let's encrypt SSL证书续期 

最近接到邮件,说自己SSL证书将于10日内过期,于是赶紧续期。renew.

使用 letsencrypt 官方推荐的客户端 Certbot 完成操作。

下载该工具,根据各自的系统和包管理器,下载安装。

由于我的系统比较老,所以下载了 binary 文件。


wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto


给了执行权限,继续操作。


[root@xzx ~]# ./certbot-auto certonly --force-renewal -d xiazhengxin.name --no-self-upgrade
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find executable apachectl in PATH: /opt/lighttpd/sbin:/opt/php/sbin:/opt/php/bin:/opt/mysql/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for xiazhengxin.name
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xiazhengxin.name/fullchain.pem. Your cert
will expire on 2017-07-13. To obtain a new or tweaked version of
this certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le


续期成功,其实我感觉是重新生成了一份新的。
查看证书存放地址:

[root@xzx ~]# ./certbot-auto certificates --force-renewal -d xiazhengxin.name --no-self-upgrade
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following matching certs:
Certificate Name: xiazhengxin.name
Domains: xiazhengxin.name
Expiry Date: 2017-07-13 09:26:00+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/xiazhengxin.name/fullchain.pem
Private Key Path: /etc/letsencrypt/live/xiazhengxin.name/privkey.pem
-------------------------------------------------------------------------------


现在要做的就是删除老的快过期的证书,然后用新生成的替换掉它,重启WEB SERVER即可。


[root@xzx ~]# cp /etc/letsencrypt/live/xiazhengxin.name/fullchain.pem /home/http/blog_xiazhengxin_name/ssl.pem
[root@xzx ~]# cat /etc/letsencrypt/live/xiazhengxin.name/privkey.pem >> /home/http/blog_xiazhengxin_name/ssl.pem


搞定!!!!

关于 Certbot 的用法参数说明,参见:
https://certbot.eff.org/docs/using.html#certbot-command-line-options

https://certbot.eff.org/ Certbot 官网
https://letsencrypt.org/docs/client-options/ Certbot 其他变种
[ ] ( 1861 次浏览 ) 永久链接 ( 3 / 1964 )
使用StartSSL.com 免费证书在博客 

最近跟风SSL,便搞了一个SSL证书到自己的网站。

https://startssl.com/Certificates 注册会员,验证邮箱和域名。

然后申请 Class 1 (Not Validated) 的 DV SSL Certificate for Free User (Not Validated),这是给初级别用户的证书,因为不用验证身份证,拍照啥的。

1.Please enter the full hostname for SSL certificate (e.g: mail.domain.com):

输入自己的域名,可以是好几个子域名,换行隔开。

2.Please submit your Certificate Signing Request (CSR):

选择第一个 Generated by Myself。

在shell 执行 “openssl req -newkey rsa:2048 -keyout xxx.key -out xxx.csr ”,需要安装openssl 套件。

cat xxx.csr

把内容贴入下方的文本域,点击提交。

如下:

