DNS delegation check


Check the delegation configured at the parent zone:
dig +trace domain.com

Rsyslog missing log


Newer Linux distributions use the systemd journal to handle logs, and it has rate limiting enabled by default.
If the system produces a large volume of log output, the limit can be reached and messages are dropped.
If you notice that logging sometimes stalls and no new entries appear, this is likely the cause.
journalctl -u systemd-journald
If you see "Suppressed xxx messages", messages are being dropped.

Disable the rate limit

Add to /etc/systemd/journald.conf (newer systemd versions spell the first key RateLimitIntervalSec; the old name is still accepted):
RateLimitInterval=0
RateLimitBurst=0

Add to /etc/rsyslog.conf:
$imjournalRatelimitInterval 0
$imjournalRatelimitBurst 0

systemctl restart systemd-journald
systemctl restart rsyslog

ref. Missing logs?!? Learning about linux logging systems

If a table needs to be synced between Host A and Host B, the data volume is small, it does not have to be real-time, and replication is not warranted, a scheduled job can do it:
mysqldump -h Host_A -uuser -ppassword db_name table_name | ssh Host_B "mysql -uuser -ppassword db_name"
(an SSH key must be set up first)
If Host A has gtid_mode=ON, mysqldump needs the extra option --set-gtid-purged=OFF

To automate Let's Encrypt wildcard certificates,
you must use the pre-validation hook option --manual-auth-hook with a custom script that sets the TXT record.
The variables available to the script are listed under Pre and Post Validation Hooks;
the two that matter are CERTBOT_DOMAIN and CERTBOT_VALIDATION, the domain name and the TXT value that must be set.
--manual-cleanup-hook is the post-validation hook; it can delete the TXT record set earlier and do any other follow-up work.
e.g.
certbot-auto certonly -m user@mail.com --server https://acme-v02.api.letsencrypt.org/directory \
  -d domain.com -d '*.domain.com' --manual --preferred-challenges dns-01 \
  --manual-auth-hook /usr/local/bin/auth-hook.sh --manual-cleanup-hook /usr/local/bin/cleanup-hook.sh
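An added example of such an auth/cleanup hook (not from the original post, and not certbot's own code). It assumes the zone accepts RFC 2136 dynamic updates through nsupdate with a TSIG key; the key path and the script name are assumptions. The same script serves both hooks, with "add" or "delete" given as its first argument in the --manual-*-hook path.

```shell
#!/bin/sh
# Hypothetical certbot DNS-01 hook (added example, not from the post).
# Assumes the zone accepts RFC 2136 dynamic updates (nsupdate) with the TSIG key
# in $TSIG_KEY_FILE (assumed path). Use as
#   --manual-auth-hook "/usr/local/bin/acme-hook.sh add"
#   --manual-cleanup-hook "/usr/local/bin/acme-hook.sh delete"
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION before running each hook.

TTL=60
TSIG_KEY_FILE=${TSIG_KEY_FILE:-/etc/acme/tsig.key}

# Strip a leading "*." so *.domain.com and domain.com map to the same challenge name.
challenge_name() {
    printf '_acme-challenge.%s' "${1#\*.}"
}

# Emit the nsupdate script for one challenge. domain.com and *.domain.com are both
# validated at _acme-challenge.domain.com with different values, so the hook runs once
# per name and must add or delete only its own value, never the whole TXT record set.
acme_nsupdate_script() {
    # $1 = add|delete, $2 = CERTBOT_DOMAIN, $3 = CERTBOT_VALIDATION
    name=$(challenge_name "$2")
    if [ "$1" = add ]; then
        printf 'update add %s. %s TXT "%s"\nsend\n' "$name" "$TTL" "$3"
    else
        printf 'update delete %s. TXT "%s"\nsend\n' "$name" "$3"
    fi
}

# certbot does not wait for DNS propagation when manual hooks are used, so poll a
# public resolver for the value before returning (up to about 5 minutes).
wait_for_txt() {
    # $1 = challenge name, $2 = expected TXT value
    tries=0
    while [ "$tries" -lt 30 ]; do
        dig +short TXT "$1" @8.8.8.8 | grep -qF "\"$2\"" && return 0
        tries=$((tries + 1)); sleep 10
    done
    return 1
}

run_hook() {
    acme_nsupdate_script "$1" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY_FILE" || exit 1
    if [ "$1" = add ]; then
        wait_for_txt "$(challenge_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION" || exit 1
    fi
}

# Only act when certbot is calling us (the variables are set); harmless to source otherwise.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then run_hook "${1:-add}"; fi
```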

In mid-March Let's Encrypt opened up wildcard certificates.
The client must support ACMEv2;
certbot must be >= 0.22.
certbot-auto certonly -m user@mail.com --server https://acme-v02.api.letsencrypt.org/directory -d domain.com -d '*.domain.com' --manual --preferred-challenges dns-01

Wildcard certificates can only be validated with a DNS TXT record;
the process displays a code that must be set as the TXT record at _acme-challenge.domain.com.

rd/q/s %LOCALAPPDATA%\LINE\Cache

Using an SQLite client (e.g. Navicat), open Skype's main.db
select * from Messages order by timestamp desc limit 10

dialog_partner is the conversation id for the Skype bot sending the message

OCSP


Browsers (except Google Chrome, see note) use the OCSP protocol to check whether a certificate is still valid.
The certificate carries an OCSP URI field, and the browser queries that OCSP URI:
openssl s_client -showcerts -connect google.com:443 < /dev/null | openssl x509 -text | grep OCSP

The request sends three parameters, issuerNameHash, issuerKeyHash and serialNumber, to the OCSP server via HTTP POST.

The response's CertStatus ::= CHOICE {
good [0] IMPLICIT NULL,
revoked [1] IMPLICIT RevokedInfo,
unknown [2] IMPLICIT UnknownInfo }

The following description is excerpted from RFC 6960:
The "good" state indicates a positive response to the status inquiry.
At a minimum, this positive response indicates that no certificate
with the requested certificate serial number currently within its
validity interval is revoked. This state does not necessarily mean
that the certificate was ever issued or that the time at which the
response was produced is within the certificate's validity interval.
Response extensions may be used to convey additional information on
assertions made by the responder regarding the status of the
certificate, such as a positive statement about issuance, validity,
etc.

The "revoked" state indicates that the certificate has been revoked,
either temporarily (the revocation reason is certificateHold) or
permanently. This state MAY also be returned if the associated CA
has no record of ever having issued a certificate with the
certificate serial number in the request, using any current or
previous issuing key (referred to as a "non-issued" certificate in
this document).

The "unknown" state indicates that the responder doesn't know about
the certificate being requested, usually because the request
indicates an unrecognized issuer that is not served by this
responder.

Note: for performance reasons Google Chrome does not use OCSP; it uses its own mechanism, a periodically updated local list.

AlwaysOnSSL


AlwaysOnSSL is another free certificate provider; it also offers an API, and issued certificates are valid for one year.

Fetch remote ssl certificate


openssl s_client -showcerts -connect google.com:443 < /dev/null
