mirror of
https://github.com/cunnie/sslip.io.git
synced 2025-10-17 05:00:42 +08:00

The behavior of `dig` version **9.11.25-RedHat-9.11.25-2.fc32** differs from macOS's `dig` version **9.10.6**. In other words, this test passes on my mac but not until now on (Linux-based) CI. I also took the opportunity to refactor our `dig` arguments to conform with the suggested usage: > Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt} fixes <https://ci.nono.io/teams/main/pipelines/sslip.io/jobs/unit/builds/145>: ``` Expected <int>: 9 to match exit code: <int>: 0 ``` Note that for the `any` test I had to append an additional `+notcp` argument to avoid an attempted TCP connection. I suspect a bug in `dig`: ``` dig any sslip.io @localhost ;; Connection to 127.0.0.1#53(127.0.0.1) for sslip.io failed: connection refused. ```
100 lines
3.1 KiB
Markdown
100 lines
3.1 KiB
Markdown
In the following example, we create a webserver on Google Cloud Platform (GCP)
|
|
to acquire a wildcard certificate:
|
|
|
|
**Do Not Use** these instructions; they don't work. They are a work in progress.
|
|
|
|
```
|
|
gcloud auth login
|
|
# set your project; mine is "blabbertabber"
|
|
gcloud config set project blabbertabber
|
|
# create your VM
|
|
gcloud compute instances create \
|
|
--image-project "ubuntu-os-cloud" \
|
|
--image-family "ubuntu-2004-lts" \
|
|
--machine-type f1-micro \
|
|
--boot-disk-size 40 \
|
|
--boot-disk-type pd-ssd \
|
|
--zone "us-west1-a" \
|
|
sslip
|
|
# get the IP, e.g. 35.199.174.9
|
|
export NAT_IP=$(gcloud compute instances list --filter="name=('sslip')" --format=json | \
|
|
jq -r '.[0].networkInterfaces[0].accessConfigs[0].natIP')
|
|
echo $NAT_IP
|
|
# get the fully-qualified domain name, e.g. 35-199-174-9.sslip.io
|
|
export FQDN=${NAT_IP//./-}.sslip.io
|
|
echo $FQDN
|
|
# set IP & FQDN on the VM because we'll need them later
|
|
gcloud compute ssh --command="echo export FQDN=$FQDN IP=$IP >> ~/.bashrc" --zone=us-west1-a sslip
|
|
# create the rules to allow DNS (and ICMP/ping) inbound
|
|
gcloud compute firewall-rules create sslip-io-allow-dns \
|
|
--allow udp:53,icmp \
|
|
--network=default \
|
|
--source-ranges 0.0.0.0/0 \
|
|
# ssh onto the VM
|
|
gcloud compute ssh sslip -- -A
|
|
# install docker
|
|
sudo apt update && sudo apt upgrade -y && sudo apt install -y docker.io jq
|
|
# add us to the docker group
|
|
sudo addgroup $USER docker
|
|
newgrp docker
|
|
# Create the necessary directories
|
|
mkdir -p tls/
|
|
# disable systemd-resolved to fix "Error starting userland proxy: listen tcp 0.0.0.0:53: bind: address already in use."
|
|
# thanks https://askubuntu.com/questions/907246/how-to-disable-systemd-resolved-in-ubuntu
|
|
sudo systemctl disable systemd-resolved
|
|
sudo systemctl stop systemd-resolved
|
|
echo nameserver 8.8.8.8 | sudo tee /etc/resolv.conf
|
|
# Let's start it up:
|
|
docker run -it --rm --name wildcard \
|
|
-p 53:53/udp \
|
|
-p 80:80 \
|
|
cunnie/wildcard-dns-http-server &
|
|
dig +short TXT does.not.matter.example.com @localhost
|
|
# You should see `"Set this TXT record ..."`
|
|
export ACMEDNS_UPDATE_URL="http://localhost/update"
|
|
docker run --rm -it \
|
|
-v $PWD/tls:/acme.sh \
|
|
-e ACMEDNS_UPDATE_URL \
|
|
--net=host \
|
|
neilpang/acme.sh \
|
|
--issue \
|
|
--staging \
|
|
--debug \
|
|
-d *.$FQDN \
|
|
--dns dns_acmedns
|
|
```
|
|
|
|
Clean-up:
|
|
|
|
```
|
|
gcloud compute firewall-rules delete sslip-io-allow-dns
|
|
gcloud compute instances delete sslip
|
|
```
|
|
|
|
#### Troubleshooting / Debugging
|
|
|
|
Run the server in one window so you can see the output, and then ssh into another window
|
|
and watch the output in realtime.
|
|
|
|
```
|
|
gcloud compute ssh sslip -- -A
|
|
docker run -it --rm --name wildcard \
|
|
-p 53:53/udp \
|
|
-p 80:80 \
|
|
cunnie/wildcard-dns-http-server
|
|
```
|
|
|
|
Use `acme.sh`'s `--staging` flag to make sure it works (so you don't run into Let's Encrypt's [rate limits](https://letsencrypt.org/docs/rate-limits/) with failed attempts).
|
|
|
|
```
|
|
docker run --rm -it \
|
|
-v $PWD/tls:/acme.sh \
|
|
-e ACMEDNS_UPDATE_URL \
|
|
--net=host \
|
|
neilpang/acme.sh \
|
|
--issue \
|
|
--staging \
|
|
--debug \
|
|
-d *.$FQDN \
|
|
--dns dns_acmedns
|
|
``` |