ocserv (OpenConnect VPN Server)
Official site: http://www.infradead.org/ocserv/index.html
OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be a secure, small, fast and configurable VPN server. It implements the OpenConnect SSL VPN protocol, and has also (currently experimental) compatibility with clients using the AnyConnect SSL VPN protocol. The OpenConnect protocol provides a dual TCP/UDP VPN channel, and uses the standard IETF security protocols to secure it. The server is implemented primarily for the GNU/Linux platform but its code is designed to be portable to other UNIX variants as well.
Dependency: the VPS must support creating the TUN device that the VPN needs
http://www.infradead.org/ocserv/platforms.html
any other platform supporting TUN/TAP devices and on which GnuTLS runs.
HOWTO
- Install the ocserv package and edit the ocserv configuration file
- Generate a CA used to sign client certificates
- Request a Let's Encrypt SSL server certificate
- Install the AnyConnect app on the phone, download the client certificate, and configure it
Let's Encrypt
Use certbot to generate and renew Let's Encrypt SSL certificates:
https://github.com/certbot/certbot
install
https://certbot.eff.org/#centosrhel7-nginx
Install the certbot package from the EPEL repository:
# yum install epel-release
# yum install certbot
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
certbot noarch 0.8.1-2.el7 epel 16 k
Installing for dependencies:
dialog x86_64 1.2-4.20130523.el7 base 208 k
pyOpenSSL x86_64 0.13.1-3.el7 base 133 k
python-cffi x86_64 0.8.6-2.el7 base 131 k
python-cryptography x86_64 0.8.2-1.el7 base 435 k
python-enum34 noarch 1.0.4-1.el7 base 52 k
python-ndg_httpsclient noarch 0.3.2-1.el7 epel 43 k
python-parsedatetime noarch 1.5-3.el7 epel 61 k
python-ply noarch 3.4-10.el7 base 123 k
python-psutil x86_64 2.2.1-1.el7 epel 114 k
python-pycparser noarch 2.14-1.el7 base 104 k
python-requests noarch 2.6.0-1.el7_1 base 94 k
python-urllib3 noarch 1.10.2-2.el7_1 base 100 k
python-zope-component noarch 1:4.1.0-1.el7 epel 110 k
python-zope-event noarch 4.0.3-2.el7 epel 79 k
python-zope-interface x86_64 4.0.5-4.el7 base 138 k
python2-acme noarch 0.8.1-1.el7 epel 162 k
python2-certbot noarch 0.8.1-2.el7 epel 346 k
python2-configargparse noarch 0.10.0-1.el7 epel 28 k
python2-dialog noarch 3.3.0-6.el7 epel 94 k
python2-mock noarch 1.0.1-9.el7 epel 92 k
python2-pyrfc3339 noarch 1.0-2.el7 epel 13 k
pytz noarch 2012d-5.el7 base 38 k
Transaction Summary
================================================================================
Install 1 Package (+22 Dependent packages)
Total download size: 2.7 M
Installed size: 13 M
Commands shipped with the certbot package:
# rpm -ql certbot|grep bin
/usr/bin/certbot
/usr/bin/letsencrypt
howto
Help text:
# certbot --help all
usage:
certbot [SUBCOMMAND] [options] [-d domain] [-d domain] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert. Major SUBCOMMANDS are:
(default) run Obtain & install a cert in your current webserver
certonly Obtain cert, but do not install it (aka "auth")
install Install a previously obtained cert in a server
renew Renew previously obtained certs that are near expiry
revoke Revoke a previously obtained certificate
register Perform tasks related to registering with the CA
rollback Rollback server configuration changes made during install
config_changes Show changes made to server config during installation
plugins Display information about installed plugins
By default there are only two plugins, webroot and standalone:
# certbot plugins
* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
* standalone
Description: Automatically use a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
The webroot plugin has to be used together with a web server such as nginx or Apache; here standalone mode is used to obtain the certificate.
Note: before running the command, stop services such as nginx or ocserv that occupy ports 80 and 443, otherwise standalone mode reports an error:
# netstat -lntpu|egrep '80|443'
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 12245/nginx: master
# service nginx stop
Redirecting to /bin/systemctl stop nginx.service
# netstat -lntpu|egrep '80|443'
Run in standalone mode:
certbot certonly --standalone \
--email [email protected] \
-d example.com -d www.example.com \
--user-agent "" --noninteractive \
--text --verbose --debug
If successful, the certificate files are generated under the /etc/letsencrypt/live/example.com directory:
# certbot certonly --standalone --email [email protected] -d outwall.com --user-agent "" --agree-tos --noninteractive --text --verbose --debug
certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
certbot.auth_handler:Performing the following challenges:
certbot.auth_handler:tls-sni-01 challenge for outwall.com
certbot.auth_handler:Waiting for verification...
certbot.auth_handler:Cleaning up challenges
certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/outwall.com/fullchain.pem. Your cert will expire on 2017-01-09. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
certbot.reporter:Reporting to user: If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/outwall.com/fullchain.pem. Your cert will
expire on 2017-01-09. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Corresponding directory tree:
# tree /etc/letsencrypt/
/etc/letsencrypt/
├── accounts
│ └── acme-v01.api.letsencrypt.org
│ └── directory
│ └── 3b24e8b936a74588021d76401ee376cd
│ ├── meta.json
│ ├── private_key.json
│ └── regr.json
├── archive
│ └── outwall.com
│ ├── cert1.pem
│ ├── chain1.pem
│ ├── fullchain1.pem
│ └── privkey1.pem
├── csr
│ └── 0001_csr-certbot.pem
├── keys
│ └── 0001_key-certbot.pem
├── live
│ └── outwall.com
│ ├── cert.pem -> ../../archive/outwall.com/cert1.pem
│ ├── chain.pem -> ../../archive/outwall.com/chain1.pem
│ ├── fullchain.pem -> ../../archive/outwall.com/fullchain1.pem
│ ├── privkey.pem -> ../../archive/outwall.com/privkey1.pem
│ ├── root.pem
│ └── trusted.pem
└── renewal
└── outwall.com.conf
Edit the ocserv configuration file /etc/ocserv/ocserv.conf and change the server-cert and server-key parameters:
server-cert = /etc/letsencrypt/live/example.com/fullchain.pem
server-key = /etc/letsencrypt/live/example.com/privkey.pem
Restart the service:
service ocserv restart
staging
Note: --staging is the test mode, used to exercise the certificate request against the staging environment:
--test-cert, --staging
Use the staging server to obtain test (invalid) certs;
equivalent to --server https://acme-staging.api.letsencrypt.org/directory (default: False)
certbot renew --dry-run
# certbot certonly --standalone --email [email protected] -d outwall.com --user-agent "" --agree-tos --noninteractive --text --verbose --test-cert --debug
2016-10-07 17:42:31,990:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-10-07 17:42:33,107:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
2016-10-07 17:42:33,371:INFO:certbot.auth_handler:Performing the following challenges:
2016-10-07 17:42:33,371:INFO:certbot.auth_handler:tls-sni-01 challenge for outwall.com
2016-10-07 17:42:33,425:INFO:certbot.auth_handler:Waiting for verification...
2016-10-07 17:42:36,570:INFO:certbot.auth_handler:Cleaning up challenges
2016-10-07 17:42:36,767:INFO:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
2016-10-07 17:42:36,773:INFO:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
2016-10-07 17:42:37,130:INFO:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/outwall.com/fullchain.pem. Your cert will expire on 2017-01-05. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/outwall.com/fullchain.pem. Your cert will
expire on 2017-01-05. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
The /etc/letsencrypt/renewal/outwall.com.conf configuration file:
# renew_before_expiry = 30 days
version = 0.8.1
cert = /etc/letsencrypt/live/outwall.com/cert.pem
privkey = /etc/letsencrypt/live/outwall.com/privkey.pem
chain = /etc/letsencrypt/live/outwall.com/chain.pem
fullchain = /etc/letsencrypt/live/outwall.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = ...
user_agent = ""
server = https://acme-staging.api.letsencrypt.org/directory
TODO: certbot renew --renew-hook restart_ocserv.sh, to restart the ocserv service after the certificate has been renewed:
--renew-hook RENEW_HOOK Command to be run in a shell once for each successfully renewed certificate. For this command, the shell variable $RENEWED_LINEAGE will point to the config live subdirectory containing the new certs and keys; the shell variable $RENEWED_DOMAINS will contain a space-delimited list of renewed cert domains (default: None)
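The stop-nginx / run-standalone / restart-ocserv sequence described above and the --renew-hook TODO can be handled in one place. The following is an added example, not a script from the original notes or from the certbot or ocserv projects: a hook script that restarts ocserv only when the lineage named in ocserv.conf was actually renewed and both files it loads are present, together with a certbot renew invocation that wraps the standalone challenge in --pre-hook/--post-hook so nginx is stopped for the challenge only. The installation path /usr/local/sbin/restart_ocserv.sh, the OCSERV_LINEAGE variable and the cron schedule are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes, nor from certbot or ocserv):
# a certbot --renew-hook script that restarts ocserv only when the lineage
# named in ocserv.conf was actually renewed. certbot exports RENEWED_LINEAGE
# (the live/ directory) and RENEWED_DOMAINS to the hook, as the help text
# above states.
#
# Assumed (adjust to your host): installed as /usr/local/sbin/restart_ocserv.sh,
# and ocserv.conf's server-cert / server-key point into OCSERV_LINEAGE.
#
# Invocation that also avoids the standalone port conflict noted above: nginx
# is stopped only for the challenge and started again afterwards, and the
# renew hook fires only for a lineage that really changed ("Cert not yet due
# for renewal" triggers nothing):
#
#   certbot renew \
#       --pre-hook  "systemctl stop nginx"  \
#       --post-hook "systemctl start nginx" \
#       --renew-hook /usr/local/sbin/restart_ocserv.sh
#
# Assumed cron entry (/etc/cron.d/certbot-renew, one line; cron has no line
# continuation). Twice a day is fine: certbot only renews inside the
# renew_before_expiry window, every other run is a no-op:
#
#   17 3,15 * * * root certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" --renew-hook /usr/local/sbin/restart_ocserv.sh >> /var/log/certbot-renew.log 2>&1

OCSERV_LINEAGE="${OCSERV_LINEAGE:-/etc/letsencrypt/live/example.com}"

# strip_slashes PATH: drop trailing slashes so "live/x/" and "live/x" compare equal
strip_slashes() {
    p=$1
    while [ "$p" != "${p%/}" ]; do p=${p%/}; done
    printf '%s' "$p"
}

# lineage_matches RENEWED EXPECTED: 0 when the renewed lineage is ocserv's one.
# An empty RENEWED never matches, so a hook run outside certbot is a no-op.
lineage_matches() {
    r=$(strip_slashes "$1")
    e=$(strip_slashes "$2")
    [ -n "$r" ] && [ "$r" = "$e" ]
}

# pair_present DIR: 0 when both files ocserv loads exist and are non-empty.
# Restarting onto a missing or empty file would leave the VPN down.
pair_present() {
    [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ]
}

# decide_action RENEWED EXPECTED: prints "restart" or "skip" so the decision
# can be logged and tested without touching the service.
decide_action() {
    if lineage_matches "$1" "$2"; then
        echo restart
    else
        echo skip
    fi
}

# Act only when certbot invoked us (RENEWED_LINEAGE is unset otherwise).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    action=$(decide_action "$RENEWED_LINEAGE" "$OCSERV_LINEAGE")
    logger -t restart_ocserv "lineage=$RENEWED_LINEAGE domains='${RENEWED_DOMAINS:-}' action=$action"
    if [ "$action" = restart ]; then
        if pair_present "$RENEWED_LINEAGE"; then
            systemctl restart ocserv
        else
            logger -t restart_ocserv "fullchain.pem or privkey.pem missing in $RENEWED_LINEAGE, not restarting"
            exit 1
        fi
    fi
fi
```

Matching on the lineage directory rather than on $RENEWED_DOMAINS matters on this page: after the staging clean-up below the production lineage is outwall.com-0001 while the domain stays outwall.com, so a domain-based match would restart ocserv for the wrong directory.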
World of Warcraft TCP and UDP ports
TCP 1119 3724
UDP 3724 (usually not needed; voice chat)
Game server TCP 3724
Login server TCP 8085
Mozilla SSL Configuration Generator
https://mozilla.github.io/server-side-tls/ssl-config-generator/
nginx.conf | file | comment
---|---|---
 | cert.pem | server cert only
 | chain.pem | intermediates
ssl_certificate | fullchain.pem | server cert + intermediates
ssl_certificate_key | privkey.pem | private key
Qualys SSL Labs offers a comprehensive SSL security test: enter your site's domain name and get your HTTPS configuration graded
https://www.ssllabs.com/ssltest/index.html
https://community.letsencrypt.org/t/nginx-wordpress-sec-error-unknown-issuer/4071/4
server {
listen 80;
server_name www.marzycielskapoczta.pl;
return 301 https://marzycielskapoczta.pl$request_uri;
}
server {
listen 443 ssl;
server_name www.marzycielskapoczta.pl;
root /disk2/wordpress;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/letsencrypt/live/www.marzycielskapoczta.pl/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.marzycielskapoczta.pl/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/www.marzycielskapoczta.pl/fullchain.pem;
}
http://nginx.org/en/docs/http/configuring_https_servers.html#chains
openssl s_client -connect www.godaddy.com:443
curl -s https://acme-staging.api.letsencrypt.org/acme/issuer-cert | openssl x509 -inform der -text
curl http://cert.stg-root-x1.letsencrypt.org/ | openssl x509 -inform der -outform pem -text
A test certificate created with the --test-cert parameter (the output is shown above under staging) has the issuer CN Fake LE Intermediate X1, which nobody trusts; --test-cert is only for testing the certificate chain:
# openssl x509 -in cert.pem -issuer -noout
issuer= /CN=Fake LE Intermediate X1
https://community.letsencrypt.org/t/browser-not-trusted-certificate-authority/7981/4
you are creating your certificate using Let's Encrypt staging (test server) so the cert created for your domain has been issued by happy hacker fake CA. This Let's Encrypt staging server should be used just to test that your client is working fine and can generate the challenges, certificates... and so on but if you want to create a valid cert you should use the right server in letsencrypt-auto command.
For staging is:
--server https://acme-staging.api.letsencrypt.org/directory
For production is:
--server https://acme-v01.api.letsencrypt.org/directory
In last version of Let's Encrypt client (0.1.1) if you don't specify a server it defaults to production and if you want to use staging you can specify the server for staging or just use one of these switches (--test-cert or --staging).
This is the help info for these switches:
--test-cert, --staging
Use the staging server to obtain test (invalid) certs;
equivalent to --server https://acme-
staging.api.letsencrypt.org/directory (default: False)
https://community.letsencrypt.org/t/cn-fake-le-intermediate-x1/13437
That means you issued those certificates against the staging server (possibly with --test-cert or --dry-run).
https://gist.github.com/kyhau/1a02ba63958b3da874bc
Create certificate
$ sudo ./letsencrypt-auto --apache --test-cert --email [email protected] --agree-tos -d hi.helloworld.com
If you have an existing apache config with wildcard server alias:
$ sudo ./letsencrypt-auto certonly --email [email protected] --agree-tos -d hi.helloworld.com --server https://acme-v01.api.letsencrypt.org/directory
For --server:
acme-v01.api.letsencrypt.org (Production)
acme-staging.api.letsencrypt.org (Staging)
Need to use --server https://acme-v01.api.letsencrypt.org/directory. Not using --server, or using --server https://acme-staging.api.letsencrypt.org/directory, the Certificate Issuer will be CN=happy hacker fake CA.
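Before pointing server-cert / server-key in ocserv.conf at a lineage, it is worth checking that it was not issued by the staging CA and that privkey.pem really belongs to cert.pem, which is easy to get wrong once archive/ and live/ directories are renamed by hand. The following is an added example, not code from the original notes or from certbot: check_lineage takes a live/ directory and prints a verdict. The issuer names it recognises are the two quoted above (Fake LE Intermediate X1 and happy hacker fake CA); the RSA-only modulus comparison is an assumption that matches the 2048-bit RSA keys shown on this page, and the script name check_lineage.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original notes or from certbot): a pre-deployment
# check of a Let's Encrypt lineage before ocserv.conf is pointed at it.
# It catches the two mistakes discussed above: a certificate issued by the
# staging CA ("Fake LE Intermediate X1" / "happy hacker fake CA"), and a
# privkey.pem that does not belong to cert.pem.
# Assumptions: RSA keys (the 2048-bit keys shown on this page), openssl in
# PATH, and the live/ directory given as the first argument, e.g.
#   sh check_lineage.sh /etc/letsencrypt/live/outwall.com-0001

# is_staging_issuer "ISSUER-LINE": 0 when the issuer DN names a staging CA.
# Accepts the output of `openssl x509 -issuer -noout` in either the old
# "issuer= /CN=..." or the newer "issuer=CN = ..." spelling.
is_staging_issuer() {
    case "$1" in
        *"Fake LE"*|*"happy hacker fake CA"*) return 0 ;;
        *) return 1 ;;
    esac
}

# issuer_of CERT: prints the issuer DN; non-zero if the file is not a cert.
issuer_of() {
    openssl x509 -in "$1" -issuer -noout 2>/dev/null
}

# key_matches_cert CERT KEY: 0 when the RSA modulus is identical in both.
# Nothing secret is printed; only the comparison result leaves the function.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# check_lineage DIR: prints one verdict line; returns 0 only when the lineage
# is safe to reference from server-cert / server-key in ocserv.conf.
check_lineage() {
    dir=$1
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        if [ ! -s "$dir/$f" ]; then
            echo "FAIL: $dir/$f missing or empty"
            return 1
        fi
    done
    issuer=$(issuer_of "$dir/cert.pem") || { echo "FAIL: $dir/cert.pem is not a certificate"; return 1; }
    if is_staging_issuer "$issuer"; then
        echo "FAIL: $dir was issued by the staging CA: $issuer"
        return 1
    fi
    if ! key_matches_cert "$dir/cert.pem" "$dir/privkey.pem"; then
        echo "FAIL: privkey.pem does not match cert.pem in $dir"
        return 1
    fi
    echo "OK: $dir ($issuer)"
}

# Run only when a directory argument was given, so the functions can also be
# sourced from another script.
if [ -n "${1:-}" ]; then
    check_lineage "$1"
fi
```

Run it against the new lineage before editing ocserv.conf and again from the renew hook if you want a hard stop on a bad renewal; a non-zero exit is the signal to leave the old certificate in place.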
Rename the staging-related directories and files under the following paths, then request the certificate for production use again:
/etc/letsencrypt/accounts
/etc/letsencrypt/renewal
# certbot certonly --standalone --email [email protected] -d outwall.com --user-agent "" --agree-tos --noninteractive --text --verbose --debug
2016-10-11 22:22:38,177:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-10-11 22:22:39,173:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-10-11 22:22:39,288:WARNING:certbot.main:Renewal conf file /etc/letsencrypt/renewal/outwall.com.conf is broken. Skipping.
2016-10-11 22:22:39,463:INFO:certbot.auth_handler:Performing the following challenges:
2016-10-11 22:22:39,463:INFO:certbot.auth_handler:tls-sni-01 challenge for outwall.com
2016-10-11 22:22:39,526:INFO:certbot.auth_handler:Waiting for verification...
2016-10-11 22:22:42,667:INFO:certbot.auth_handler:Cleaning up challenges
2016-10-11 22:22:43,247:INFO:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
2016-10-11 22:22:43,252:INFO:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem
2016-10-11 22:22:43,605:INFO:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/outwall.com-0001/fullchain.pem. Your cert will expire on 2017-01-09. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
2016-10-11 22:22:43,605:INFO:certbot.reporter:Reporting to user: If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/outwall.com-0001/fullchain.pem. Your cert will
expire on 2017-01-09. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
[email protected] /etc/letsencrypt/live/outwall.com
# certbot certonly --standalone --email [email protected] -d outwall.com --user-agent "" --agree-tos --noninteractive --text --verbose --debug
2016-10-11 22:24:13,758:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-10-11 22:24:14,621:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-10-11 22:24:14,736:INFO:certbot.renewal:Cert not yet due for renewal
-------------------------------------------------------------------------------
Certificate not yet due for renewal; no action taken.
-------------------------------------------------------------------------------
# tree .
.
├── accounts
│ ├── acme-staging.api.letsencrypt.org
│ │ └── directory
│ │ └── d219a4834295b92c10b2c1525ca086b3
│ │ ├── meta.json
│ │ ├── private_key.json
│ │ └── regr.json
│ └── acme-v01.api.letsencrypt.org
│ └── directory
│ └── 3b24e8b936a74588021d76401ee376cd
│ ├── meta.json
│ ├── private_key.json
│ └── regr.json
├── archive
│ ├── outwall.com-0001
│ │ ├── cert1.pem
│ │ ├── chain1.pem
│ │ ├── fullchain1.pem
│ │ └── privkey1.pem
│ └── outwall.com.bak
│ ├── cert1.pem
│ ├── chain1.pem
│ ├── fullchain1.pem
│ └── privkey1.pem
├── csr
│ ├── 0000_csr-certbot.pem
│ ├── 0001_csr-certbot.pem
│ ├── 0002_csr-certbot.pem
│ └── 0003_csr-certbot.pem
├── keys
│ ├── 0000_key-certbot.pem
│ ├── 0001_key-certbot.pem
│ ├── 0002_key-certbot.pem
│ └── 0003_key-certbot.pem
├── live
│ ├── outwall.com
│ │ └── root
│ └── outwall.com-0001
│ ├── cert.pem -> ../../archive/outwall.com-0001/cert1.pem
│ ├── chain.pem -> ../../archive/outwall.com-0001/chain1.pem
│ ├── fullchain.pem -> ../../archive/outwall.com-0001/fullchain1.pem
│ └── privkey.pem -> ../../archive/outwall.com-0001/privkey1.pem
└── renewal
├── outwall.com-0001.conf
└── outwall.com.conf.bak
16 directories, 29 files
crontab
https://calomel.org/lets_encrypt_client.html
#!/bin/sh
#
# Check if an SSL certificate will expire in less than 30 days.
# https://calomel.org/lets_encrypt_client.html
#
# remote ssl domain to monitor
HostName="example.org"
# certificate expiration, remote check
CertificateExpireDate=`echo | openssl s_client -connect $HostName:443 2>/dev/null | openssl x509 -noout -enddate | sed 's/notAfter=//'`
# certificate expiration, convert to unix time
UnixCertExpireDate=`date -d "$CertificateExpireDate" +"%s"`
# current date in unix time
UnixCurrentDate=`date +%s`
# difference of the expiration date and the current date
UnixTimeDiff=`expr $UnixCertExpireDate - $UnixCurrentDate`
# If the certificate expires in less than 30 days (2592000 seconds) send a notification
if [ $UnixTimeDiff -lt 2592000 ]; then
echo "NOTICE: $HostName ssl certificate will expire in less than 30 days." | mail -s "$HostName ssl certificate will expire in less than 30 days" [email protected]
fi
Use certtool to view certificate information (the -i parameter) and private key information (the -k parameter):
man certtool
-i, --certificate-info Print information on the given certificate.
-k, --key-info Print information on a private key.
View certificate information:
# certtool --infile=ca.crt -i
X.509 Certificate Information:
Version: 3
Serial Number (hex): 01
Issuer: CN=outwall,O=outwall club
Validity:
Not Before: Sat Oct 08 12:54:14 UTC 2016
Not After: Tue Oct 06 12:54:14 UTC 2026
Subject: CN=outwall,O=outwall club
Subject Public Key Algorithm: RSA
Algorithm Security Level: Medium (2048 bits)
View private key information:
# certtool --infile=ca-key.pem -k
Public Key Info:
Public Key Algorithm: RSA
Key Security Level: Medium (2048 bits)
# diff -y ocserv.conf ocserv.conf.0.11.5 |egrep -iw '[|<]'
#auth = "pam" | auth = "pam"
auth = "certificate" | #auth = "certificate"
try-mtu-discovery = true | try-mtu-discovery = false
server-cert = /etc/letsencrypt/live/beta.example.com/fullchain. | server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/letsencrypt/live/beta.example.com/privkey.pem | server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/ocserv/certs/ca.crt | ca-cert = /etc/pki/ocserv/cacerts/ca.crt
cert-group-oid = 2.5.4.11 | #cert-group-oid = 2.5.4.11
default-domain = beta.example.com | default-domain = example.com
ipv4-network = 192.168.123.0 | #ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0 | #ipv4-netmask = 255.255.255.0
dns = 8.8.8.8 | #dns = 192.168.1.2
dns = 8.8.4.4 <