When I send DNS request, I will get some response. At this time, I had some question if this answer come from cached information or not. Someone think like me.
When the DNS server can recurse (RA is set)
1. Even if the query is recursive or not, the DNS which recived refer to local cache to find out the A record.
2. If the DNS is not authoritative, it will be return cached.
Please Look at these Packets.
There are 2 answers. One is CNAME which has 300 TTL time, other is A which 30 TTL time. I try again. And then
Now, I can see CNAME which has 300 TTL time and A which 29 TTL time.
In my test environment, I have DNS and GSLB. It has the role each like below. I dig to Authoritative DNS.
Thus,
1. Authoritative DNS return the TTL time for CNAME. This is the configuration value.
- In the response packet, Authoritative flag is set.
2. Authoritative DNS recurse to GSLB and cache the answer and return to client. So this TTL time will be counted down.
- In the response packet, Recursion Available is set. (The DNS can recurse)
The best way to find out the answer come from cached is watching "TTL time will be counted down or not".
This is the other case, I will try dig to "8.8.8.8" which is google DNS server. Even if there are lots of DNS server behind 8.8.8.8.
In this result above, Recursion Available is set, so the DNS is expected to cache answer. However, this is not Authoritative. Therefore, the CNAME and A should be counted down.
So far, I send recursive query. However, I want to see the same result with iterative query. In this post, I explained how to generate iterative query. I will use "dig +norecurse". Please note below
1. "dig with norecurse" show the result by DNS properies.
- Some DNS show the next query information, even if it has cached record.
- Some DNS show the cached answer.
- Some DNS show "server failed" result
Because of this, I did not recommend to use "dig with norecurse". Anyway, I will show when it works. I used same DNS server target.
When dig with no-recurse works, It show CNAME with counted TTL time down and A with counted TTL time down. With result, this DNS server has cached record value.
I have already told that different type of result can be shown with "norecurse" option. I will send query "www.google.com" to different DNS servers.
At first, Cached A record information is returned from DNS server. At this time, I can expect this DNS server has the cache. Please look at the next case,
There is no Answer field. There are next DNS server information to query. This is the reason why I do not recommend this norecursion option. Sometime, I can see the server fail like below.
This is my result. It is OK to use "norecurse" option for checking the cached return. However, it can can show different result what I do not expect.
Sometimes, I need to use "dig trace" command. I have known that it trace the DNS hop by hop. In this post, I will see the Packet level with this command.
By 2 property. the DNS response NS answer. After then, the client start to send A and AAAA request to the same DNS.
In this case, Client send A and AAAA for m.root-servers.net. The DNS does not response. After 5 second, it will retry.
In the result, I can see "couldn't get address for m.root-server.net" (Anyway this is not normal case)
The below is normal case. It request A and AAAA requests to all of targets which the response of the first NS request.
There is the things important to see. In wireshark, I estimate the time from request and response.
The client choose the fastest one. In this sample, it will be "198.97.190.53".
2. Second Reqeust for target domain
I think this is first step for the domain what I lookup. I have known that "198.97.190.53" is the namesever for next step. Therefore, I send the A record request to this DNS server.
Please not that "This is A record request with no-recursion". The below is the response packet.
There is no answer field in this response. Also, this server does not recursion available and is not Authoritative.
The DNS response with "Authoritative nameserver" list to client. The client must request other DNS server to find out.
Client send the nameserver (8.8.8.8) to find out A record for this nameserver list received. This is almost same with first one.
During these step, the client also choose the fastest one. At this time, it is "210.101.60.1"
With this value, the client try again.
However, there is no answer filed at this time. There are "authoritative nameservers list" again. Client will repeate above step.
3. Finally Request for A record.
The client send the A record request without recursion to 211.188.180.21 name server. It response like below.
At this time, there is "answer filed". Becuse of this, dig trace will be stoped. However, this is not A record. It is CNAME record with "authoritative nameservers" for this CNAME.
(Please note that "Authoritative is set" even if the A record is not responsed.) This measn that CNAME is valuable like A record.
Client must repeat this CNAME domain request again. It is the same above step.
I will see the some packet in this post. It is much easier.
1. General DNS Standard Query (Default Reqeust)
Normally, the servers are set the "/etc/resolv.conf" file to customize DNS server. In my case, I set "8.8.8.8" as the resolver.
It is everything which I can do simply. And then I use without any recognization. This is the Request Packet
In DNS packet, there is flags field. "Recursion Desired is set". This is what I want to find. Because of this, the DNS server (the request packeted is received) will try to recurse.
In the received packet, there are lot of informations. I can estimate DNS properites such as "Authoritative" and "Recursion option".
