[内容] Linux SSL 证书 KEY 私钥密码的添加 (OpenSSL 版)

内容一:给 SSL 证书 KEY 私钥添加密码

交互式给 SSL 证书 KEY 私钥添加密码

# openssl rsa -des -in eternalcenter.com.key -out one.eternalcenter.com.key

(补充:这里以给 eternalcenter.com.key)

内容二:取消 SSL 证书 KEY 私钥添加密码

2.1 交互式取消 SSL 证书 KEY 私钥添加密码

# openssl rsa -in one.eternalcenter.com.key -out two.eternalcenter.com.key

2.2 非交互式取消 SSL 证书 KEY 私钥添加密码

# openssl rsa -in one.eternalcenter.com.key -passin pass:eternalcenter -out two.eternalcenter.com.key

[命令] Linux 目标网站 SSL 证书的显示 (OpenSSL 版)

内容一:查看完整信息

# openssl s_client -connect eternalcenter.com:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = eternalcenter.com
verify return:1
---
Certificate chain
 0 s:CN = eternalcenter.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFKjCCBBKgAwIBAgISAxDxly99eBiarmHggFEmDJoMMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTEyMTkxMzA4MzJaFw0yMjAzMTkxMzA4MzFaMBwxGjAYBgNVBAMT
EWV0ZXJuYWxjZW50ZXIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAtCcCuOqBrWP4eo//VBEXh668EjwrE1eXz2CS4GIN4ddn0rS8LHGFOrB92R8E
OnaYeTKpZjzNM3NA/AG/Gq5mTRZGTpyTasHEb/phwXdhrtJWdbMtQjGFSg8rXSB8
cap5NGP/NxAy8FV0MbXftg5t9VgBoCMGUzioSHZTEjefq+/OZwlP7RzxZN3bwj1D
61gWSw6q1X3bsi8ttwbkkiJfvjXo2KIeGOAnY10X+FPJmVa7jonhOuljrX4CYgnd
SCxmsfgwGMUzRu27VB1rEbKqvSr6tb9KfwFiqsZd5tTi7RW6WMqA0VbDV7BbDqLP
OzcturwRtXfzHjJxssy9zhnrQQIDAQABo4ICTjCCAkowDgYDVR0PAQH/BAQDAgWg
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0G
A1UdDgQWBBQMGBCfBuZxTAS8VcBI/13ugqc2RDAfBgNVHSMEGDAWgBQULrMXt1hW
y65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6
Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iu
b3JnLzAcBgNVHREEFTATghFldGVybmFsY2VudGVyLmNvbTBMBgNVHSAERTBDMAgG
BmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3Bz
LmxldHNlbmNyeXB0Lm9yZzCCAQYGCisGAQQB1nkCBAIEgfcEgfQA8gB3AN+lXqto
gk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABfdMFzUsAAAQDAEgwRgIhAMFF
1orPZPnpCyhzwX2xZAZjJnOmDGmBjAl0tHnX4nEWAiEAqZTUwjrdwZAL+kDAgpzG
Me2RnGMseDBY8Oy2sefUgsAAdwBGpVXrdfqRIDC1oolp9PN9ESxBdL79SbiFq/L8
cP5tRwAAAX3TBc1zAAAEAwBIMEYCIQDLhR0nbVHEIL1uw9hRuv/ZbFjf91W/M4Jp
od7NTMQZbAIhAKEAAfmdu0nVHklyS2At1VValwQ6vNbqd0NQ85giG606MA0GCSqG
SIb3DQEBCwUAA4IBAQB/s+rZEaNrlUyBVnbxv5X9NTBd8buBOkR1qVswlS1R2i8B
pRjeJmgbiMzM2z5Mvx0yTIiCyXXUc3YaqoyxvddaQam9nlLGr0nKX9T5DkE7y0Fh
Qg0/ievRQF86XnDqQBxDR32jj5A1nKEiJrNCqugCWTAABndW3tvzK5DOsF2BfjJC
mcjwiKaSCjFVpf+KzLWS3UEW+DRTKOLBucXpenS7QEcQu4K6ShNSL7+K6UOZEbFu
uCRjOawCJFF7EH5vzRBy696Fu4EmzCV+c4rV8K8EcuCCQQeOTWJ/93Jv6U6kGrmE
P6wlcHFy1tZhTAmXf/qcpE3sGeH58OlNNiVmNJdH
-----END CERTIFICATE-----
subject=CN = eternalcenter.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4695 bytes and written 412 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: D63BC88824810A4D43ACE901AD4FF2D82073BC6F0D8B2DE71F6310CA1C87707F
    Session-ID-ctx: 
    Master-Key: A6836430C394B96DDD5552867D49802F94AAC8BF5E882100F0D27185CF5CFD6A946B94D87652E44A6684FC9781D16D90
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - bb be 55 e0 4b 6d c3 08-cd bc 45 6e 79 67 fc eb   ..U.Km....Enyg..
    0010 - 30 d5 4c 8a 5a c8 f7 13-42 4b 1d 02 ce 94 c0 b8   0.L.Z...BK......
    0020 - d7 cf f6 f0 ee 9d 49 5b-0a c8 a4 1a 8b dd 8a e0   ......I[........
    0030 - 66 83 52 9b 31 4d da 9e-d5 05 1a 70 ca e9 86 5e   f.R.1M.....p...^
    0040 - f5 09 a1 1c 92 6b 64 90-b7 e1 0e ec 30 e2 26 68   .....kd.....0.&h
    0050 - 49 13 10 9e 3e a5 e0 13-a2 f1 7a 7c c5 ad 99 6c   I...>.....z|...l
    0060 - e9 f6 1d 46 5f cc f6 f9-c5 f6 05 49 53 78 7e ea   ...F_......ISx~.
    0070 - 8c 17 eb 8d 96 c3 3f 92-fe e0 f0 f6 86 59 05 c8   ......?......Y..
    0080 - d2 8c 27 6b 9d 65 38 20-84 d4 23 54 35 70 19 4d   ..'k.e8 ..#T5p.M
    0090 - db 35 6d f4 44 50 d7 6e-a5 87 2b 32 e5 f8 42 88   .5m.DP.n..+2..B.
    00a0 - 28 e2 ab 35 e1 2c 06 71-e5 b2 82 cb 3a 75 cc 72   (..5.,.q....:u.r
    00b0 - ed ae e1 12 ff 82 6c 3a-3a 38 7a 8c 3c 9c f1 10   ......l::8z.<...
    00c0 - 78 b8 37 87 c3 a2 00 76-01 72 8c ef 3b 20 48 28   x.7....v.r..; H(