[root@xzx ssl]# openssl req -newkey rsa:2048 -keyout blog.key -out blog.csr
Generating a 2048 bit RSA private key
..............................................................................................................................................+++
..................+++
writing new private key to 'blog.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:Sharl Jimh Tsin
Organizational Unit Name (eg, section) []:Sharl
Common Name (eg, your name or your server's hostname) []:xiazhengxin.name
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xiazhengxin
An optional company name []:
[root@xzx ssl]# cat blog.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIC/zCCAecCAQAwgZ0xCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhTaGFuZ2hhaTER
MA8GA1UEBwwIU2hhbmdoYWkxGDAWBgNVBAoMD1NoYXJsIEppbWggVHNpbjEOMAwG
A1UECwwFU2hhcmwxGTAXBgNVBAMMEHhpYXpoZW5neGluLm5hbWUxIzAhBgkqhkiG
9w0BCQEWFHh6eEB4aWF6aGVuZ3hpbi5uYW1lMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAt7s1Nhtmt5ZeIkOXnMeH3fFl1neUjxun/aqf52If5tTkpVqp
UuKpkzOk8nXOYiFfHsdhormo57bTuDdnG/e2mz5KXR0uE2k3zqMGGFvRfeRQHGTz
eI/xP1GhLTI8KWfN2VP9hjV6KOd992OJkceoQ+qr8wmOpt+QEbMXi7taA/q5eBEc
vjEEeFRT8V0yV6CZcylQaKAtmcM73iR5siPi8DJap4WAkKgNdlC+XymO1eDY4TDY
JzzPPDo88+6+Y6DwfbDRSEjDS40byA0SovkDShLYFkxa5vHgLWsrFGEZzgyxa4ob
Ih0VxyrEFCdFVaQlnVIL38OCBw0fdWaa5FmzbwIDAQABoBwwGgYJKoZIhvcNAQkH
MQ0MC3hpYXpoZW5neGluMA0GCSqGSIb3DQEBBQUAA4IBAQBBo5b03ATzyMjaEYfk
uSoZV3dGNydqZvcUUnaV4TxkZnjG3TntUmrCqF9lja9XqjaKk4gRClUQqivGes6S
DcfTfCcleenAhgvCAOafuhEMfK0fSx7X9c9+Mrtntmdcx8By0dhEekVRJIO2f0KE
LO19OzVCKCLcaqMwShEAjeRzfd63LhU79xFZqsPT3XgRQQJuUlId6MakbvGUTGej
1z5n+ty/uKsh/VJXIhhFrkY1rSSeSWf9qYHzQwag41XrJ9JUCS9+cLmEnGKdLmYi
Kg1/QAyTluxjYW2NVvshvbhgL5Kx+WnO9DZcghqyV8UxBDGr+sbTN6p0TmTfr+rS
mE0F
-----END CERTIFICATE REQUEST-----


跳转页面后就可以下载对应的 xxxxx.xxx.pem 文件。也可以到 首页 的 Tool Box 下面的 Certificate List 页面去下载。


170112183726840 xiazhengxin.name Class 1 SSL 2017-01-12 2020-01-12 Issued “下载按钮”


到这里,startssl 网站的工作就搞完了。把 pem 文件上传到自己的服务器,把它和自己的私钥合并。


[root@xzx ssl]# cat blog.key xiazhengxin.name.pem > ssl.pem
[root@xzx ssl]# cp ssl.pem /home/http/blog_xiazhengxin_name/
[root@xzx ssl]# cd /home/http/blog_xiazhengxin_name/
[root@xzx blog_xiazhengxin_name]# ll
total 92
drwxrwx--- 5 http web 4096 Apr 11 2011 admin
-rwxrwx--- 1 http web 1547 Apr 23 2013 config.inc.php
-rwxrwx--- 1 http web 53 Dec 1 2010 google7a48cd06bd7c1d66.html
-rwxrwx--- 1 http web 685 Jul 2 2009 index.php
-rwxrwx--- 1 http web 37235 Jun 21 2010 install.php
-rwxrwx--- 1 http web 15255 May 14 2008 license.txt
lrwxrwxrwx 1 http web 30 Nov 8 2014 pub -> ../static_xiazhengxin_name/pub
-rw-r--r-- 1 root root 4285 Jan 12 18:43 ssl.pem
drwxrwx--- 5 http web 4096 Apr 11 2011 usr
drwxrwx--- 5 http web 4096 Aug 15 2010 var
[root@xzx blog_xiazhengxin_name]# chmod 777 ssl.pem
[root@xzx blog_xiazhengxin_name]# chmod a-x ssl.pem


之后就是配置 lighttpd 了。确认编译lighttpd 的时候启用了 openssl 模块。


[root@xzx sbin]# ./lighttpd -V
lighttpd/1.4.35 (ssl) - a light and fast webserver
Build-Date: Nov 7 2014 02:06:04

Event Handlers:

+ select (generic)
+ poll (Unix)
- rt-signals (Linux 2.4+)
+ epoll (Linux 2.6)
- /dev/poll (Solaris)
- eventports (Solaris)
- kqueue (FreeBSD)
- libev (generic)

Network handler:

+ linux-sendfile
- freebsd-sendfile
- solaris-sendfilev
+ writev
+ write
- mmap support

Features:

+ IPv6 support
+ zlib support
+ bzip2 support
+ crypt support
+ SSL Support
+ PCRE support
+ mySQL support
- LDAP support
- memcached support
+ FAM support
- LUA support
+ xml support
+ SQLite support
+ GDBM support