This is the Default Reqeust Packet. Therefore, the DNS will do recursion and caching.
2. No Recursion DNS Reqeust (Iterative Request)
At this time, I want to send "no recursion DNS request". I mean iterative request. The simple way is to use "dig" command with "norecursion". Please look the manual page.
I will try "dig +norecurse" like below.
That is so strange. There is no answer for A record. "This imply that there is no cached A record for this domain", Becuase this DNS server does not do recursion. If the DNS has the cached A record. It looks like below.
In this case, the DNS has the cached A record. It returned the response. Look at the packet.
With "norecursion", "Recursion desired flag" is not set. This is the important factor to understand.
In the response, the flags values are same as the above. Please look at the Answer. This means that "DNS server (8.8.8.8) give me 2 types of answers, first is CNAME and second is A record for the CNAME". This A record is cached value. Because This DNS server can recursion by the flag.
In this post, I wrote how to configure DNS servers (Bind9). In this post, I will setup the DNSSEC to enforce DNS secrutiy from the attacker. In fact, I am not friendly with DNS element. So I will follow this instruction.
At first, I need to update master DNS server configuration to enable DNSSEC function. Open "/etc/bind/named.conf.option" and update like below (red text)
# cat /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
recursion no;
listen-on port 53 { 10.10.0.124; };
allow-transfer { none; };
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
DNSSEC required the ZSK KEY (Zone Signing Key) and KSK KEY (Key Signing Key). Both key are called as DNSKEY. I have to generated these. To generate encryption key, I need entropy algorithm. "havedged" is good solution for this.
# apt-get install haveged
Now, I can generate. Please note that Key files should be located on the same directory of zone files.
# cd /var/cache/bind/zones
After run command to geneate, I can see the 2 files like below. These file are Zone Signing Key.
# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE db.g.crenet.com
All of these step are for creating signed zone file. Therefore, I will update zone file from now. Open zone file what I make secure and Include the key files above.
Now, I am ready to sign the zone file. I will run "dnssec-signzone -3 <salt> -A -N INCREMENT -o <zonename> -t <zonefilename>". "<Salt>" value is the random number. I can generate like below
listen-on port 53 { 10.10.0.204; }; # ns1 private IP address - listen on private network only
allow-transfer { none; }; # disable zone transfers by default
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
dump-file "/var/cache/bind/dumps/named_dump.db";
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
5. Configure DS records with the registrar.
When I create Signed zone file, "dsset-g.crenet.com" file is also generated which include "DS" record.
# cat dsset-g.crenet.com.
g.crenet.com. IN DS 33324 7 1 CFE9B08DB55C9EF23AAE19979FB2A48467C1061E
g.crenet.com. IN DS 33324 7 2 1245F5EB80E7A2F6CE9A64A9C69A94EFBC800D60EA4065B96B7FF501 AB6816D2
To publish this DNS server with DNSSEC, I have to offer these DS record to my DNS registrar. (DNS registrar mean the represtative compay which has the role to register DNS, such as GoDaddy or Gabia.
How to configure DNS bind9 configuration in Ubuntu
Recently, I need to learn about DNS system. In fact, I have not considered about this system so far. To understand about this as the begineer. I will memorize how to configure simply.
1. Pre-requisite.
I have four servers with Ubuntu 16.04 in AWS. Each server has the Public IP address.
2. Installation of bind9 packages
In fact, I do not know anything at this time. I need some instructions. I will follow this instruction basically. At first I need to update hosts name.
# hostname ns1
# hostname ns2
# hostname ns3
And I will update repository and install the bind packages like below. I will repeate this step in each servers, ns2 and ns3 also.
# apt-get update
# sudo apt-get install bind9 bind9utils bind9-doc
Installation is completed. I can see the directory and files under /etc/binddirectory.
At first, I will edit "named.conf.options". In this file, I will add some options to work well as the DNS server. This configuration is not applied to only primary. I will edit all of servers.
In above, there is "acl" field. It is the represatative name for allow-recursion. "recursion yes" means enable the recurive query from other DNS servers which is defined in "allow-recursion". In this instrucion, It shows what the recursive query is.
In this instruction, it is more simple contexts comparing with "iterative request".
If I do not want to use this recursion, I can change to "recursion no;" In my case, my authoritative DNS servers will be end of step for Domain. So I will disable the recursion. "allow-transfer { 10.10.0.99; 10.10.0.39; };" means transfering zone file to listed DNS servers which are refered as slave servers.
auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; };
# Slave DNS (AuthoritativeDNS) servers
options { directory "/var/cache/bind";
recursion no; listen-on port 53 { 10.10.0.72; };
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; };
After these configurations, I can check the configuration is correct or not.
