         : uses the CA's public key to open the certificate and obtain B's public key
A         : generates a symmetric key and encrypts it with B's public key
A ----> B : the encrypted symmetric key
B         : decrypts it with its own private key and obtains the symmetric key
A <---> B : all further traffic between A and B is encrypted with the symmetric key
2. Self-signed certificates
Set up a private CA for self-signing.
- Install openssl
- Generate the CA private key
[[email protected] ~]# (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.................................................................................................+++
..........+++
e is 65537 (0x10001)
Note: the generated file must match what the /etc/pki/tls/openssl.cnf configuration defines:
dir = /etc/pki/CA # Where everything is kept
private_key = $dir/private/cakey.pem # The private key
The umask 066 also gives the generated key file mode 600.
- The CA server self-signs a certificate with its own private key
[[email protected] ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7200 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:nvliu
Organizational Unit Name (eg, section) []:dcrfan
Common Name (eg, your name or your server's hostname) []:centos7
Email Address []:
Note: the generated file must match what the /etc/pki/tls/openssl.cnf configuration defines:
certificate = $dir/cacert.pem # The CA certificate
Fill in the country, province and other fields as prompted.
- Copy the certificate to a Windows client and add it as trusted
- Rename the file extension to .cer
- Open the certificate; it shows as not trusted, so click Install Certificate
- Choose where the certificate is to be stored
- Select Trusted Root Certification Authorities
- Click Yes to confirm the installation
- Open the certificate again: it is now trusted by the system
- Generate a key on the application server and place it in the directory of the application that will use it
[[email protected] ~]# (umask 066; openssl genrsa -out /data/app.key 2048)
Generating RSA private key, 2048 bit long modulus
............................................+++
........................+++
e is 65537 (0x10001)
Here too the umask 066 gives the generated key file mode 600.
- Generate a certificate signing request on the application server, then upload it to the CA server
[[email protected] ~]# openssl req -new -key /data/app.key -out /data/app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:nvliu
Organizational Unit Name (eg, section) []:dcrfan1
Common Name (eg, your name or your server's hostname) []:centos7.1
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- Create two files by hand on the CA server
[[email protected] ~]# echo 01 > /etc/pki/CA/serial
[[email protected] ~]# touch /etc/pki/CA/index.txt
Both locations are defined in /etc/pki/tls/openssl.cnf:
database = $dir/index.txt # database index file.
serial = $dir/serial # The current serial number
- On the CA server, approve the request just received from the application server and issue the certificate
[[email protected] ~]# openssl ca -in /data/app.csr -out /etc/pki/CA/certs/app.crt -days 160
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan  8 11:23:04 2019 GMT
            Not After : Jun 17 11:23:04 2019 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = gd
            organizationName          = nvliu
            organizationalUnitName    = dcrfan1
            commonName                = centos7.1
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2C:54:95:C8:30:80:97:89:7E:4A:40:50:F9:64:CB:2F:2E:D9:97:EA
            X509v3 Authority Key Identifier:
                keyid:48:8F:FB:78:84:50:F0:B0:AB:6F:2C:10:B6:03:9F:21:03:03:20:70
Certificate is to be certified until Jun 17 11:23:04 2019 GMT (160 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Note: the generated file must match what the /etc/pki/tls/openssl.cnf configuration defines:
certs = $dir/certs # Where the issued certs are kept
- Copy the generated app.crt back to the application server for use
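The post warns three times that the CA's files must match what /etc/pki/tls/openssl.cnf defines under [ CA_default ]. The following is an added example, not code from the post: it parses that section, expands $dir, and reports missing files and a CA private key whose mode is not the 0600 that umask 066 produces. The function names and the build_sample_ca helper, which recreates the post's CA layout in a directory of your choice, are this example's own.

```python
# Added example, not from the original post: check that a private CA's files match
# the [ CA_default ] section of openssl.cnf and that the CA key kept mode 0600.
import os
import re
import stat

CA_KEYS = ("private_key", "certificate", "database", "serial", "certs")


def parse_ca_default(cnf_text):
    """Return [ CA_default ] key/value pairs with $dir (and other $names) expanded."""
    values, in_section = {}, False
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()                  # openssl.cnf uses # comments
        m = re.match(r"\[\s*(\S+)\s*\]", line)
        if m:
            in_section = m.group(1) == "CA_default"
        elif in_section and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            values[key] = re.sub(r"\$(\w+)", lambda v: values.get(v.group(1), v.group(0)), val)
    return values


def check_ca_layout(cnf_text):
    """Return a list of problems; an empty list means the CA tree matches the config."""
    cfg, problems = parse_ca_default(cnf_text), []
    for key in CA_KEYS:
        path = cfg.get(key)
        if path is None:
            problems.append("%s is not defined in [ CA_default ]" % key)
        elif not os.path.exists(path):
            problems.append("%s: %s does not exist" % (key, path))
    key_path = cfg.get("private_key")
    if key_path and os.path.exists(key_path):
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if mode & 0o077:                                     # group/other bits set
            problems.append("private_key mode is %o, expected 0600" % mode)
    return problems


def build_sample_ca(root):
    """Create the post's CA layout under root and return a matching openssl.cnf text."""
    os.makedirs(os.path.join(root, "private"))
    os.makedirs(os.path.join(root, "certs"))
    for name in ("private/cakey.pem", "cacert.pem", "index.txt", "serial"):
        open(os.path.join(root, name), "w").close()
    os.chmod(os.path.join(root, "private", "cakey.pem"), 0o600)   # (umask 066; openssl genrsa)
    return ("[ CA_default ]\ndir = %s # Where everything is kept\ncerts = $dir/certs\n"
            "database = $dir/index.txt\nserial = $dir/serial\ncertificate = $dir/cacert.pem\n"
            "private_key = $dir/private/cakey.pem# The private key\n") % root
```

Point check_ca_layout at the real /etc/pki/tls/openssl.cnf contents to audit an existing CA; build_sample_ca only exists to exercise the checker on a throwaway tree.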
3. Building a DNS architecture
The lab uses 8 machines:
192.168.0.108 remote client
192.168.0.109 caching DNS server
192.168.0.112 dcrfan.com master DNS server
192.168.0.113 dcrfan.com slave DNS server
192.168.0.114 com DNS server
192.168.0.115 root DNS server
192.168.0.116 web server
192.168.0.117 web server
- First set up the master DNS server 192.168.0.112 and install the bind service
- Edit the main configuration file /etc/named.conf
options {
    //listen-on port 53 { 127.0.0.1; };    # comment out this line so named listens on port 53 on the server's own IP
    allow-query { 192.168.0.0/24; };       # change this line: only this subnet may query the server
    allow-transfer { 192.168.0.113; };     # add this line: only the slave DNS server may pull zone data
};
- Edit the zone file /etc/named.rfc1912.zones and add a zone for resolving the dcrfan.com domain
zone "dcrfan.com" IN {
    type master;                 # this server is the master for the zone
    file "dcrfan.com.zone";      # location of the zone data file
};
- Add the zone data file dcrfan.com.zone under /var/named; mind the permissions so that the named account can read it
-rw-r-----. 1 root named 152 Jun 21 2007 dcrfan.com.zone
$TTL 1D                 ; default TTL (the 86400 s TTLs in the dig output below come from this)
@       IN SOA  dns1.dcrfan.com. admin.dcrfan.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      dns1
        NS      dns2
dns1    A       192.168.0.112
dns2    A       192.168.0.113
srv     A       192.168.0.116
srv     A       192.168.0.117
www     CNAME   srv
- Start the service and test with dig from the remote client
[[email protected] ~]# dig www.dcrfan.com @192.168.0.112
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.112
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60001
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.dcrfan.com.                IN      A
;; ANSWER SECTION:
www.dcrfan.com.         86400   IN      CNAME   srv.dcrfan.com.
srv.dcrfan.com.         86400   IN      A       192.168.0.117
srv.dcrfan.com.         86400   IN      A       192.168.0.116
;; AUTHORITY SECTION:
dcrfan.com.             86400   IN      NS      dns2.dcrfan.com.
dcrfan.com.             86400   IN      NS      dns1.dcrfan.com.
;; ADDITIONAL SECTION:
dns1.dcrfan.com.        86400   IN      A       192.168.0.112
dns2.dcrfan.com.        86400   IN      A       192.168.0.113
;; Query time: 1 msec
;; SERVER: 192.168.0.112#53(192.168.0.112)
;; WHEN: Thu Jan 10 16:09:29 2019
;; MSG SIZE  rcvd: 152
- Set up the slave DNS server 192.168.0.113 and install the DNS service
- Edit the main configuration file /etc/named.conf
options {
    //listen-on port 53 { 127.0.0.1; };    # comment out this line so named listens on port 53 on the server's own IP
    allow-query { 192.168.0.0/24; };       # change this line: only this subnet may query the server
    allow-transfer { none; };              # add this line: no other DNS server may pull zone data from the slave
};
- Edit the zone file /etc/named.rfc1912.zones and add a zone for resolving the dcrfan.com domain
zone "dcrfan.com" IN {
    type slave;                           # this server is a slave for the zone
    masters { 192.168.0.112; };           # the master DNS server to transfer from
    file "slaves/dcrfan.com.slave.zone";  # where the transferred zone data is stored
};
- Start the DNS service and confirm that the zone data has been synced into the slaves directory
[[email protected] ~]# ll /var/named/slaves/dcrfan.com.slave.zone
-rw-r--r--. 1 named named 371 Jan 10 16:38 /var/named/slaves/dcrfan.com.slave.zone
- Test with dig from the remote client
[[email protected] ~]# dig www.dcrfan.com @192.168.0.113
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.113
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38752
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.dcrfan.com.                IN      A
;; ANSWER SECTION:
www.dcrfan.com.         86400   IN      CNAME   srv.dcrfan.com.
srv.dcrfan.com.         86400   IN      A       192.168.0.117
srv.dcrfan.com.         86400   IN      A       192.168.0.116
;; AUTHORITY SECTION:
dcrfan.com.             86400   IN      NS      dns2.dcrfan.com.
dcrfan.com.             86400   IN      NS      dns1.dcrfan.com.
;; ADDITIONAL SECTION:
dns1.dcrfan.com.        86400   IN      A       192.168.0.112
dns2.dcrfan.com.        86400   IN      A       192.168.0.113
;; Query time: 4 msec
;; SERVER: 192.168.0.113#53(192.168.0.113)
;; WHEN: Thu Jan 10 16:41:18 2019
;; MSG SIZE  rcvd: 152
- Configure the com DNS server 192.168.0.114 and install the DNS service
- Edit the main configuration file /etc/named.conf
options {
    //listen-on port 53 { 127.0.0.1; };    # comment out this line so named listens on port 53 on the server's own IP
    //allow-query { 192.168.0.0/24; };     # comment out this line so any IP may query the server
    dnssec-enable no;
    dnssec-validation no;                  # set both to no
};
- Edit the zone file /etc/named.rfc1912.zones and add a zone for resolving the com domain and handing dcrfan.com off to its servers (using DNS forwarding)
zone "dcrfan.com" IN {
    type forward;
    forward first;
    forwarders { 192.168.0.112; 192.168.0.113; };
};
- Start the service and test with dig from the remote client
[[email protected] ~]# dig www.dcrfan.com @192.168.0.114
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.114
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26492
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.dcrfan.com.                IN      A
;; ANSWER SECTION:
www.dcrfan.com.         86400   IN      CNAME   srv.dcrfan.com.
srv.dcrfan.com.         86400   IN      A       192.168.0.117
srv.dcrfan.com.         86400   IN      A       192.168.0.116
;; AUTHORITY SECTION:
dcrfan.com.             86400   IN      NS      dns2.dcrfan.com.
dcrfan.com.             86400   IN      NS      dns1.dcrfan.com.
;; ADDITIONAL SECTION:
dns1.dcrfan.com.        86400   IN      A       192.168.0.112
dns2.dcrfan.com.        86400   IN      A       192.168.0.113
;; Query time: 14 msec
;; SERVER: 192.168.0.114#53(192.168.0.114)
;; WHEN: Thu Jan 10 17:18:21 2019
;; MSG SIZE  rcvd: 152
The answer is the same as before, but the flags no longer include aa: 192.168.0.114 forwards the query rather than answering authoritatively from its own zone data.
- Configure the root DNS server 192.168.0.115 and install the DNS service
- Edit the main configuration file /etc/named.conf
options {
    //listen-on port 53 { 127.0.0.1; };    # comment out this line so named listens on port 53 on the server's own IP
    //allow-query { 192.168.0.0/24; };     # comment out this line so any IP may query the server
    dnssec-enable no;
    dnssec-validation no;                  # set both to no
};
zone "." IN {                              # delete this root hint zone
    type hint;
    file "named.ca";
};
- Edit the zone file /etc/named.rfc1912.zones and add a zone for resolving the root domain
zone "." IN {
    type master;         # this server is the master for the root zone
    file "root.zone";    # location of the zone data file
};
- Add the zone data file root.zone under /var/named; mind the permissions so that the named account can read it
$TTL 1D
@       IN SOA  dns1. admin. (
                0 1D 1H 1W 3H )
        NS      dns1
com     NS      dns2            ; delegate the com domain to 192.168.0.114
dns1    A       192.168.0.115
dns2    A       192.168.0.114
- Start the service and test with dig from the remote client
[[email protected] ~]# dig www.dcrfan.com @192.168.0.115
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.115
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51669
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.dcrfan.com.                IN      A
;; ANSWER SECTION:
www.dcrfan.com.         84281   IN      CNAME   srv.dcrfan.com.
srv.dcrfan.com.         86400   IN      A       192.168.0.117
srv.dcrfan.com.         86400   IN      A       192.168.0.116
;; AUTHORITY SECTION:
dcrfan.com.             84281   IN      NS      dns2.dcrfan.com.
dcrfan.com.             84281   IN      NS      dns1.dcrfan.com.
;; ADDITIONAL SECTION:
dns1.dcrfan.com.        84281   IN      A       192.168.0.112
dns2.dcrfan.com.        84281   IN      A       192.168.0.113
;; Query time: 14 msec
;; SERVER: 192.168.0.115#53(192.168.0.115)
;; WHEN: Thu Jan 10 17:53:40 2019
;; MSG SIZE  rcvd: 152
- Configure the caching server 192.168.0.108 and install the named service
- Edit the main configuration file /etc/named.conf
options {
    //listen-on port 53 { 127.0.0.1; };    # comment out this line so named listens on port 53 on the server's own IP
    //allow-query { 192.168.0.0/24; };     # comment out this line so any IP may query the server
    dnssec-enable no;
    dnssec-validation no;                  # set both to no
};
- Edit the named.ca file so that its root hint points at the root server we built, 192.168.0.115
.                       518400  IN  NS  a.root-servers.net.
a.root-servers.net.     3600000 IN  A   192.168.0.115
- Start the service and test with dig from the remote client
[[email protected] ~]# dig www.dcrfan.com @192.168.0.109
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.109
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41909
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.dcrfan.com.                IN      A
;; ANSWER SECTION:
www.dcrfan.com.         83143   IN      CNAME   srv.dcrfan.com.
srv.dcrfan.com.         86400   IN      A       192.168.0.116
srv.dcrfan.com.         86400   IN      A       192.168.0.117
;; AUTHORITY SECTION:
dcrfan.com.             83143   IN      NS      dns1.dcrfan.com.
dcrfan.com.             83143   IN      NS      dns2.dcrfan.com.
;; ADDITIONAL SECTION:
dns2.dcrfan.com.        83143   IN      A       192.168.0.113
dns1.dcrfan.com.        83143   IN      A       192.168.0.112
;; Query time: 16 msec
;; SERVER: 192.168.0.109#53(192.168.0.109)
;; WHEN: Thu Jan 10 18:12:37 2019
;; MSG SIZE  rcvd: 152
- Then set up the two web servers for testing: install httpd on each, change the home page, and start the service
On 192.168.0.116: echo dcrfan1 > /var/www/html/index.html
On 192.168.0.117: echo dcrfan2 > /var/www/html/index.html
- Access each server by IP as usual
[[email protected] ~]# curl 192.168.0.116
dcrfan1
[[email protected] ~]# curl 192.168.0.117
dcrfan2
- Point the client's DNS at the caching DNS server 192.168.0.109
Add DNS1=192.168.0.109 to the network interface configuration, restart the network service and test:
[[email protected] ~]# curl www.dcrfan.com
dcrfan2
[[email protected] ~]# curl www.dcrfan.com
dcrfan1
- Flush the DNS caches by running the rndc flush command on each DNS server
Stop the master DNS service and keep testing; the slave server keeps serving the zone:
[[email protected] ~]# curl www.dcrfan.com
dcrfan2
[[email protected] ~]# curl www.dcrfan.com
dcrfan2
[[email protected] ~]# curl www.dcrfan.com
dcrfan1
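As an added example, not part of the original post, the following lints a zone file in the dialect used by dcrfan.com.zone and root.zone above: it catches a CNAME that shares a name with other records and in-zone NS names without an A (glue) record, two mistakes that let a zone load yet break resolution. SAMPLE_ZONE is constructed from the post's dcrfan.com records; the function names are this example's own.

```python
# Added example, not from the original post: lint a BIND zone file in the dialect
# the post's dcrfan.com.zone and root.zone use (owner inheritance, ( ) continuation).
import re

SAMPLE_ZONE = """\
$TTL 1D
@       IN SOA  dns1.dcrfan.com. admin.dcrfan.com. (
                0 1D 1H 1W 3H )   ; serial refresh retry expire minimum
        NS      dns1
        NS      dns2
dns1    A       192.168.0.112
dns2    A       192.168.0.113
srv     A       192.168.0.116
srv     A       192.168.0.117
www     CNAME   srv
"""                                                   # constructed from the post
TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT", "PTR", "SRV"}


def absolute(name, origin):
    if name == "@" or name.endswith("."):             # apex, or already absolute
        return origin if name == "@" else name
    return name + "." if origin == "." else name + "." + origin


def parse_zone(text, origin):
    """Return (owner, type, rdata) triples with absolute owner names."""
    text = re.sub(r";[^\n]*", "", text)                      # drop ; comments
    text = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0)[1:-1].split()), text)
    records, owner = [], origin
    for line in [l for l in text.splitlines() if l.strip() and not l.startswith("$")]:
        fields = line.split()
        if line[0] not in " \t":                             # a leading blank reuses the owner
            owner = absolute(fields.pop(0), origin)
        while fields[0] not in TYPES:                        # skip optional TTL and class
            fields.pop(0)
        records.append((owner, fields[0], fields[1:]))
    return records


def lint_zone(text, origin):
    """Return a list of problems; an empty list means the zone passed."""
    records, types_at = parse_zone(text, origin), {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    problems = ["%s has CNAME plus %s" % (o, sorted(t - {"CNAME"}))
                for o, t in types_at.items() if "CNAME" in t and len(t) > 1]
    for _, rtype, rdata in records:
        target = absolute(rdata[0], origin) if rtype == "NS" else ""
        if target and (origin == "." or target.endswith("." + origin)) \
                and "A" not in types_at.get(target, ()):
            problems.append("NS %s has no A (glue) record" % target)
    return problems
```

Run lint_zone on /var/named/dcrfan.com.zone with origin "dcrfan.com." (or on root.zone with origin ".") before reloading named; it complements named-checkzone rather than replacing it.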
4. DNSPod record types
- A DNSPod record generally has a host record, a record type, a line type, a record value, an MX priority and a TTL
Host record:
www means the record resolves the name www.<domain>
@ means the bare domain itself is resolved
* means wildcard resolution, i.e. *.<domain>
- Record type
A record: specifies the domain's IPv4 address; use an A record when a name should point to an IP address
CNAME (alias): use a CNAME record when a name should point to another domain name, which in turn supplies the IP address
TXT: can hold anything, limited to 255 characters; the vast majority of TXT records are SPF records (anti-spam)
NS: name server record; add an NS record when a subdomain is to be resolved by other DNS servers
AAAA: the IPv6 counterpart of an A record
MX: add an MX record to set the mail server for the domain
Explicit URL: add an explicit URL record when one address should 301-redirect to another (note: DNSPod currently only supports 301 redirects)
Implicit URL: like an explicit URL record, except that the domain shown in the address bar does not change
SRV: records which host provides which service; the format is service name, dot, protocol type
- Record value:
A record: the corresponding IP address
CNAME: the aliased domain name
MX: the mail server's IP address
NS: the DNS server's domain name (combined with an A record to supply its IP address)
- MX records additionally carry an MX priority value