编辑位于 etc 下面的 lighttpd.conf 文件,加入以下配置:

$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/home/http/blog_xiazhengxin_name/ssl.pem"
server.name = "xiazhengxin.name"
server.document-root = "/home/http/blog_xiazhengxin_name"
}


重启 lighttpd,输入 密钥的短口令,启动成功。

[root@xzx blog_xiazhengxin_name]# service myservice start
*******starting Services*********
php-fpm Started
mysqld Started
NOW SLEEP 5 seconds for MySQL ready
170112 18:50:37 mysqld_safe Logging to '/var/log/mysqld.log'.
170112 18:50:37 mysqld_safe Starting mysqld daemon with databases from /var/mysql
vsftpd Started
Enter PEM pass phrase:
lighttpd Started
*******all services Started*********


访问 https://xiazhengxin.name/ 显示正常。就是由于是 Class 1 级别的SSL证书所以有警告。

注:文章撰写和实践时参考了一下连接
http://redmine.lighttpd.net/projects/li ... i/Docs_SSL
https://startssl.com/Support?v=33
[ ] ( 2373 次浏览 ) 永久链接 ( 3 / 2149 )
Chromium 默认启用自签名SSL 证书 

自从苹果宣布2017年元旦开始强制使用SSL/TLS 证书之后,国内所有的网站一夜之间忽然从HTTP 转变成了 HTTPS。

斗鱼也不例外,不过最近打开斗鱼的网站一直属于残疾的状态,可是IE下面是正常的。

仔细查看LOG原来是斗鱼的部分子域名(JS/CSS 静态资源)使用了自签名的SSL证书,默认被chromium ban 掉了.

又不能挨个打开URL 确认安全例外,只好设置全部允许。

打开chromium 配置页,


chrome://flags/#allow-insecure-localhost

对于从本地主机加载的资源,允许使用无效的证书。 Mac, Windows, Linux, Chrome OS, Android
允许通过 HTTPS 向本地主机发送请求(即使提供的证书无效)。 #allow-insecure-localhost


点击启用,重启浏览器生效。

ok!熟悉的斗鱼又回来了。

注:本文撰写参考了以下链接
http://stackoverflow.com/questions/7580 ... ertificate
[ ] ( 1625 次浏览 ) 永久链接 ( 3 / 1941 )
在 Chromium 下面啟用 Adobe flash player ppapi 

因為 chromium 是 chrome 的開源版本,所以沒有自帶adobe flash player.

首先在adobe 的測試頁面下載最新的 flash player PPAPI.

http://labs.adobe.com/downloads/flashplayer.html

Download Flash Player for Opera and Chromium based applications – PPAPI
https://fpdownload.macromedia.com/pub/labs/flashruntimes/flashplayer/install_flash_player_ppapi.exe

下載完畢,安裝。

打開 chromium ,一看還是沒有,提示flash 版本太低。

無奈 網上搜索了一下,找到了一篇 adobe 的 技術文檔,里面總結了一些常見的問題。

文章提示,第三方的位置插件需要在插件管理頁,手動信任。

1:在地址輸入 “about:plugins”,回車。
2:找到 "Adobe Flash Player - 版本: 23.0.0.195 Shockwave Flash 23.0 r0",字樣的插件。勾選旁邊的“始终允许运行”.
3:搞定,刷新任意頁面即可生效。

:-)

注:本文是作者在Microsoft Windows 系統下所遇到并解決的問題,發布在此,想來GNU/Linux 下處理該場景原理應一致。

本文撰寫時候參考了一下文檔:
https://helpx.adobe.com/flash-player/kb/flash-player-chromium.html
[ ] ( 3743 次浏览 ) 永久链接 ( 2.9 / 2005 )
解决 deb.opera.com 软件源签名错误 

电脑好久没有开机了,今天开机进入ubuntu 系统,照例检查安装更新,结果其他软件源都OK,只有OPERA 的有点问题。

报错如下:


下载 2,590 B,耗时 16秒 (161 B/s)
正在读取软件包列表... 完成
W: 校验签名出错。此仓库未被更新,仍然使用以前的索引文件。GPG 错误:http://deb.opera.com stable InRelease: 由于没有公钥,无法验证下列签名: NO_PUBKEY 63F7D4AFF6D61D45

W: 无法下载 http://deb.opera.com/opera/dists/stable/InRelease

W: Some index files failed to download. They have been ignored, or old ones used instead.