# service bind9 restart
# # named-checkconf named.conf.options
If I do not get any answer or failed message, It works correct. In above, I defined "allow-transfer" like "allow-transfer { 10.10.0.99; 10.10.0.39; };". This parameter is the global value. Therefore, it is applied for all of zone files. It need to be limited sometimes. In the instruction, allow-transfer { none; }; is recommended.
auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; };
# Slave DNS (AuthoritativeDNS) servers
options { directory "/var/cache/bind";
recursion no; listen-on port 53 { 10.10.0.72; };
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; };
I will define "allow-transfer" in "named.conf.local" individually in every zone difinition. I will edit the "named.conf.local". It looks like below.
# Master DNS (AuthoritativeDNS) server
zone "dizigo.shop" { type master; file "/etc/bind/zones/db.dizigo.shop"; allow-transfer { 10.10.0.99; 10.10.0.39; }; }; zone "10.10.in-addr.arpa" { type master; file "/etc/bind/zones/db.10.10"; allow-transfer { 10.10.0.99; 10.10.0.39; }; };
# Slave DNS (Authoritative DNS) servers
zone "dizigo.shop" { type slave; file "db.dizigo.shop"; masters { 10.10.0.72; }; }; zone "10.10.in-addr.arpa" { type slave; file "db.10.10"; masters { 10.10.0.72; }; };
In above, I defined "forward zone" and "reverse zone". (Please this does not mean zone file) I suppose the one of 10.10.0.0/16 ip addresses will be mapped with Domain. In this file, It show how many zone file are existed and the each properties. I wrote 2 types of configuration for master and slave. In this "master", I can define "allow-transfer { 10.10.0.99; 10.10.0.39; };" in each zone definition. (Even if I will explain later in this post) In "slave", I can define "masters" as the source.
I will locate the zone file under "/etc/bind/zones". If you do not have zone directory, I need to create before.
# mkdir -r /etc/bind/zones
After these configurations, I can check the configuration is correct or not.
# service bind9 restart
# named-checkconf named.conf.local
# named-checkconf
3. Createing the Forward and reverse zone files.
Under the "/etc/bind" directory, there is the sample file for these.
# Forward zone file sample
root@ns1:/etc/bind# cat /etc/bind/db.local $TTL 604800 @ IN SOA localhost. root.localhost. ( 2 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL ; @ IN NS localhost. @ IN A 127.0.0.1 @ IN AAAA ::1
# Reverse zone file sample
root@ns1:/etc/bind# cat /etc/bind/db.127 $TTL 604800 @ IN SOA localhost. root.localhost. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL ; @ IN NS localhost. 1.0.0 IN PTR localhost.
I will copy and edit this files for my zone file. This step is depends on your environments. It will be different from me
# cp db.local /etc/bind/zones/db.dizigo.shop
# cp db.127 /etc/bind/zones/db.10.10
Open the forward zone file and edit at first. It looks like below.
$TTL 60
@ IN SOA ns1.dizigo.shop admin.dizigo.shop. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
; name servers - NS records
IN NS ns1.dizigo.shop.
IN NS ns2.dizigo.shop.
IN NS ns3.dizigo.shop.
; name servers - A records
ns1.dizigo.shop. IN A 10.10.0.72
ns2.dizigo.shop. IN A 10.10.0.99
ns3.dizigo.shop. IN A 10.10.0.39
; sample - A records
www.dizigo.shop. IN A 10.128.100.101
ftp.dizigo.shop. IN A 10.128.200.101
I edit the TTL time for caching. If there is the caching DNS server in front of these authoritative DNS servers, the Caching server does not ask again during this time. I will adjust for 60 seconds. Serail number is increased. Every time, I edit zone file, I have to increase this number. This number is used for the slave servers to determince download zone file or not. I added all of name servers in end of SOA field. For reverse zone file, it is similar with forward zone file. It looks like below.
$TTL 60 @ IN SOA ns1.dizigo.shop. admin.dizigo.shop. ( 2 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL
; name servers - NS records IN NS ns1.dizigo.shop. IN NS ns2.dizigo.shop. IN NS ns3.dizigo.shop.
; PTR Records 72.0 IN PTR ns1.dizigo.shop. 99.0 IN PTR ns2.dizigo.shop. 39.0 IN PTR ns3.dizigo.shop.
Most of values are same. Add all of name servers end of SOA field, then add PTR records. After all of these, I can check my configuration.
6. Create Caching DNS server without zone file (Only Forwarding caching DNS server)
Now, I create the Caching DNS server in front of Authoritative DNS servers. I will refere this instruction. Most of steps are similar with above. I have already written above.