    Start Time: 1644931899
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed

(补充:这里以显示 eternalcenter.com 的 443 端口的 SSL 证书为例)

内容二:查看主要信息

# echo | openssl s_client -connect scc.suse.com:443 | head -n 16
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = eternalcenter.com
verify return:1
---
Certificate chain
 0 s:CN = eternalcenter.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

(补充:这里以显示 eternalcenter.com 的 443 端口的 SSL 证书为例)

[步骤] Linux SSL 证书的生成 (Let’s Encrypt certbot 版)

步骤一:将要申请 Let’s Encrypt SSL 的域名解析到要进行操作的服务器 IP 地址上

(步骤略)

步骤二:安装 certbot

# yum -y install certbot

(补充:这里以在 Fedora 35 上安装 certbot 为例)

步骤三:使用 certbot 生成 Let’s Encrypt SSL 证书

# certbot certonly --email mingyu.zhu@eternalcenter.com -n --agree-tos --webroot -w /usr/share/nginx/html/ -d eternalcenter.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for eternalcenter.com
Performing the following challenges:
http-01 challenge for eternalcenter.com
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/eternalcenter.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/eternalcenter.com/privkey.pem
   Your certificate will expire on 2022-03-20. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


补充:这里以
1) 使用 mingyu.zhu@eternalcenter.com 邮箱
2) 以非交互式的方式
3) 通过给 /usr/share/nginx/html/ 网站目录里添加验证文件进行验证
4) 给 eternalcenter.com 域名申请 Let’s Encrypt SSL 证书为例