应该是之前的签名改了,而OPERA 的公钥又不再OPENPGP 的服务器上,于是便去 OPERA 的源网站找找。果然找到了。


sharl@sharl-desktop:~$ wget -qO- https://deb.opera.com/archive.key | sudo apt-key add -
OK


下载并加入新的公钥。重试更新流程。


sharl@sharl-desktop:~$ sudo apt-get update
忽略 http://mirrors.ustc.edu.cn trusty InRelease
命中 http://mirrors.ustc.edu.cn trusty-updates InRelease
命中 http://mirrors.ustc.edu.cn trusty-backports InRelease
命中 http://mirrors.ustc.edu.cn trusty-security InRelease
命中 http://mirrors.ustc.edu.cn trusty Release.gpg
命中 http://mirrors.ustc.edu.cn trusty-updates/main Sources
命中 http://mirrors.ustc.edu.cn trusty-updates/restricted Sources
命中 http://mirrors.ustc.edu.cn trusty-updates/universe Sources
命中 http://mirrors.ustc.edu.cn trusty-updates/multiverse Sources
命中 http://mirrors.ustc.edu.cn trusty-updates/main amd64 Packages
命中 http://mirrors.ustc.edu.cn trusty-updates/restricted amd64 Packages
命中 http://mirrors.ustc.edu.cn trusty-updates/universe amd64 Packages
命中 http://mirrors.ustc.edu.cn trusty-updates/multiverse amd64 Packages
命中 http://mirrors.ustc.edu.cn trusty-updates/main i386 Packages
命中 http://mirrors.ustc.edu.cn trusty-updates/restricted i386 Packages
命中 http://mirrors.ustc.edu.cn trusty-updates/universe i386 Packages
命中 http://mirrors.ustc.edu.cn trusty-updates/multiverse i386 Packages
命中 http://mirrors.ustc.edu.cn trusty-updates/main Translation-en
命中 http://mirrors.ustc.edu.cn trusty-updates/multiverse Translation-en
命中 http://mirrors.ustc.edu.cn trusty-updates/restricted Translation-en
命中 http://mirrors.ustc.edu.cn trusty-updates/universe Translation-en
获取:1 http://deb.opera.com stable InRelease [2,590 B]
命中 http://mirrors.ustc.edu.cn trusty-backports/main Sources
命中 http://mirrors.ustc.edu.cn trusty-backports/restricted Sources
命中 http://mirrors.ustc.edu.cn trusty-backports/universe Sources
忽略 http://extras.ubuntu.com trusty InRelease
命中 http://mirrors.ustc.edu.cn trusty-backports/multiverse Sources
命中 http://mirrors.ustc.edu.cn trusty-backports/main amd64 Packages
命中 http://mirrors.ustc.edu.cn trusty-backports/restricted amd64 Packages
命中 http://mirrors.ustc.edu.cn trusty-backports/universe amd64 Packages
命中 http://mirrors.ustc.edu.cn trusty-backports/multiverse amd64 Packages
获取:2 http://deb.opera.com stable/non-free amd64 Packages [1,812 B]
命中 http://mirrors.ustc.edu.cn trusty-backports/main i386 Packages
命中 http://mirrors.ustc.edu.cn trusty-backports/restricted i386 Packages
命中 http://mirrors.ustc.edu.cn trusty-backports/universe i386 Packages
命中 http://mirrors.ustc.edu.cn trusty-backports/multiverse i386 Packages
命中 http://mirrors.ustc.edu.cn trusty-backports/main Translation-en
命中 http://mirrors.ustc.edu.cn trusty-backports/multiverse Translation-en
命中 http://mirrors.ustc.edu.cn trusty-backports/restricted Translation-en
获取:3 http://deb.opera.com stable/non-free i386 Packages [1,885 B]
命中 http://mirrors.ustc.edu.cn trusty-backports/universe Translation-en
命中 http://extras.ubuntu.com trusty Release.gpg
命中 http://mirrors.ustc.edu.cn trusty-security/main Sources
命中 http://mirrors.ustc.edu.cn trusty-security/restricted Sources
命中 http://mirrors.ustc.edu.cn trusty-security/universe Sources