In the instrucion, there is another term, "allow-query". This is same with "allow-recursion". So In my case I will use again in this post. I need to define "forwarders" which point to DNS server whiech handdle the recursive query. In my case, the authoritative DNS servers are listed in here.
At this time, I want to make this Caching server to work as forwarder (This server does not response against the query reqeust itself). So I will add "forward only;" option. Final thing I need to edit is dnssec. In fact, I do not know what this is exactly. Anyway, this part make the server and client more secure. So, the my configuration of "named.conf.opiton" look like below.
listen-on port 53 { 10.10.0.37; }; # ns1 private IP address - listen on private network only
allow-transfer { none; }; # disable zone transfers by default
forwarders {
10.10.0.99;
10.10.0.72;
};
forward only;
dnssec-enable yes;
dnssec-validation yes;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
After this configuration, I need to check the configuration with "named-checkconf" and restart bind
# named-checkconf
# service bind9 restart
7. Verfication of Caching server (Clean cached DB)
In this blog, there is the way to view cahce status.
# Run Command
# rndc dumpdb -cache
# Log messages (Error)
Sep 13 14:38:25 cache kernel: [195574.027929] audit: type=1400 audit(1568385505.800:83): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/named_dump.db" pid=25682 comm="named" requested_mask="c" denied_mask="c" fsuid=112 ouid=112 Sep 13 14:38:25 cache named[25678]: received control channel command 'dumpdb -cache' Sep 13 14:38:25 cache named[25678]: could not open dump file 'named_dump.db': permission denied
This error happend due to permission of file location which is created by the command. Therefore, I need to re-define the path for the dump file in the configuration. Please read this instruction.
listen-on port 53 { 10.10.0.37; }; # ns1 private IP address - listen on private network only
allow-transfer { none; }; # disable zone transfers by default
forwarders {
10.10.0.99;
10.10.0.72;
};
forward only;
dnssec-enable yes;
dnssec-validation yes;
dump-file "/var/cache/bind/dumps/named_dump.db";
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
"dump-file "/var/cache/bind/dumps/named_dump.db";" is added int the configuration. After then, check configuration and restart. (Please note that the file should be located under /var/cache/bind directory)
# Run Command
# rndc dumpdb -cache
# /var/cache/bind/dumps# ls named_dump.db
I can see the file created. I can also read this file. The result look like below
If I want to clean this db and caching. I can run like below. Flush and service restarted are necessary.
# rndc flush
# service bind9 restart
8. Create Caching DNS server with zone file (Delegating sub-domain)
Please note that I can not delegate other domain. I can only delegate sub-domain. For example, "some-name.origin-domain.com --> some-domain.com" is not possible. "some-name.origin-domain.com --> some-name.sub-domain.origin-domain.com" is only possible
Because of above, I use another name "ozigo.shop". (So far, I used "dizigo.shop")
I will follow this instruction. Caching DNS server can have zone file and handle the query directly. For this, I will do some of changes. First I will remove "forward only;" and "forwarders". Therefore "named.conf.option" is look like below
listen-on port 53 { 10.10.0.37; }; # ns1 private IP address - listen on private network only
allow-transfer { none; }; # disable zone transfers by default
dnssec-enable yes;
dnssec-validation yes;
dump-file "/var/cache/bind/dumps/named_dump.db";
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
And then, I need other configuration file and zone file, "named.conf.local" and "zone file included sub-domain"
# cat named.conf.local
zone "ozigo.shop" {
type master;
file "/etc/bind/zones/db.ozigo.shop";
};
I used "$ORIGIN" term to seperate zone between ozigo.shop and ns.ozigo.shop. The red text show how to delegate sub-domain reqursion. The request query for "ns.ozigo.shop" will be sent to "ns1.ns.ozigo.shop" which has 10.10.0.72 IP address. The authoritative DNS which has zone file will be like below.
root@cache:/var/cache/bind/zones# cat db.crenet.com $ORIGIN crenet.com. $TTL 10 @ IN SOA crenet.com. admin.crenet.com. ( 3 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL ; IN NS ns1.crenet.com. ns1.crenet.com. IN A 10.10.0.204
; www.crenet.com. IN CNAME www.g.crenet.com.
$ORIGIN g.crenet.com. @ IN NS ns1.g.crenet.com. IN NS ns2.g.crenet.com. ns1.g.crenet.com. IN A 10.10.0.124 ns2.g.crenet.com. IN A 10.10.0.225
# cat zones/db.ns.ozigo.shop
$TTL 60
@ IN SOA ns1.ns.ozigo.shop. admin.ns.ozigo.shop. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
; name servers - NS records
IN NS ns1.ns.ozigo.shop.