步骤四:显示已经生成的 Let’s Encrypt SSL 证书

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: eternalcenter.com
    Serial Number: 3e8cdb74a1abfbf3d535ec1c3f8cb3e4e4c
    Key Type: RSA
    Domains: eternalcenter.com
    Expiry Date: 2022-03-20 13:48:48+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/eternalcenter.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/eternalcenter.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


补充:
1) /etc/letsencrypt/live/eternalcenter.com/fullchain.pem 是公钥
2) /etc/letsencrypt/live/eternalcenter.com/privkey.pem 是私钥

步骤五:延期 Let’s Encrypt SSL 证书

5.1 显示 Let’s Encrypt SSL 证书的延期策略

# cat /etc/letsencrypt/renewal/eternalcenter.com.conf 
# renew_before_expiry = 30 days
version = 1.20.0
archive_dir = /etc/letsencrypt/archive/eternalcenter.com
cert = /etc/letsencrypt/live/eternalcenter.com/cert.pem
privkey = /etc/letsencrypt/live/eternalcenter.com/privkey.pem
chain = /etc/letsencrypt/live/eternalcenter.com/chain.pem
fullchain = /etc/letsencrypt/live/eternalcenter.com/fullchain.pem

(补充:可以看出 Let’s Encrypt SSL 证书是在过期前 30 天才能更新)

5.2 手动延期 Let’s Encrypt SSL 证书

# /usr/bin/certbot renew

(补充:这里以延期 Let’s Encrypt SSL 证书为例)

5.3 自动延期 Let’s Encrypt SSL 证书

# crontab -e

添加以下内容:

......
0 0 */30 * * /usr/bin/certbot renew

(补充:这里以每过 30 天的 0 时 0 分延期 Let’s Encrypt SSL 证书为例)

注意:更新 SSL 之后需要同时重启使用 SSL 证书的服务,例如如果使用 SSL 证书的是 Nginx 的话建议添加以下内容:

......
0 0 */30 * * /usr/bin/certbot renew ; /usr/bin/systemctl restart nginx

步骤六:Let’s Encrypt SSL 证书的生成限制

1) 一个域名申请次数不能超过 5 次/周
2) 允许申请失败次数不能超过 5 次/时
3) 属于同一个顶级域名的二级域名申请次数不能超过 20 次/周
4) 申请请求频率不能超过 20 次/秒
5) 一个 IP 地址创建用户个数不能超过 10 个/3 小时
6) 一个用户最多 pending 审核的数不能超过 300 个

[工具] Shell 博客 WordPress 数据去隐私化

介绍

基本信息

作者:朱明宇
名称:Shell 博客 WordPress 数据去隐私化
作用:修改 WordPress 备份中某个用户的密码并再次进行备份

使用方法

1. 在此脚本的分割线内写入相应的内容
2. 给此脚本添加执行权限
3. 执行此脚本

脚本分割线里的变量

1. path=/home/zhumingyu/EternalCenter #本地备份目录
2. filename=eternalcenter-backup #本地备份文件
3. cpath=”/srv/www/htdocs” #网站程序目录
4. sqlfile=eternalcenter/eternalcenter.sql #网站数据库数据备份
5. tarfile=eternalcenter/eternalcenter.tar.gz #网站网页数据备份
6. newfilename=clone-eternalcenter-backup #新备份的文件名
7. user=’Mingyu Zhu’ #要修改密码的用户
8. newpw=eternalcenter #新的用户密码
9. dbuser=ec #用于连接数据库的用户
10. dbuserpw=eternalcenter #用于连接数据库的密码
11. db=ec #网站数据库数据在数据库中的库

注意

1. 本地需要已经搭建好 LNMP 平台
2. 执行此脚本的用户需要有远程服务器的 sudo tar 和 sudo rm 权限
3. 脚本 ”mysql -uroot -p’eternalcenter’ -e “drop database $db;”“ 中 “eternalcenter“ 是指远程 MariaDB 数据库 root 用户的密码,需要修改成远程 MariaDB 数据库的 root 用户密码

