## The "it might be usable as a platform for an information bank... series" has been carried all the way through to <Trying out ExtRole via the API>, and I am basking in the satisfaction, so... I thought I would change tack here for a while. If you now follow the earlier entry <Installing with Ansible> as written, the build will most likely not work. So here I want to redo the build on the new version, partly as a recap...
#### This procedure is the improved version of the one in another entry, where the server certificate obtained with a wildcard did not match the specification and https access failed; with this version the build goes through smoothly.
#### Anyone curious enough to want to see what mistake cost me a whole day may find the following entry entertaining...
<Failed procedure> Installing the new version (1.7.9) of Personium with Ansible
OK. Those reading this entry either need no preamble or just want the steps, so... I will push straight through the steps only.
Points changed since 1.7.5.
Old scheme)
https:// {{FQDN of the unit}} / {{Cell name within the unit}} / {{command or Box name}} / …
New scheme)
https:// {{Cell name within the unit}} . {{FQDN of the unit}} / {{command or Box name}} / …
So... in the previous entry I went ahead assuming a wildcard such as {{CELL}}.personium.takky.info would cover this, but what do you know: because of how Let's Encrypt works I could not obtain a wildcard certificate for "*.personium.takky.info", so I obtained one for "*.takky.info" instead, and then "*.*.takky.info" turned out not to be covered by that certificate.
So I registered yet another domain (takky.work) to deal with it.
※ takky.info looks like it has other possible uses, and it would have ended up usable only for this experiment, so I decided to keep it in reserve.
## Getting organized
First, let's sort out what has to be done.
- Preparing the instance ... spin up an Azure instance as usual.
- Host name ... as in the previous environment... I went with takky.work.
- Per-cell FQDN ... set an A record for the wildcard *.takky.work in DNS.
- Server certificate ... "Let's Encrypt" covers it with a wildcard.
- Getting Ansible ... proceeding with Ver 1.5.1.
- Running and verifying Ansible ... following the steps of the previous entry is fine.
## Setup
Here we go! Setup!!
Let's run through the commands from <Failed procedure> Installing the new version (1.7.9) of Personium with Ansible!
### 1. Preparing the environment
| Setting | Value |
|---|---|
| Host name | takky.work |
| Cell name 1 | unitadmin.takky.work |
| Cell name 2 | admin.takky.work |
| TXT | _acme-challenge.takky.work="TEST" |
| Private IP | 10.0.14.4 |
| OS | CentOS 7.5 |
| Instance size | Azure Standard D2sv3 (2 vCPU, 8 GB memory) <minimum memory: 4 GB> |
| Open ports | ssh(22), https(443), http(80) ※ restrict the allowed range as needed |
This time, besides "name resolution" for the FQDNs that include the CELL, the TXT record for "_acme-challenge.takky.work" is important... and since the TXT record has to be updated after the Let's Encrypt certificate request has started, I want to begin the request with a short TTL on that record, so I first register it with a dummy value.
##### _acme-challenge.takky.work
```
$ dig _acme-challenge.takky.work TXT +noedns
; <<>> DiG 9.10.6 <<>> _acme-challenge.takky.work TXT +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51498
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;_acme-challenge.takky.work. IN TXT
;; ANSWER SECTION:
_acme-challenge.takky.work. 591 IN TXT "gMTNZ8vbUJhtAa4KQjpXhC4COeQzbnk1-RgUyh3A1LM"
;; Query time: 4 msec
;; SERVER: 172.16.15.254#53(172.16.15.254)
;; WHEN: Mon Apr 22 15:19:33 JST 2019
;; MSG SIZE rcvd: 100
```
##### takky.work
```
$ dig takky.work +noedns
; <<>> DiG 9.10.6 <<>> takky.work +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38162
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;takky.work. IN A
;; ANSWER SECTION:
takky.work. 445 IN A 13.73.20.18
;; Query time: 2 msec
;; SERVER: 172.16.15.254#53(172.16.15.254)
;; WHEN: Mon Apr 22 15:21:04 JST 2019
;; MSG SIZE rcvd: 44
```
##### unitadmin.takky.work
```
$ dig unitadmin.takky.work +noedns
; <<>> DiG 9.10.6 <<>> unitadmin.takky.work +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63191
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;unitadmin.takky.work. IN A
;; ANSWER SECTION:
unitadmin.takky.work. 600 IN A 13.73.20.18
;; Query time: 47 msec
;; SERVER: 172.16.15.254#53(172.16.15.254)
;; WHEN: Mon Apr 22 15:21:37 JST 2019
;; MSG SIZE rcvd: 54
```
##### admin.takky.work
```
$ dig admin.takky.work +noedns
; <<>> DiG 9.10.6 <<>> admin.takky.work +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52206
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;admin.takky.work. IN A
;; ANSWER SECTION:
admin.takky.work. 600 IN A 13.73.20.18
;; Query time: 35 msec
;; SERVER: 172.16.15.254#53(172.16.15.254)
;; WHEN: Mon Apr 22 15:22:05 JST 2019
;; MSG SIZE rcvd: 50
```
OK.
### 2. Deploying Ansible
First, log in to the server
```
$ ssh {user}@takky.work
The authenticity of host 'takky.work (13.73.20.18)' can't be established.
ECDSA key fingerprint is SHA256:MusNSZeF7g6gY3XRRZv26TiJbujnT76GdWCZSSSi4wI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'takky.work,13.73.20.18' (ECDSA) to the list of known hosts.
Password:
[{user}@personium ~]$
```
Fetch the latest Ansible and extract the archive
```
$ wget https://github.com/personium/ansible/archive/master.zip
--2019-04-22 02:56:19-- https://github.com/personium/ansible/archive/master.zip
github.com (github.com) をDNSに問いあわせています... 192.30.255.113, 192.30.255.112
github.com (github.com)|192.30.255.113|:443 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 302 Found
場所: https://codeload.github.com/personium/ansible/zip/master [続く]
--2019-04-22 02:56:20-- https://codeload.github.com/personium/ansible/zip/master
codeload.github.com (codeload.github.com) をDNSに問いあわせています... 192.30.255.120, 192.30.255.121
codeload.github.com (codeload.github.com)|192.30.255.120|:443 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 200 OK
長さ: 特定できません [application/zip]
`master.zip' に保存中
[ <=> ] 555,837 1.02MB/s 時間 0.5s
2019-04-22 02:56:21 (1.02 MB/s) - `master.zip' へ保存終了 [555837]
$ ls
master.zip
$ unzip master.zip
Archive: master.zip
8f2978c80345e4ddac773f4ecd31ad3a1fa102fc
creating: ansible-master/
creating: ansible-master/1-server_unit/
inflating: ansible-master/1-server_unit/1-server_unit.jpg
inflating: ansible-master/1-server_unit/Ansible_Settings_Instruction.md
inflating: ansible-master/1-server_unit/README.md
inflating: ansible-master/1-server_unit/ansible.cfg
:
inflating: ansible-master/Create_Server_Certificate_for_Letsencript.md
inflating: ansible-master/How_to_generate_Self-signed_Unit_Certificate.md
inflating: ansible-master/LICENSE
inflating: ansible-master/README.md
$ ls
ansible-master master.zip
```
Place it where Ansible will be run from (1-server)
```
$ sudo ln -s /home/pds/ansible-master/1-server_unit/ /root/ansible
$ sudo ls -l /root | grep ^l
lrwxrwxrwx. 1 root root 39 4月 22 02:58 ansible -> /home/pds/ansible-master/1-server_unit/
```
### 3. Adjust the Ansible configuration file (static_inventory/hosts) to the environment
```
$ vim ~/ansible-master/1-server_unit/static_inventory/hosts
```
```
############ Private IP Address of Bastion server ############
[tag_ServerType_bastion]
#Fill in the Private IP Address of Bastion server
#{Bastion_Private_IP}
# Change the line above to the private IP, as shown below ↓ ↓ ↓
10.0.14.4
############ Private IP Address of Personium server ############
[tag_ServerType_personium]
#Fill in the Private IP Address of Personium server
#{Personium_Private_IP}
# Change the line above to the private IP, as shown below ↓ ↓ ↓
10.0.14.4
############ Setting items of bastion server ############
[tag_ServerType_bastion:vars]
# Hostname
#tag_Name={Bastion_Tag_Name}
# Change the line above as shown below ↓ ↓ ↓
tag_Name=bastion-web
## User who runs ansible
#ansible_ssh_user={Ansible_Execution_User}
# Change the line above to the user name, as shown below ↓ ↓ ↓
ansible_ssh_user=root
## Secret key for executing ansible(Absolute path)
#ansible_ssh_private_key_file={SSH_PrivateKey}
# Change the line above to the private key path, as shown below ↓ ↓ ↓
ansible_ssh_private_key_file=/root/.ssh/id_rsa
# Master Token of Personium
#master_token={Master_Token}
# Change the line above to the password, as shown below ↓ ↓ ↓
# This is the password of an extremely powerful user, so set one that cannot be guessed easily
# and manage it so that it never reaches a third party.
master_token= TOKEN
## Web server FQDN
#base_url={Personium_FQDN}
# Change the line above to the FQDN, as shown below ↓ ↓ ↓
base_url=takky.work
## URL format to access cell
## true:path based cell url
## false:per cell fqdn url
#path_based_cell_url_enabled={Path_Based_Cell_Url_Enabled}
# Change the line above to false, as shown below ↓ ↓ ↓
path_based_cell_url_enabled=false
############ Setting items of Personium server ############
[tag_ServerType_personium:vars]
# Hostname
#tag_Name={Personium_Tag_Name}
# Change the line above as shown below ↓ ↓ ↓
tag_Name=test-ap
## User who runs ansible
#ansible_ssh_user={Ansible_Execution_User}
# Change the line above to the user name, as shown below ↓ ↓ ↓
ansible_ssh_user=root
## Secret key for executing ansible(Absolute path)
#ansible_ssh_private_key_file={SSH_PrivateKey}
# Change the line above to the private key path, as shown below ↓ ↓ ↓
ansible_ssh_private_key_file=/root/.ssh/id_rsa
# Master Token of Personium
#master_token={Master_Token}
# Change the line above to the password (the same one set for bastion), as shown below ↓ ↓ ↓
# This is the password of an extremely powerful user, so set one that cannot be guessed easily
# and manage it so that it never reaches a third party.
master_token= TOKEN
## Web server FQDN
#base_url={Personium_FQDN}
# Change the line above to the FQDN, as shown below ↓ ↓ ↓
base_url=takky.work
## URL format to access cell
## true:path based cell url
## false:per cell fqdn url
#path_based_cell_url_enabled={Path_Based_Cell_Url_Enabled}
# Change the line above to false, as shown below ↓ ↓ ↓
path_based_cell_url_enabled=false
```
### 4. Generating the server certificate used as the unit certificate
```
$ sudo su -
# cd /root/ansible/resource/ap/opt/x509/
# ls
empty
# openssl genrsa -out unit.key 2048 -outform DER
Generating RSA private key, 2048 bit long modulus
................................+++
.....................+++
e is 65537 (0x10001)
# ls
empty unit.key
# openssl req -new -key unit.key -out unit.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: takky.work
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# ls
empty unit.csr unit.key
# openssl x509 -req -days 3650 -signkey unit.key -out unit-self-sign.crt < unit.csr
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=takky.work
Getting Private key
# ls
empty unit.csr unit.key unit-self-sign.crt
```
### 5. Obtaining the server certificate for nginx from Let's Encrypt
##### Installing Git
```
$ sudo su -
[sudo] {user} のパスワード:
最終ログイン: 2019/04/22 (月) 03:12:37 UTC日時 pts/0
# yum install git-all
Loaded plugins: fastestmirror, langpacks
Determining fastest mirrors
base | 3.6 kB 00:00:00
extras | 3.4 kB 00:00:00
:
Install 1 Package (+118 Dependent packages)
Upgrade ( 2 Dependent packages)
Total download size: 73 M
Is this ok [y/d/N]: ← type y
:
Dependency Updated:
freetype.x86_64 0:2.8-12.el7_6.1 glib2.x86_64 0:2.56.1-2.el7
Complete!
```
##### Installing the Let's Encrypt certificate
First, fetch certbot from Git.
```
# cd /usr/local
# git clone https://github.com/certbot/certbot
Cloning into 'certbot'...
remote: Enumerating objects: 20, done.
remote: Counting objects: 100% (20/20), done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 64348 (delta 7), reused 4 (delta 0), pack-reused 64328
Receiving objects: 100% (64348/64348), 21.24 MiB | 9.22 MiB/s, done.
Resolving deltas: 100% (47036/47036), done.
```
Run it with a command like the following.
```
./certbot-auto certonly --manual \
--server https://acme-v02.api.letsencrypt.org/directory \
--preferred-challenges dns \
-d *.takky.work \
-m {email address} \
--agree-tos \
--manual-public-ip-logging-ok
```
```
# cd /usr/local/certbot/
# ./certbot-auto certonly --manual \
--server https://acme-v02.api.letsencrypt.org/directory \
--preferred-challenges dns \
-d *.takky.work \
-m {email address} \
--agree-tos \
--manual-public-ip-logging-ok
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /bin/yum
yum is hashed (/bin/yum)
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 6.5 kB 00:00:00
* epel: www.ftp.ne.jp
base | 3.6 kB 00:00:00
extras | 3.4 kB 00:00:00
openlogic | 2.9 kB 00:00:00
updates | 3.4 kB 00:00:00
Package ca-certificates-2018.2.22-70.0.el7_5.noarch already installed and latest version
Package 1:mod_ssl-2.4.6-88.el7.centos.x86_64 already installed and latest version
:
:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: ← enter y
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for takky.info
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.takky.work with the following value: ←← on _acme-challenge.takky.work
gMTNZ8vbUJhtAa4KQjpXhC4COeQzbnk1-RgUyh3A1LM ←← set this value
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue ←←← at this point, register the DNS TXT value "gMTNZ … 3A1LM" shown above in DNS
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/takky.work/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/takky.work/privkey.pem
Your cert will expire on 2019-07-21. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
```
At the "Press Enter to Continue" step, after registering the DNS TXT value "gMTNZ … 3A1LM" in DNS, confirm that the specified TXT record can now be resolved as shown below, and only then press Enter.
```
$ dig _acme-challenge.takky.work TXT +noedns
; <<>> DiG 9.10.6 <<>> _acme-challenge.takky.work TXT +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51498
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;_acme-challenge.takky.work. IN TXT
;; ANSWER SECTION:
_acme-challenge.takky.work. 591 IN TXT "gMTNZ8vbUJhtAa4KQjpXhC4COeQzbnk1-RgUyh3A1LM"
;; Query time: 4 msec
;; SERVER: 172.16.15.254#53(172.16.15.254)
;; WHEN: Mon Apr 22 15:19:33 JST 2019
;; MSG SIZE rcvd: 100
```
(The domain is takky.work...) There it is. There it is...
```
# ls -alh /etc/letsencrypt/live/takky.work/
total 4.0K
drwxr-xr-x. 2 root root 93 Apr 22 04:28 .
drwx------. 3 root root 38 Apr 22 04:28 ..
lrwxrwxrwx. 1 root root 34 Apr 22 04:28 cert.pem -> ../../archive/takky.work/cert1.pem
lrwxrwxrwx. 1 root root 35 Apr 22 04:28 chain.pem -> ../../archive/takky.work/chain1.pem
lrwxrwxrwx. 1 root root 39 Apr 22 04:28 fullchain.pem -> ../../archive/takky.work/fullchain1.pem
lrwxrwxrwx. 1 root root 37 Apr 22 04:28 privkey.pem -> ../../archive/takky.work/privkey1.pem
-rw-r--r--. 1 root root 692 Apr 22 04:28 README
```
Next, place the Let's Encrypt certificate you obtained where the Ansible run expects it.
```
# cd /root/ansible/resource/web/opt/nginx/conf
# ls
backend.conf.j2 host-acl.conf nginx.conf personium_version.d server_name.conf
# ln -s /etc/letsencrypt/live/takky.work/fullchain.pem server.crt
# ln -s /etc/letsencrypt/live/takky.work/privkey.pem server.key
# ls -l | grep ^l
lrwxrwxrwx. 1 root root 46 Apr 22 07:07 server.crt -> /etc/letsencrypt/live/takky.work/fullchain.pem
lrwxrwxrwx. 1 root root 44 Apr 22 07:07 server.key -> /etc/letsencrypt/live/takky.work/privkey.pem
```
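As an added example (not code from the Personium project or the original post), the Python check below ties section 3 to section 5: it parses the static_inventory/hosts file, derives the host names a per-cell-FQDN unit will serve (base_url plus {cell}.base_url when path_based_cell_url_enabled=false), and tests each against the certificate's SAN list with the single-label wildcard rule that made "*.takky.info" useless for {CELL}.personium.takky.info. The inventory text, the openssl SAN output and the cell names are constructed sample input, and hostname_matches, required_hostnames and preflight are my own names; it also flags that a certificate requested with only -d *.takky.work does not cover the bare takky.work.

```python
"""Preflight check tying section 3 to section 5: does the certificate cover every
host name the inventory will make the unit serve?  Added example, not code from
the Personium project or the original post; all sample input is constructed."""
import re
# A value the operator forgot to fill in, e.g. {Master_Token}
PLACEHOLDER = re.compile(r"^\{[A-Za-z_]+\}$")


def parse_inventory(text):
    """Ansible INI inventory -> {section: {...}}: group sections become {"hosts": [...]},
    [name:vars] sections {key: value}; comments skipped, spaces around '=' dropped."""
    inventory, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            inventory[section] = {} if section.endswith(":vars") else {"hosts": []}
        elif section is None:
            raise ValueError("entry before any section: %r" % raw)
        elif section.endswith(":vars"):
            key, _, value = line.partition("=")
            inventory[section][key.strip()] = value.strip()
        else:
            inventory[section]["hosts"].append(line)
    return inventory


def parse_san_output(text):
    """Pull DNS names out of `openssl x509 -noout -ext subjectAltName` output."""
    return re.findall(r"DNS:([^,\s]+)", text)


def hostname_matches(hostname, san):
    """RFC 6125 section 6.4.3 matching as browsers apply it: '*' is accepted only as
    the whole left-most label and stands for exactly one label, so '*.takky.info'
    never covers 'unitadmin.personium.takky.info' (the failure described above)
    and '*.takky.work' does not cover the bare 'takky.work'."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern) or "" in host:
        return False
    if pattern[0] == "*":
        # refuse very short wildcards such as '*.work', which CAs must not issue
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    return host == pattern


def required_hostnames(unit_vars, cells):
    """Host names the unit serves for these cells under the configured URL scheme
    (the 1.7.5 -> 1.7.9 change described at the top of the page)."""
    base = unit_vars["base_url"].lower()
    if unit_vars.get("path_based_cell_url_enabled", "true").lower() == "true":
        return [base]                                         # https://{base}/{cell}/...
    return [base] + ["%s.%s" % (cell, base) for cell in cells]  # https://{cell}.{base}/...


def preflight(inventory_text, sans, cells):
    """Return human-readable findings; an empty list means the inventory and the
    certificate agree for these cells."""
    inv = parse_inventory(inventory_text)
    var_sections = {k: v for k, v in inv.items() if k.endswith(":vars")}
    findings = []
    for name, section in var_sections.items():
        for key, value in section.items():
            if PLACEHOLDER.match(value):
                findings.append("%s: %s still holds the placeholder %s" % (name, key, value))
    if len({s.get("master_token") for s in var_sections.values()}) > 1:
        findings.append("master_token differs between groups; both must hold the same value")
    unit_vars = inv.get("tag_ServerType_personium:vars", {})
    if "base_url" not in unit_vars:
        return findings + ["tag_ServerType_personium:vars has no base_url"]
    for host in required_hostnames(unit_vars, cells):
        if not any(hostname_matches(host, san) for san in sans):
            findings.append("certificate does not cover %s (SANs: %s)" % (host, ", ".join(sans)))
    return findings


# Constructed sample inventory using the values from section 3 of this page.
INVENTORY = """\
[tag_ServerType_bastion]
10.0.14.4
[tag_ServerType_personium]
10.0.14.4
[tag_ServerType_bastion:vars]
master_token= TOKEN
base_url=takky.work
path_based_cell_url_enabled=false
[tag_ServerType_personium:vars]
master_token= TOKEN
base_url=takky.work
path_based_cell_url_enabled=false
"""
# Constructed: the SAN a certificate requested with only "-d *.takky.work" carries.
SAN_OUTPUT = "X509v3 Subject Alternative Name:\n    DNS:*.takky.work\n"
if __name__ == "__main__":
    for finding in preflight(INVENTORY, parse_san_output(SAN_OUTPUT), ["unitadmin", "admin"]):
        print(finding)  # reports that takky.work itself is not covered
```

Against the real files, feed the output of `openssl x509 -in server.crt -noout -ext subjectAltName` to parse_san_output and the contents of static_inventory/hosts to preflight.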
### 6. Generating the public key
```
# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): <Enter>
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): <enter a passphrase of your choice>
Enter same passphrase again: <enter the same passphrase again>
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:jdz79bA5gBY/Lp11lXHkuW1nus5Rv9aqwSVrb8pB+2o root@personium
The key's randomart image is:
+---[RSA 2048]----+
|               ..|
|               oo|
|               .=|
|       . +.    .+|
|      S o+o   ..B|
|        o++=.=+  |
|        ..oB==.o |
|        .+EBoOo  |
|         o**@+.  |
+----[SHA256]-----+
# cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys
# ls -alh /root/.ssh/
total 12K
drwx------. 2 root root 61 Apr 22 06:26 .
dr-xr-x---. 6 root root 238 Apr 22 06:26 ..
-rw-------. 1 root root 396 Apr 22 06:26 authorized_keys
-rw-------. 1 root root 1.8K Apr 22 06:26 id_rsa
-rw-r--r--. 1 root root 396 Apr 22 06:26 id_rsa.pub
```
### 7. Running Ansible
First, add the EPEL (7-11) repository.
(The Azure default has since changed from 7.5 to 7.7...) On CentOS 7.7 "adding this repository" appears to be unnecessary.
```
$ sudo su -
# yum localinstall http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
Loaded plugins: fastestmirror, langpacks
epel-release-7-11.noarch.rpm | 15 kB 00:00:00
Examining /var/tmp/yum-root-ZK6YtV/epel-release-7-11.noarch.rpm: epel-release-7-11.noarch
Marking /var/tmp/yum-root-ZK6YtV/epel-release-7-11.noarch.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================================================================
Package Arch Version Repository Size
================================================================================================================================
Installing:
epel-release noarch 7-11 /epel-release-7-11.noarch 24 k
Transaction Summary
================================================================================================================================
Install 1 Package
Total size: 24 k
Installed size: 24 k
Is this ok [y/d/N]: ←← y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : epel-release-7-11.noarch 1/1
Verifying : epel-release-7-11.noarch 1/1
Installed:
epel-release.noarch 0:7-11
Complete!
```
Next, install ansible
```
# yum install ansible
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 4.7 kB 00:00:00
* epel: ftp.jaist.ac.jp
epel | 4.7 kB 00:00:00
(1/3): epel/x86_64/group_gz | 88 kB 00:00:00
(2/3): epel/x86_64/updateinfo | 988 kB 00:00:00
(3/3): epel/x86_64/primary_db | 6.7 MB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package ansible.noarch 0:2.7.10-1.el7 will be installed
:
:
Transaction Summary
================================================================================================================================
Install 1 Package (+17 Dependent packages)
Total download size: 16 M
Installed size: 79 M
Is this ok [y/d/N]: ←← type y
Downloading packages:
(1/18): libtomcrypt-1.17-26.el7.x86_64.rpm | 224 kB 00:00:00
(2/18): libtommath-0.42.0-6.el7.x86_64.rpm | 36 kB 00:00:00
:
:
Importing GPG key 0x352C64E5:
Userid : "Fedora EPEL (7) <epel@fedoraproject.org>"
Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
Package : epel-release-7-11.noarch (installed)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: ←← type y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : python-enum34-1.0.4-1.el7.noarch 1/18
Installing : python-httplib2-0.9.2-1.el7.noarch 2/18
Installing : sshpass-1.06-2.el7.x86_64 3/18
:
:
Dependency Installed:
libtomcrypt.x86_64 0:1.17-26.el7 libtommath.x86_64 0:0.42.0-6.el7 python-babel.noarch 0:0.9.6-8.el7
python-cffi.x86_64 0:1.6.0-5.el7 python-enum34.noarch 0:1.0.4-1.el7 python-httplib2.noarch 0:0.9.2-1.el7
python-idna.noarch 0:2.4-1.el7 python-jinja2.noarch 0:2.7.2-2.el7 python-keyczar.noarch 0:0.71c-2.el7
python-markupsafe.x86_64 0:0.11-10.el7 python-paramiko.noarch 0:2.1.1-9.el7 python-ply.noarch 0:3.4-11.el7
python-pycparser.noarch 0:2.14-1.el7 python2-crypto.x86_64 0:2.6.1-16.el7 python2-cryptography.x86_64 0:1.7.2-2.el7
python2-jmespath.noarch 0:0.9.0-3.el7 sshpass.x86_64 0:1.06-2.el7
Complete!
```
Downloading the Oracle JDK (1.8.0_131)
```
$ sudo su -
# wget -q -O /usr/src/jdk1.8.0_131.tar.gz --no-cookies --no-check-certificate --header "Cookie: oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u131-b11/d54c1d3a095b4ff2b6607d096fa80163/jdk-8u131-linux-x64.tar.gz
```
Running Ansible
```
# cd /root/ansible/
# date; ansible-playbook init_personium.yml ; date
[DEPRECATION WARNING]: Instead of sudo/sudo_user, use become/become_user and make sure become_method is 'sudo' (default). This
feature will be removed in version 2.9. Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.
PLAY [tag_ServerType_bastion] **************************************************************************************************
TASK [Change base_url] *********************************************************************************************************
skipping: [10.0.14.4]
TASK [install unzip] ***********************************************************************************************************
ok: [10.0.14.4]
TASK [install wget] ************************************************************************************************************
ok: [10.0.14.4]
:
:
PLAY [tag_ServerType_personium] ************************************
TASK [Deploy /etc/cron.d/log-delete-cron] **************************
Enter passphrase for key '/root/.ssh/id_rsa': <enter the passphrase chosen when generating the key>
changed: [10.0.14.4]
TASK [install unzip] ***********************************************************************************************************
ok: [10.0.14.4]
TASK [install wget] ************************************************************************************************************
ok: [10.0.14.4]
:
:
TASK [Delete /tmp/personium-init-svcmgr.sh] ************************************************************************************
changed: [10.0.14.4]
TASK [Delete personium-init-svcmgr.log] ****************************************************************************************
changed: [10.0.14.4]
PLAY RECAP *********************************************************************************************************************
10.0.14.4 : ok=271 changed=48 unreachable=0 failed=0
Mon Apr 22 07:14:21 UTC 2019
```
### OK!!
Now let's verify with the correct way of checking.
```
# curl -L -i https://unitadmin.takky.work/
HTTP/1.1 412
Date: Mon, 22 Apr 2019 07:17:02 GMT
Content-Type: application/json
Content-Length: 98
Connection: keep-alive
X-Personium-Version: 1.7.10
Server: Personium
{
"code":"PR412-UI-0001","message":{
"lang":"en",
"value":"Property [relayhtmlurl] not configured."
}
}
```
## Naturally OK!!
### 8. Installing personium-plugins
Installing maven
```
$ sudo su -
# mkdir ~/maven
# cd ~/maven
# wget http://ftp.jaist.ac.jp/pub/apache/maven/maven-3/3.6.0/binaries/apache-maven-3.6.0-bin.tar.gz
--2019-04-22 07:18:25-- http://ftp.jaist.ac.jp/pub/apache/maven/maven-3/3.6.0/binaries/apache-maven-3.6.0-bin.tar.gz
Resolving ftp.jaist.ac.jp (ftp.jaist.ac.jp)... 150.65.7.130, 2001:df0:2ed:feed::feed
Connecting to ftp.jaist.ac.jp (ftp.jaist.ac.jp)|150.65.7.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9063587 (8.6M) [application/x-gzip]
Saving to: ‘apache-maven-3.6.0-bin.tar.gz’
100%[======================================================================================>] 9,063,587 10.6MB/s in 0.8s
2019-04-22 07:18:26 (10.6 MB/s) - ‘apache-maven-3.6.0-bin.tar.gz’ saved [9063587/9063587]
# tar xzvf apache-maven-3.6.0-bin.tar.gz
# ls
apache-maven-3.6.0 apache-maven-3.6.0-bin.tar.gz
# ln -s ~/maven/apache-maven-3.6.0/bin/mvn /opt/jdk/bin/
# ls -l /opt/jdk/bin | grep ^l
lrwxrwxrwx. 1 root root 38 Apr 22 07:19 mvn -> /root/maven/apache-maven-3.6.0/bin/mvn
# exit
$ sudo su -
[sudo] pds のパスワード:
# cd ~/maven
# mvn -v
Apache Maven 3.6.0 (97c98ec64a1fdfee7767ce5ffb20918da4f719f3; 2018-10-24T18:41:47Z)
Maven home: /root/maven/apache-maven-3.6.0
Java version: 1.8.0_192, vendor: Oracle Corporation, runtime: /opt/jdk8u192-b12/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "3.10.0-862.11.6.el7.x86_64", arch: "amd64", family: "unix"
```
### 9. Installing personium-plugins (the four of them)
personium-ex-httpclient
```
# mkdir /personium/personium-ex-xxxxx
# cd /personium/personium-ex-xxxxx
# wget https://github.com/personium/personium-ex-httpclient/archive/master.zip
--2019-04-22 07:21:45-- https://github.com/personium/personium-ex-httpclient/archive/master.zip
Resolving github.com (github.com)... 192.30.255.112, 192.30.255.113
Connecting to github.com (github.com)|192.30.255.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/personium/personium-ex-httpclient/zip/master [following]
--2019-04-22 07:21:45-- https://codeload.github.com/personium/personium-ex-httpclient/zip/master
Resolving codeload.github.com (codeload.github.com)... 192.30.255.120, 192.30.255.121
Connecting to codeload.github.com (codeload.github.com)|192.30.255.120|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: ‘master.zip’
[ <=> ] 23,059 --.-K/s in 0.1s
2019-04-22 07:21:46 (214 KB/s) - ‘master.zip’ saved [23059]
# unzip master.zip
:
creating: personium-ex-httpclient-master/src/test/java/io/personium/engine/extension/
creating: personium-ex-httpclient-master/src/test/java/io/personium/engine/extension/httpclient/
inflating: personium-ex-httpclient-master/src/test/java/io/personium/engine/extension/httpclient/Ext_HttpClientTest.java
# cd personium-ex-httpclient-master/
# mvn clean package -DskipTests
:
[INFO] Replacing /personium/personium-ex-xxxxx/personium-ex-httpclient-master/target/personium-ex-httpclient.jar with /personium/personium-ex-xxxxx/personium-ex-httpclient-master/target/personium-ex-httpclient-1.1.3-shaded.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 15.193 s
[INFO] Finished at: 2019-04-22T07:23:00Z
[INFO] ------------------------------------------------------------------------
# ln -s /personium/personium-ex-xxxxx/personium-ex-httpclient-master/target/personium-ex-httpclient.jar /personium/personium-engine/extensions
# ls -l /personium/personium-engine/extensions | grep ^l
lrwxrwxrwx. 1 root root 95 Apr 22 07:23 personium-ex-httpclient.jar -> /personium/personium-ex-xxxxx/personium-ex-httpclient-master/target/personium-ex-httpclient.jar
# mv ../master.zip ../personium-ex-httpclient.zip
```
personium-ex-mailsender
```
# cd /personium/personium-ex-xxxxx
# wget https://github.com/personium/personium-ex-mailsender/archive/master.zip
--2019-04-22 07:24:02-- https://github.com/personium/personium-ex-mailsender/archive/master.zip
Resolving github.com (github.com)... 192.30.255.112, 192.30.255.113
Connecting to github.com (github.com)|192.30.255.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/personium/personium-ex-mailsender/zip/master [following]
--2019-04-22 07:24:02-- https://codeload.github.com/personium/personium-ex-mailsender/zip/master
Resolving codeload.github.com (codeload.github.com)... 192.30.255.121, 192.30.255.120
Connecting to codeload.github.com (codeload.github.com)|192.30.255.121|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: ‘master.zip’
[ <=> ] 23,715 --.-K/s in 0.1s
2019-04-22 07:24:03 (192 KB/s) - ‘master.zip’ saved [23715]
# unzip master.zip
:
creating: personium-ex-mailsender-master/src/test/java/io/personium/engine/
creating: personium-ex-mailsender-master/src/test/java/io/personium/engine/extension/
creating: personium-ex-mailsender-master/src/test/java/io/personium/engine/extension/mailsender/
inflating: personium-ex-mailsender-master/src/test/java/io/personium/engine/extension/mailsender/Ext_MailSenderTest.java
# cd personium-ex-mailsender-master/
# mvn clean package -DskipTests
:
[INFO] Replacing /personium/personium-ex-xxxxx/personium-ex-mailsender-master/target/personium-ex-mailsender.jar with /personium/personium-ex-xxxxx/personium-ex-mailsender-master/target/personium-ex-mailsender-1.5.2-shaded.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 5.657 s
[INFO] Finished at: 2019-04-22T07:25:02Z
[INFO] ------------------------------------------------------------------------
# ln -s /personium/personium-ex-xxxxx/personium-ex-mailsender-master/target/personium-ex-mailsender.jar /personium/personium-engine/extensions
# ls -l /personium/personium-engine/extensions | grep ^l
lrwxrwxrwx. 1 root root 95 Apr 22 07:23 personium-ex-httpclient.jar -> /personium/personium-ex-xxxxx/personium-ex-httpclient-master/target/personium-ex-httpclient.jar
lrwxrwxrwx. 1 root root 95 Apr 22 07:25 personium-ex-mailsender.jar -> /personium/personium-ex-xxxxx/personium-ex-mailsender-master/target/personium-ex-mailsender.jar
# mv ../master.zip ../personium-ex-mailsender.zip
```
personium-ex-slack-messenger
```
# cd /personium/personium-ex-xxxxx
# wget https://github.com/personium/personium-ex-slack-messenger/archive/master.zip
--2019-04-22 07:26:04-- https://github.com/personium/personium-ex-slack-messenger/archive/master.zip
Resolving github.com (github.com)... 192.30.255.113, 192.30.255.112
Connecting to github.com (github.com)|192.30.255.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/personium/personium-ex-slack-messenger/zip/master [following]
--2019-04-22 07:26:05-- https://codeload.github.com/personium/personium-ex-slack-messenger/zip/master
Resolving codeload.github.com (codeload.github.com)... 192.30.255.120, 192.30.255.121
Connecting to codeload.github.com (codeload.github.com)|192.30.255.120|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: ‘master.zip’
[ <=> ] 18,144 --.-K/s in 0.1s
2019-04-22 07:26:05 (166 KB/s) - ‘master.zip’ saved [18144]
# unzip master.zip
:
creating: personium-ex-slack-messenger-master/src/test/java/io/personium/engine/
creating: personium-ex-slack-messenger-master/src/test/java/io/personium/engine/extension/
creating: personium-ex-slack-messenger-master/src/test/java/io/personium/engine/extension/slack/
inflating: personium-ex-slack-messenger-master/src/test/java/io/personium/engine/extension/slack/Ext_SlackTest.java
# cd personium-ex-slack-messenger-master/
# mvn clean package -DskipTests
:
[INFO] Replacing /personium/personium-ex-xxxxx/personium-ex-slack-messenger-master/target/personium-ex-slack.jar with /personium/personium-ex-xxxxx/personium-ex-slack-messenger-master/target/personium-ex-slack-1.0.1-shaded.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 25.024 s
[INFO] Finished at: 2019-04-22T07:27:27Z
[INFO] ------------------------------------------------------------------------
# ln -s /personium/personium-ex-xxxxx/personium-ex-slack-messenger-master/target/personium-ex-slack.jar /personium/personium-engine/extensions
# ls -l /personium/personium-engine/extensions | grep ^l
lrwxrwxrwx. 1 root root 95 Apr 22 07:23 personium-ex-httpclient.jar -> /personium/personium-ex-xxxxx/personium-ex-httpclient-master/target/personium-ex-httpclient.jar
lrwxrwxrwx. 1 root root 95 Apr 22 07:25 personium-ex-mailsender.jar -> /personium/personium-ex-xxxxx/personium-ex-mailsender-master/target/personium-ex-mailsender.jar
lrwxrwxrwx. 1 root root 95 Apr 22 07:27 personium-ex-slack.jar -> /personium/personium-ex-xxxxx/personium-ex-slack-messenger-master/target/personium-ex-slack.jar
# mv ../master.zip ../personium-ex-slack-messenger.zip
```
personium-ex-ew-services
```
# cd /personium/personium-ex-xxxxx
# wget https://github.com/personium/personium-ex-ew-services/archive/master.zip
--2019-04-22 07:28:26-- https://github.com/personium/personium-ex-ew-services/archive/master.zip
Resolving github.com (github.com)... 192.30.255.113, 192.30.255.112
Connecting to github.com (github.com)|192.30.255.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/personium/personium-ex-ew-services/zip/master [following]
--2019-04-22 07:28:26-- https://codeload.github.com/personium/personium-ex-ew-services/zip/master
Resolving codeload.github.com (codeload.github.com)... 192.30.255.120, 192.30.255.121
Connecting to codeload.github.com (codeload.github.com)|192.30.255.120|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: ‘master.zip’
[ <=> ] 14,024 --.-K/s in 0.1s
2019-04-22 07:28:27 (132 KB/s) - ‘master.zip’ saved [14024]
# unzip master.zip
:
creating: personium-ex-ew-services-master/src/main/java/io/personium/engine/
creating: personium-ex-ew-services-master/src/main/java/io/personium/engine/extension/
creating: personium-ex-ew-services-master/src/main/java/io/personium/engine/extension/ews/
inflating: personium-ex-ew-services-master/src/main/java/io/personium/engine/extension/ews/Ext_Ews.java
# cd personium-ex-ew-services-master/
# mvn clean package -DskipTests
:
[INFO] Replacing /personium/personium-ex-xxxxx/personium-ex-ew-services-master/target/personium-ex-ew-services.jar with /personium/personium-ex-xxxxx/personium-ex-ew-services-master/target/personium-ex-ew-services-1.0.1-shaded.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 10.999 s
[INFO] Finished at: 2019-04-22T07:29:25Z
[INFO] ------------------------------------------------------------------------
# ln -s /personium/personium-ex-xxxxx/personium-ex-ew-services-master/target/personium-ex-ew-services.jar /personium/personium-engine/extensions
# ls -l /personium/personium-engine/extensions | grep ^l
lrwxrwxrwx. 1 root root 97 Apr 22 07:29 personium-ex-ew-services.jar -> /personium/personium-ex-xxxxx/personium-ex-ew-services-master/target/personium-ex-ew-services.jar
lrwxrwxrwx. 1 root root 95 Apr 22 07:23 personium-ex-httpclient.jar -> /personium/personium-ex-xxxxx/personium-ex-httpclient-master/target/personium-ex-httpclient.jar
lrwxrwxrwx. 1 root root 95 Apr 22 07:25 personium-ex-mailsender.jar -> /personium/personium-ex-xxxxx/personium-ex-mailsender-master/target/personium-ex-mailsender.jar
lrwxrwxrwx. 1 root root 95 Apr 22 07:27 personium-ex-slack.jar -> /personium/personium-ex-xxxxx/personium-ex-slack-messenger-master/target/personium-ex-slack.jar
# mv ../master.zip ../personium-ex-ew-services.zip
```
Restarting Tomcat
```
# systemctl restart tomcat
```
Well... that's done.
This should be fine now!
Let's actually access https://unitadmin.takky.work/ and check
This time it is accessible properly.
### 10. Accessing the unit with the Unit Manager
Obtaining the "unit admin password"
```
$ sudo grep unitadmin /root/ansible/unitadmin_account
unitadmin_password=******************
```
Accessing the Unit Manager
URL: https://app-uc-unit-manager.demo.personium.io/__/html/login.html
So... with great anticipation, Sign In!
Whoa!! Done.
### Finally
All told, this took me about two days...
Without knowing the work at the level of detail in this entry, "what to do, how, and what to check...", it really does take this long!
And this time there was also the freshly released wildcard type of Let's Encrypt certificate, which took a while to get the hang of...
I do not yet understand the automatic renewal procedure, but I will have to try it within three months...
Still, with things organized to this degree, barring silly mistakes the build can be done in about three hours, and even if you do slip up you can tell how far things are correct, so there is no need to flail around trying things at random or to google documentation endlessly.
When building Personium, I would be glad if you found your way to this entry and used it as a reference.
From here there is more to check, such as API access on the new version... but I will stop here for now and look into it when I have time.
#### Menu
- 10 <Understanding cells and boxes>
- 11 <Trying out the home app>
- 12 <The Unit Manager is pretty handy>
- 13 <What on earth is a template app>
- 14 <My own application>