; name servers - A records
ns1.ns.ozigo.shop. IN A 10.10.0.72
; sample - A records
recursion.ns.ozigo.shop. IN A 200.200.200.200
My final goal is looking up "recursion.ozigo.shop". When I try to dig from remote client, the result should be like below.
How to install self-signed certification on Windows 2012 R2 for RDP?
Recently, I have some issue about the RDP security. I try to find out how to use my own certification. Please note that it is not recommend that I use self-signed certification. Because it can make more complex trouble. However, I do not have any certification. So I will use self-signed certification for this post.
2. Install certification feature and Import certificate file.
Run "mmc" and open the console. In here, I can install and configure the certification.
There is nothing at first. I need to install the certification.
I need to follow "File > Add/Remove Snap-ins".
And choose the what I want to install. In my case, Certificates is chosen. After "Add the Certificate for Snap-in". I can see the menu like below. Select "Computer account".
Select "Local computer"
After finishing the above steps, I can see the "Certificates" category on the left of side. In "Certificates > Personal > All Tasks > Import", I can see my self-signed certificate.
Now, I can start the "Certificate Import Wizard". Click "Next"
There is the form to insert the path for certificate which is the "pfx" file.
Input the optional values if I used the values.
Select the location which the certificate is located in. In this case, "Personal" is used.
Now I can check all of information.
Click Finish. I can check the certification which is located in Personal like below.
Now, I have done to insert my certificate.
3. Check the certification status and activate the certification.
After installation and import process above, I can check the detail of certification which is installed with "double click". If it is status is good. I can see the comment "You have a private key that corresponds to this certificate".
Now, self-signed certification is imported with correct steps and status. Now, I need to check "Thumbprint" to activate and covert this certification from default. In Details, I can see the "Thumbprint" like below.
This value of "Thumbprint" is necessary. This value is used with command line below. There are two types of command. In my case, I will use "Command mode"
# Command mode
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"
In the CMD, I can run like below and I will confirm that "Update is successful".
4. Access the Remote Desktop
Now, I will access and I can confirm the certification is changed like below.
Basically, RDP is encrypted by TLS. With the steps above. It is more customized.
I can see the TLS handshake by the wireshark packets.
5. (Optional) Enforce the RDP data and connection encryption level.
In this post. there are several steps to make more secure RDP connection. In the middle of contents, "Local Group Policy Editor" are used to enhance the security. Run "gpedit.msc" at first.
In "Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security", there are several parameter which I have to change.
1. Set Client Connection Encryption Level (Enable/High Level)
2. Require Secure RPC communication. (Enable)
3. Require Use of Specific Security Layer for Remote (RDP) connections. (Enable/SSL)
4. Require user authentication for remote connections by using Network Level Authentication (Enable)
How to use etcd (multi-machine cluster TLS/SSL security mode) in Ubuntu?
From this post, I run multi-machine cluster basic mode. Now, I will run multi-machine cluster with TLS/SSL security. I am not the security engineer. I am not friendly about TLS/SSL concepts. I studied about key and chain concept before, however it still difficult to understand it. In this documentation, there are 2 things required, a unique key pair (member.crt, member.key) and shared cluster CA certificate (ca.crt). In this post, I address how to create these.
1. Overview the command for multi-machine cluster with TLS/SSL.
In the command, there are 2 root certificate, ca-client.crt and ca-peer.crt. It will be shared between all hosts. Thus, I create these certificate on single host and copy into others. To create root certificate, I need 2 files, "config.json" and "csr.json". The contents is here.
I create "ca-client-config.json" and "ca-client-csr.json" for ca-client certificate. I have to create more for ca-peer certificate. CN name should be different.
It's good. I can generate intermediate certification with this certificate. Therefore I need to copy these files into other hosts. I move files on each directory like below. (I create these directory on every hosts)
At first, In example 2, I need server to run "etcd" and I need client certificate to get response. And second, In example 3, I need peer certificate to communicate between hosts.
4. Create server, client and peer certificate.
Look at this post, there are way to generate each certificate. I create server certificate. To create, I need to "server.json" file. In this Git, there are sample JSON file. For server.json, hosts information are most important.
IP's currently in the config should be replaced/added with IP addresses of each cluster node, please note 127.0.0.1 is always required for loopback
I will generate server certificate. Please note that the command above use the name "infra-client", however, this is server certification, it is not client certificate.
"-profile=server" option makes server certificate. Next, I create the peer certificate. Also I need "peer.json" file. This file is similar with "server.json". However, CommonName (CN) should be different.
I create server certificate and peer certificate. Therefore, I can run "etcd" with both certificate. However, I need client certificate to obtain response. I will use same root certificate of the server. I need "client.json" file.
