1 月 30 2020
 

安装Cisco AnyConnect Secure Mobility Client客户端程序

准备导入由自签CA签发的用户证书(含私钥)文件

证书导入向导(存储位置:当前用户)

确认导入证书文件的文件路径

输入为证书文件设置的密码

使用默认的证书存储位置

确认证书导入信息,并点击完成

证书导入成功

在证书管理(用户证书)中查看已导入的用户证书信息

在打开的AnyConnect客户端中输入服务器地址,并点击连接按钮

正在建立连接的状态

连接建立成功,系统提示已连接至服务器端

客户端处于连接状态

1 月 22 2020
 

使用自签证书进行用户身份验证,使用Let’s Encrypt权威证书作为服务器证书

启用内核包转发

[root@ocserv ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@ocserv ~]# sysctl -p
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.eth0.accept_ra = 2
net.ipv4.ip_forward = 1
[root@ocserv ~]#

开启防火墙端口及包转发特性

[root@ocserv ~]# firewall-cmd --permanent --add-port=443/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=443/udp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=80/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=8080/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-masquerade
success
[root@ocserv ~]# firewall-cmd --reload
success
[root@ocserv ~]#

安装ocserv服务包及Let’s Encrypt工具包

[root@ocserv ~]# yum -y install ocserv certbot

使用certbot生成的服务器证书和密钥路径

/etc/letsencrypt/live/ocserv.bcoc.site/fullchain.pem
/etc/letsencrypt/live/ocserv.bcoc.site/privkey.pem

修改ocserv服务端配置

[root@ocserv ~]# vi /etc/ocserv/ocserv.conf

修改认证类型为证书认证

auth = "certificate"

修改服务器证书配置

server-cert = /etc/letsencrypt/live/ocserv.bcoc.site/fullchain.pem
server-key = /etc/letsencrypt/live/ocserv.bcoc.site/privkey.pem

修改用户端证书身份识别

#cert-user-oid = 0.9.2342.19200300.100.1.1
cert-user-oid = 2.5.4.3

启用压缩

compression = true
no-compress-limit = 256

设置客户端IPv4地址池

ipv4-network = 192.168.172.0
ipv4-netmask = 255.255.255.0

设置DNS

dns = 8.8.8.8
dns = 8.8.4.4

启动服务

[root@ocserv ~]# systemctl start ocserv

安装Apache服务器,为用户证书提供下载服务

[root@ocserv ~]# yum -y install httpd

修改Apache主配置文件并启动服务

[root@ocserv ~]# vi /etc/httpd/conf/httpd.conf

修改主机名

ServerName ocserv.bcoc.site

修改服务监听端口

#Listen 80
Listen 8080

检查配置并启动服务

[root@ocserv ~]# apachectl -t
Syntax OK
[root@ocserv ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@ocserv ~]# systemctl start httpd
[root@ocserv ~]#

查看监听

使用浏览器访问服务器端口确认证书状态

生成自签CA证书

[root@ocserv ~]# certtool --generate-privkey --outfile ca-key.pem
Generating a 2048 bit RSA private key...
[root@ocserv ~]# cat << _EOF_ >ca.tmpl
> cn = "BCOC CA"
> organization = "BCOC"
> serial = 1
> expiration_days = -1
> ca
> signing_key
> cert_signing_key
> crl_signing_key
> _EOF_
[root@ocserv ~]# certtool --generate-self-signed --load-privkey ca-key.pem \
> --template ca.tmpl --outfile ca-cert.pem

生成自签用户证书

[root@ocserv ~]# certtool --generate-privkey --outfile user-key.pem
Generating a 2048 bit RSA private key...
[root@ocserv ~]# cat << _EOF_ >user.tmpl
> cn = "harveymei"
> unit = "standard"
> expiration_days = 365
> signing_key
> tls_www_client
> _EOF_
[root@ocserv ~]# certtool --generate-certificate --load-privkey user-key.pem \
> --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
> --template user.tmpl --outfile user-cert.pem

导出为PKCS12格式,为证书设置密钥(导入证书时需要输入)

[root@ocserv ~]# certtool --to-p12 --load-privkey user-key.pem \
> --pkcs-cipher 3des-pkcs12 \
> --load-certificate user-cert.pem \
> --outfile user.p12 --outder
Generating a PKCS #12 structure...
Loading private key list...
Loaded 1 private keys.
Enter a name for the key: harveymei
Enter password:
Confirm password:
[root@ocserv ~]# ls
ca-cert.pem ca.tmpl user-key.pem user.tmpl
ca-key.pem user-cert.pem user.p12
[root@ocserv ~]#

将用户证书复制到Web Server服务器根目录下以提供证书下载

[root@ocserv ~]# cp user.p12 /var/www/html/

使用自签CA证书覆盖ocserv初始CA证书

[root@ocserv ~]# cp ca-cert.pem /etc/pki/ocserv/cacerts/ca.crt
cp: overwrite ‘/etc/pki/ocserv/cacerts/ca.crt’? y

覆盖CA证书后重新启动ocserv服务

[root@ocserv ~]# systemctl restart ocserv

 

客户端新建连接并导入用户证书

客户端证书下载地址(客户端导入证书需输入密码)
http://ocserv.bcoc.site:8080/user.p12

Windows 10 系统下OpenConnect GUI的设置

1 月 21 2020
 

确认防火墙状态

[root@ocserv ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@ocserv ~]#

开启内核包转发

[root@ocserv ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@ocserv ~]# sysctl -p
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.eth0.accept_ra = 2
net.ipv4.ip_forward = 1
[root@ocserv ~]#

开启防火墙端口及包转发特性

[root@ocserv ~]# firewall-cmd --permanent --add-port=443/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=443/udp
success
[root@ocserv ~]# firewall-cmd --permanent --add-masquerade
success
[root@ocserv ~]# firewall-cmd --reload
success
[root@ocserv ~]#

查看防火墙状态

[root@ocserv ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports: 443/tcp 443/udp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@ocserv ~]#

安装EPEL软件源并更新缓存

[root@ocserv ~]# yum -y install epel-release.noarch net-tools
[root@ocserv ~]# yum makecache

安装ocserv软件包及依赖包

[root@ocserv ~]# yum install -y ocserv

ocserv安装包文件及目录结构

[root@ocserv ~]# rpm -lq ocserv
/etc/ocserv
/etc/ocserv/ocserv.conf
/etc/pam.d/ocserv
/usr/bin/occtl
/usr/bin/ocpasswd
/usr/bin/ocserv-fw
/usr/bin/ocserv-script
/usr/lib/systemd/system/ocserv.service
/usr/sbin/ocserv
/usr/sbin/ocserv-genkey
/usr/share/doc/ocserv-0.12.6
/usr/share/doc/ocserv-0.12.6/AUTHORS
/usr/share/doc/ocserv-0.12.6/BSD-MIT
/usr/share/doc/ocserv-0.12.6/CC0
/usr/share/doc/ocserv-0.12.6/COPYING
/usr/share/doc/ocserv-0.12.6/ChangeLog
/usr/share/doc/ocserv-0.12.6/LGPL-2.1
/usr/share/doc/ocserv-0.12.6/LICENSE
/usr/share/doc/ocserv-0.12.6/NEWS
/usr/share/doc/ocserv-0.12.6/PACKAGE-LICENSING
/usr/share/doc/ocserv-0.12.6/README.md
/usr/share/doc/ocserv-0.12.6/TODO
/usr/share/man/man8/occtl.8.gz
/usr/share/man/man8/ocpasswd.8.gz
/usr/share/man/man8/ocserv.8.gz
/var/lib/ocserv
/var/lib/ocserv/profile.xml
[root@ocserv ~]#

查看默认配置文件(不含已注释部分)

[root@ocserv ~]# cat /etc/ocserv/ocserv.conf |grep -v "^#" |grep -v ^$
auth = "pam"
tcp-port = 443
udp-port = 443
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 16
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml
[root@ocserv ~]#

修改配置文件

[root@ocserv ~]# vi /etc/ocserv/ocserv.conf

修改验证方式

#auth = "pam"
auth = "plain[passwd=/etc/ocserv/ocpasswd]"

启用压缩

# Uncomment this to enable compression negotiation (LZS, LZ4).
compression = true

指定客户端网络配置

#ipv4-network = 192.168.1.0
ipv4-network = 172.16.192.0
#ipv4-netmask = 255.255.255.0
ipv4-netmask = 255.255.255.0

指定客户端DNS配置

#dns = 192.168.1.2
dns = 8.8.8.8
dns = 8.8.4.4

查看修改后的配置文件

[root@ocserv ~]# cat /etc/ocserv/ocserv.conf |grep -v "^#" |grep -v ^$
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 16
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
cert-user-oid = 0.9.2342.19200300.100.1.1
compression = true
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 172.16.192.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
dns = 8.8.4.4
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml
[root@ocserv ~]#

注册并启动服务

[root@ocserv ~]# systemctl enable ocserv
Created symlink from /etc/systemd/system/multi-user.target.wants/ocserv.service to /usr/lib/systemd/system/ocserv.service.
[root@ocserv ~]# systemctl start ocserv
[root@ocserv ~]#

查看端口监听状态

[root@ocserv ~]# netstat -lntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::443 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp 0 0 0.0.0.0:443 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp6 0 0 ::1:323 :::*
udp6 0 0 :::443 :::*
[root@ocserv ~]#

生成文本格式账户配置文件并生成新用户和密码

[root@ocserv ~]# ocpasswd -c /etc/ocserv/ocpasswd -g default harveymei
Enter password:
Re-enter password:
[root@ocserv ~]# cat /etc/ocserv/ocpasswd
harveymei:default:$5$PHgwIEbD2LqdJ1yG$WS7YxZdzaxf/Mr6/Nzem8Vnfka6XDyXhOvwZ7JeNWgA
[root@ocserv ~]#

使用浏览器访问https://66.42.98.17以确认服务可用

在iPhone上配置Cisco AnyConnect客户端并连接

1 月 20 2020
 

基于CentOS7的安装配置命令

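# Add the MongoDB 4.0 and Pritunl yum repositories, import the Pritunl
# package-signing key, then install and enable both services (CentOS 7).
# Meant to be pasted into a sudo-capable shell in this order.
sudo tee /etc/yum.repos.d/mongodb-org-4.0.repo << EOF
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
EOF

# gpgcheck=1 with no gpgkey= line: yum can only verify these packages against
# the key imported into the rpm database further down, so that import has to
# succeed before 'yum install' is run.
sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/centos/7/
gpgcheck=1
enabled=1
EOF

sudo rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

# Pritunl signing key, fetched and exported by its full fingerprint so the
# (unauthenticated hkp) keyserver cannot return a different key for a short id.
pritunl_key_fpr=7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys "$pritunl_key_fpr"
# Export to an unpredictable temp file and import only when the export
# succeeded; the original ';' chain ran 'rpm --import' regardless of the
# export's exit status.
key_tmp=$(mktemp) \
  && gpg --armor --export "$pritunl_key_fpr" > "$key_tmp" \
  && sudo rpm --import "$key_tmp"
rm -f -- "$key_tmp"
sudo yum -y install pritunl mongodb-org
sudo systemctl start mongod pritunl
sudo systemctl enable mongod pritunl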

修改openfile限制

# Append hard and soft nofile limits of 64000 for all users and for root
# to /etc/security/limits.conf (same four lines as the per-line echo form).
sudo tee -a /etc/security/limits.conf > /dev/null << 'EOF'
* hard nofile 64000
* soft nofile 64000
root hard nofile 64000
root soft nofile 64000
EOF

host1主机私网IP配置信息

# Private network: net5e1571b604398
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.25.96.3
NETMASK=255.255.240.0
MTU=1450

host2主机私网IP配置信息

# Private network: net5e1571b604398
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.25.96.4
NETMASK=255.255.240.0
MTU=1450

检查内网互通性


生成初始化密钥

[root@host1 ~]# pritunl setup-key
3c1cd1325ff34ae8ab1b1443c6706efb
[root@host1 ~]#

使用浏览器访问控制台并保存初始化密钥

按照提示生成初始登录信息

获取初始登录信息

[root@host1 ~]# sudo pritunl default-password
[undefined][2020-01-20 02:08:04,859][INFO] Getting default administrator password
Administrator default password:
username: "pritunl"
password: "DB2aRfaKxLmt"
[root@host1 ~]#

修改控制台用户名密码,确认服务器地址,控制台端口,证书(Let‘s Encrypt)配置信息

提示成功保存设置

添加服务器

设置服务器名称,确认监听端口,DNS服务器及内网网段

成功添加服务器,删除默认的0.0.0.0/0路由

确认删除该路由条目

添加路由,该路由条目经服务端推送给客户端(10.25.96.0/20),客户端无需手动指定

指定路由条目详情

添加路由条目成功

添加组织

设置组织名称

为组织添加用户

用户详情

将服务器附加到组织

确认附加信息

成功附加服务器到组织

启动服务器

服务器启动后的控制台状态

下载用户端配置文件

解压缩并查看用户端配置文件

 

使用Pritunl客户端导入用户端配置文件

导入配置文件

导入配置文件后的客户端界面信息

点击连接,成功获取VPN服务器端内网IP地址

查看本机IPv4路由表,显示已添加去往10.25.96.0/20网络的路由

验证,本机通过host1建立的Remote Access VPN访问内网IP为10.25.96.4的host2主机(PING)

C:\Users\harveymei>ping 10.25.96.4

正在 Ping 10.25.96.4 具有 32 字节的数据:
来自 10.25.96.4 的回复: 字节=32 时间=169ms TTL=63
来自 10.25.96.4 的回复: 字节=32 时间=174ms TTL=63
来自 10.25.96.4 的回复: 字节=32 时间=176ms TTL=63
来自 10.25.96.4 的回复: 字节=32 时间=165ms TTL=63

10.25.96.4 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 165ms,最长 = 176ms,平均 = 171ms

C:\Users\harveymei>
1 月 01 2020
 

使用命令行手动申请通配符证书,并使用DNS验证方式,手动添加TXT记录

[root@certbot ~]# certbot certonly -d *.bcoc.site --manual --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for bcoc.site

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.bcoc.site with the following value:

hQolCyWZvWXBRcO3X8ZlNys4_dHJuGBx_bly9WGguvk

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/bcoc.site/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/bcoc.site/privkey.pem
Your cert will expire on 2020-03-31. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

[root@certbot ~]#

在Windows中查看证书信息

12 月 23 2019
 

确认物理及系统防火墙80端口可访问

确认EPEL已安装并更新缓存

[root@s4 ~]# yum makecache
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 17 kB 00:00
* base: mirror.scalabledns.com
* epel: mirror.lax.genesisadaptive.com
* extras: mirrors.sonic.net
* updates: mirrors.sonic.net
base | 3.6 kB 00:00
epel | 5.4 kB 00:00
extras | 2.9 kB 00:00
updates | 2.9 kB 00:00
(1/9): epel/x86_64/filelists_db | 12 MB 00:00
(2/9): epel/x86_64/updateinfo | 1.0 MB 00:00
(3/9): epel/x86_64/prestodelta | 4.1 kB 00:00
(4/9): epel/x86_64/primary_db | 6.9 MB 00:00
(5/9): epel/x86_64/other_db | 3.3 MB 00:00
(6/9): epel/x86_64/updateinfo_zck | 1.5 MB 00:00
(7/9): updates/7/x86_64/filelists_db | 3.3 MB 00:00
(8/9): updates/7/x86_64/other_db | 368 kB 00:00
(9/9): updates/7/x86_64/primary_db | 5.9 MB 00:00
Metadata Cache Created
[root@s4 ~]#

安装certbot工具

[root@s4 ~]# yum -y install certbot

确认所需服务器证书之CommonName已正确指向本机IP

执行证书申请

[root@s4 ~]# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): harvey.mei@linuxcache.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): s4.linuxcache.net
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for s4.linuxcache.net
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/s4.linuxcache.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/s4.linuxcache.net/privkey.pem
Your cert will expire on 2020-03-26. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

- We were unable to subscribe you the EFF mailing list because your
e-mail address appears to be invalid. You can try again later by
visiting https://act.eff.org.
[root@s4 ~]#

证书更新

全部证书

certbot renew

指定证书

certbot renew --cert-name example.com
6 月 08 2019
 

为jenkins服务配置域名指向

C:\Users\harveymei>ping jenkins.bcoc.site

正在 Ping jenkins.bcoc.site [18.162.148.195] 具有 32 字节的数据:
来自 18.162.148.195 的回复: 字节=32 时间=169ms TTL=46
来自 18.162.148.195 的回复: 字节=32 时间=153ms TTL=46
来自 18.162.148.195 的回复: 字节=32 时间=168ms TTL=46
来自 18.162.148.195 的回复: 字节=32 时间=167ms TTL=46

18.162.148.195 的 Ping 统计信息:
    数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
    最短 = 153ms,最长 = 169ms,平均 = 164ms

C:\Users\harveymei>

安装完成后启动jenkins服务并查看端口监听

[root@ip-172-31-40-41 ~]# service jenkins start
Starting jenkins (via systemctl):                          [  OK  ]
[root@ip-172-31-40-41 ~]# netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp6       0      0 :::111                  :::*                    LISTEN     
tcp6       0      0 :::8080                 :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 ::1:25                  :::*                    LISTEN     
[root@ip-172-31-40-41 ~]#

使用浏览器访问未启用SSL加密的Web控制台

申请Let’s Encrypt证书

[root@ip-172-31-40-41 ~]# yum -y install certbot
[root@ip-172-31-40-41 ~]# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): harvey.mei@linuxcache.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): jenkins.bcoc.site
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jenkins.bcoc.site
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/jenkins.bcoc.site/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/jenkins.bcoc.site/privkey.pem
Your cert will expire on 2020-05-24. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

[root@ip-172-31-40-41 ~]#

转换证书格式(使用certtool命令)

[root@ip-172-31-40-41 ~]# yum -y install gnutls-utils

[root@ip-172-31-40-41 ~]# rpm -lq gnutls-utils
/usr/bin/certtool
/usr/bin/crywrap
/usr/bin/danetool
/usr/bin/gnutls-cli
/usr/bin/gnutls-cli-debug
/usr/bin/gnutls-serv
/usr/bin/ocsptool
/usr/bin/p11tool
/usr/bin/psktool
/usr/bin/tpmtool
/usr/share/doc/gnutls-utils-3.3.29
/usr/share/doc/gnutls-utils-3.3.29/certtool.cfg
/usr/share/man/man1/certtool.1.gz
/usr/share/man/man1/danetool.1.gz
/usr/share/man/man1/gnutls-cli-debug.1.gz
/usr/share/man/man1/gnutls-cli.1.gz
/usr/share/man/man1/gnutls-serv.1.gz
/usr/share/man/man1/ocsptool.1.gz
/usr/share/man/man1/p11tool.1.gz
/usr/share/man/man1/psktool.1.gz
/usr/share/man/man1/tpmtool.1.gz
[root@ip-172-31-40-41 ~]#

合并证书公钥私钥为PKCS12格式并设置密码保护(123456)

# Bundle the Let's Encrypt private key and full chain into a DER-encoded
# PKCS#12 file. certtool prompts interactively for a key name and for the
# export password (see the transcript that follows).
# NOTE(review): 3des-pkcs12 is presumably kept for compatibility with older
# PKCS#12 importers — confirm before switching to a stronger cipher.
le_live=/etc/letsencrypt/live/jenkins.bcoc.site
certtool --to-p12 --outder --outfile jenkins.p12 \
  --load-certificate "$le_live/fullchain.pem" \
  --load-privkey "$le_live/privkey.pem" \
  --pkcs-cipher 3des-pkcs12

[root@ip-172-31-40-41 ~]# certtool --to-p12 --load-privkey /etc/letsencrypt/live/jenkins.bcoc.site/privkey.pem \
> --pkcs-cipher 3des-pkcs12 \
> --load-certificate /etc/letsencrypt/live/jenkins.bcoc.site/fullchain.pem \
> --outfile jenkins.p12 --outder
Generating a PKCS #12 structure...
Loading private key list...
Loaded 1 private keys.
Enter a name for the key: jenkins.bcoc.site
Enter password:
Confirm password:
[root@ip-172-31-40-41 ~]# ls
anaconda-ks.cfg jenkins.p12 original-ks.cfg
[root@ip-172-31-40-41 ~]#

转换PKCS12格式为JAVA支持的JKS格式

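# Convert the PKCS#12 bundle into the JKS keystore that the Jenkins sysconfig
# expects (JENKINS_HTTPS_KEYSTORE). The store passwords are handed to keytool
# through environment variables (its ':env' password modifier) instead of as
# command-line arguments, so they are no longer visible in 'ps' output for the
# lifetime of the process. The page's demo password is 123456; replace it.
export SRC_STORE_PASS='123456' DEST_STORE_PASS='123456'
keytool -importkeystore -srckeystore jenkins.p12 \
  -srcstorepass:env SRC_STORE_PASS -srcstoretype PKCS12 \
  -srcalias jenkins.bcoc.site -deststoretype JKS \
  -destkeystore jenkins_keystore.jks \
  -deststorepass:env DEST_STORE_PASS -destalias jenkins.bcoc.site
unset SRC_STORE_PASS DEST_STORE_PASS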

[root@ip-172-31-40-41 ~]# keytool -importkeystore -srckeystore jenkins.p12 \
> -srcstorepass ‘123456’ -srcstoretype PKCS12 \
> -srcalias jenkins.bcoc.site -deststoretype JKS \
> -destkeystore jenkins_keystore.jks \
> -deststorepass ‘123456’ -destalias jenkins.bcoc.site
Importing keystore jenkins.p12 to jenkins_keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect
[root@ip-172-31-40-41 ~]# keytool -importkeystore -srckeystore jenkins.p12 \
> -srcstorepass '123456' -srcstoretype PKCS12 \
> -srcalias jenkins.bcoc.site -deststoretype JKS \
> -destkeystore jenkins_keystore.jks \
> -deststorepass '123456' -destalias jenkins.bcoc.site
Importing keystore jenkins.p12 to jenkins_keystore.jks...

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore jenkins_keystore.jks -destkeystore jenkins_keystore.jks -deststoretype pkcs12".
[root@ip-172-31-40-41 ~]#
[root@ip-172-31-40-41 ~]# ls
anaconda-ks.cfg jenkins_keystore.jks jenkins.p12 original-ks.cfg
[root@ip-172-31-40-41 ~]#

修改证书文件属性

[root@ip-172-31-40-41 ~]# chown jenkins.jenkins jenkins_keystore.jks
[root@ip-172-31-40-41 ~]# chmod 600 jenkins_keystore.jks
[root@ip-172-31-40-41 ~]# mv jenkins_keystore.jks /var/lib/jenkins/
[root@ip-172-31-40-41 ~]#

修改jenkins配置文件

[root@ip-172-31-40-41 ~]# vi /etc/sysconfig/jenkins

初始配置文件(SSL部分)

## Type: integer(0:65535)
## Default: ""
## ServiceRestart: jenkins
#
# HTTPS port Jenkins is listening on.
# Default is disabled.
#
JENKINS_HTTPS_PORT=""

## Type: string
## Default: ""
## ServiceRestart: jenkins
#
# Path to the keystore in JKS format (as created by the JDK 'keytool').
# Default is disabled.
#
JENKINS_HTTPS_KEYSTORE=""

## Type: string
## Default: ""
## ServiceRestart: jenkins
#
# Password to access the keystore defined in JENKINS_HTTPS_KEYSTORE.
# Default is disabled.
#
JENKINS_HTTPS_KEYSTORE_PASSWORD=""

## Type: string
## Default: ""
## ServiceRestart: jenkins
#
# IP address Jenkins listens on for HTTPS requests.
# Default is disabled.
#
JENKINS_HTTPS_LISTEN_ADDRESS=""

修改

## Type: integer(0:65535)
## Default: ""
## ServiceRestart: jenkins
#
# HTTPS port Jenkins is listening on.
# Default is disabled.
#
JENKINS_HTTPS_PORT="8443"

## Type: string
## Default: ""
## ServiceRestart: jenkins
#
# Path to the keystore in JKS format (as created by the JDK 'keytool').
# Default is disabled.
#
JENKINS_HTTPS_KEYSTORE="/var/lib/jenkins/jenkins_keystore.jks"

## Type: string
## Default: ""
## ServiceRestart: jenkins
#
# Password to access the keystore defined in JENKINS_HTTPS_KEYSTORE.
# Default is disabled.
#
JENKINS_HTTPS_KEYSTORE_PASSWORD="123456"

## Type: string
## Default: ""
## ServiceRestart: jenkins
#
# IP address Jenkins listens on for HTTPS requests.
# Default is disabled.
#
JENKINS_HTTPS_LISTEN_ADDRESS="0.0.0.0"

禁用8080端口监听

初始配置文件

## Type: integer(0:65535)
## Default: 8080
## ServiceRestart: jenkins
#
# Port Jenkins is listening on.
# Set to -1 to disable
#
JENKINS_PORT="8080"

修改(禁用8080端口监听)

## Type: integer(0:65535)
## Default: 8080
## ServiceRestart: jenkins
#
# Port Jenkins is listening on.
# Set to -1 to disable
#
JENKINS_PORT="-1"

重启服务并查看端口监听变化

[root@ip-172-31-40-41 ~]# service jenkins restart
Restarting jenkins (via systemctl):                        [  OK  ]
[root@ip-172-31-40-41 ~]# netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp6       0      0 :::111                  :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 ::1:25                  :::*                    LISTEN     
tcp6       0      0 :::8443                 :::*                    LISTEN     
[root@ip-172-31-40-41 ~]#

使用https协议及配置端口访问jenkins服务控制台

使用openssl命令合并公钥私钥为PKCS12命令用法

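# openssl equivalent of the certtool step: bundle the private key and full
# chain into a PKCS#12 file. The export password is read from the P12_PASS
# environment variable (openssl's 'env:' pass-phrase source) rather than
# passed as 'pass:...' on the command line, where it would be visible in
# 'ps' output. The page's demo password is 123456; replace it.
export P12_PASS='123456'
openssl pkcs12 -export -out jenkins.p12 \
  -passout env:P12_PASS \
  -inkey /etc/letsencrypt/live/jenkins.bcoc.site/privkey.pem \
  -in /etc/letsencrypt/live/jenkins.bcoc.site/fullchain.pem \
  -name jenkins.bcoc.site
unset P12_PASS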
3 月 07 2017
 

 

[mysqld]
ssl-ca=/etc/mysql-ssl/ca-cert.pem
ssl-cert=/etc/mysql-ssl/server-cert.pem
ssl-key=/etc/mysql-ssl/server-key.pem
ssl-cipher=AES128+EECDH:AES128+EDH
# replication:
GRANT REPLICATION SLAVE ON *.* to 'repl'@'%' REQUIRE SSL;
STOP SLAVE;
CHANGE MASTER TO MASTER_SSL=1,
MASTER_SSL_CA='/etc/mysql-ssl/ca-cert.pem',
MASTER_SSL_CERT='/etc/mysql-ssl/client-cert.pem',
MASTER_SSL_KEY='/etc/mysql-ssl/client-key.pem';
SHOW SLAVE STATUS\G;
START SLAVE;
SHOW SLAVE STATUS\G;

内容引用:
(1)cipherlist

9 月 06 2013
 

源码编译版本squid 3.3.8启动时message中的错误信息

[root@localhost etc]# ../sbin/squid
 Enter PEM pass phrase:
 [root@localhost etc]#
[root@localhost ~]# less /var/log/messages
 Sep  6 10:09:13 localhost (squid-1): No valid signing SSL certificate configured for https_port [::]:443

使用YUM安装的squid版本信息

[root@localhost ~]# rpm -q squid
 squid-3.1.10-18.el6_4.i686
 [root@localhost ~]#

在使用相同配置文件时squid的启动错误信息

[root@localhost ~]# less /var/log/squid/cache.log
 2013/09/06 10:41:40| Ignoring https_port [::]:443 due to SSL initialization failure.
[root@localhost ~]# less /var/log/messages
 Sep  5 13:35:55 localhost (squid): Cannot open HTTP Port
[root@localhost ~]# less /var/log/squid/cache.log
 2013/09/05 13:36:51| Failed to acquire SSL private key '/usr/local/squid/server.key': error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

取消server.key的密码保护

[root@localhost ~]# openssl rsa -in server.key -out nserver.key
 Enter pass phrase for server.key:
 writing RSA key
 [root@localhost ~]#

修改squid.conf配置文件

https_port 443 accel cert=/usr/local/squid/server.pem key=/usr/local/squid/server.key defaultsite=hk.linuxcache.com vhost
 cache_peer 175.10.20.30 parent 80 0 no-query originserver name=my443
 acl hk_ssl dstdomain hk.linuxcache.com
 cache_peer_access my443 allow hk_ssl
 http_access allow hk_ssl
 http_access deny all

启动squid并查看监听端口80和443已启用

[root@localhost ~]# /usr/local/squid/sbin/squid
 [root@localhost ~]# netstat -ant
 Active Internet connections (servers and established)
 Proto Recv-Q Send-Q Local Address               Foreign Address             State
 tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
 tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
 tcp        0      0 0.0.0.0:53852               0.0.0.0:*                   LISTEN
 tcp        0     52 192.168.111.134:22          192.168.111.1:55917         ESTABLISHED
 tcp        0      0 :::111                      :::*                        LISTEN
 tcp        0      0 :::80                       :::*                        LISTEN
 tcp        0      0 :::22                       :::*                        LISTEN
 tcp        0      0 :::443                      :::*                        LISTEN
 tcp        0      0 :::32863                    :::*                        LISTEN
 [root@localhost ~]#