Saturday, April 30, 2022

Notes on requesting an SSL certificate with certbot on openSUSE Leap 15.3 in GCP


OS: openSUSE Leap 15.3 in GCP ( Preemptible )

DNS provider: gandi.net


The last time I wrote this article was 2020/9


Today I tested again using certbot, an ACME client, to request a Let's Encrypt certificate.

  • Because I want to use certbot with DNS validation to obtain the certificate and later put it on the GCP Load Balancer, I created a Preemptible GCE instance in GCP to obtain it; the nice thing about Preemptible is that it is cheap :)


Let's Encrypt official Getting Started page


See the Certbot documentation for openSUSE Leap 15 with nginx




First, log in to the openSUSE Leap 15.3 instance in GCP

  • Since this is a lab document and the Preemptible instance will not live longer than 24 hours, I switch to root first

    • > sudo su -


To install the certbot package, snapd is now required


See the snapd installation page


Add the repository

# zypper  addrepo  --refresh  https://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_15.3  snappy


Import the GPG key

# zypper  --gpg-auto-import-keys  refresh


Retrieving repository 'Update repository of openSUSE Backports' metadata .[done]

Building repository 'Update repository of openSUSE Backports' cache ......[done]

Retrieving repository 'Debug Repository' metadata ........................[done]

Building repository 'Debug Repository' cache .............................[done]

Retrieving repository 'Update Repository (Debug)' metadata ...............[done]

Building repository 'Update Repository (Debug)' cache ....................[done]

Retrieving repository 'Non-OSS Repository' metadata ......................[done]

Building repository 'Non-OSS Repository' cache ...........................[done]

Retrieving repository 'Main Repository' metadata .........................[done]

Building repository 'Main Repository' cache ..............................[done]

Retrieving repository 'Update repository with updates from SUSE Linux Ente[done]

Building repository 'Update repository with updates from SUSE Linux Enterpris[-]


  • Lately, refreshing the SUSE Linux Enterprise update repository can take quite a while; it really depends on the time of day QQ


# zypper  dup  --from  snappy


Loading repository data...

Reading installed packages...

Computing distribution upgrade...

Nothing to do.


Install snapd

# zypper  install  -y  snapd


Set snapd to start at boot (not actually needed in my case, but noting it anyway)


# systemctl  enable --now  snapd


Created symlink /etc/systemd/system/multi-user.target.wants/snapd.service → /usr/lib/systemd/system/snapd.service.


On openSUSE Leap 15.3 and Tumbleweed, the following command also has to be run


# systemctl  enable --now  snapd.apparmor


Created symlink /etc/systemd/system/multi-user.target.wants/snapd.apparmor.service → /usr/lib/systemd/system/snapd.apparmor.service.


Next, make sure snapd is up to date


# snap  install  core;  snap  refresh  core


2022-04-30T14:38:36Z INFO Waiting for automatic snapd restart...

Warning: /snap/bin was not found in your $PATH. If you've not restarted your

         session since you installed snapd, try doing that. Please see

         https://forum.snapcraft.io/t/9469 for more details.


core 16-2.54.4 from Canonical* installed

snap "core" has no updates available



Next, install Certbot

# snap  install  --classic  certbot


Warning: /snap/bin was not found in your $PATH. If you've not restarted your

         session since you installed snapd, try doing that. Please see

         https://forum.snapcraft.io/t/9469 for more details.


certbot 1.26.0 from Certbot Project (certbot-eff*) installed


Fix the command path mentioned in the warning above

# ln  -s  /snap/bin/certbot  /usr/bin/certbot


Since the goal today is to request an SSL certificate through certbot, I run it in certonly mode


# certbot  certonly  --manual  --preferred-challenges=dns  -d   *.ines.tw


Saving debug log to /var/log/letsencrypt/letsencrypt.log

Enter email address (used for urgent renewal and security notices)

 (Enter 'c' to cancel):  sakana@study-area.org (contact email)


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must

agree in order to register with the ACME server. Do you agree?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: Y (agree to the terms)


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let's Encrypt project and the non-profit

organization that develops Certbot? We'd like to send you email about our work

encrypting the web, EFF news, campaigns, and ways to support digital freedom.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: Y (agree to share the email address; this is up to you)

Account registered.

Requesting a certificate for *.ines.tw


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please deploy a DNS TXT record under the name:


_acme-challenge.ines.tw.


with the following value:


pGNqhluMQ3u-ejpPOMOdUG-ZO2gPrptWzyGmxYNyKpA


Before continuing, verify the TXT record has been deployed. Depending on the DNS

provider, this may take some time, from a few seconds to multiple minutes. You can

check if it has finished deploying with aid of online tools, such as the Google

Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.ines.tw.

Look for one or more bolded line(s) below the line ';ANSWER'. It should show the

value(s) you've just added.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Press Enter to Continue (before pressing Enter, make sure the TXT record has been created at the DNS provider, with the value shown above as its value)


Successfully received certificate.

Certificate is saved at: /etc/letsencrypt/live/ines.tw/fullchain.pem

Key is saved at:         /etc/letsencrypt/live/ines.tw/privkey.pem

This certificate expires on 2022-07-29.

These files will be updated when the certificate renews.


NEXT STEPS:

- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

If you like Certbot, please consider supporting our work by:

 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

 * Donating to EFF:                    https://eff.org/donate-le

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


  • certonly: only request the certificate

  • --manual: manual mode

  • --preferred-challenges=dns

    • validate using DNS

  • -d   *.ines.tw

    • the domain name to request the certificate for

  • The certificate files are stored under /etc/letsencrypt/live/your-domain

  • Each issuance is valid for 90 days
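The NEXT STEPS note in the certbot output above says that a certificate obtained with --manual is not renewed automatically unless an authentication hook script (--manual-auth-hook) publishes the TXT record on certbot's behalf. The script below is an added example and is not code from the original post or from the certbot project: it publishes the _acme-challenge record and then performs the "verify the TXT record has been deployed" check against the zone's authoritative nameservers before handing control back to certbot. Everything provider-specific is an assumption: the Gandi LiveDNS v5 endpoint and Apikey header (the page names gandi.net as the DNS provider but shows no API use, so check Gandi's current API documentation), the GANDI_API_KEY variable, the hypothetical helper names, the rule that the zone is the last two labels of the name, and that `dig` is installed on the host running certbot.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): a certbot --manual-auth-hook for the
DNS-01 challenge. certbot runs it with CERTBOT_DOMAIN and CERTBOT_VALIDATION set;
the hook publishes the _acme-challenge TXT record and returns only when every
authoritative nameserver serves it, i.e. the manual 'verify the TXT record has
been deployed' step, automated. Called with the argument 'cleanup' it removes the
record again (for --manual-cleanup-hook).

Assumptions, none of which are on the page: the zone is hosted on Gandi LiveDNS and
the URL/header shape follows Gandi's v5 API docs (check them before use), the API
key is read from GANDI_API_KEY, the registrable zone is the last two labels of the
name, and `dig` is installed on the machine running certbot."""
import json
import os
import subprocess
import sys
import time
import urllib.request

API = "https://api.gandi.net/v5/livedns/domains/%s/records/%s/TXT"  # assumed shape


def base_name(domain):
    """A wildcard *.ines.tw is validated at the base name ines.tw."""
    return domain[2:] if domain.startswith("*.") else domain


def challenge_name(domain):
    return "_acme-challenge." + base_name(domain)


def zone_and_rrset(domain):
    """Split into the LiveDNS zone (assumed: last two labels) and relative rrset name."""
    labels = base_name(domain).split(".")
    return ".".join(labels[-2:]), ".".join(["_acme-challenge"] + labels[:-2])


def build_livedns_request(zone, rrset, value, api_key, ttl=300):
    """PUT that replaces the TXT rrset. A short TTL keeps a stale token from
    lingering in resolver caches once the challenge is over."""
    headers = {"Authorization": "Apikey " + api_key, "Content-Type": "application/json"}
    body = json.dumps({"rrset_ttl": ttl, "rrset_values": [value]}).encode()
    return API % (zone, rrset), headers, body


def send(method, zone, rrset, value, api_key):
    """PUT publishes the record, DELETE removes the whole TXT rrset."""
    url, headers, body = build_livedns_request(zone, rrset, value, api_key)
    req = urllib.request.Request(url, data=body if method == "PUT" else None,
                                 headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def txt_values_from_dig(output):
    """Parse `dig +short TXT` output: one record per line; dig splits long records
    into several quoted strings ("abc" "def") that are joined back together."""
    return ["".join(line.split('"')[1::2])
            for line in output.splitlines() if line.startswith('"')]


def dig_short(name, rtype, server=None):
    cmd = ["dig", "+short", rtype, name] + (["@" + server] if server else [])
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def record_visible_everywhere(zone, fqdn, expected):
    """Ask each authoritative server directly: the local resolver may hold a cached
    negative answer from an earlier lookup and keep reporting the record as missing."""
    servers = [s.rstrip(".") for s in dig_short(zone, "NS").split()]
    return bool(servers) and all(
        expected in txt_values_from_dig(dig_short(fqdn, "TXT", s)) for s in servers)


def main(argv):
    domain, token = os.environ["CERTBOT_DOMAIN"], os.environ["CERTBOT_VALIDATION"]
    api_key = os.environ["GANDI_API_KEY"]
    zone, rrset = zone_and_rrset(domain)
    if argv[1:] == ["cleanup"]:
        send("DELETE", zone, rrset, token, api_key)
        return 0
    send("PUT", zone, rrset, token, api_key)
    deadline = time.time() + 600  # allow the provider up to ten minutes to propagate
    while time.time() < deadline:
        if record_visible_everywhere(zone, challenge_name(domain), token):
            return 0
        time.sleep(15)
    print("TXT record not yet visible on all authoritative servers", file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the hook in place the request becomes `certbot certonly --manual --preferred-challenges=dns --manual-auth-hook /root/gandi_hook.py --manual-cleanup-hook '/root/gandi_hook.py cleanup' -d '*.ines.tw'`, and since certbot records the hook in the renewal configuration, `certbot renew` can later renew it without the interactive prompt. Two caveats: requesting both ines.tw and *.ines.tw in one command produces two tokens on the same _acme-challenge name, so a PUT that replaces the rrset would have to be changed to read the existing values and append; and the API key grants write access to the whole zone, so keep it in a root-only (0600) file that is sourced into the environment rather than on the command line, where it would be visible in the process list and in shell history.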


Look at the related information


# ls  -lh  /etc/letsencrypt/live/ines.tw/


total 4.0K

-rw-r--r-- 1 root root 692 Apr 30 14:50 README

lrwxrwxrwx 1 root root  31 Apr 30 14:50 cert.pem -> ../../archive/ines.tw/cert1.pem

lrwxrwxrwx 1 root root  32 Apr 30 14:50 chain.pem -> ../../archive/ines.tw/chain1.pem

lrwxrwxrwx 1 root root  36 Apr 30 14:50 fullchain.pem -> ../../archive/ines.tw/fullchain1.pem

lrwxrwxrwx 1 root root  34 Apr 30 14:50 privkey.pem -> ../../archive/ines.tw/privkey1.pem




There are 4 main files


cert.pem: the SSL certificate for the requested domain (Your domain's certificate)

  • corresponds to certificate.crt from sslforfree earlier - the public key


chain.pem: the Let's Encrypt chain certificate (The Let's Encrypt chain certificate)

  • corresponds to ca_bundle.crt from sslforfree earlier - the intermediate certificate


fullchain.pem: the public key and the intermediate certificate combined (cert.pem and chain.pem combined)

  • Nginx uses this file when configuring ssl


privkey.pem: the private key of the SSL certificate (Your certificate's private key)

  • corresponds to private.key from sslforfree earlier - the private key


That completes the request, but how do you know which certificates have been requested so far?

The following command lists the information


# certbot  certificates


Saving debug log to /var/log/letsencrypt/letsencrypt.log


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Found the following certs:

  Certificate Name: ines.tw

    Serial Number: 3b21ee0374642cba9403c35278cb94e5923

    Key Type: RSA

    Domains: *.ines.tw

    Expiry Date: 2022-07-29 13:50:52+00:00 (VALID: 89 days)

    Certificate Path: /etc/letsencrypt/live/ines.tw/fullchain.pem

    Private Key Path: /etc/letsencrypt/live/ines.tw/privkey.pem

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



Looking at the certificate information, the actual storage path is /etc/letsencrypt/archive/your-domain

# ls  -l  /etc/letsencrypt/archive/ines.tw/


total 20

-rw-r--r-- 1 root root 1830 Apr 30 14:50 cert1.pem

-rw-r--r-- 1 root root 3749 Apr 30 14:50 chain1.pem

-rw-r--r-- 1 root root 5579 Apr 30 14:50 fullchain1.pem

-rw------- 1 root root 1704 Apr 30 14:50 privkey1.pem
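As an added example (not from the original post) that goes with the `certbot certificates` output above and the archive listing just shown: a small Python script that parses the certificate list, computes the days left for each certificate and flags the ones that must be re-requested, which matters here because a --manual certificate without an auth hook will not renew itself. The sample output embedded in the script is the listing from this post; the "now" timestamps are constructed for the demonstration, and the 30-day threshold is an assumption that mirrors certbot's own renewal window. The last function checks that a private key's mode has no group/other permission bits, the 0600 that the listing shows for privkey1.pem.

```python
#!/usr/bin/env python3
"""Added example, not code from the original post: parse `certbot certificates`
output, compute the days each certificate has left and flag the ones that have to
be re-requested by hand (a --manual certificate without an auth hook does not
renew automatically). SAMPLE_OUTPUT is the listing shown in the post."""
import re
from datetime import datetime, timezone

SAMPLE_OUTPUT = """\
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: ines.tw
    Serial Number: 3b21ee0374642cba9403c35278cb94e5923
    Key Type: RSA
    Domains: *.ines.tw
    Expiry Date: 2022-07-29 13:50:52+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/ines.tw/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ines.tw/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"""

NAME_RE = re.compile(r"^\s*Certificate Name:\s*(\S+)")
FIELD_RE = re.compile(r"^\s*(Serial Number|Key Type|Domains|Expiry Date|"
                      r"Certificate Path|Private Key Path):\s*(.*?)\s*$")


def parse_certbot_certificates(text):
    """Return one dict per 'Certificate Name:' block, keyed by certbot's field labels."""
    certs, current = [], None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = {"Certificate Name": m.group(1)}
            certs.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if m:
            current[m.group(1)] = m.group(2)
    return certs


def expiry_of(cert):
    """'Expiry Date' is an ISO timestamp followed by '(VALID: N days)' or
    '(INVALID: EXPIRED)'; only the timestamp is needed."""
    return datetime.fromisoformat(cert["Expiry Date"].split(" (", 1)[0])


def days_left(cert, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (expiry_of(cert) - now).days


def renewal_report(text, now, threshold_days=30):
    """Map each certificate name to (days_left, action). The 30-day default is an
    assumption mirroring the window certbot uses for automatic renewals."""
    report = {}
    for cert in parse_certbot_certificates(text):
        left = days_left(cert, now)
        if left < 0:
            action = "expired: re-run the certbot certonly command now"
        elif left <= threshold_days:
            action = "renew: re-run the certbot certonly command"
        else:
            action = "ok"
        report[cert["Certificate Name"]] = (left, action)
    return report


def private_key_mode_ok(mode):
    """True when no group/other bits are set, i.e. the 0600 the archive listing
    shows for privkey1.pem. Pass os.stat(path).st_mode."""
    return (mode & 0o077) == 0


def utc(year, month, day, hour=0, minute=0):
    """Constructed 'now' values for the demonstration."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


if __name__ == "__main__":
    for name, (left, action) in renewal_report(SAMPLE_OUTPUT, utc(2022, 4, 30, 14, 0)).items():
        print("%s: %d days left -> %s" % (name, left, action))
```

On the certbot host this can run from cron with the live output of `certbot certificates` and `datetime.now(timezone.utc)` in place of the constructed values; pair it with `private_key_mode_ok(os.stat(path).st_mode)` for every privkey file. One caveat for the copy step that follows: once the files in /home/max have been downloaded, delete that copy, because the chown makes the private key readable outside root on a host that is about to be discarded anyway.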


Copy the certificate files to the user's home directory so they are easier to download in a moment


# cp  /etc/letsencrypt/archive/ines.tw/*  /home/max


Then change the owner of privkey1.pem so that there is permission to download it

# chown  max  /home/max/privkey1.pem


There are several ways to download the files


Back on my own machine


Method 1: use the download button in Web SSH


Go to the GCE service page, log in via Web SSH, and click the download button

Enter the file name and click Download



  • The default download directory should be ~/下載 (the localized Downloads folder)


Method 2: use the gcloud command


> gcloud  compute  scp  test20220430:/home/max/cert1.pem  /tmp/cert1.pem  --zone  asia-east1-b  --project  speedy-bazaar-245112


  • Replace test20220430:/home/max/cert1.pem with your-GCE-name:path/file-name

  • If no default zone and project are configured, specify them


The advantage of method 2 over method 1 is that you can choose the download path



Method 3: use the scp command


> scp  -i  css_id_rsa  USER@PUBLIC_IP:/home/max/cert1.pem  /tmp/cert1.pem



The downloaded files are as follows

> ls  -l


總用量 20

-rw-r--r-- 1 sakana users 1830  4月 30 23:27 cert1.pem

-rw-r--r-- 1 sakana users 3749  4月 30 23:27 chain1.pem

-rw-r--r-- 1 sakana users 5579  4月 30 23:28 fullchain1.pem

-rw------- 1 sakana users 1704  4月 30 23:29 privkey1.pem


Once the download is done, the GCE instance can be shut down / deleted


Next, the certificate can be used on the GCP Load Balancer



One more step forward :)






Sunday, April 17, 2022

Notes on upgrading the three-cloud-platform tools container - ansible 2.11.10 / AWS CLI 2.5.6 / gcloud 381.0


OS: container with openSUSE Leap 15.3



The last upgrade was on 2021/12/5; the reason for upgrading this time is



Also recording the current Ansible information in Azure Cloud Shell

  • Ansible: 2.10.2 / python 3.7.3 




Results first


Before the upgrade

OS: openSUSE Leap 15.3

awscli:  aws-cli/2.4.5 Python/3.8.8

gcloud: Google Cloud SDK 365.0.0

azure-cli: 2.30.0 (currently has a bug)

ansible: 2.11.6


After the upgrade

OS: openSUSE Leap 15.3

awscli:  aws-cli/2.5.6 Python/3.9.11

gcloud: Google Cloud SDK 381.0.0

azure-cli: 2.35.0 (currently has a bug)

ansible: 2.11.10


AWS CLI v2 installation documentation


GCP Cloud SDK versions


Also, running ansible --version now prints a warning that ansible will require Python 3.8 or newer; the message is as follows


[DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the controller starting with Ansible 2.12. Current version: 3.6.15 (default, Sep 23

 2021, 15:41:43) [GCC]. This feature will be removed from ansible-core in 

version 2.12. Deprecation warnings can be disabled by setting 

deprecation_warnings=False in ansible.cfg.



This time I again build through the docker build command

  • I have compared docker build against taking an existing docker image, modifying it and creating the image with docker commit; the resulting image sizes still differ a lot


For the Dockerfile I took the previous Dockerfile and modified it; it is currently based on openSUSE Leap 15.3


Modification details

  • Update time

  • Google SDK version, plus the download path and file name



Here is the diff result for reference


> diff opensuseLeap153_ansible_20220417_Dockerfile  opensuseLeap153_ansible_20211205_Dockerfile 


6c6

< # update time: 20211205

---

> # update time: 20220417
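Review bot: in the 6c6 hunk the `<` side shows `# update time: 20211205` and the `>` side `# update time: 20220417`, but `<` lines come from the first argument of the diff command shown above, which is opensuseLeap153_ansible_20220417_Dockerfile. Either the arguments were given in the other order when the output was captured, or the two files' contents are swapped; running `diff opensuseLeap153_ansible_20211205_Dockerfile opensuseLeap153_ansible_20220417_Dockerfile` (old file first) would make the `>` lines the new content and match the Dockerfile listed below.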

76c76

< # Install google cloud SDK 365.0.0

---

> # Install google cloud SDK 381.0.0

78,79c78,79

< RUN wget https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-365.0.0-linux-x86_64.tar.gz && \

<   tar zxvf google-cloud-sdk-365.0.0-linux-x86_64.tar.gz && \

---

> RUN wget https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-381.0.0-linux-x86_64.tar.gz && \

>   tar zxvf google-cloud-sdk-381.0.0-linux-x86_64.tar.gz && \
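Review bot: the 78,79c78,79 hunk bumps the wget URL to google-cloud-sdk-381.0.0-linux-x86_64.tar.gz and extracts it straight away with tar, with no integrity check in between, so the image contents depend entirely on what the download returns. Consider pinning the tarball's SHA-256 next to the version and verifying it before extraction, e.g. `echo "<sha256 placeholder>  google-cloud-sdk-381.0.0-linux-x86_64.tar.gz" | sha256sum -c -` between the wget and the tar, so that each version bump has to update both values deliberately.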



The Dockerfile content is as follows




# openSUSE Leap 15.3 with ansible, azure-cli, aws cli, gcloud
FROM opensuse/leap:15.3

# Author
# MAINTAINER is deprecated; use LABEL instead
# update time: 20220417
LABEL maintainer="sakana@cycu.org.tw"

# Set LANG for UTF-8 - for Chinese
ENV LANG=C.UTF-8

# Install python3-pip, upgrade pip, ansible, boto, boto3
RUN zypper refresh && \
  zypper install -y python3-pip && \
  pip3 install --upgrade pip && \
  pip3 install ansible && \
  pip3 install boto boto3

# Install openssh, set ls alias
RUN zypper install -y openssh
RUN echo "alias ls='ls --color=tty'" >> /root/.bashrc

# Install wget, download azure_rm.py, set permission
RUN zypper install -y wget

# azure_rm.py no need to download
# Starting with Ansible 2.8, Ansible provides an Azure dynamic-inventory plug-in
# https://docs.ansible.com/ansible/latest/plugins/inventory/azure_rm.html
# old azure_rm.py URL https://raw.githubusercontent.com/ansible/ansible/devel/contrib/inventory/azure_rm.py

# Create working directory in /root
RUN mkdir /root/.azure && \
  mkdir /root/.aws && \
  mkdir /root/playbook && \
  mkdir -p /root/.config/gcloud && \
  wget https://raw.githubusercontent.com/sakanamax/LearnAnsible/master/template/ansible.cfg && \
  mv /ansible.cfg /root && \
  wget https://raw.githubusercontent.com/sakanamax/LearnAnsible/master/template/hosts && \
  mv /hosts /root

#### Azure ####
# Install azure-cli
# 2020/11/29 Still have az login issue in Github https://github.com/Azure/azure-cli/issues/13209
RUN zypper install -y curl && \
  rpm --import https://packages.microsoft.com/keys/microsoft.asc && \
  zypper addrepo --name 'Azure CLI' --check https://packages.microsoft.com/yumrepos/azure-cli azure-cli && \
  zypper install --from azure-cli -y azure-cli

# Install Ansible azure module
# After ansible 2.10, some module move to ansible collect, change install method
RUN zypper install -y curl && \
  curl -O https://raw.githubusercontent.com/ansible-collections/azure/dev/requirements-azure.txt && \
  pip3 install -r requirements-azure.txt && \
  rm -f requirements-azure.txt && \
  ansible-galaxy collection install azure.azcollection

#install vim tar gzip jq unzip less bind-utils iputils groff
RUN zypper install -y vim tar gzip jq unzip less bind-utils iputils groff
RUN echo "set encoding=utf8" > /root/.vimrc

#### AWS ####
# Install awscli v1
#RUN pip3 install awscli
#RUN echo "source /usr/bin/aws_bash_completer" >> /root/.bashrc

# Install awscli v2
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
  unzip awscliv2.zip && \
  /aws/install
RUN echo "complete -C '/usr/local/bin/aws_completer' aws" >> /root/.bashrc

#### GCP ####
# Install google cloud SDK 381.0.0
ENV CLOUDSDK_CORE_DISABLE_PROMPTS=1
RUN wget https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-381.0.0-linux-x86_64.tar.gz && \
  tar zxvf google-cloud-sdk-381.0.0-linux-x86_64.tar.gz && \
  /google-cloud-sdk/install.sh && \
  echo "if [ -f '/google-cloud-sdk/path.bash.inc' ]; then . '/google-cloud-sdk/path.bash.inc'; fi" >> /root/.bashrc && \
  echo "if [ -f '/google-cloud-sdk/completion.bash.inc' ]; then . '/google-cloud-sdk/completion.bash.inc'; fi" >> /root/.bashrc



Build the image with the docker build command


> docker build  -t  sakana/ansible_opensuse153:20220417  -f  ./opensuseLeap153_ansible_20220417_Dockerfile   .


  • -f specifies the Dockerfile name

  • The final " . " is the current directory

  • A small network note to myself: for some reason, when my home connection uses a static IP (possibly going over IPv6), docker build runs into connection problems; switching to a dynamic IP makes them go away. Something to look into later



Test the container image


> docker  run  -v  ~/.aws:/root/.aws  -v  ~/.azure:/root/.azure  -v ~/.config/gcloud:/root/.config/gcloud  -it  sakana/ansible_opensuse153:20220417  /bin/bash


Test result OK, create the tag


  • Because openSUSE Leap 15 uses the old azure cli and its dependencies, the az command currently has problems; I have updated the issue and spent a lot of time adjusting, but for now I have to wait and see whether openSUSE and Azure release further updates

  • For now the az command may have to go through Azure Cloud Shell; ansible with Azure currently has problems and needs more testing later


Check the information

> docker  images


REPOSITORY                  TAG        IMAGE ID       CREATED          SIZE
sakana/ansible_opensuse153  20220417   a1567b366f49   28 minutes ago   3.24GB
opensuse/leap               15.3       c3465720f52c   4 days ago       109MB




Create the tag

> docker  tag  a1567b366f49  sakana/ansible_opensuse153:latest


Log in to docker

> docker  login


Upload the image

> docker  push  sakana/ansible_opensuse153:20220417


> docker  push  sakana/ansible_opensuse153:latest


Done; from now on, use it with


> docker  run  -v  ~/.aws:/root/.aws  -v  ~/.azure:/root/.azure  -v ~/.config/gcloud:/root/.config/gcloud  -it  sakana/ansible_opensuse153  /bin/bash



Additional note: the Azure credentials are about to be a year old again; referring to my earlier notes

  • http://sakananote2.blogspot.com/2020/05/azure-dynamic-inventory-with-ansible.html

  • Use az  ad  sp list  --all --output table | grep azure-cli to find the old credential,

  • delete it, e.g.: # az  ad  sp delete --id d06f8905-ad21-425b-9da5-3e0bcf22a853

  • then create a new credential, e.g.: # az  ad  sp  create-for-rbac --query  '{"client_id": appId, "secret": password, "tenant": tenant}'

  • look up the subscription_id, e.g.: # az  account  show  --query  "{ subscription_id: id }"

  • update client_id and secret in ~/.azure/credentials



~ enjoy it

