
How to install an 'official' domain and SSL certificate

Bob Mottram, 11 years ago
commit f435b2f9e5
1 changed file with 73 additions and 0 deletions

beaglebone.txt

@@ -6416,6 +6416,79 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
6416 6416
 52             6 1   *   *   root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
6417 6417
 #+END_SRC
6418 6418
 
6419
+** Using your own domain
6420
+Suppose that you have bought a domain name (rather than using a free subdomain on freedns) and you want to use that instead.
6421
+
6422
+Remove any existing nameservers for your domain (or select "custom" nameservers), then add:
6423
+
6424
+#+BEGIN_SRC: bash
6425
+NS1.AFRAID.ORG
6426
+NS2.AFRAID.ORG
6427
+NS3.AFRAID.ORG
6428
+NS4.AFRAID.ORG
6429
+#+END_SRC
6430
+
6431
+It might take a few minutes for the above change to take effect.  Within freedns click on "Domains" and add your domains (this might only be available to paid members).  Make sure that they're marked as "private".
6432
+
6433
+Select "Subdomains" from the menu on the left then select the MX entry for your domain and change the destination to *10:mydomainname* rather than *10:mail.mydomainname*.
6434
+
6435
+To route email to one of your freedns domains:
6436
+
6437
+#+BEGIN_SRC: bash
6438
+emacs /etc/mailname
6439
+#+END_SRC
6440
+
6441
+Add any extra domains which you own, then save and exit.
6442
+
6443
+#+BEGIN_SRC: bash
6444
+emacs /etc/exim4/update-exim4.conf.conf
6445
+#+END_SRC
6446
+
6447
+Within dc_other_hostnames add your extra domain names, separated by a colon ':' character.
6448
+
6449
+Save and exit, then restart exim.
6450
+
6451
+#+BEGIN_SRC: bash
6452
+update-exim4.conf.template -r
6453
+update-exim4.conf
6454
+service exim4 restart
6455
+#+END_SRC
6456
+
6457
+You should now be able to send an email from /postmaster@mynewdomainname/ and it should arrive in your inbox.
6458
+
6459
+** Obtaining an "official" SSL certificate
6460
+You can obtain a free "official" (as in recognised by default by web browsers) SSL certificate from [[https://www.startssl.com/][StartSSL]].  You will first need to have bought a domain name, since it's not possible to obtain one for a freedns subdomain, so see [[Using your own domain]] for details of how to do that.  You should also have tested that you can send email to the domain and receive it on the BBB (via Mutt or any other email client).
6461
+
6462
+When creating a SSL certificate it's important that the private key (the private component of the public/private pair in [[https://en.wikipedia.org/wiki/Public-key_cryptography][public key cryptography]]) be generated on the BBB /and remain there/.  Don't generate the private key via the StartSSL certificate wizard because this means that potentially they may retain a copy of it which could then be exfiltrated either via [[https://en.wikipedia.org/wiki/Lavabit][Lavabit]] style methodology, "implants", compromised sysadmins or other "side channel" methods.  So that the private key isn't broadcast on the internet we can instead generate a certificate request, which is really just a request for authorisation of a public key.
6463
+
6464
+Firstly under the validations wizard validate your domain, which means sending an email to it and confirming a code.
6465
+
6466
+Now we can generate the certificate request as follows.
6467
+
6468
+#+BEGIN_SRC: bash
6469
+export HOSTNAME=mydomainname
6470
+openssl genrsa -out /etc/ssl/private/$HOSTNAME.key 2048
6471
+chown root:ssl-cert /etc/ssl/private/$HOSTNAME.key
6472
+chmod 440 /etc/ssl/private/$HOSTNAME.key
6473
+mkdir /etc/ssl/requests
6474
+#+END_SRC
6475
+
6476
+Now make a certificate request as follows.  You should copy and paste the whole of this, not just line by line.
6477
+
6478
+#+BEGIN_SRC: bash
6479
+openssl req -new -key /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/requests/$HOSTNAME.csr
6480
+#+END_SRC
6481
+
6482
+For the email address it's a good idea to use postmaster@mydomainname.
6483
+
6484
+View the request with:
6485
+
6486
+#+BEGIN_SRC: bash
6487
+cat /etc/ssl/requests/$HOSTNAME.csr
6488
+#+END_SRC
6489
+
6490
+You can then click on "skip" within the StartSSL certificates wizard and copy and paste the encrypted request into the text entry box.  A confirmation will be emailed back to you normally within a few hours.
6491
+
6419 6492
 * Deprecated
6420 6493
 
6421 6494
 The following items have been deprecated until such time as a successful installation is achieved.
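
Review bot: In the key-generation block, `openssl genrsa -out /etc/ssl/private/$HOSTNAME.key 2048` writes the private key before `chown root:ssl-cert` and `chmod 440` run, so until those two lines execute the file has whatever mode openssl and the current umask give it. Put `umask 077` ahead of the genrsa line, and use `mkdir -p /etc/ssl/requests` so that running the block a second time does not stop on an existing directory. The last added paragraph tells the reader to paste "the encrypted request", but a certificate request is signed and PEM-encoded, not encrypted, and it carries the public key rather than the private one, which is the point the earlier paragraph makes; "the request text" would be accurate. Each added block opens with `#+BEGIN_SRC: bash`; Org source blocks are opened with `#+BEGIN_SRC bash` (no colon), so these may not export as code, and the NS1 to NS4.AFRAID.ORG list is not shell, so an example block would suit it better than a bash one.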