{"id":1923,"date":"2025-11-16T17:20:12","date_gmt":"2025-11-16T14:20:12","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/acme-challenge-turleri-derinlemesine-http%e2%80%9101-dns%e2%80%9101-ve-tls%e2%80%91alpn%e2%80%9101-ne-zaman-hangisi\/"},"modified":"2025-11-16T17:20:12","modified_gmt":"2025-11-16T14:20:12","slug":"acme-challenge-turleri-derinlemesine-http%e2%80%9101-dns%e2%80%9101-ve-tls%e2%80%91alpn%e2%80%9101-ne-zaman-hangisi","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/acme-challenge-turleri-derinlemesine-http%e2%80%9101-dns%e2%80%9101-ve-tls%e2%80%91alpn%e2%80%9101-ne-zaman-hangisi\/","title":{"rendered":"ACME Challenge Types in Depth: HTTP-01, DNS-01 and TLS-ALPN-01, Which One When?"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#Bugun_yine_ACME_yuzunden_bir_kahve_daha_ictim_Giris\"><span class=\"toc_number toc_depth_1\">1<\/span> Another coffee on account of ACME today: Introduction<\/a><\/li><li><a href=\"#ACMEyi_mutfaga_davet_edelim_Mantik_nasil_calisiyor\"><span class=\"toc_number toc_depth_1\">2<\/span> Inviting ACME into the kitchen: How does the logic work?<\/a><\/li><li><a href=\"#HTTP01_Trafigin_en_kisa_yolu\"><span class=\"toc_number toc_depth_1\">3<\/span> HTTP-01: The shortest path for traffic<\/a><ul><li><a href=\"#Nedir_nasil_gorunur\"><span class=\"toc_number toc_depth_2\">3.1<\/span> What is it, what does it look like?<\/a><\/li><li><a href=\"#Ne_zaman_mantikli\"><span class=\"toc_number toc_depth_2\">3.2<\/span> When does it make sense?<\/a><\/li><li><a href=\"#Catlaklar_ve_puf_noktalari\"><span class=\"toc_number toc_depth_2\">3.3<\/span> Cracks and fine points<\/a><\/li><\/ul><\/li><li><a href=\"#DNS01_Alan_adinin_kalbinden_dogrulama\"><span class=\"toc_number toc_depth_1\">4<\/span> DNS-01: Validation from the heart of the domain<\/a><ul><li><a href=\"#Nedir_nasil_gorunur-2\"><span class=\"toc_number toc_depth_2\">4.1<\/span> What is it, what does it look like?<\/a><\/li><li><a href=\"#Ne_zaman_mantikli-2\"><span class=\"toc_number toc_depth_2\">4.2<\/span> When does it make sense?<\/a><\/li><li><a href=\"#Catlaklar_ve_puf_noktalari-2\"><span class=\"toc_number toc_depth_2\">4.3<\/span> Cracks and fine points<\/a><\/li><\/ul><\/li><li><a href=\"#TLSALPN01_Sadece_443te_sessiz_bir_tokalasma\"><span class=\"toc_number toc_depth_1\">5<\/span> TLS-ALPN-01: A quiet handshake, only on 443<\/a><ul><li><a href=\"#Nedir_nasil_gorunur-3\"><span class=\"toc_number toc_depth_2\">5.1<\/span> What is it, what does it look like?<\/a><\/li><li><a href=\"#Ne_zaman_mantikli-3\"><span class=\"toc_number toc_depth_2\">5.2<\/span> When does it make sense?<\/a><\/li><li><a href=\"#Catlaklar_ve_puf_noktalari-3\"><span class=\"toc_number toc_depth_2\">5.3<\/span> Cracks and fine points<\/a><\/li><\/ul><\/li><li><a href=\"#Hangi_durumda_hangisi_Gercek_senaryolarla_dusunelim\"><span class=\"toc_number toc_depth_1\">6<\/span> Which one in which situation? Let's think through real scenarios<\/a><ul><li><a href=\"#Kucuk_bir_WordPress_sitesi_paylasimli_hosting_sifir_ugras\"><span class=\"toc_number toc_depth_2\">6.1<\/span> A small WordPress site, shared hosting, zero hassle<\/a><\/li><li><a href=\"#CDN_arkasinda_bir_kurumsal_site_firewall_katmani_kalin\"><span class=\"toc_number toc_depth_2\">6.2<\/span> A corporate site behind a CDN, thick firewall layer<\/a><\/li><li><a href=\"#Wildcard_istiyorum_alt_alanlarimi_tek_catidan_yurutmek\"><span class=\"toc_number toc_depth_2\">6.3<\/span> I want a wildcard, running my subdomains under one roof<\/a><\/li><li><a href=\"#Port_80_kapali_sadece_443_uzerinden_yasam\"><span class=\"toc_number toc_depth_2\">6.4<\/span> Port 80 closed, life only over 443<\/a><\/li><li><a href=\"#Kubernetes_coklu_servis_bir_suru_giris_noktasi\"><span class=\"toc_number toc_depth_2\">6.5<\/span> Kubernetes, many services, lots of entry points<\/a><\/li><\/ul><\/li><li><a href=\"#Otomasyon_hatalar_ve_kucuk_kurtarici_numaralar\"><span class=\"toc_number toc_depth_1\">7<\/span> Automation, errors and small rescue tricks<\/a><ul><li><a href=\"#ACME_istemcisi_secimi_ve_gunluk_hayatta_rahatlik\"><span class=\"toc_number toc_depth_2\">7.1<\/span> Choosing an ACME client and everyday comfort<\/a><\/li><li><a href=\"#DNS_otomasyonu_kurarken_guvenligin_ritmi\"><span class=\"toc_number toc_depth_2\">7.2<\/span> The rhythm of security when setting up DNS automation<\/a><\/li><li><a href=\"#HTTP01de_well-known_yolunu_gozden_kacirmamak\"><span class=\"toc_number toc_depth_2\">7.3<\/span> Not losing sight of the .well-known path in HTTP-01<\/a><\/li><li><a href=\"#TLSALPN01de_SNI_ve_gecici_sertifika_trafigi\"><span class=\"toc_number toc_depth_2\">7.4<\/span> SNI and temporary certificate traffic in TLS-ALPN-01<\/a><\/li><li><a href=\"#Oran_limitleri_kucuk_molalar_ve_alternatif_plan\"><span class=\"toc_number toc_depth_2\">7.5<\/span> Rate limits, short breaks and a plan B<\/a><\/li><\/ul><\/li><li><a href=\"#Kapanis_Dogru_anahtar_yan_cebinde\"><span class=\"toc_number toc_depth_1\">8<\/span> Closing: The right key in your side pocket<\/a><\/li><\/ul><\/div>\n<h2 id=\"section-1\"><span id=\"Bugun_yine_ACME_yuzunden_bir_kahve_daha_ictim_Giris\">Another coffee on account of ACME today: Introduction<\/span><\/h2>\n<p>Has it ever happened to you? You sit down to do a simple SSL renewal and end up staring at the browser's spinning wheel with a steaming coffee in hand? That is exactly what I went through today. On an old project the certificate automation had got stuck and fell over with a thud in the small hours; I only noticed when I got to the office in the morning. \"There must be a way to do this, and a smooth one,\" I thought. Then I decided this story needs telling, because a lot of people trip over the same knot.<\/p>\n<p>The magic of ACME is this: you prove that you really control the domain name, and in return you get a certificate. But there are three different ways to give that proof. Sometimes through the front door (HTTP-01), sometimes from the key cabinet (DNS-01), and sometimes with nothing but a special handshake (TLS-ALPN-01). Each route has its own mood and its own practice. In the rest of the post I will treat the three methods as three little stories. Questions like \"I host WordPress on a shared server, which one is the least hassle?\" or \"I need a wildcard and I use a CDN, how does that work?\" get answers with examples from my own experience. At the end we will tie it all together with \"which one in which situation?\" using real scenarios.<\/p>\n<h2 id=\"section-2\"><span id=\"ACMEyi_mutfaga_davet_edelim_Mantik_nasil_calisiyor\">Inviting ACME into the kitchen: How does the logic work?<\/span><\/h2>\n<p>Step back and look at the whole picture and the logic is very simple: the certificate authority asks \"Is this domain name really yours?\" and accepts the answer over three different channels. The first says \"show me a specific file on your web server\"; that is HTTP-01. The second says \"publish a specific text in DNS\"; that is DNS-01. The third says \"let's shake hands in a specific way on port 443\"; that is TLS-ALPN-01. In all three cases the CA hands your client a random token, and the proof is built from that token plus a fingerprint of your ACME account key (the key authorization); only the channel through which the CA reads that proof differs, which is why the same client can switch between them.<\/p>\n<p>If you want to dig deeper into this flow, <a href=\"https:\/\/letsencrypt.org\/docs\/challenge-types\/\" rel=\"nofollow noopener\" target=\"_blank\">Let's Encrypt's explanation of the challenge types<\/a> is quite clear. For those curious about the foundations, <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc8555\" rel=\"nofollow noopener\" target=\"_blank\">the official ACME standard (RFC 8555)<\/a> describes the entire process. But let's focus on the practical side of the kitchen here. 
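To make the three channels concrete, here is an added example (not code from the original post, and not the code of any ACME client) that derives all three challenge responses from one key authorization the way RFC 8555 section 8 and RFC 8737 define them. The account key and token are constructed sample values, not a real account; only the Python standard library is used.

```python
# Added example (not from the original post): how the three ACME challenge
# responses are all derived from one key authorization (RFC 8555 section 8,
# RFC 8737). SAMPLE_JWK and SAMPLE_TOKEN are constructed values, not a real
# ACME account; a real client uses its own account key and the CA's token.
import base64
import hashlib
import json

# Constructed sample: a P-256 public key in JWK form and a challenge token.
# x and y are placeholders, not a real point on the curve.
SAMPLE_JWK = {'kty': 'EC', 'crv': 'P-256',
              'x': 'SAMPLE-X-NOT-A-REAL-COORDINATE',
              'y': 'SAMPLE-Y-NOT-A-REAL-COORDINATE'}
SAMPLE_TOKEN = 'SAMPLE-TOKEN-aBcD1234'

# RFC 7638: only these public members go into the thumbprint.
REQUIRED_JWK_MEMBERS = {'EC': ('crv', 'kty', 'x', 'y'), 'RSA': ('e', 'kty', 'n')}


def b64url(data: bytes) -> str:
    # ACME and JOSE use base64url without '=' padding (RFC 8555 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('ascii')


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required members only, names in lexicographic
    # order, no whitespace. Extra members ('alg', 'use') and the dict order of
    # the input must not change the result.
    members = {name: jwk[name] for name in REQUIRED_JWK_MEMBERS[jwk['kty']]}
    canonical = json.dumps(members, sort_keys=True, separators=(',', ':'))
    return b64url(hashlib.sha256(canonical.encode('utf-8')).digest())


def key_authorization(token: str, jwk: dict) -> str:
    # RFC 8555 section 8.1: <token>.<thumbprint>. It proves the responder
    # holds the account key that the CA issued the token to.
    return token + '.' + jwk_thumbprint(jwk)


def _reject_wildcard(domain: str, challenge: str) -> None:
    # Only DNS-01 may validate a wildcard identifier.
    if domain.startswith('*.'):
        raise ValueError(challenge + ' cannot validate a wildcard name: ' + domain)


def http01_response(domain: str, token: str, jwk: dict) -> dict:
    # RFC 8555 section 8.3: the CA fetches this URL over plain HTTP on port 80
    # (following redirects) and expects the key authorization as the body.
    _reject_wildcard(domain, 'http-01')
    return {'url': 'http://' + domain + '/.well-known/acme-challenge/' + token,
            'body': key_authorization(token, jwk)}


def dns01_response(domain: str, token: str, jwk: dict) -> dict:
    # RFC 8555 section 8.4: TXT record at _acme-challenge.<domain> holding
    # base64url(SHA-256(key authorization)). For *.example.com the wildcard
    # label is dropped, so the record lives at _acme-challenge.example.com.
    base = domain[2:] if domain.startswith('*.') else domain
    digest = hashlib.sha256(key_authorization(token, jwk).encode('ascii')).digest()
    return {'name': '_acme-challenge.' + base, 'type': 'TXT', 'value': b64url(digest)}


def tls_alpn01_response(domain: str, token: str, jwk: dict) -> dict:
    # RFC 8737: the CA connects to port 443 with SNI=<domain> and the ALPN
    # protocol 'acme-tls/1'. The server must answer with a self-signed
    # certificate whose only SAN is <domain> and which carries a critical
    # id-pe-acmeIdentifier extension (OID 1.3.6.1.5.5.7.1.31) whose value is
    # SHA-256(key authorization), DER-encoded as an OCTET STRING.
    _reject_wildcard(domain, 'tls-alpn-01')
    digest = hashlib.sha256(key_authorization(token, jwk).encode('ascii')).digest()
    extension_der = bytes([0x04, 0x20]) + digest  # OCTET STRING, length 32, hash
    return {'sni': domain, 'alpn': 'acme-tls/1', 'san': domain,
            'extension_oid': '1.3.6.1.5.5.7.1.31', 'extension_critical': True,
            'extension_der': extension_der}


if __name__ == '__main__':
    for fn in (http01_response, dns01_response, tls_alpn01_response):
        print(fn.__name__, fn('example.com', SAMPLE_TOKEN, SAMPLE_JWK))
```

Two things worth noticing in the code: the DNS-01 value and the TLS-ALPN-01 extension carry the same SHA-256 digest, only encoded differently, and the wildcard check is not a style choice but the protocol rule that makes DNS-01 the only route to a wildcard certificate.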
Because at the end of the day the question is \"which key gets the job done today?\". In my experience, when you pick the right route the automation flows like butter; pick the wrong one and the little traps line up.<\/p>\n<h2 id=\"section-3\"><span id=\"HTTP01_Trafigin_en_kisa_yolu\">HTTP-01: The shortest path for traffic<\/span><\/h2>\n<h3><span id=\"Nedir_nasil_gorunur\">What is it, what does it look like?<\/span><\/h3>\n<p>HTTP-01 is like a small proof file placed on the web server. The certificate authority says, \"when I look at www.orneksite.com\/.well-known\/acme-challenge\/&#8230; I should see this content.\" The content it expects is the key authorization (the token plus a fingerprint of your account key), and it fetches it over plain HTTP on port 80, following redirects, so a redirect to HTTPS does not break it. If the content matches, it believes you control the domain. Simple. The nice side of this simplicity is that shared or managed hosting environments usually support it out of the box; many panels handle the process end to end with a single click.<\/p>\n<h3><span id=\"Ne_zaman_mantikli\">When does it make sense?<\/span><\/h3>\n<p>Single domain names, small projects, classic WordPress or single-application sites... If your traffic goes directly to your server and you can use port 80, HTTP-01 usually gives the fastest result. The settings are simple and easy to explain when setting it up on customer sites. Most of the time it works at the \"set and forget\" level. One limit to know up front: HTTP-01 validates one hostname at a time and cannot issue wildcard certificates.<\/p>\n<h3><span id=\"Catlaklar_ve_puf_noktalari\">Cracks and fine points<\/span><\/h3>\n<p>Things get messy once a CDN or reverse proxy enters the picture. When traffic passes through a content delivery network, you have to guarantee that the CA actually sees that little proof file, which means the CDN must forward the request to your origin rather than answer it from cache or rewrite it. Some CDNs route this automatically, others want a dedicated rule. And if port 80 is closed, or tucked away behind a firewall, HTTP-01 hits the wall. It is not enough for the port to be open to you: it has to be reachable from the CA's validation servers, which come from several vantage points, so IP allow-lists and geo-blocking break it too. At that point the remedy is either to open the port or to switch to a different challenge. My experience is that it runs easily on small projects, but the chance of surprises on complex infrastructures is high. Take precautions and it's a treat.<\/p>\n<h2 id=\"section-4\"><span id=\"DNS01_Alan_adinin_kalbinden_dogrulama\">DNS-01: Validation from the heart of the domain<\/span><\/h2>\n<h3><span id=\"Nedir_nasil_gorunur-2\">What is it, what does it look like?<\/span><\/h3>\n<p>DNS-01 proves control through the domain's <strong>DNS records<\/strong>. It says, \"publish this text record (TXT) under this name and I'll check it over DNS.\" Concretely, the name is <strong>_acme-challenge.<\/strong> followed by your domain, and the value is a hash of the key authorization. The result is that instead of placing a file on the server, you leave a mark at the heart of the domain name. This approach shines in two places in particular: wildcard certificates and closed doors.<\/p>\n<h3><span id=\"Ne_zaman_mantikli-2\">When does it make sense?<\/span><\/h3>\n<p>If you need a wildcard, DNS-01 is the only option: Let's Encrypt issues wildcard certificates through DNS-01 alone. When you say \"let me solve it for all my subdomains in one go\", this method works like a golden key. Secondly, the cases where you don't want to deal with port 80 in your infrastructure, or you keep traffic entirely behind a CDN. If you want to validate without any outside file access to your servers, there is no cleaner route than DNS-01. In multi-tenant setups, when customers connect their own domain names and want automatic certificates, DNS-01 is a real lifesaver; the usual trick is a CNAME from the customer's _acme-challenge name to a zone you control, so you never need their DNS credentials. You may want to take a look at my post on <a href=\"https:\/\/www.dchost.com\/blog\/saaste-ozel-alan-adlari-ve-otomatik-ssl-dns%e2%80%9101-ile-cok-kiracili-mimarini-nasil-tatli-tatli-olceklersin\/\">custom domains in SaaS and automatic SSL with DNS-01<\/a>, where I cover this in detail.<\/p>\n<h3><span id=\"Catlaklar_ve_puf_noktalari-2\">Cracks and fine points<\/span><\/h3>\n<p>You have to open DNS management to automation. That is, you let your ACME client create temporary TXT records at your DNS provider. API keys, permissions, sometimes two-factor... Keeping this tidy and secure matters, because a credential that can write to your zone is, in effect, a credential to obtain certificates for the whole zone. Then there is propagation delay. Some DNS providers announce records to the whole world instantly, others are coy. The CA resolves the record from its own vantage point against your authoritative name servers, so what counts is that every authoritative server is already serving the new record, not that it shows up in your local resolver. Planning small delays into the automation steps saves the day. 
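The propagation check described above, as an added example (not code from the original post or from any ACME client): poll every authoritative name server for the _acme-challenge TXT record and only report success when all of them serve it. The dig_txt helper shells out to dig from the BIND tools; the polling logic takes a resolver callable so it can also be run offline with the constructed fake resolver at the bottom, which is what the demo does. The host names and TXT value are constructed sample data.

```python
# Added example (not from the original post): wait until every authoritative
# name server of the zone serves the _acme-challenge TXT record before asking
# the CA to validate a DNS-01 challenge. The CA resolves from its own vantage
# point, so a record that is visible in your local cache, or on only one of
# several authoritative servers, is not enough. Names and values used in the
# demo are constructed, not real infrastructure.
import subprocess
import time
from typing import Callable, Iterable, List

Resolver = Callable[[str, str], List[str]]


def parse_dig_short_txt(output: str) -> List[str]:
    # dig +short prints each TXT record as quoted chunks on one line, e.g.
    # "abc" "def" for a record longer than 255 bytes; join the chunks back.
    quote = chr(34)
    values = []
    for line in output.splitlines():
        chunks = [part for part in line.split(quote) if part.strip()]
        if chunks:
            values.append(''.join(chunks))
    return values


def dig_txt(name: str, nameserver: str) -> List[str]:
    # Ask one authoritative server directly, bypassing the local resolver.
    proc = subprocess.run(['dig', '+short', '+tries=1', '+time=3', 'TXT', name, '@' + nameserver],
                          capture_output=True, text=True, check=False)
    return parse_dig_short_txt(proc.stdout)


def missing_on(nameservers: Iterable[str], name: str, expected: str,
               resolve: Resolver = dig_txt) -> List[str]:
    # Membership, not equality: several TXT values may coexist at the same
    # name (a parallel order for the wildcard, or a stale record from an
    # earlier run), and the CA accepts the name as long as one of them matches.
    return [ns for ns in nameservers if expected not in resolve(name, ns)]


def wait_for_propagation(nameservers: List[str], name: str, expected: str,
                         resolve: Resolver = dig_txt, attempts: int = 12,
                         delay: float = 5.0,
                         sleep: Callable[[float], None] = time.sleep) -> bool:
    # Poll until no authoritative server is missing the record, or give up.
    # Only then should the client tell the CA to validate: a premature
    # validation failure counts against the CA's failed-validation limit.
    for attempt in range(1, attempts + 1):
        if not missing_on(nameservers, name, expected, resolve):
            return True
        if attempt < attempts:
            sleep(delay)
    return False


def make_lagging_resolver(name: str, value: str, lag: dict) -> Resolver:
    # Constructed fake for offline use: server ns returns the record only
    # after it has been queried more than lag[ns] times (default 0), which
    # imitates a secondary that picks up the zone update late.
    calls = {}

    def resolve(qname: str, ns: str) -> List[str]:
        calls[ns] = calls.get(ns, 0) + 1
        if qname == name and calls[ns] > lag.get(ns, 0):
            return [value]
        return []
    return resolve


if __name__ == '__main__':
    name = '_acme-challenge.example.com'
    servers = ['ns1.example.net', 'ns2.example.net']
    fake = make_lagging_resolver(name, 'constructed-txt-value', {'ns2.example.net': 2})
    print(wait_for_propagation(servers, name, 'constructed-txt-value', fake, sleep=lambda s: None))
```

In practice you get the server list from the zone's NS records (dig +short NS example.com) and run the check between the step that creates the TXT record and the step that notifies the CA; certbot's DNS plugins expose this pause as a propagation-seconds option and acme.sh as --dnssleep, but a fixed sleep is a guess, while querying the authoritative servers is a measurement.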
One more note: if you change DNS providers, don't forget to update the automation's credentials and to revoke the key at the old provider rather than leaving it lying around; this is the corner that gets missed most often.<\/p>\n<h2 id=\"section-5\"><span id=\"TLSALPN01_Sadece_443te_sessiz_bir_tokalasma\">TLS-ALPN-01: A quiet handshake, only on 443<\/span><\/h2>\n<h3><span id=\"Nedir_nasil_gorunur-3\">What is it, what does it look like?<\/span><\/h3>\n<p>TLS-ALPN-01 is a handshake ritual that happens on port 443, the busiest door of web traffic. In short, the certificate authority opens a TLS connection to your server with the SNI set to the domain being validated and the ALPN protocol \"acme-tls\/1\", and expects a temporary, single-purpose certificate in return: a self-signed certificate for exactly that name, carrying a special extension (acmeIdentifier) that holds a hash of the key authorization. If that temporary certificate is right, it says \"done\"; nothing is exchanged after the handshake, the handshake itself is the proof. The beauty of this method is that it never touches port 80. So in an environment with closed doors it finishes the job by talking only over 443.<\/p>\n<h3><span id=\"Ne_zaman_mantikli-3\">When does it make sense?<\/span><\/h3>\n<p>If you cannot open port 80, your security policies are strict, or you simply want to manage everything over 443, TLS-ALPN-01 is a nice option. Some modern reverse proxies and service meshes support it well; Caddy and Traefik do, as do the acme.sh and lego clients. Especially in container-based architectures, the idea of handling validation purely at the TLS layer, without opening a separate \"challenge endpoint\", is soothing.<\/p>\n<h3><span id=\"Catlaklar_ve_puf_noktalari-3\">Cracks and fine points<\/span><\/h3>\n<p>This method looks the cleanest on the list, but it needs proper orchestration behind it. The reason is that you have to generate a temporary certificate and serve it instantly for the right SNI, and only to connections that negotiate acme-tls\/1; ordinary visitors must keep getting the real certificate. Because some CDN or proxy layers terminate traffic without ever seeing this special handshake, the validation can be \"swallowed\" at the outer layer: whatever terminates TLS for the CA is what has to present the challenge certificate. So you may need to deliver the traffic directly to your application's TLS terminator at validation time. Like HTTP-01, it cannot produce wildcard certificates. If you're curious about the technical details, <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc8737\" rel=\"nofollow noopener\" target=\"_blank\">the TLS-ALPN-01 extension's specification (RFC 8737)<\/a> is quite explanatory.<\/p>\n<h2 id=\"section-6\"><span id=\"Hangi_durumda_hangisi_Gercek_senaryolarla_dusunelim\">Which one in which situation? Let's think through real scenarios<\/span><\/h2>\n<h3><span id=\"Kucuk_bir_WordPress_sitesi_paylasimli_hosting_sifir_ugras\">A small WordPress site, <a href=\"https:\/\/www.dchost.com\/tr\/web-hosting\">shared hosting<\/a>, zero hassle<\/span><\/h3>\n<p>A customer of mine once said, \"Don't make me work for it, just make my site show the green lock.\" I opened the panel, validated via HTTP-01 with one click and we were through. Because traffic went straight to the server, there was no extra layer, and port 80 was open. If the alarm is not going to go off in the middle of the night, this is the sweetest option for that scenario. Once automatic renewal is also set up by the panel, life is good.<\/p>\n<h3><span id=\"CDN_arkasinda_bir_kurumsal_site_firewall_katmani_kalin\">A corporate site behind a CDN, thick firewall layer<\/span><\/h3>\n<p>On another project, all traffic flowed through a firewall and a CDN. Serving a file ran into various rules; even opening an exception for the <strong>.well-known<\/strong> path was left to the approval of crowded teams. In a picture like that HTTP-01 creates needless friction. DNS-01 turned out to be a real lifesaver. We gave the client a small API key for the DNS provider and said \"go on, add the TXT record.\" It validated quietly.<\/p>\n<h3><span id=\"Wildcard_istiyorum_alt_alanlarimi_tek_catidan_yurutmek\">I want a wildcard, running my subdomains under one roof<\/span><\/h3>\n<p>The clearest question in the story: if you want a wildcard, you go to DNS-01, because the other methods do not support wildcards at all. The ending is easy too: once you have set up the automation, you handle new subdomains at the application layer as they are added and don't go through any extra effort on the certificate side. One caveat: *.example.com covers exactly one label, so a.b.example.com needs its own name on the certificate, and the bare example.com has to be listed separately as well.<\/p>\n<h3><span id=\"Port_80_kapali_sadece_443_uzerinden_yasam\">Port 80 closed, life only over 443<\/span><\/h3>\n<p>A security policy had the rule \"port 80 is forbidden, all traffic over 443\". What did we do? We enabled TLS-ALPN-01. We wrote a small orchestration module and prepared a setup that serves the temporary certificate instantly. On the first try the proxy layer swallowed the handshake, but adding a rule that routed traffic directly to the application during validation smoothed it out. This example shows both the strength and the limits of the method nicely.<\/p>\n<h3><span id=\"Kubernetes_coklu_servis_bir_suru_giris_noktasi\">Kubernetes, many services, lots of entry points<\/span><\/h3>\n<p>On the Kubernetes side: ingress controller, route rules, separate services... In such an equation the most important thing is that the ACME client can get the validation traffic to the right pod. While dealing with HTTP-01 you can end up keeping the route rule in the wrong place. DNS-01 is a plain option here too: it gets the job done over DNS without bringing validation traffic into the cluster at all. TLS-ALPN-01 is distinguished as well, but then you have to be sure you have carried the handshake to the right entry point; note that cert-manager, the usual client in a cluster, implements only HTTP-01 and DNS-01 solvers, so TLS-ALPN-01 there means an ingress proxy that does ACME itself, such as Traefik. Which one? Decide by who manages the cluster and who can open and close what. Most of the time I have found peace with DNS-01 in multi-tenant or multi-entry setups.<\/p>\n<h2 id=\"section-7\"><span id=\"Otomasyon_hatalar_ve_kucuk_kurtarici_numaralar\">Automation, errors and small rescue tricks<\/span><\/h2>\n<h3><span id=\"ACME_istemcisi_secimi_ve_gunluk_hayatta_rahatlik\">Choosing an ACME client and everyday comfort<\/span><\/h3>\n<p>Certbot, acme.sh, lego, cert-manager... Different names, same shape of wheel. In my workflow, setting up single-server jobs with acme.sh and the Kubernetes side with cert-manager has mostly been the most comfortable. What matters is that the client can pick the challenge type flexibly and writes understandable error messages. If the errors are understandable, the fix comes quickly.<\/p>\n<h3><span id=\"DNS_otomasyonu_kurarken_guvenligin_ritmi\">The rhythm of security when setting up DNS automation<\/span><\/h3>\n<p>For DNS-01 you hand your provider's API keys to an application. Creating these keys with narrow permissions is a good habit: let it write only TXT records, only in the relevant domains, and if possible under a separate user. If your provider cannot scope a key that tightly, CNAME the _acme-challenge name to a small dedicated zone (or an acme-dns instance) where a broad key does little harm, and keep the key out of the repository, in a secret store or a root-only file. Remember that renewals land at night; don't let an unexpected firewall rule or a two-factor surprise pop up at that hour.<\/p>\n<h3><span id=\"HTTP01de_well-known_yolunu_gozden_kacirmamak\">Not losing sight of the .well-known path in HTTP-01<\/span><\/h3>\n<p>If your infrastructure has more than one reverse proxy and more than one layer, testing that the <strong>.well-known\/acme-challenge<\/strong> path really reaches the application prevents a lot of accidents. Put a simple text file there and see whether you can view it from a browser; a small check. Do it over plain http:\/\/ and from outside your own network, and look at what actually comes back: a 404, a login page or a WAF block page will all fail validation even though \"the site is up\". If you use a CDN, disabling caching for this path guarantees the right content will be seen at validation time.<\/p>\n<h3><span id=\"TLSALPN01de_SNI_ve_gecici_sertifika_trafigi\">SNI and temporary certificate traffic in TLS-ALPN-01<\/span><\/h3>\n<p>In this method you answer a request arriving with the right domain name (SNI) at handshake time with a temporary certificate produced for that moment. Sometimes a single entry point serves dozens of domain names, so accurate SNI routing is critical; and only connections that offer the acme-tls\/1 ALPN should get the challenge certificate, everything else must keep getting the production certificate. A small tip: during validation, temporarily raise the log detail and confirm the handshake really lands where you expect. While a challenge is pending, <strong>openssl s_client -connect host:443 -servername host -alpn acme-tls\/1<\/strong> run from outside shows which certificate and ALPN protocol the server actually presents.<\/p>\n<h3><span id=\"Oran_limitleri_kucuk_molalar_ve_alternatif_plan\">Rate limits, short breaks and a plan B<\/span><\/h3>\n<p>On the ACME side, too many attempts in a short time will run into rate limits. Don't panic; usually the problem comes from insisting on the wrong challenge type or from validation content stuck in a cache. Note that failed validations have their own, separate limit at Let's Encrypt, and repeated failures against the production endpoint use it up fast; iterate against the staging environment (acme-staging-v02.api.letsencrypt.org, or certbot's --dry-run) until validation passes, then switch to production. In such cases I first take a breath and simplify the logs, then move step by step. Giving it a second chance with a different challenge, if needed, usually eases the process. For those who want a source, <a href=\"https:\/\/letsencrypt.org\/docs\/challenge-types\/\" rel=\"nofollow noopener\" target=\"_blank\">Let's Encrypt's challenge types guide<\/a> is a good reference with its practical notes.<\/p>\n<h2 id=\"section-8\"><span id=\"Kapanis_Dogru_anahtar_yan_cebinde\">Closing: The right key in your side pocket<\/span><\/h2>\n<p>Let's wrap up. HTTP-01 means hanging the file on the door and saying \"look, I'm here\"; it is fast, simple and, in the right conditions, nearly effortless. DNS-01 leaves a small note at the heart of the domain name; it shines in broad-scope jobs like wildcards and behind closed doors. TLS-ALPN-01, with its special handshake on 443, offers an elegant solution in security-sensitive environments. Each has its strong moments and its \"watch out\" corners. What matters is listening to the project's rhythm and choosing the route with the least friction.<\/p>\n<p>A practical tip: on a small, flat site with port 80 open, start with HTTP-01. If there is a CDN, a wildcard or a multi-tenant setup, reach for DNS-01. If you cannot open port 80 and your proxy layout allows it, TLS-ALPN-01 is a sweet alternative. When automating, make the logs readable, note the error messages, and once it flows cleanly it runs quietly for years. Those who want more technical detail can keep <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc8555\" rel=\"nofollow noopener\" target=\"_blank\">the official text of the ACME standard<\/a> and <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc8737\" rel=\"nofollow noopener\" target=\"_blank\">the TLS-ALPN-01 description<\/a> as references. I hope this post is a small corner lamp at your next certificate renewal. If you have a question, write without hesitation; we'll have the next coffee together.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Contents1 Another coffee on account of ACME today: Introduction2 Inviting ACME into the kitchen: How does the logic work?3 HTTP-01: The shortest path for traffic3.1 What is it, what does it look like?3.2 When does it make sense?3.3 Cracks and fine points4 DNS-01: Validation from the heart of the domain4.1 What is it, what does it look like?4.2 When does it make sense?4.3 Cracks and fine points5 TLS-ALPN-01: A quiet handshake, only on 4435.1 What is it, what does it 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1924,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-1923","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1923","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=1923"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1923\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/1924"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=1923"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=1923"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=1923"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}