LetsEncrypt plans to revoke its certificates because of a software bug

LetsEncrypt, which provides free SSL certificates for encryption, is being forced to revoke some of its certificates.

The problem is caused by a bug in Boulder, the CA management software that LetsEncrypt runs its CA on. Normally the DNS check of the CAA record happens at the same time as the domain ownership validation, and most subscribers receive their certificate immediately after validation, but the software developers made the validation result count as passed for the next 30 days. In some cases a second check of the records may be performed right before the certificate is issued; in particular, CAA requires re-validation within the 8 hours before issuance, so any domain validated earlier than that must be re-checked.

What is the bug? When a certificate request contained N domains that needed a repeated CAA check, Boulder picked one of them and checked it N times. As a result, it was possible to obtain a certificate even when, later on (up to day X+30), a CAA record forbidding issuance of LetsEncrypt certificates had been set.

To check certificates, the company has prepared an online tool that shows a detailed report.

Advanced users can do all of this themselves with the following commands:

# check https
openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 'Serial Number' | tr -d :
# alternative check from @simpleadmin
echo | openssl s_client -connect example.com:443 |& openssl x509 -noout -serial
# check mail server, SMTP protocol
openssl s_client -connect example.com:25 -starttls smtp -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 'Serial Number' | tr -d :
# check mail server, SMTP protocol (submission port)
openssl s_client -connect example.com:587 -starttls smtp -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 'Serial Number' | tr -d :
# check mail server, IMAP protocol
openssl s_client -connect example.com:143 -starttls imap -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 'Serial Number' | tr -d :
# check mail server, IMAP protocol (implicit TLS)
openssl s_client -connect example.com:993 -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 'Serial Number' | tr -d :
# other services are checked in essentially the same way

Next, look up your serial number here, and if it is on the list, renewing the certificates is recommended.

To renew the certificates you can use certbot:

certbot renew --force-renewal
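The check described above, as an added example that is not part of the original article: the serial printed by the openssl commands comes in several formats (`serial=03AB...`, a colon-separated hex line, or `12345 (0x3039)` for small serials), so it is normalized to lowercase hex without colons before being looked up in a local copy of the affected-serials list. The list file format (one lowercase hex serial per line) and the sample serials are assumptions constructed for this example; `host_serial` is the only function that needs openssl and a network.

```shell
#!/bin/sh
# Added example, not the article's own code. The affected-serials file is
# assumed to hold one lowercase hex serial per line, no colons (constructed).

# Normalize any openssl serial output to lowercase hex without colons:
#   "serial=03AB01..."              (openssl x509 -noout -serial)
#   "Serial Number:\n   03:ab:..."   (openssl x509 -text, 2 lines via grep -A 1)
#   "Serial Number: 12345 (0x3039)" (openssl x509 -text, small serials)
normalize_serial() {
    printf '%s\n' "$1" | sed -n '
        /^[[:space:]]*Serial Number:[[:space:]]*$/d
        s/^[[:space:]]*Serial Number:[[:space:]]*//
        s/^[[:space:]]*serial=//
        s/.*(0x\([0-9A-Fa-f]*\)).*/\1/
        s/://g
        s/^[[:space:]]*//
        s/[[:space:]]*$//
        p' | tr 'A-F' 'a-f'
}

# Serial of a live endpoint's leaf certificate (needs network + openssl).
# $1 = host, $2 = port, $3 = optional -starttls protocol (smtp, imap, ...)
host_serial() {
    starttls=""
    [ -n "$3" ] && starttls="-starttls $3"
    normalize_serial "$(openssl s_client -connect "$1:$2" $starttls </dev/null 2>/dev/null \
        | openssl x509 -noout -serial)"
}

# 0 if the normalized serial is an exact line in the list file, 1 otherwise.
is_affected() {
    grep -qx "$1" "$2"
}

# Constructed sample list standing in for the downloaded affected-serials file.
SAMPLE_LIST="${TMPDIR:-/tmp}/affected-serials.sample.txt"
printf '%s\n' 03ab01cdef0123456789abcdef0123456789 \
               0400deadbeef00112233445566778899aabb > "$SAMPLE_LIST"

# Offline check: take raw openssl output, normalize, look it up, advise.
check_serial_from_output() {
    s=$(normalize_serial "$1")
    if is_affected "$s" "$SAMPLE_LIST"; then
        echo "serial $s is on the list: run certbot renew --force-renewal"
        return 0
    fi
    echo "serial $s is not on the list"
    return 1
}
```

Against a real host you would call `host_serial mail.example.com 587 smtp` and pass the result to `is_affected` with the downloaded list instead of the sample file.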

The problem was discovered on February 29, 2020; to fix it, certificate issuance was halted from 3:10 UTC to 5:22 UTC. According to the internal investigation, the bug was introduced on July 25, 2019; the company will publish a more detailed report later.

UPD: the online certificate checking service may not work from Russian IP addresses.

Source: www.habr.com
