When using PKI certificates it is critical that DNS is working correctly and that hosts have their time synced via a reliable NTP server: a certificate check fails if a name does not resolve to the host presenting the certificate or if the client's clock falls outside the certificate's validity window. In this part of the series I will build a utility server that will act as the DNS, NTP and root certificate authority. The utility server will use CentOS 7 minimal as the OS with the firewall service disabled and SELinux set to permissive.
The DNS service will be provided by dnsmasq as it is lightweight and easy to set up.
sudo yum install -y dnsmasq
Create a dnsmasq user and group and assign the user to the group.
sudo groupadd -r dnsmasq
sudo useradd -r -g dnsmasq dnsmasq
Backup the old /etc/dnsmasq.conf configuration file.
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.old
Create an /etc/dnsmasq.conf file with the following contents.
# /etc/dnsmasq.conf
listen-address=127.0.0.1,192.168.121.120
port=53
bind-interfaces
user=dnsmasq
group=dnsmasq
pid-file=/var/run/dnsmasq.pid
domain-needed
domain=lab.local
expand-hosts
bogus-priv
dns-forward-max=150
cache-size=1000
no-negcache
neg-ttl=3600
resolv-file=/etc/resolv.dnsmasq
no-poll
Create an /etc/resolv.dnsmasq file that uses Google DNS as the upstream DNS servers.
# /etc/resolv.dnsmasq
nameserver 220.127.116.11
nameserver 18.104.22.168
Set the nameserver attribute in the /etc/resolv.conf file to the loopback address so the server itself resolves through dnsmasq.
# /etc/resolv.conf
nameserver 127.0.0.1
Add the device host to IP address mappings to the /etc/hosts file.
# /etc/hosts
192.168.121.120 util
192.168.121.121 jenkins
192.168.121.122 gitlab
192.168.121.123 awx
192.168.121.124 netq
Note: When the /etc/hosts file is updated the dnsmasq service needs to be restarted to update its DNS cache.
The dnsmasq configuration can be tested for syntax errors with the dnsmasq --test command.
sudo dnsmasq --test
# output
dnsmasq: syntax check OK.
Start and enable the dnsmasq service.
sudo systemctl start dnsmasq
sudo systemctl enable dnsmasq
The hosts in this lab get their management IP addresses via DHCP. An update to the /etc/sysconfig/network-scripts/ifcfg-eth0 file is required so the interface uses the local dnsmasq service instead of the DNS servers handed out by DHCP.
DEVICE="eth0"
BOOTPROTO="dhcp"
ONBOOT="yes"
TYPE="Ethernet"
PERSISTENT_DHCLIENT="yes"
# add the following
DNS1="127.0.0.1"
PEERDNS=no
Restart the network service.
sudo systemctl restart network
Install the ntp service.
sudo yum install -y ntp
Backup the old /etc/ntp.conf configuration file.
sudo mv /etc/ntp.conf /etc/ntp.conf.old
Create an /etc/ntp.conf file with the following contents.
# /etc/ntp.conf
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery
# Permit all access over the loopback interface.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are less restricted.
restrict 192.168.121.0 mask 255.255.255.0 nomodify notrap
# Use NTP servers.
server time.google.com iburst
server time.apple.com iburst
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor
Note: the subnet that can query the NTP server is restricted to 192.168.121.0/24 and the upstream NTP servers are set to the Google and Apple stratum 1 time servers.
Start and enable the ntp service.
sudo systemctl start ntpd
sudo systemctl enable ntpd
Test the connection to the NTP servers with the ntpq -p command. The * in the first column marks the peer ntpd has selected as its time source, and a reach value of 377 means the last eight polls all succeeded.
ntpq -p
# output
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time4.google.co .GOOG.           1 u   15 1024  377  141.819   48.513  57.598
+ussjc2-ntp-002. .GPSs.           1 u  115 1024  377  218.000   18.940  32.073
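The certificate validity windows handled later in this post only hold if the clock is right, so a small health check over the ntpq -p output is worth having. The function below is an added example, not part of the original post: it fails unless ntpd has selected a system peer (the * row), that peer's reach is 377, and its offset is within a limit you choose. The sample table is constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): health check over `ntpq -p` output.
# Sample input constructed from the ntpq table shown in the post.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time4.google.co .GOOG.           1 u   15 1024  377  141.819   48.513  57.598
+ussjc2-ntp-002. .GPSs.           1 u  115 1024  377  218.000   18.940  32.073'

# ntp_healthy <max absolute offset in ms>   (reads `ntpq -p` output on stdin)
# Exit status: 0 healthy, 1 no selected peer, 2 selected peer not fully
# reachable, 3 selected peer offset above the limit.
# Field layout of an ntpq -p row: the tally character ('*', '+', ...) is glued
# to the remote name, so remote=$1 refid=$2 st=$3 t=$4 when=$5 poll=$6
# reach=$7 delay=$8 offset=$9 jitter=$10.
ntp_healthy() {
    max_offset=$1
    awk -v max="$max_offset" '
        /^\*/ {
            found = 1
            reach = $7
            off = $9
            if (off < 0) off = -off      # compare the magnitude only
        }
        END {
            if (!found)       exit 1
            if (reach != 377) exit 2
            if (off > max)    exit 3
            exit 0
        }'
}

# Typical use on the utility server:  ntpq -p | ntp_healthy 100
```

A run against the sample passes with a 100 ms limit and returns 3 with a 10 ms limit, since the selected peer's offset is 48.513 ms.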
The root CA server will provide certificate signing services. The openssl package will be used to generate the root certificate and also to sign the hosts' certificates. Note: I will be using a minimal configuration that is not very secure, please don't use this method in production.
Generate a signing key.
openssl genrsa -out ROOTCA.key 2048
Create a self-signed certificate using the signing key just created.
openssl req -x509 -new -nodes -key ROOTCA.key -sha256 -days 1024 \
  -subj "/C=AU/ST=NSW/L=NSW/O=LAB/CN=util.lab.local" \
  -out ROOTCA.pem
Move the certificates to the /etc/ssl/certs directory and update the permissions and ownership to the root user.
sudo mv ROOTCA.* /etc/ssl/certs/ ; cd /etc/ssl/certs/
sudo chown root:root ROOTCA.*
sudo chmod 0644 ROOTCA.pem
sudo chmod 0400 ROOTCA.key
Once this is done the ROOTCA.pem will need to be imported into the trusted certificate store of the host devices. The hosts themselves will need to generate a certificate signing request and have the certificate signed by the root CA.
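The signing step for a host is not shown in the post, so here is an added example (not the post's own commands) that issues a host certificate from the lab root CA and checks that it chains back. It regenerates a ROOTCA.key/ROOTCA.pem pair in a scratch directory with the same openssl commands as above so it runs stand-alone; the host name and IP arguments are placeholders taken from the /etc/hosts layout, and the subjectAltName extension is added because TLS clients match on the SAN rather than the CN.

```shell
#!/bin/sh
# Added example (not from the original post): sign a host CSR with the lab root CA
# and verify the result. Runs entirely inside <workdir>.
set -eu

# issue_host_cert <workdir> <short host> <ip>
# Produces <host>.key, <host>.csr and <host>.pem; returns 0 only if the signed
# certificate verifies against ROOTCA.pem and carries the expected DNS SAN.
issue_host_cert() {
    dir=$1; host=$2; ip=$3
    fqdn="$host.lab.local"      # domain=lab.local from the dnsmasq config above

    # Root CA, created exactly as in the post if it is not already in <workdir>
    [ -f "$dir/ROOTCA.key" ] || openssl genrsa -out "$dir/ROOTCA.key" 2048 2>/dev/null
    [ -f "$dir/ROOTCA.pem" ] || openssl req -x509 -new -nodes -key "$dir/ROOTCA.key" \
        -sha256 -days 1024 -subj "/C=AU/ST=NSW/L=NSW/O=LAB/CN=util.lab.local" \
        -out "$dir/ROOTCA.pem" 2>/dev/null

    # Host key and CSR (the CSR is what the host would hand to the CA)
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key" \
        -subj "/C=AU/ST=NSW/L=NSW/O=LAB/CN=$fqdn" -out "$dir/$host.csr" 2>/dev/null

    # Extensions applied by the CA at signing time: SANs for the FQDN, the short
    # name used in /etc/hosts, and the IP, restricted to server authentication.
    printf 'subjectAltName=DNS:%s,DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
        "$fqdn" "$host" "$ip" > "$dir/$host.ext"

    # Sign for one year (shorter than the 1024-day root) with the root CA key
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ROOTCA.pem" -CAkey "$dir/ROOTCA.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/$host.ext" \
        -out "$dir/$host.pem" 2>/dev/null

    # Checks a host should run before installing the certificate:
    # 1. it chains to the root that will be imported into the trust stores
    openssl verify -CAfile "$dir/ROOTCA.pem" "$dir/$host.pem" >/dev/null 2>&1 || return 1
    # 2. the SAN actually names the host, otherwise clients reject it
    openssl x509 -in "$dir/$host.pem" -noout -text | grep -q "DNS:$fqdn" || return 1
}
```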
Now that the utility server is configured with DNS, NTP and certificate services, let's move on to part 3 of this series: Gitlab Installation.