# openssl pkcs7 -print_certs -in eternalcenter.p7b -out eternalcenter.crt
(Note: this example converts the SSL certificate (public key) file eternalcenter.p7b into the SSL certificate (public key) file eternalcenter.crt)
Interactively add a passphrase to an SSL certificate private key
# openssl rsa -des -in eternalcenter.com.key -out one.eternalcenter.com.key
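(Note: this example adds a passphrase to the SSL certificate private key eternalcenter.com.key and writes the protected key to one.eternalcenter.com.key. -des selects single DES; openssl rsa also accepts -aes256 for a stronger cipher)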
# openssl rsa -in one.eternalcenter.com.key -out two.eternalcenter.com.key
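(Note: this example removes the passphrase from the SSL certificate private key one.eternalcenter.com.key and writes the result as the SSL certificate private key two.eternalcenter.com.key; openssl prompts for the current passphrase)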
# openssl rsa -in one.eternalcenter.com.key -passin pass:eternalcenter -out two.eternalcenter.com.key
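(Note: this example removes the passphrase from the SSL certificate private key one.eternalcenter.com.key and writes the result as the SSL certificate private key two.eternalcenter.com.key, where the passphrase being removed is eternalcenter. A passphrase given as pass:... is visible to other local users in the process list)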
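An added example, not part of the original page: the passphrase steps above done non-interactively, with AES-256 instead of -des and the passphrase taken from an environment variable, followed by a check that the output is encrypted and still the same key. The throwaway key, the file names and the KEY_PASS variable are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: passphrase-protect an RSA key without typing the passphrase
# on the command line. File names, the throwaway key and KEY_PASS are constructed.

# Encrypt key $1 into $2 with AES-256. The passphrase is read from $KEY_PASS,
# so it does not show up in the process list the way "pass:..." does.
protect_key() {
    openssl rsa -aes256 -in "$1" -out "$2" -passout env:KEY_PASS 2>/dev/null &&
        chmod 600 "$2"
}

# Succeed if PEM file $1 holds an encrypted private key: traditional format
# ("Proc-Type: 4,ENCRYPTED") or PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Print the SHA-256 of the public key belonging to private key $1, so two
# key files can be compared without printing key material.
key_fingerprint() {
    openssl rsa -in "$1" -passin env:KEY_PASS -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{ print $NF }'
}

# Generate a throwaway key, protect it, and check the result end to end.
demo() {
    dir=$(mktemp -d) || return 1
    KEY_PASS='constructed-demo-passphrase'; export KEY_PASS
    rc=0
    openssl genrsa -out "$dir/plain.key" 2048 2>/dev/null || rc=1
    protect_key "$dir/plain.key" "$dir/protected.key" || rc=1
    key_is_encrypted "$dir/plain.key" && rc=1        # input is plaintext
    key_is_encrypted "$dir/protected.key" || rc=1    # output is encrypted
    # Same key pair before and after: only the on-disk encoding changed.
    [ "$(key_fingerprint "$dir/plain.key")" = \
      "$(key_fingerprint "$dir/protected.key")" ] || rc=1
    rm -rf "$dir"
    return $rc
}

demo && echo "protected key verified"
```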
# openssl s_client -connect eternalcenter.com:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = eternalcenter.com
verify return:1
---
Certificate chain
0 s:CN = eternalcenter.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----
subject=CN = eternalcenter.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4695 bytes and written 412 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: D63BC88824810A4D43ACE901AD4FF2D82073BC6F0D8B2DE71F6310CA1C87707F
Session-ID-ctx:
Master-Key: A6836430C394B96DDD5552867D49802F94AAC8BF5E882100F0D27185CF5CFD6A946B94D87652E44A6684FC9781D16D90
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1644931899
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
closed
(Note: this example displays the SSL certificate served on port 443 of eternalcenter.com)
# echo | openssl s_client -connect eternalcenter.com:443 | head -n 16
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = eternalcenter.com
verify return:1
---
Certificate chain
0 s:CN = eternalcenter.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
(Note: this example displays the SSL certificate served on port 443 of eternalcenter.com, keeping only the first 16 lines of output)
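Twenty Seventeen is an open-source WordPress theme that is well suited to sites with many categories; its home page combines images and text neatly.
All In One WP Security is an open-source WordPress security plugin that hardens WordPress fairly comprehensively; once it is installed, there is basically no need to install other security plugins.
Easy WP SMTP is an open-source WordPress mail plugin that lets WordPress send mail through SMTP.
Simply Static is an open-source WordPress plugin that converts a dynamic site into a static site.
WP-Optimize Cache is an open-source WordPress performance optimization plugin that can remove unused data, among other things.
Health Check & Troubleshooting is an open-source WordPress site health plugin that checks the site's health indicators.
Username Changer is an open-source plugin for changing WordPress usernames.
Edit Author Slug is an open-source plugin for changing the link to the posts published under a WordPress username; by default the link to a user's published posts is: https://<domain name>/author/<username>/
(Steps omitted)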
# yum -y install certbot
(Note: this example installs certbot on Fedora 35)
# certbot certonly --email mingyu.zhu@eternalcenter.com -n --agree-tos --webroot -w /usr/share/nginx/html/ -d eternalcenter.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for eternalcenter.com
Performing the following challenges:
http-01 challenge for eternalcenter.com
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/eternalcenter.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/eternalcenter.com/privkey.pem
Your certificate will expire on 2022-03-20. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
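(
Note: this example
1) uses the e-mail address mingyu.zhu@eternalcenter.com
2) runs non-interactively
3) validates the domain by adding a verification file under the web root /usr/share/nginx/html/
4) requests a Let's Encrypt SSL certificate for the domain eternalcenter.com
)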
# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: eternalcenter.com
Serial Number: 3e8cdb74a1abfbf3d535ec1c3f8cb3e4e4c
Key Type: RSA
Domains: eternalcenter.com
Expiry Date: 2022-03-20 13:48:48+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/eternalcenter.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/eternalcenter.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(
Note:
1) /etc/letsencrypt/live/eternalcenter.com/fullchain.pem is the public key (the certificate with its chain)
2) /etc/letsencrypt/live/eternalcenter.com/privkey.pem is the private key
)
# cat /etc/letsencrypt/renewal/eternalcenter.com.conf
# renew_before_expiry = 30 days
version = 1.20.0
archive_dir = /etc/letsencrypt/archive/eternalcenter.com
cert = /etc/letsencrypt/live/eternalcenter.com/cert.pem
privkey = /etc/letsencrypt/live/eternalcenter.com/privkey.pem
chain = /etc/letsencrypt/live/eternalcenter.com/chain.pem
fullchain = /etc/letsencrypt/live/eternalcenter.com/fullchain.pem
(Note: this shows that a Let's Encrypt SSL certificate can only be renewed within the 30 days before it expires)
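An added example, not part of the original page: a check that reads `certbot certificates` output and lists every certificate with fewer days left than a threshold, here the 30-day renewal window. It assumes the "Certificate Name:" and "Expiry Date: ... (VALID: N days)" layout shown above; the second sample entry and its "(INVALID: EXPIRED)" status are constructed, and any entry not marked VALID is always flagged.

```shell
#!/bin/sh
# Added example: flag certificates close to expiry from `certbot certificates`
# output. Assumes the "Certificate Name:" / "Expiry Date: ... (VALID: N days)"
# layout shown on this page; anything not marked VALID is always flagged.

# Read certbot output on stdin; print "name days" for each certificate with
# fewer than $1 days left ("name -1" when the entry is not VALID).
expiring_certs() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $NF }
        /Expiry Date:/ {
            days = -1                       # default: not VALID (e.g. expired)
            if (match($0, /\(VALID: [0-9]+ day/)) {
                s = substr($0, RSTART + 8, RLENGTH - 8)
                days = s + 0                # numeric prefix, e.g. "89 day" -> 89
            } else if ($0 ~ /\(VALID: [0-9]+ hour/) {
                days = 0                    # less than one day left
            }
            if (days < limit) print name, days
        }'
}

# Constructed sample: first entry copied from the page, second one made up.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: eternalcenter.com
    Domains: eternalcenter.com
    Expiry Date: 2022-03-20 13:48:48+00:00 (VALID: 89 days)
  Certificate Name: old.example.test
    Domains: old.example.test
    Expiry Date: 2021-11-02 09:00:00+00:00 (INVALID: EXPIRED)
EOF
}

sample_output | expiring_certs 30    # prints: old.example.test -1
```

On a real host the input would be `certbot certificates 2>/dev/null | expiring_certs 30`, with any output treated as an alert.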
# /usr/bin/certbot renew
(Note: this example renews the Let's Encrypt SSL certificate)
# crontab -e
Add the following:
......
0 0 */30 * * /usr/bin/certbot renew
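(Note: this example is meant to renew the Let's Encrypt SSL certificate at 00:00 every 30 days; in cron's day-of-month field, */30 matches the 1st and the 31st of a month)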
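(
Caution: after the SSL certificate is renewed, the service that uses it must be restarted as well; for example, if Nginx uses the SSL certificate, adding the following is recommended:
......
0 0 */30 * * /usr/bin/certbot renew ; /usr/bin/systemctl restart nginx
)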
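1) A single domain name cannot be requested more than 5 times per week
2) Failed requests cannot exceed 5 per hour
3) Second-level domains belonging to the same top-level domain cannot be requested more than 20 times per week
4) The request rate cannot exceed 20 per second
5) A single IP address cannot create more than 10 users per 3 hours
6) A single user cannot have more than 300 requests pending review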