命中 http://mirrors.ustc.edu.cn trusty-security/multiverse Sources
命中 http://mirrors.ustc.edu.cn trusty-security/main amd64 Packages
命中 http://mirrors.ustc.edu.cn trusty-security/restricted amd64 Packages
命中 http://mirrors.ustc.edu.cn trusty-security/universe amd64 Packages
命中 http://mirrors.ustc.edu.cn trusty-security/multiverse amd64 Packages
命中 http://mirrors.ustc.edu.cn trusty-security/main i386 Packages
命中 http://mirrors.ustc.edu.cn trusty-security/restricted i386 Packages
命中 http://mirrors.ustc.edu.cn trusty-security/universe i386 Packages
命中 http://mirrors.ustc.edu.cn trusty-security/multiverse i386 Packages
命中 http://mirrors.ustc.edu.cn trusty-security/main Translation-en
命中 http://mirrors.ustc.edu.cn trusty-security/multiverse Translation-en
命中 http://mirrors.ustc.edu.cn trusty-security/restricted Translation-en
命中 http://mirrors.ustc.edu.cn trusty-security/universe Translation-en
命中 http://mirrors.ustc.edu.cn trusty Release
命中 http://mirrors.ustc.edu.cn trusty/main Sources
命中 http://mirrors.ustc.edu.cn trusty/restricted Sources
命中 http://mirrors.ustc.edu.cn trusty/universe Sources
命中 http://mirrors.ustc.edu.cn trusty/multiverse Sources
命中 http://mirrors.ustc.edu.cn trusty/main amd64 Packages
命中 http://mirrors.ustc.edu.cn trusty/restricted amd64 Packages
命中 http://mirrors.ustc.edu.cn trusty/universe amd64 Packages
命中 http://mirrors.ustc.edu.cn trusty/multiverse amd64 Packages
命中 http://mirrors.ustc.edu.cn trusty/main i386 Packages
命中 http://mirrors.ustc.edu.cn trusty/restricted i386 Packages
命中 http://mirrors.ustc.edu.cn trusty/universe i386 Packages
命中 http://mirrors.ustc.edu.cn trusty/multiverse i386 Packages
命中 http://mirrors.ustc.edu.cn trusty/main Translation-zh_CN
命中 http://mirrors.ustc.edu.cn trusty/main Translation-en
命中 http://mirrors.ustc.edu.cn trusty/multiverse Translation-zh_CN
命中 http://mirrors.ustc.edu.cn trusty/multiverse Translation-en
命中 http://mirrors.ustc.edu.cn trusty/restricted Translation-zh_CN
命中 http://mirrors.ustc.edu.cn trusty/restricted Translation-en
命中 http://mirrors.ustc.edu.cn trusty/universe Translation-zh_CN
命中 http://extras.ubuntu.com trusty Release
命中 http://mirrors.ustc.edu.cn trusty/universe Translation-en
忽略 http://mirrors.ustc.edu.cn trusty/main Translation-zh
忽略 http://mirrors.ustc.edu.cn trusty/multiverse Translation-zh
忽略 http://mirrors.ustc.edu.cn trusty/restricted Translation-zh
忽略 http://mirrors.ustc.edu.cn trusty/universe Translation-zh
忽略 http://deb.opera.com stable/non-free Translation-zh_CN
命中 http://extras.ubuntu.com trusty/main Sources
忽略 http://deb.opera.com stable/non-free Translation-zh
忽略 http://deb.opera.com stable/non-free Translation-en
命中 http://extras.ubuntu.com trusty/main amd64 Packages
命中 http://extras.ubuntu.com trusty/main i386 Packages
忽略 http://extras.ubuntu.com trusty/main Translation-zh_CN
忽略 http://extras.ubuntu.com trusty/main Translation-zh
忽略 http://extras.ubuntu.com trusty/main Translation-en
下载 6,287 B,耗时 13秒 (456 B/s)
正在读取软件包列表... 完成


一切OK。搞定!

注:本文撰写时参考了以下链接。
http://deb.opera.com/manual.html
[ ] ( 5898 次浏览 ) 永久链接 ( 2.9 / 2300 )

<< <上一页 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 下一页> >>