I can see the result {"action":"set","node":{"key":"/foo","value":"bar","modifiedIndex":17,"createdIndex":17}}. It's works now.
6. Run automatic certificate mode
So far, I do so many step to run in security mode. It's is not simple. Because of this, etcd offers automatic certificate mode. In this mode, etcd create certificate automatically. "--auto-tls" and "--peer-auto-tls" are replaced instead of part for certificate.
How to use etcd (multi-machine cluster basic mode) in Ubuntu?
Recently, I have found interesting solution. it is called as etcd. It is Distributed reliable key-value store. What is the key-value store?. It is similar with dictionary in Python. This etcd make dictionary items can be put and get on any hosts.
1. Prerequesite
The etcd is used for cluster environment. Therefore, I will prepare 3 servers with ubuntu.
infra0172.22.0.96infra0.example.com
infra1172.22.0.33infra1.example.com
infra2172.22.0.133infra2.example.com
2. Get etcd release
I have ubuntu server. I need the etcd release for ubuntu. In this documentation. There is installation guide for Linux.
Even if this single mode works, but etcd is more powerful in mult-machin cluster mode. Look this documentation. To run cluster mode, there are 2 things important. IP address to listen and announce and IP address for peer hosts.
For peer communicate, the 2380 port is used. For data communication, the 2379 port is used. Therefore, "127.0.0.1:2379" is necessary to request to localhost. However, this is not necessary to announce. These command above should be run on each host. After running, I can get the status of clustering.
# ETCDCTL_API=3 etcdctl --endpoints=172.22.0.96:2379,172.22.0.33:2379,172.22.0.133:2379 endpoint health
172.22.0.96:2379 is healthy: successfully committed proposal: took = 2.385219ms
172.22.0.133:2379 is healthy: successfully committed proposal: took = 2.847419ms
172.22.0.33:2379 is healthy: successfully committed proposal: took = 2.292504ms
Now, I have done everything to cluster multi-hosts. In multi-hosts environments, I put data into anywhere, I can get data from anywhere.
# ETCDCTL_API=3 etcdctl --endpoints=172.22.0.96:2379 put foo "Hello World!"
OK
# ETCDCTL_API=3 etcdctl --endpoints=172.22.0.133:2379 get foo
The purpose of using an intermediate CA is primarily for security. The root key can be kept offline and used as infrequently as possible. If the intermediate key is compromised, the root CA can revoke the intermediate certificate and create a new intermediate cryptographic pair.
I studied about the chain concept. I focused if the encryption with private key of root certificate and decryption with public key of child certificate are possible, reverse versa?. (The answer is "Not Possible"). The reason is to hide the root CA for security.
1. Prerequisite
This is the default directory structure to generate intermediate certificate.
# mkdir /root/ca
# cd /root/ca
# mkdir certs crl newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial
To generate "Key", "CSR" (Certificate Signing Reqeust) and. CRT (Certificate), I need configuration for each case, In reference documentation, there are 2 types of configuration for Root CA and Intermediate CA. At this time, I need Root CA configuration. It looks like below.
# vi /root/ca/openssl.cnf
# OpenSSL root CA configuration file.
# Copy to `/root/ca/openssl.cnf`.
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = /root/ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_strict
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = GB
stateOrProvinceName_default = England
localityName_default =
0.organizationName_default = Alice Ltd
organizationalUnitName_default =
emailAddress_default =
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
There are lots of options in there. I can not explain all of things. For the reproduction of this test, I check the directory path at first.
[ CA_default ]
# Directory and file locations.
dir = /root/ca
In this post, I create "/root/ca" directory before, therefore I do not need to change this value. However, it need to be changed if I want to work on other directory.
2. Create root key and root certificate
I generate RSA private key which is most used with "openssl genrsa" command. (Please, note that If there is no option like "-aes256", there is no process to enter the password)
Verifying - Enter pass phrase for ca.key.pem: secretpassword
# chmod 400 private/ca.key.pem
And then, I create Root CA certificate with the Private key which is generated earlier. (In this case, I do not use the CSR). The "-x509" option is the option which is necessary when I create certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name []:England
Locality Name []:
Organization Name []:Alice Ltd
Organizational Unit Name []:Alice Ltd Certificate Authority
Common Name []:Alice Ltd Root CA
Email Address []:
# chmod 444 certs/ca.cert.pem
In this case, Root CA is not changed for a long time. So "-days 7300" (almost 20 years) is defined. Because of this, the Private key of Root should be secret. I can see more detail information with "verification" command. In the result, I can see the "issuer" and "validity" information. Also I can see the certificate include the Public Key Info.
To generate the Intermediate certificate, I need to make sub-directory under the root directory.
