Let's Encrypt plans to revoke its certificates because of a software bug

Let's Encrypt, which provides free SSL certificates for encryption, has been forced to revoke some of its certificates.

The problem is caused by a software bug in Boulder, the control software used to build the CA. Normally the DNS check of the CAA record happens at the same time as validation of domain ownership, and most subscribers receive their certificate immediately after validation, but the software developers made the validation result count as passed for the following 30 days. In some cases the records have to be checked a second time right before the certificate is issued: in particular, CAA must be rechecked within 8 hours before issuance, so any domain that was validated earlier than that must be rechecked.

What is the bug? If a certificate request contains N domains that require a repeated CAA check, Boulder picks one of them and checks it N times. As a result, a certificate could be issued even if you later (up to X+30 days) set a CAA record that forbids issuance of a Let's Encrypt certificate.

To check certificates, the company has prepared an online tool that shows a detailed report.

Advanced users can do everything themselves with the following commands:

# check an HTTPS server
openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 'Serial Number' | tr -d :
# alternative check from @simpleadmin (bash: |& also pipes stderr)
echo | openssl s_client -connect example.com:443 |& openssl x509 -noout -serial
# check a mail server, SMTP protocol
openssl s_client -connect example.com:25 -starttls smtp -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 'Serial Number' | tr -d :
# check a mail server, SMTP protocol
openssl s_client -connect example.com:587 -starttls smtp -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 'Serial Number' | tr -d :
# check a mail server, IMAP protocol
openssl s_client -connect example.com:143 -starttls imap -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 'Serial Number' | tr -d :
# check a mail server, IMAP protocol
openssl s_client -connect example.com:993 -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 'Serial Number' | tr -d :
# other services are checked in much the same way

Next, look here for your serial number; if it is on the list, it is recommended that you renew the certificate(s).
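The lookup step can be scripted. The following is an added example, not part of the original article or of any Let's Encrypt tooling: it normalizes the two serial formats the commands above print and compares the result with a list file. It assumes the list holds one hex serial per line; the function names and sample serials are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a certificate serial with a list of affected serials.
# Assumption: the list file holds one hex serial per line.

# normalize_serial: read openssl output on stdin and print the serial as
# lowercase hex without colons. Accepts "serial=0FAB..." (x509 -serial) and
# the "Serial Number:" line followed by "0f:ab:..." (x509 -text).
normalize_serial() {
    tr -d ' \t\r:' | tr 'A-F' 'a-f' \
        | sed -n -e 's/^serial=//' -e '/^[0-9a-f]\{2,\}$/p' | head -n 1
}

# check_serial SERIAL LISTFILE
# returns 0 = listed, 1 = not listed, 2 = no serial (do not read as "clean")
check_serial() {
    [ -n "$1" ] || return 2
    tr -d ' \t\r:' < "$2" | tr 'A-F' 'a-f' | grep -qxF -- "$1"
}

# Constructed sample data (not real serials).
SAMPLE_TEXT='        Serial Number:
            03:a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90:a1'
SAMPLE_SHORT='serial=03A1B2C3D4E5F60718293A4B5C6D7E8F90A1'

demo() {
    list=$(mktemp) || return 1
    printf '%s\n' 04ffffffffffffffffffffffffffffffffff \
                  03a1b2c3d4e5f60718293a4b5c6d7e8f90a1 > "$list"
    serial=$(printf '%s\n' "$SAMPLE_TEXT" | normalize_serial)
    if check_serial "$serial" "$list"; then
        echo "$serial: listed, renew the certificate"
    else
        echo "$serial: not listed"
    fi
    rm -f "$list"
}
demo
```

An empty serial (for example after a failed connection) returns status 2 rather than "not listed", so a broken check is not mistaken for an unaffected certificate.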

To renew the certificates, you can use certbot:

certbot renew --force-renewal

The problem was found on February 29, 2020; to fix it, certificate issuance was suspended from 3:10 UTC to 5:22 UTC. According to the internal investigation, the bug was introduced on July 25, 2019; the company will publish a more detailed report later.

UPD: the online certificate checking service may not work from Russian IP addresses.

Source: www.habr.com
