When using PKI certificates it is critical that DNS is working correctly and that hosts have their time synced via a reliable NTP server. In this part of the series I will build a utility server that will act as the DNS, NTP and root certificate authority. The utility server will use CentOS 7 minimal as the OS with the firewall service disabled and SELinux set to permissive.


The DNS service will be provided by dnsmasq as it's lightweight and easy to set up.

sudo yum install -y dnsmasq

Create a dnsmasq user and group and assign the user to the group.

sudo groupadd -r dnsmasq
sudo useradd -r -g dnsmasq dnsmasq

Backup the old /etc/dnsmasq.conf configuration file.

sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.old

Create an /etc/dnsmasq.conf file with the following contents.

# /etc/dnsmasq.conf

Create an /etc/resolv.dnsmasq file that uses Google DNS as the upstream DNS servers.

# /etc/resolv.dnsmasq

Set the nameserver attribute in /etc/resolv.conf file to use a loopback address.

# /etc/resolv.conf

Add the hostname-to-IP-address mappings for the lab devices to the /etc/hosts file.

# /etc/hosts util jenkins gitlab awx netq

Note: When the /etc/hosts file is updated the dnsmasq service needs to be restarted so that it reloads the entries into its DNS cache.

The dnsmasq configuration can be tested for syntax errors with the dnsmasq --test command.

sudo dnsmasq --test

# output
dnsmasq: syntax check OK.

Start and enable the dnsmasq service.

sudo systemctl start dnsmasq
sudo systemctl enable dnsmasq

The hosts in this lab get their management IP addresses via DHCP. An update to the /etc/sysconfig/network-scripts/ifcfg-eth0 file is required to use the local dnsmasq service.


# add the following

Restart the network service.

sudo systemctl restart network


Install the ntp service.

sudo yum install -y ntp

Backup the old /etc/ntp.conf configuration file.

sudo mv /etc/ntp.conf /etc/ntp.conf.old

Create an /etc/ntp.conf file with the following contents.

# /etc/ntp.conf
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface.
restrict ::1

# Hosts on local network are less restricted.
restrict mask nomodify notrap

# Use NTP servers.
server iburst
server iburst

# Enable public key cryptography.

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

Note: the subnet that can query the NTP server is restricted to and the upstream NTP servers are set to the Google and Apple stratum 1 time servers.

Start and enable the ntp service.

sudo systemctl start ntpd
sudo systemctl enable ntpd

Test the connection to the NTP servers with the ntpq -p command.

ntpq -p

# output
     remote           refid      st t when poll reach   delay   offset  jitter
* .GOOG.           1 u   15 1024  377  141.819   48.513  57.598
+ussjc2-ntp-002. .GPSs.           1 u  115 1024  377  218.000   18.940  32.073

Root CA

The root CA server will provide certificate signing services. The openssl package will be used to generate the root certificate and also to sign the hosts' certificates. Note: I will be using a minimal configuration that is not very secure, please don't use this method in production.

Generate a signing key.

openssl genrsa -out ROOTCA.key 2048

Create a self-signed certificate using the signing key just created.

openssl req -x509 -new -nodes -key ROOTCA.key -sha256 -days 1024 \
    -subj "/C=AU/ST=NSW/L=NSW/O=LAB/CN=util.lab.local" \
    -out ROOTCA.pem

Move the root certificate and its key to the /etc/ssl/certs directory and set the ownership to the root user, leaving the certificate world-readable and the key readable by root only.

sudo mv ROOTCA.* /etc/ssl/certs/ ; cd /etc/ssl/certs/
sudo chown root:root ROOTCA.*
sudo chmod 0644 ROOTCA.pem
sudo chmod 0400 ROOTCA.key

Once this is done the ROOTCA.pem will need to be imported into the trusted certificate store of the host devices. The hosts themselves will need to generate a certificate signing request and have the certificate signed by the root CA.
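Issuing a host certificate from this root CA, as an added example that is not part of the original post: the host generates a key and CSR, the CA signs it with a subjectAltName matching the hostname (the OpenSSL 1.0.2 shipped with CentOS 7 has no -addext, so the extensions go in an extfile that the CA controls), and the result is checked against ROOTCA.pem. The hostname gitlab.lab.local, the CA_DIR variable and the one-year validity are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): issue and check a host
# certificate signed by the lab root CA built above.
# Assumes ROOTCA.key and ROOTCA.pem live in $CA_DIR (defaults to the
# /etc/ssl/certs path the post uses).
set -eu

CA_DIR="${CA_DIR:-/etc/ssl/certs}"

# Run on the host: create a private key and a CSR for the hostname.
make_csr() {
    host="$1"   # e.g. gitlab.lab.local (assumed name)
    openssl genrsa -out "$host.key" 2048 2>/dev/null
    openssl req -new -key "$host.key" -sha256 \
        -subj "/C=AU/ST=NSW/L=NSW/O=LAB/CN=$host" \
        -out "$host.csr"
}

# Run on the CA: sign the CSR. The CA, not the requester, decides the
# extensions: end-entity only, server usage, SAN matching the hostname
# (browsers and modern TLS clients ignore the CN for name matching).
sign_csr() {
    host="$1"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$host.ext"
    openssl x509 -req -in "$host.csr" -sha256 -days 365 \
        -CA "$CA_DIR/ROOTCA.pem" -CAkey "$CA_DIR/ROOTCA.key" -CAcreateserial \
        -extfile "$host.ext" -out "$host.crt"
}

# Check that the issued certificate chains to ROOTCA.pem and carries the
# expected DNS name in its SAN (grep on -text works on OpenSSL 1.0.2 too).
verify_cert() {
    host="$1"
    openssl verify -CAfile "$CA_DIR/ROOTCA.pem" "$host.crt" >/dev/null &&
    openssl x509 -in "$host.crt" -noout -text | grep -q "DNS:$host"
}

# Usage: sh issue-cert.sh gitlab.lab.local
if [ "$#" -gt 0 ]; then
    make_csr "$1" && sign_csr "$1" && verify_cert "$1" && echo "issued $1.crt"
fi
```

Copy only the .crt back to the host; the host's private key never leaves it and the CA's ROOTCA.key never leaves the utility server.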


Now that the utility server is configured with DNS, NTP and certificate services, let's move on to part 3 of this series: Gitlab Installation.


Published: 2018-01-24