# mkdir /root/ca/intermediate
# cd /root/ca/intermediate
# mkdir certs crl csr newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial
# echo 1000 > /root/ca/intermediate/crlnumber
"echo 1000 > /root/ca/intermediate/crlnumber" is used for tracking certificate revocation lists. In this post, I do not handle about this. I also need configuration for intermediate certificate. Most of the contents are same with Root's configuration. 5 things are different.
I generate RSA Private key. this key is independent with Root Private key. This intermediate certificate is usually not used for end-point such as the server and client. I think it is kinds of sub-Root certificate. (However, this is one of cases. I can use intermediate certificate on server and client also.)
Now I need to generate certificate signing request (CSR) at this time. During this step, The Common Name must be different. CSR includes several information such as "common Name". I can create certificate without this CSR. (In the Root case, I did not create CSR at that time.
I obtain "Private key", "CSR" and "Certificate" files for intermediate. I have some question how does this cert guarantee?. "openssl verfify -CAfile" command show intermediate cert is certified by root certificate.
4-1. [Optional] The relationship between Root Key and Intermediate Key.
Someone can think like me, the intermediate certificate inherit from the root certification. Therefore, I can encrypt with intermediate public key and decrypt with root private key or reverse versa. The answer is "No" (RSA operation error is happend)
# echo "welecom ssl world" > message
[ Intermediate public encrypt + Root private decrypt ]
When an application (eg, a web browser) tries to verify a certificate signed by the intermediate CA, it must also verify the intermediate certificate against the root certificate.
Thus, it is necessary to confirm if the intermediate certificate come from root certificate. To create chain, I will merge both certificate into single file.
Before, I do this step. I need to know what is difference between server certificate and client certificate. Before, I write this post, I only consider web server such as Apache. In this Apache case, the server certificate is necessary. Server certificate focus if this server is safe or not. Client certificate focus if my request to the server is safe or not. So usually, client certificate is doing after server certificate. In this post, I will handle server certificate.
I think this intermediate certificate is kinds of sub-root certificate. So this intermediate should be hidden for the security. (Don't worry, if this intermediate certificate is stolen, I can delete and re-create with Root certificate again) Anyway, I can create certificate for end-point.
The reason why I use 2048 bit to create RSA key. Usually, the certificate for end-point should be short expiration day. So, 2048 bit is much efficient. After this, I create the CSR with private key. And I use intermediate configuration file to generate. (At this time, it looks like another intermediate certificate). Note that the Common Name cannot be the same as either your root or intermediate certificate.
Enter pass phrase for www.example.com.key.pem: secretpassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:US
State or Province Name []:California
Locality Name []:Mountain View
Organization Name []:Alice Ltd
Organizational Unit Name []:Alice Ltd Web Services
Common Name []:www.example.com
Email Address []:
Now, I will create the certificate. Please note, I used "server_cert" option, because I suppose I create certificate for web-server. However if I want the certificate for client, I use "user_cert"
To create a certificate, use the intermediate CA to sign the CSR. If the certificate is going to be used on a server, use the server_cert extension. If the certificate is going to be used for user authentication, use the usr_cert extension. Certificates are usually given a validity of one year, though a CA will typically give a few days extra for convenience.
I can verify this certificate. At this time, I do not verify with the certificate of the intermediate. I verify with ca-chain which are generated earlier.
I will deploy my web server with these certificate and chain. At this time, I do not need to merge again the ca-chain.cert.pem.
ca-chain.cert.pem
www.example.com.key.pem
www.example.com.cert.pem
I compare the configuration. In "-config" option of "openssl ca", it decide the "issuer". Therefore, intermediate's issuer is root and server's issuer is intermediate. In "extension" option, it decide the rule or type of certificate. Becuase of this, the server handle another type of intermediate certificate which is issued by (sub-root) intermediate certificate.
Therefore, the certification does not need to merge at this time. I do test again to check the relationship between intermediate certifications. In the result, I can not encrypt and decrypt.
Recently, I have some changes to know about "ECDSA" to signature the messages. I am not the security engineer. So, I can not explain all of things about this. Before, I read about this. I only think about the encryption and decryption. However, "ECDSA" shows another mechanism. Most of the documentations, "ECDSA" uses to sign and verfication. Let's think about RSA case, the RSA focus on "How can the file encrypt and decrypt". Therefore, encrypted-file is created and transferred to the destination. However, the ECDSA case is different. the ECDSA focus on "How can this message confirm to be same with others". Therefore, no encrypted-file is created, but the signature is generated. The destination has already known the message, it is verified with this signature. In this post, I will use "openssl" mainly.
1. Create the Private key
In ECDSA algorithm, the concept of the private and public key. I can create a private key at first. With the private key, I can generate the signature for the some messages.