脚本

#!/bin/bash

####################### Separator ########################

path=/home/zhumingyu/EternalCenter
filename=eternalcenter-backup
cpath="/srv/www/htdocs"
sqlfile=eternalcenter/eternalcenter.sql
tarfile=eternalcenter/eternalcenter.tar.gz
newfilename=clone-eternalcenter-backup
user='Mingyu Zhu'
newpw=eternalcenter
dbuser=ec
dbuserpw=eternalcenter
db=ec

####################### Separator ########################

date=$(date +%Y-%m-%d-%H)
dir=`pwd`

sudo systemctl stop nginx
sudo systemctl stop php-fpm

mkdir -p $path/$newfilename-$date &> /dev/null

mysql -uroot -p'eternalcenter' -e "drop database $db;"
mysql -uroot -p'eternalcenter' -e "create database $db;"
mysql -uroot -e "create user \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
mysql -uroot -p'eternalcenter' -e "grant all privileges on $db.* to \"$dbuser\"@'localhost';"
mysql -uroot -p'eternalcenter' ec < $sqlfile
mysql -uroot -p'eternalcenter' -e "update $db.ec_users set user_pass = md5(\'$newpw\') where user_login = \'$user\';"
sudo rm -rf $cpath/*
sudo tar -zxvf $tarfile -C $cpath &> /dev/null
cd $cpath
sudo sed -i "s/define('DB_PASSWORD', .*);/define('DB_PASSWORD', \'$dbuserpw\');/" wp-config.php

mysqldump -uroot -p'eternalcenter' $db > $path/$newfilename-$date/$newfilename-$date.sql
sudo tar -zcvf $path/$newfilename-$date/$newfilename-$date.tar.gz .[!.]* * &> /dev/null
cd $dir

sudo systemctl start nginx
sudo systemctl start php-fpm

cd $dir

[工具] Shell 将远程 LNMP 的网站数据库备份到本地

介绍

基本信息

作者:朱明宇
名称:将远程 LNMP 的网站数据库备份到本地
作用:将远程 LNMP 的网站数据库备份到本地

使用方法

1. 在此脚本的分割线内写入相应的内容
2. 给此脚本添加执行权限
3. 执行此脚本

脚本分割线里的变量

1. path=/home/zhumingyu/EternalCenter #本地备份目录
2. filename=eternalcenter-backup #本地备份文件
3. key=”~/.ssh/eternalcenter” #本地备份本地私钥
4. whost=”eternalcenter.com” #远程服务器
5. wpath=”/usr/share/nginx/html” #远程服务器网站程序目录
7. wcache=”/cache” #远程服务器临时备份目录

注意

1. 远程需要已经搭建好 LNMP 平台
2. 用于远程服务器的用户,需要能免密钥 ssh 远程服务器,且对于本地用于本地数据的备份目录和远程服务器的目录拥有读和执行的权限
3. 执行此脚本的用户需要有远程服务器的 sudo tar 权限
4. 脚本 ”mysqldump -uroot -p’eternalcenter’ ec > $wcache/$filename-$date.sql“ 中 “eternalcenter“ 是指远程 MariaDB 数据库 root 用户的密码,需要修改成远程 MariaDB 数据库的 root 用户密码

脚本

#!/bin/bash

####################### Separator ########################

path=/home/zhumingyu/EternalCenter
filename=eternalcenter-backup
key="~/.ssh/eternalcenter"

whost="eternalcenter.com"
wpath="/usr/share/nginx/html"
wcache="/cache"

####################### Separator ########################

date=$(date +%Y-%m-%d-%H)

echo "copy eternalcenter data from website to local server"
ping -c3 -i0.4 $whost > /dev/null
if [ $? -eq 0 ];then

        ssh -i $key $whost "
        mkdir $wcache &> /dev/null
        rm -rf $wcache/* &> /dev/null
        mysqldump -uroot -p'eternalcenter' ec > $wcache/$filename-$date.sql
        cd $wpath
        sudo tar -zcvf $wcache/$filename-$date.tar.gz .[!.]* * &> /dev/null
        "

        mkdir -p $path/$date &> /dev/null
        scp -i $key $whost:$wcache/$filename-$date* $path/$date

fi
echo