#acme #letsencrypt #dnssec #tlsa #dane

app trust-acme

Manage certificates. DNS challenges and TLSA records via Trust-DNS.

1 unstable release

0.1.0 Mar 1, 2019

#1378 in Cryptography

MIT/Apache

45KB
948

Not used yet

Trust-ACME can order and manage certificates. DNS challenges and DANE are done via Trust-DNS.

The user's trust should rest on strong defaults and a small set of carefully chosen dependencies.

Right now it only reads its configuration file and orders all configured certificates, with no further logic.

TODO

  • Verify that this tutorial actually works
  • Clean up the code
  • Reload services only after all certificates have been processed
  • Better error handling
  • Reintroduce (some) tests
  • Reuse the TCP connection to Trust-DNS
  • Order URLs should be stored in certs/example.com.txt so that validity/revocation status can be checked on every run.
  • example.com_next.crt should be ordered 7 days before regular expiry to allow a smooth TLSA transition. Revocation would still hurt.
  • Option to provide a manually generated RSA key for postfix
  • Clean up certificates/keys that are no longer in the config file
  • Command line arguments
  • Have a Trust-DNS system service that provides DNS-over-TLS
  • Rethink the folder structure and everything else

Non-goals

  • Dependency horror
  • Using OpenSSL
  • Insecure HTTP challenges
  • Hard-to-read code

How to test

First we set up a Trust-DNS server. Warning: this configuration is personal taste.

# curl https://sh.rustup.rs -sSf | sh
# source $HOME/.cargo/env
# cargo install kt -f
# cargo install trust-dns-server --git https://github.com/bluejekyll/trust-dns --features dnssec-ring -f
# mkdir /etc/trust-dns; mkdir /etc/trust-dns/zones; mkdir /etc/trust-dns/keys
# kt generate ed25519 --out /etc/trust-dns/keys/dns_auth.pk8
# kt generate p384 --out /etc/trust-dns/keys/example.com.pk8

nano /etc/trust-dns/config.toml

listen_addrs_ipv4 = ["your public ipv4 address"]
listen_addrs_ipv6 = ["::1", "your public ipv6 address"]
listen_port = 53

[[zones]]
zone = "example.com"
zone_type = "Master"
enable_dnssec = true
stores = { type = "sqlite", zone_file_path = "example.com", journal_file_path = "example.com.jrnl", allow_update = true }
keys = [{key_path="keys/example.com.pk8", algorithm="ECDSAP384SHA384", is_zone_signing_key=true}, {key_path="keys/dns_auth.pk8", algorithm="ED25519", is_zone_update_auth=true}]

(The official examples don't use inline tables for keys; I just prefer a compact zone configuration.)

nano /etc/trust-dns/zones/example.com

@ 86400 IN SOA ns1.example.com. hostmaster.example.com. (
  201903010 ; Serial
  3600      ; Refresh
  600       ; Retry
  86400     ; Expire
  600)      ; Negative TTL
@ 86400 IN NS ns1.example.com.
@ 86400 IN NS ns2.example.com.
@ 86400 IN MX 5 mail.example.com.
@ 86400 IN TXT "v=spf1 mx -all"
@ 86400 IN CAA 0 issue "letsencrypt.org; validationmethods=dns-01"
@ 86400 IN CAA 0 iodef "mailto:[email protected]"
@ 86400 IN AAAA ::1
www 86400 IN AAAA ::1
www 86400 IN MX 0 .
ns1 86400 IN AAAA ::1
ns1 86400 IN A 127.0.0.1
ns1 86400 IN MX 0 .
ns2 86400 IN AAAA ::1
ns2 86400 IN A 127.0.0.1
ns2 86400 IN MX 0 .
mail 86400 IN AAAA ::1
mail 86400 IN A 127.0.0.1

Let's see how it goes

# cd /etc/trust-dns; named --config /etc/trust-dns/config.toml --zonedir /etc/trust-dns/zones

As long as we don't have a proper system service

# cat << EOF > /root/trust-dns.sh
#!/bin/bash
cd /etc/trust-dns; screen -dmS trust-dns named --config /etc/trust-dns/config.toml --zonedir /etc/trust-dns/zones
EOF
# chmod +x /root/trust-dns.sh

How do you get the DNSKEY so that DNSSEC actually works?

$ dig DNSKEY example.com @trust-dns-server-ip +short +nosplit

Just want to try this on a subdomain of your zone and need to generate the DS record? Use https://filippo.io/dnskey-to-ds/

Go ahead and install trust-acme

# cargo install trust-acme -f
# mkdir /etc/trust-acme; mkdir /etc/trust-acme/certs
# kt generate p384 --out /etc/trust-acme/letsencrypt_account.pk8

nano /etc/trust-acme/config.toml

[ca.letsencrypt]
directory = "https://acme-staging-v02.api.letsencrypt.org/directory"
account_key = "/etc/trust-acme/letsencrypt_account.pk8"
account_email = "[email protected]"

[trustdns.default]
server = "[::1]:53"
auth_key = "/etc/trust-dns/keys/dns_auth.pk8"

[[cert]]
zone = "example.com"
# whether there should be an additional openssl-style pem key (example.com.key)
pem_key = true
reload = ["nginx"]
san = [
    { name = "example.com", tcp = [443] },
    { name = "www.example.com", tcp = [443] },
]

#[[cert]]
#zone = "example.com"
#reload = ["trust-dns"]
#
#[[cert.san]]
#name = "ns.example.com"
#tcp = [853]
#udp = [853]

If you comment out `directory`, the real Let's Encrypt is used. To keep the TLSA records simple, SAN entries from different zones are currently not possible. At the moment only ECDSA P-384 certificates are supported.

To order, just run
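To make the TLSA side concrete, here is an added example (Python, not trust-acme's own Rust code) that builds the TLSA RRset for the san entries of the [[cert]] above and shows why the next key is published alongside the current one during the transition mentioned in the TODO list. It assumes the common DANE-EE/SPKI/SHA-256 parameters (3 1 1), which the page does not state, and uses constructed placeholder bytes where the DER SubjectPublicKeyInfo of the issued certificates would go.

```python
import hashlib
from typing import List, Optional

# Assumed TLSA parameters (the page does not state which ones trust-acme publishes):
# usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256.
DANE_EE, SPKI, SHA256 = 3, 1, 1


def tlsa_owner(name: str, port: int, proto: str = "tcp") -> str:
    """Owner name of a TLSA record: _<port>._<proto>.<host>. (fully qualified)."""
    return f"_{port}._{proto}.{name}."


def tlsa_rdata(spki_der: bytes) -> str:
    """Presentation-format RDATA of a '3 1 1' record over the DER-encoded SPKI."""
    return f"{DANE_EE} {SPKI} {SHA256} {hashlib.sha256(spki_der).hexdigest()}"


def tlsa_rrset(san: list, spki_current: bytes, spki_next: Optional[bytes] = None,
               ttl: int = 3600) -> List[str]:
    """Zone-file lines for every (name, tcp port) pair of a [[cert]] san list.

    During a rollover the record for the next key is published next to the
    current one, so a resolver still holding the old RRset accepts the new
    certificate once it is deployed (the TLSA transition from the TODO list)."""
    keys = [spki_current] + ([spki_next] if spki_next is not None else [])
    lines = []
    for entry in san:
        for port in entry.get("tcp", []):
            for spki in keys:
                lines.append(f"{tlsa_owner(entry['name'], port)} {ttl} IN TLSA {tlsa_rdata(spki)}")
    return lines


def dane_ee_matches(presented_spki: bytes, published: List[str]) -> bool:
    """DANE-EE check a validating client performs: the presented certificate's
    SPKI digest must equal the RDATA of at least one published TLSA record."""
    want = tlsa_rdata(presented_spki)
    return any(line.split(" IN TLSA ", 1)[1] == want for line in published)


# Constructed sample input: the san list from the config above and two
# placeholder SPKI blobs standing in for the current and next certificate keys.
SAN = [{"name": "example.com", "tcp": [443]}, {"name": "www.example.com", "tcp": [443]}]
SPKI_CURRENT = b"constructed SPKI of example.com.crt"
SPKI_NEXT = b"constructed SPKI of example.com_next.crt"

if __name__ == "__main__":
    for line in tlsa_rrset(SAN, SPKI_CURRENT, SPKI_NEXT):
        print(line)
```

Because a 3 1 1 record covers only the public key, a certificate renewed with the same key leaves the RRset unchanged; the two-record window is only needed when the key changes.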

# trust-acme

The first SAN entry of a certificate is used as its file name

Certificate path: /etc/trust-acme/certs/example.com.crt
Key path (Rustls): /etc/trust-acme/certs/example.com.pk8
Key path (OpenSSL): /etc/trust-acme/certs/example.com.key

Dependencies

~33MB
~748K SLoC