Above, there is "name" field which has already defined. With "-list_curves" option, I can check what name is possible. In my case, "sect571r1" is one what I choose.
# # openssl ecparam -list_curves
secp112r1 : SECG/WTLS curve over a 112 bit prime field
secp112r2 : SECG curve over a 112 bit prime field
secp128r1 : SECG curve over a 128 bit prime field
secp128r2 : SECG curve over a 128 bit prime field
secp160k1 : SECG curve over a 160 bit prime field
secp160r1 : SECG curve over a 160 bit prime field
secp160r2 : SECG/WTLS curve over a 160 bit prime field
secp192k1 : SECG curve over a 192 bit prime field
secp224k1 : SECG curve over a 224 bit prime field
secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
prime192v2: X9.62 curve over a 192 bit prime field
prime192v3: X9.62 curve over a 192 bit prime field
prime239v1: X9.62 curve over a 239 bit prime field
prime239v2: X9.62 curve over a 239 bit prime field
prime239v3: X9.62 curve over a 239 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field
sect113r1 : SECG curve over a 113 bit binary field
sect113r2 : SECG curve over a 113 bit binary field
sect131r1 : SECG/WTLS curve over a 131 bit binary field
sect131r2 : SECG curve over a 131 bit binary field
sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field
sect163r1 : SECG curve over a 163 bit binary field
sect163r2 : NIST/SECG curve over a 163 bit binary field
sect193r1 : SECG curve over a 193 bit binary field
sect193r2 : SECG curve over a 193 bit binary field
sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field
sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field
sect239k1 : SECG curve over a 239 bit binary field
sect283k1 : NIST/SECG curve over a 283 bit binary field
sect283r1 : NIST/SECG curve over a 283 bit binary field
sect409k1 : NIST/SECG curve over a 409 bit binary field
sect409r1 : NIST/SECG curve over a 409 bit binary field
sect571k1 : NIST/SECG curve over a 571 bit binary field
sect571r1 : NIST/SECG curve over a 571 bit binary field
c2pnb163v1: X9.62 curve over a 163 bit binary field
c2pnb163v2: X9.62 curve over a 163 bit binary field
c2pnb163v3: X9.62 curve over a 163 bit binary field
c2pnb176v1: X9.62 curve over a 176 bit binary field
c2tnb191v1: X9.62 curve over a 191 bit binary field
c2tnb191v2: X9.62 curve over a 191 bit binary field
c2tnb191v3: X9.62 curve over a 191 bit binary field
c2pnb208w1: X9.62 curve over a 208 bit binary field
c2tnb239v1: X9.62 curve over a 239 bit binary field
c2tnb239v2: X9.62 curve over a 239 bit binary field
c2tnb239v3: X9.62 curve over a 239 bit binary field
c2pnb272w1: X9.62 curve over a 272 bit binary field
c2pnb304w1: X9.62 curve over a 304 bit binary field
c2tnb359v1: X9.62 curve over a 359 bit binary field
c2pnb368w1: X9.62 curve over a 368 bit binary field
c2tnb431r1: X9.62 curve over a 431 bit binary field
wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field
wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field
wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field
wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field
wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field
wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field
wap-wsg-idm-ecid-wtls12: WTLS curvs over a 224 bit prime field
Oakley-EC2N-3:
IPSec/IKE/Oakley curve #3 over a 155 bit binary field.
Not suitable for ECDSA.
Questionable extension field!
Oakley-EC2N-4:
IPSec/IKE/Oakley curve #4 over a 185 bit binary field.
Not suitable for ECDSA.
Questionable extension field!
brainpoolP160r1: RFC 5639 curve over a 160 bit prime field
brainpoolP160t1: RFC 5639 curve over a 160 bit prime field
brainpoolP192r1: RFC 5639 curve over a 192 bit prime field
brainpoolP192t1: RFC 5639 curve over a 192 bit prime field
brainpoolP224r1: RFC 5639 curve over a 224 bit prime field
brainpoolP224t1: RFC 5639 curve over a 224 bit prime field
brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
brainpoolP256t1: RFC 5639 curve over a 256 bit prime field
brainpoolP320r1: RFC 5639 curve over a 320 bit prime field
brainpoolP320t1: RFC 5639 curve over a 320 bit prime field
brainpoolP384r1: RFC 5639 curve over a 384 bit prime field
brainpoolP384t1: RFC 5639 curve over a 384 bit prime field
brainpoolP512r1: RFC 5639 curve over a 512 bit prime field
brainpoolP512t1: RFC 5639 curve over a 512 bit prime field
2. Create the Public key
Now, I can create the public key with private key.
