Let’s Encrypt Container VNS3 Plugins Guide 2018

Let’s Encrypt Container - Amazon Web Services · 2019-07-30 · Let’s Encrypt Container Firewall Rules 16 The Let’s Encrypt Container requires the following firewall rules



© 2019

Table of Contents


• Introduction
• Let’s Encrypt Container Detail
• Deploying the Let’s Encrypt Container
• Configuring the Let’s Encrypt Container
• Export a Container Image


Introduction



VNS3 provides container-based network services

[Figure: VNS3 Core Components (router, switch, firewall, VPN concentrator, protocol redistributor, extensible NFV) alongside container-based services (WAF, content caching, NIDS, proxy, load balancing, custom), forming a dynamic and scriptable SDN]

Isolated Linux containers within VNS3 allow partners and customers to embed features and functions safely and securely into their cloud network.


Requirements

• You have agreed to the VNS3 Terms and Conditions.
• Basic knowledge of Linux software installation and use of command line tools.


Getting Help with VNS3


This document assumes you have a VNS3 Controller instance launched and running in a security group, network or similar that has the appropriate access rules included for normal VNS3 operations. For any support issues, email us at [email protected]

Please review the VNS3 Support Plans and Contacts before sending support inquiries. If you need specific help with project planning, POCs, or audits, contact our professional services team via [email protected] for details.


Let’s Encrypt Container Detail


Getting Started with the VNS3 Plugin System


The Let’s Encrypt container is deployed to VNS3 as a plugin using the container system. Please be familiar with the VNS3 plug-in configuration guide:
https://s3.amazonaws.com/cohesive-networks/dnld/Cohesive-Networks_VNS3-4-Container-System.pdf


Let’s Encrypt Container - What does it do?


Following initial setup, the container will run once per week to perform the following actions:
• Initiate certificate generation/renewal by Let’s Encrypt
• Perform Let’s Encrypt HTTP challenge verification
• Upload and install certificates to VNS3 via the VNS3 API

You do not need a Let’s Encrypt account to use this container.


Let’s Encrypt Container - What does it need?


The setup script inside the container requires and prompts for the following information:
• A DNS address for which certificates will be generated. This address must resolve to your VNS3 controller’s public IP address.
• An email address to be associated with the certificate, usually your webmaster address.
• Your VNS3 controller’s container network IP address. This will be the first address in your overlay subnet; for example, if your container network is 198.51.100.0/28, VNS3’s address is 198.51.100.1.
• Your VNS3 controller’s API password.


Deploying the Let’s Encrypt Container


Getting the Let’s Encrypt Container


The Linux-based (Ubuntu 14.04) Let’s Encrypt Container Image is accessible at the following URL:

https://vns3-containers-read-all.s3.amazonaws.com/LetsEncrypt/LetsEncrypt-1.0-20190710.tar.gz

This is a read-only Amazon S3 storage location. Only Cohesive Networks can update or modify files stored in this location. This URL can be used directly in a VNS3 Controller via the Web UI or API to import the container image for use in that controller. A general screenshot walkthrough and help are available in the plug-in configuration document:
https://s3.amazonaws.com/cohesive-networks/dnld/Cohesive-Networks_VNS3-4-Container-System.pdf


Uploading the Container Image to VNS3


From the Container > Images page, choose Upload Image. Provide a name for the image and a short description if you wish. Select “Image File URL” and enter the Let’s Encrypt Container Image file URL:
https://vns3-containers-read-all.s3.amazonaws.com/LetsEncrypt/LetsEncrypt-1.0-20190710.tar.gz
Click “Upload”.


Allocating a Container from the Image


When the Image has imported successfully, its state will be “Ready” in the Status Column. To launch a container from the image, choose Allocate from the Image’s Action menu.


Launching the Let’s Encrypt Container


After selecting Allocate from the Actions menu, name your container, provide a description (optional), and enter “/usr/bin/supervisord” as the Command to start the container.

You can allow VNS3 to auto-assign a container network IP, but it is recommended that you choose one explicitly. Take note of this address for the following steps.


Let’s Encrypt Container Firewall Rules


The Let’s Encrypt Container requires that the following firewall rules be added to the VNS3 controller:

Anywhere it appears, replace <container_ip> with the container IP you noted in the previous step.

# Container internet access
FORWARD_CUST -o eth0 -s <container_ip> -j ACCEPT
FORWARD_CUST -o plugin0 -d <container_ip> -j ACCEPT
POSTROUTING_CUST -s <container_ip> -o eth0 -j MASQUERADE

# Container SSH access
PREROUTING_CUST -p tcp --dport 44 -j DNAT --to <container_ip>:22

# Container LetsEncrypt verification
PREROUTING_CUST -i eth0 -p tcp --dport 80 -j DNAT --to <container_ip>:80

# LetsEncrypt container API access
INPUT_CUST -i plugin0 -s <container_ip> -p tcp --dport 8000 -j ACCEPT
OUTPUT_CUST -o plugin0 -d <container_ip> -p tcp --sport 8000 -j ACCEPT
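As an added example (not part of this guide and not Cohesive Networks code), the Python below ties the firewall rules above to the inputs listed under “What does it need?”: it derives the controller’s container-network address as the first host of the subnet, renders the rule set for a chosen container IP only after confirming that IP lies inside the container network, and checks that the certificate’s DNS name resolves to the controller’s public IP, which the port-80 DNAT rule depends on. The hostname and addresses are constructed sample values.

```python
import ipaddress
import socket

# Rule set copied from the guide; <container_ip> is substituted per container.
RULE_TEMPLATE = """\
# Container internet access
FORWARD_CUST -o eth0 -s <container_ip> -j ACCEPT
FORWARD_CUST -o plugin0 -d <container_ip> -j ACCEPT
POSTROUTING_CUST -s <container_ip> -o eth0 -j MASQUERADE
# Container SSH access
PREROUTING_CUST -p tcp --dport 44 -j DNAT --to <container_ip>:22
# Container LetsEncrypt verification
PREROUTING_CUST -i eth0 -p tcp --dport 80 -j DNAT --to <container_ip>:80
# LetsEncrypt container API access
INPUT_CUST -i plugin0 -s <container_ip> -p tcp --dport 8000 -j ACCEPT
OUTPUT_CUST -o plugin0 -d <container_ip> -p tcp --sport 8000 -j ACCEPT
"""


def controller_address(container_network):
    """VNS3's own address on the container network: the first host address
    of the subnet (198.51.100.0/28 -> 198.51.100.1, as the guide states)."""
    net = ipaddress.ip_network(container_network, strict=True)
    return str(net.network_address + 1)


def render_rules(container_ip, container_network):
    """Fill in <container_ip>, refusing an address that lies outside the
    container network or that is the controller's own address."""
    net = ipaddress.ip_network(container_network, strict=True)
    ip = ipaddress.ip_address(container_ip)
    if ip not in net:
        raise ValueError("%s is not inside container network %s" % (ip, net))
    if str(ip) == controller_address(container_network):
        raise ValueError("%s is the controller's address, not a container's" % ip)
    return RULE_TEMPLATE.replace("<container_ip>", str(ip))


def dns_points_at_controller(hostname, public_ip, resolve=socket.gethostbyname):
    """The HTTP challenge can only succeed if the certificate's DNS name
    resolves to the controller's public IP, where the port-80 DNAT rule
    lives. 'resolve' is injectable so the check can run without network."""
    try:
        return resolve(hostname) == public_ip
    except OSError:
        return False
```

Run `render_rules("198.51.100.5", "198.51.100.0/28")` (constructed values) to get the rule set ready to paste into the VNS3 firewall page; `dns_points_at_controller(name, ip)` with the default resolver performs a live lookup.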


Configuring the Let’s Encrypt Container


After allocating the container and applying the necessary firewall rules to VNS3, you can SSH into the container on port 44. The username is container_admin, and the default password is container_admin_123!
We recommend that you change this password immediately, using the following command:
sudo passwd container_admin


Configuration of the Let’s Encrypt container is simple; start by SSHing into the container. Next, run ./setup.sh. You will be prompted to enter the following information:
• The controller’s DNS address
• An email address to be associated with the generated certificates
• Your VNS3 controller’s Container Network IP address
• Your VNS3 controller’s API password


The script will then generate and install a Let’s Encrypt HTTPS certificate, and it will renew that certificate every week for as long as the container runs. Once the initial certificate generation process has completed (indicated by the message “finished_ok”), you may log out of the container.


Export a Container Image


In the event that your VNS3 controller needs to be replaced or upgraded, you will need a copy of your configured Let’s Encrypt Container. We recommend creating and downloading an image of your container as a final step of the deployment process:

From the Containers page in the VNS3 web UI, select “Action” > “Save as Image” for your new Let’s Encrypt Container. Once that process is complete, you’ll be brought to the Images page. Select “Action” > “Export” on the new image, and provide a name. Once exporting is complete, you will have the option to download the image locally.


VNS3 Configuration Document Links


VNS3 Product Resources - Documentation | Add-ons

VNS3 Configuration Instructions (Free & Lite Editions | BYOL)
Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.

VNS3 Administration Document
Covers the administration and operation of a configured VNS3 Controller. Additional detail is provided around the VNS3 Firewall, all administration menu items, upgrade licenses, other routes and SNMP traps.

VNS3 Troubleshooting
Troubleshooting document that provides explanations of the issues more commonly experienced with VNS3.