ocserv (OpenConnect VPN Server)

Official site: http://www.infradead.org/ocserv/index.html

OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be a secure, small, fast and configurable VPN server. It implements the OpenConnect SSL VPN protocol, and has also (currently experimental) compatibility with clients using the AnyConnect SSL VPN protocol. The OpenConnect protocol provides a dual TCP/UDP VPN channel, and uses the standard IETF security protocols to secure it. The server is implemented primarily for the GNU/Linux platform but its code is designed to be portable to other UNIX variants as well.

Dependency: the VPS must support creating the TUN device the VPN needs

http://www.infradead.org/ocserv/platforms.html

any other platform supporting TUN/TAP devices and on which GnuTLS runs.

HOWTO

  • Install the ocserv package and edit the ocserv configuration file
  • Generate a CA for signing client certificates
  • Request a Let's Encrypt SSL server certificate
  • Install the AnyConnect app on the phone, download the client certificate, configure it, and you are done

Let's Encrypt

Use certbot to obtain and renew Let's Encrypt SSL certificates:

https://github.com/certbot/certbot

install

https://certbot.eff.org/#centosrhel7-nginx

Install the certbot package from the EPEL repository:

# yum install epel-release

# yum install certbot

Dependencies Resolved

================================================================================
 Package                    Arch       Version                   Repository
                                                                           Size
================================================================================
Installing:
 certbot                    noarch     0.8.1-2.el7               epel      16 k
Installing for dependencies:
 dialog                     x86_64     1.2-4.20130523.el7        base     208 k
 pyOpenSSL                  x86_64     0.13.1-3.el7              base     133 k
 python-cffi                x86_64     0.8.6-2.el7               base     131 k
 python-cryptography        x86_64     0.8.2-1.el7               base     435 k
 python-enum34              noarch     1.0.4-1.el7               base      52 k
 python-ndg_httpsclient     noarch     0.3.2-1.el7               epel      43 k
 python-parsedatetime       noarch     1.5-3.el7                 epel      61 k
 python-ply                 noarch     3.4-10.el7                base     123 k
 python-psutil              x86_64     2.2.1-1.el7               epel     114 k
 python-pycparser           noarch     2.14-1.el7                base     104 k
 python-requests            noarch     2.6.0-1.el7_1             base      94 k
 python-urllib3             noarch     1.10.2-2.el7_1            base     100 k
 python-zope-component      noarch     1:4.1.0-1.el7             epel     110 k
 python-zope-event          noarch     4.0.3-2.el7               epel      79 k
 python-zope-interface      x86_64     4.0.5-4.el7               base     138 k
 python2-acme               noarch     0.8.1-1.el7               epel     162 k
 python2-certbot            noarch     0.8.1-2.el7               epel     346 k
 python2-configargparse     noarch     0.10.0-1.el7              epel      28 k
 python2-dialog             noarch     3.3.0-6.el7               epel      94 k
 python2-mock               noarch     1.0.1-9.el7               epel      92 k
 python2-pyrfc3339          noarch     1.0-2.el7                 epel      13 k
 pytz                       noarch     2012d-5.el7               base      38 k

Transaction Summary
================================================================================
Install  1 Package (+22 Dependent packages)

Total download size: 2.7 M
Installed size: 13 M

Commands shipped in the certbot package:

# rpm -ql certbot|grep bin
/usr/bin/certbot
/usr/bin/letsencrypt

howto

Help text:

# certbot --help all

usage:
  certbot [SUBCOMMAND] [options] [-d domain] [-d domain] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  renew                Renew previously obtained certs that are near expiry
  revoke               Revoke a previously obtained certificate
  register             Perform tasks related to registering with the CA
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins

By default only two plugins are available, webroot and standalone:

# certbot plugins
* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator

* standalone
Description: Automatically use a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

The webroot plugin needs a web server such as nginx or apache behind it; here the standalone plugin is enough to obtain the certificate:

Note

Before running the command, stop nginx, ocserv and any other service listening on ports 80 and 443, otherwise standalone mode fails with an error:

# netstat -lntpu|egrep '80|443'
tcp    0     0 0.0.0.0:80    0.0.0.0:*    LISTEN    12245/nginx: master

# service nginx stop
Redirecting to /bin/systemctl stop  nginx.service

# netstat -lntpu|egrep '80|443'

Run in standalone mode:

certbot certonly --standalone \
                 --email [email protected] \
                 -d example.com -d www.example.com \
                 --user-agent "" --noninteractive \
                 --text --verbose --debug

If it succeeds, the certificate files are written under /etc/letsencrypt/live/example.com:

# certbot certonly --standalone --email [email protected] -d outwall.com --user-agent "" --agree-tos --noninteractive --text --verbose --debug

certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
certbot.auth_handler:Performing the following challenges:
certbot.auth_handler:tls-sni-01 challenge for outwall.com
certbot.auth_handler:Waiting for verification...
certbot.auth_handler:Cleaning up challenges
certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/outwall.com/fullchain.pem. Your cert will expire on 2017-01-09. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
certbot.reporter:Reporting to user: If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/outwall.com/fullchain.pem. Your cert will
   expire on 2017-01-09. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The resulting directory tree:

# tree /etc/letsencrypt/
/etc/letsencrypt/
├── accounts
│   └── acme-v01.api.letsencrypt.org
│       └── directory
│           └── 3b24e8b936a74588021d76401ee376cd
│               ├── meta.json
│               ├── private_key.json
│               └── regr.json
├── archive
│   └── outwall.com
│       ├── cert1.pem
│       ├── chain1.pem
│       ├── fullchain1.pem
│       └── privkey1.pem
├── csr
│   └── 0001_csr-certbot.pem
├── keys
│   └── 0001_key-certbot.pem
├── live
│   └── outwall.com
│       ├── cert.pem -> ../../archive/outwall.com/cert1.pem
│       ├── chain.pem -> ../../archive/outwall.com/chain1.pem
│       ├── fullchain.pem -> ../../archive/outwall.com/fullchain1.pem
│       ├── privkey.pem -> ../../archive/outwall.com/privkey1.pem
│       ├── root.pem
│       └── trusted.pem
└── renewal
    └── outwall.com.conf

Edit the ocserv configuration file /etc/ocserv/ocserv.conf and set the server-cert and server-key parameters:

server-cert = /etc/letsencrypt/live/example.com/fullchain.pem
server-key = /etc/letsencrypt/live/example.com/privkey.pem

Restart the service:

service ocserv restart

staging

Note: --staging is a test mode that issues certificates from Let's Encrypt's testing environment

--test-cert, --staging

Use the staging server to obtain test (invalid) certs;
equivalent to --server https://acme-staging.api.letsencrypt.org/directory (default: False)

certbot renew --dry-run
# certbot certonly --standalone --email [email protected] -d outwall.com --user-agent "" --agree-tos --noninteractive --text --verbose --test-cert --debug
2016-10-07 17:42:31,990:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-10-07 17:42:33,107:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
2016-10-07 17:42:33,371:INFO:certbot.auth_handler:Performing the following challenges:
2016-10-07 17:42:33,371:INFO:certbot.auth_handler:tls-sni-01 challenge for outwall.com
2016-10-07 17:42:33,425:INFO:certbot.auth_handler:Waiting for verification...
2016-10-07 17:42:36,570:INFO:certbot.auth_handler:Cleaning up challenges
2016-10-07 17:42:36,767:INFO:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
2016-10-07 17:42:36,773:INFO:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
2016-10-07 17:42:37,130:INFO:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/outwall.com/fullchain.pem. Your cert will expire on 2017-01-05. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/outwall.com/fullchain.pem. Your cert will
   expire on 2017-01-05. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"

The /etc/letsencrypt/renewal/outwall.com.conf configuration file:

# renew_before_expiry = 30 days
version = 0.8.1
cert = /etc/letsencrypt/live/outwall.com/cert.pem
privkey = /etc/letsencrypt/live/outwall.com/privkey.pem
chain = /etc/letsencrypt/live/outwall.com/chain.pem
fullchain = /etc/letsencrypt/live/outwall.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = ...
user_agent = ""
server = https://acme-staging.api.letsencrypt.org/directory

TODO: certbot renew --renew-hook restart_ocserv.sh, to restart the ocserv service after the certificate has been renewed:

--renew-hook RENEW_HOOK
    Command to be run in a shell once for each successfully renewed
    certificate. For this command, the shell variable $RENEWED_LINEAGE
    will point to the config live subdirectory containing the new certs
    and keys; the shell variable $RENEWED_DOMAINS will contain a
    space-delimited list of renewed cert domains (default: None)
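A renew hook that does what the TODO describes, written here as an added example (not part of the original notes): it restarts ocserv only when the renewed lineage is the one ocserv.conf's server-cert points at, and only after checking that the renewed key still matches the renewed certificate, so a bad pair never takes the VPN down. The OCSERV_CONF path and the systemd unit name are assumptions; RENEWED_LINEAGE and RENEWED_DOMAINS are the variables certbot exports to the hook.

```sh
#!/bin/sh
# Added example, not from the original notes: certbot --renew-hook for ocserv.
# Assumption: ocserv.conf lives at OCSERV_CONF and ocserv runs as a systemd unit.
OCSERV_CONF="${OCSERV_CONF:-/etc/ocserv/ocserv.conf}"

# ocserv_conf_value KEY: print the value of the first active "KEY = value"
# line read from stdin (commented-out "#KEY" lines do not match).
ocserv_conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# lineage_owns_cert LINEAGE CERTPATH: 0 if CERTPATH lives under LINEAGE/.
# An empty LINEAGE never matches, so the hook stays quiet outside certbot.
lineage_owns_cert() {
    [ -n "$1" ] || return 1
    case "$2" in
        "$1"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# cert_matches_key CERT KEY: 0 if both files carry the same public key.
# ocserv refuses to start on a mismatched pair, so check before restarting.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

main() {
    server_cert=$(ocserv_conf_value server-cert < "$OCSERV_CONF")
    server_key=$(ocserv_conf_value server-key < "$OCSERV_CONF")

    if ! lineage_owns_cert "$RENEWED_LINEAGE" "$server_cert"; then
        echo "renew-hook: $RENEWED_DOMAINS renewed but not used by ocserv; nothing to do"
        return 0
    fi
    if ! cert_matches_key "$server_cert" "$server_key"; then
        echo "renew-hook: $server_cert does not match $server_key; not restarting" >&2
        return 1
    fi
    echo "renew-hook: restarting ocserv for $RENEWED_DOMAINS"
    systemctl restart ocserv.service
}

# certbot sets RENEWED_LINEAGE only when it runs the hook; when the script is
# sourced for testing, nothing below executes.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Install it as `certbot renew --renew-hook /path/to/restart_ocserv.sh` in the cron entry; a `certbot renew --dry-run` against staging exercises the hook without touching the production certificate.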

World of Warcraft TCP and UDP ports

TCP 1119 3724
UDP 3724 (usually not needed, voice chat)

Game server  TCP 3724
Login server TCP 8085

Mozilla SSL Configuration Generator

https://mozilla.github.io/server-side-tls/ssl-config-generator/

nginx.conf            file           comment
                      cert.pem       server cert only
                      chain.pem      intermediates
ssl_certificate       fullchain.pem  server cert + intermediates
ssl_certificate_key   privkey.pem    private key

Qualys SSL Labs offers a comprehensive SSL security test: enter your site's domain name and get your HTTPS configuration graded

https://www.ssllabs.com/ssltest/index.html

https://community.letsencrypt.org/t/nginx-wordpress-sec-error-unknown-issuer/4071/4

server {
    listen 80;
    server_name www.marzycielskapoczta.pl;
    return 301 https://marzycielskapoczta.pl$request_uri;
}

server {
    listen 443 ssl;
    server_name www.marzycielskapoczta.pl;
    root /disk2/wordpress;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/live/www.marzycielskapoczta.pl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.marzycielskapoczta.pl/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/www.marzycielskapoczta.pl/fullchain.pem;
}

http://nginx.org/en/docs/http/configuring_https_servers.html#chains

openssl s_client -connect www.godaddy.com:443


curl -s https://acme-staging.api.letsencrypt.org/acme/issuer-cert | openssl x509 -inform der -text
curl http://cert.stg-root-x1.letsencrypt.org/ | openssl x509 -inform der -outform pem -text

Test certificate created with the --test-cert option

The certificate's issuer CN is Fake LE Intermediate X1, which is not trusted by anyone; --test-cert is only for testing that the certificate chain is issued correctly:

# openssl x509 -in cert.pem -issuer -noout
issuer= /CN=Fake LE Intermediate X1

https://community.letsencrypt.org/t/browser-not-trusted-certificate-authority/7981/4

you are creating your certificate using Let's Encrypt staging (test server) so the cert created for your domain has been issued by happy hacker fake CA. This Let's Encrypt staging server should be used just to test that your client is working fine and can generate the challenges, certificates... and so on but if you want to create a valid cert you should use the right server in letsencrypt-auto command.

For staging is:

--server https://acme-staging.api.letsencrypt.org/directory

For production is:

--server https://acme-v01.api.letsencrypt.org/directory

In last version of Let's Encrypt client (0.1.1) if you don't specify a server it defaults to production and if you want to use staging you can specify the server for staging or just use one of these switches (--test-cert or --staging).

This is the help info for these switches:

--test-cert, --staging
    Use the staging server to obtain test (invalid) certs;
    equivalent to --server https://acme-
    staging.api.letsencrypt.org/directory (default: False)

https://community.letsencrypt.org/t/cn-fake-le-intermediate-x1/13437

That means you issued those certificates against the staging server (possibly with --test-cert or --dry-run).

https://gist.github.com/kyhau/1a02ba63958b3da874bc

Create certificate

$ sudo ./letsencrypt-auto --apache --test-cert --email [email protected] --agree-tos -d hi.helloworld.com

If you have an existing apache config with wildcard server alias:

$ sudo ./letsencrypt-auto certonly --email [email protected] --agree-tos -d hi.helloworld.com --server https://acme-v01.api.letsencrypt.org/directory

For --server :

acme-v01.api.letsencrypt.org (Production)
acme-staging.api.letsencrypt.org (Staging)

Need to use --server https://acme-v01.api.letsencrypt.org/directory. Not using --server, or using --server https://acme-staging.api.letsencrypt.org/directory, the Certificate Issuer will be CN=happy hacker fake CA.

Rename the staging-related directories and files, then regenerate the certificate for production use:

  • /etc/letsencrypt/accounts
  • /etc/letsencrypt/renewal

# certbot certonly --standalone --email [email protected] -d outwall.com --user-agent "" --agree-tos --noninteractive --text --verbose --debug 
2016-10-11 22:22:38,177:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-10-11 22:22:39,173:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-10-11 22:22:39,288:WARNING:certbot.main:Renewal conf file /etc/letsencrypt/renewal/outwall.com.conf is broken. Skipping.
2016-10-11 22:22:39,463:INFO:certbot.auth_handler:Performing the following challenges:
2016-10-11 22:22:39,463:INFO:certbot.auth_handler:tls-sni-01 challenge for outwall.com
2016-10-11 22:22:39,526:INFO:certbot.auth_handler:Waiting for verification...
2016-10-11 22:22:42,667:INFO:certbot.auth_handler:Cleaning up challenges
2016-10-11 22:22:43,247:INFO:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
2016-10-11 22:22:43,252:INFO:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem
2016-10-11 22:22:43,605:INFO:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/outwall.com-0001/fullchain.pem. Your cert will expire on 2017-01-09. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
2016-10-11 22:22:43,605:INFO:certbot.reporter:Reporting to user: If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/outwall.com-0001/fullchain.pem. Your cert will
   expire on 2017-01-09. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 [email protected] /etc/letsencrypt/live/outwall.com

# certbot certonly --standalone --email [email protected] -d outwall.com --user-agent "" --agree-tos --noninteractive --text --verbose --debug
2016-10-11 22:24:13,758:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-10-11 22:24:14,621:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-10-11 22:24:14,736:INFO:certbot.renewal:Cert not yet due for renewal

-------------------------------------------------------------------------------
Certificate not yet due for renewal; no action taken.
-------------------------------------------------------------------------------
# tree .
.
├── accounts
│   ├── acme-staging.api.letsencrypt.org
│   │   └── directory
│   │       └── d219a4834295b92c10b2c1525ca086b3
│   │           ├── meta.json
│   │           ├── private_key.json
│   │           └── regr.json
│   └── acme-v01.api.letsencrypt.org
│       └── directory
│           └── 3b24e8b936a74588021d76401ee376cd
│               ├── meta.json
│               ├── private_key.json
│               └── regr.json
├── archive
│   ├── outwall.com-0001
│   │   ├── cert1.pem
│   │   ├── chain1.pem
│   │   ├── fullchain1.pem
│   │   └── privkey1.pem
│   └── outwall.com.bak
│       ├── cert1.pem
│       ├── chain1.pem
│       ├── fullchain1.pem
│       └── privkey1.pem
├── csr
│   ├── 0000_csr-certbot.pem
│   ├── 0001_csr-certbot.pem
│   ├── 0002_csr-certbot.pem
│   └── 0003_csr-certbot.pem
├── keys
│   ├── 0000_key-certbot.pem
│   ├── 0001_key-certbot.pem
│   ├── 0002_key-certbot.pem
│   └── 0003_key-certbot.pem
├── live
│   ├── outwall.com
│   │   └── root
│   └── outwall.com-0001
│       ├── cert.pem -> ../../archive/outwall.com-0001/cert1.pem
│       ├── chain.pem -> ../../archive/outwall.com-0001/chain1.pem
│       ├── fullchain.pem -> ../../archive/outwall.com-0001/fullchain1.pem
│       └── privkey.pem -> ../../archive/outwall.com-0001/privkey1.pem
└── renewal
    ├── outwall.com-0001.conf
    └── outwall.com.conf.bak

16 directories, 29 files

crontab

https://calomel.org/lets_encrypt_client.html

#!/bin/sh

#
# Check if an SSL certificate will expire in less than 30 days.
# https://calomel.org/lets_encrypt_client.html
#

# remote ssl domain to monitor
HostName="example.org"

# certificate expiration, remote check
# -servername sends SNI so a host serving several certificates returns the one for $HostName
CertificateExpireDate=`echo | openssl s_client -servername $HostName -connect $HostName:443 2>/dev/null | openssl x509 -noout -enddate | sed 's/notAfter=//'`

# certificate expiration, convert to unix time
UnixCertExpireDate=`date -d "$CertificateExpireDate" +"%s"`

# current date in unix time
UnixCurrentDate=`date +%s`

# difference of the expiration date and the current date
UnixTimeDiff=`expr $UnixCertExpireDate - $UnixCurrentDate`

# If the certificate expires in less than 30 days (2592000 seconds) send a notification
if [ $UnixTimeDiff -lt 2592000 ]; then
   echo "NOTICE: $HostName ssl certificate will expire in less than 30 days." | mail -s "$HostName ssl certificate will expire in less than 30 days" [email protected]
fi

Use certtool to inspect a certificate (-i option) and a private key (-k option):

man certtool

-i, --certificate-info  Print information on the given certificate.
-k, --key-info          Print information on a private key.

Certificate information:

# certtool --infile=ca.crt -i

X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 01
    Issuer: CN=outwall,O=outwall club
    Validity:
            Not Before: Sat Oct 08 12:54:14 UTC 2016
            Not After: Tue Oct 06 12:54:14 UTC 2026
    Subject: CN=outwall,O=outwall club
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: Medium (2048 bits)

Private key information:

# certtool --infile=ca-key.pem -k

Public Key Info:
    Public Key Algorithm: RSA
    Key Security Level: Medium (2048 bits)

# diff -y ocserv.conf ocserv.conf.0.11.5 |egrep -iw '[|<]'
#auth = "pam"                                                 | auth = "pam"
auth = "certificate"                                          | #auth = "certificate"
try-mtu-discovery = true                                      | try-mtu-discovery = false
server-cert = /etc/letsencrypt/live/beta.example.com/fullchain. | server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/letsencrypt/live/beta.example.com/privkey.pem | server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/ocserv/certs/ca.crt                            | ca-cert = /etc/pki/ocserv/cacerts/ca.crt
cert-group-oid = 2.5.4.11                                     | #cert-group-oid = 2.5.4.11
default-domain = beta.example.com                               | default-domain = example.com
ipv4-network = 192.168.123.0                                  | #ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0                                  | #ipv4-netmask = 255.255.255.0
dns = 8.8.8.8                                                 | #dns = 192.168.1.2
dns = 8.8.4.4                                                 <
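The HOWTO's second step (a CA that signs client certificates) and the auth = "certificate" / cert-group-oid = 2.5.4.11 settings in the diff above fit together like this, as an added example that is not part of the original notes: GnuTLS certtool templates for the CA (CN and organization taken from the ca.crt shown above) and for one client, whose CN becomes the ocserv username and whose OU (OID 2.5.4.11) becomes its group. The output directory, user and group names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original notes: CA + client certificate for
# ocserv certificate authentication, built from certtool templates.
# Assumption: files go to OUT_DIR; ocserv.conf's ca-cert points at OUT_DIR/ca.crt.
set -e
OUT_DIR="${OUT_DIR:-/etc/ocserv/certs}"

# ca_template: a 10-year CA that can sign certificates and CRLs.
ca_template() {
    cat <<EOF
cn = "outwall"
organization = "outwall club"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
}

# client_template USER GROUP: a TLS client certificate. "unit" is the OU that
# ocserv reads through cert-group-oid = 2.5.4.11; "cn" is the username.
client_template() {
    cat <<EOF
cn = "$1"
unit = "$2"
serial = $(date +%s)
expiration_days = 365
signing_key
tls_www_client
EOF
}

# template_field KEY: print KEY's value from a template on stdin, quotes
# stripped; lets a template be checked before it reaches certtool.
template_field() {
    sed -n "s/^$1 = \"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p"
}

make_ca() {
    certtool --generate-privkey --outfile "$OUT_DIR/ca-key.pem"
    ca_template > "$OUT_DIR/ca.tmpl"
    certtool --generate-self-signed --load-privkey "$OUT_DIR/ca-key.pem" \
        --template "$OUT_DIR/ca.tmpl" --outfile "$OUT_DIR/ca.crt"
}

# make_client USER GROUP: key and CA-signed cert, bundled as PKCS#12 because
# that is what the AnyConnect app imports (certtool prompts for the password).
make_client() {
    certtool --generate-privkey --outfile "$OUT_DIR/$1-key.pem"
    client_template "$1" "$2" > "$OUT_DIR/$1.tmpl"
    certtool --generate-certificate --load-privkey "$OUT_DIR/$1-key.pem" \
        --load-ca-certificate "$OUT_DIR/ca.crt" --load-ca-privkey "$OUT_DIR/ca-key.pem" \
        --template "$OUT_DIR/$1.tmpl" --outfile "$OUT_DIR/$1.crt"
    certtool --to-p12 --load-privkey "$OUT_DIR/$1-key.pem" \
        --load-certificate "$OUT_DIR/$1.crt" --pkcs-cipher 3des-pkcs12 \
        --outder --outfile "$OUT_DIR/$1.p12"
}

# Usage: ./make_certs.sh run [user] [group]
if [ "${1:-}" = "run" ]; then
    mkdir -p "$OUT_DIR"
    make_ca
    make_client "${2:-alice}" "${3:-Route-All}"
fi
```

Afterwards `certtool --infile "$OUT_DIR/ca.crt" -i` shows the same Issuer/Subject as the ca.crt above, and the ca-key.pem never needs to leave the server.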