[Command] Linux: displaying a target website's SSL certificate (OpenSSL version)

Content One: View the full information

# openssl s_client -connect eternalcenter.com:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = eternalcenter.com
verify return:1
---
Certificate chain
 0 s:CN = eternalcenter.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = eternalcenter.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4695 bytes and written 412 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: D63BC88824810A4D43ACE901AD4FF2D82073BC6F0D8B2DE71F6310CA1C87707F
    Session-ID-ctx: 
    Master-Key: A6836430C394B96DDD5552867D49802F94AAC8BF5E882100F0D27185CF5CFD6A946B94D87652E44A6684FC9781D16D90
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1644931899
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed

(Supplement: this example displays the SSL certificate on port 443 of eternalcenter.com)

Content Two: View the main information

# echo | openssl s_client -connect eternalcenter.com:443 | head -n 16
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = eternalcenter.com
verify return:1
---
Certificate chain
 0 s:CN = eternalcenter.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

(Supplement: this example displays the SSL certificate on port 443 of eternalcenter.com)
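
Added example (not part of the original page): a shell function that reads `openssl s_client` output and checks that the "Certificate chain" block is linked, meaning the issuer (i:) of each certificate is the subject (s:) of the next one. The names chain_linked and sample_chain are this example's own; the sample is the chain block from the output shown above, embedded so the check runs offline.

```shell
chain_linked() {
  # Reads s_client output on stdin, prints one line per certificate and
  # returns 0 when every issuer matches the next subject, 1 otherwise.
  awk '
    BEGIN { n = 0 }
    /^Certificate chain/      { inchain = 1; next }
    inchain && /^---/         { inchain = 0 }
    inchain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    inchain && /^ *i:/        { sub(/^ *i:/, ""); iss[n++] = $0; next }
    END {
      if (n == 0) { print "no certificate chain found"; exit 1 }
      bad = 0
      for (k = 0; k < n; k++) {
        state = "ok"
        if (k + 1 < n && iss[k] != subj[k + 1]) { state = "BROKEN LINK"; bad = 1 }
        printf "%d subject=[%s] issuer=[%s] %s\n", k, subj[k], iss[k], state
      }
      exit bad
    }'
}

# Sample input: the chain block from the output above.
sample_chain() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = eternalcenter.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

sample_chain | chain_linked
```

Against a live server, pipe the command from Content Two into the function instead of the sample: echo | openssl s_client -connect eternalcenter.com:443 2>/dev/null | chain_linked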

[Command] SLE command SUSEConnect (registering a client to the SUSE Repository Mirroring Tool (RMT))

If the protocol is HTTP:

# SUSEConnect -u http://<SUSE Repository Mirroring Tool (RMT) Server's IP address or FQDN>

Or:

# SUSEConnect --url http://<SUSE Repository Mirroring Tool (RMT) Server's IP address or FQDN>

If the protocol is HTTPS:

# SUSEConnect -u https://<SUSE Repository Mirroring Tool (RMT) Server's IP address or FQDN>

Or:

# SUSEConnect --url https://<SUSE Repository Mirroring Tool (RMT) Server's IP address or FQDN>

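[STEP] Adding a new system template to PXE

Step One: Prepare the installation image

1.1 Download the installation image from the official website

(steps omitted)

1.2 Mount the installation image

1.2.1 Create a directory for mounting the installation image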
# mkdir <directory for mounting the image>
1.2.2 Mount the installation image
# mount -t iso9660 <image> <directory for mounting the image>

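Step Two: Prepare the data used for PXE installation

2.1 Prepare the system installation data

2.1.1 Create a directory for storing the system installation data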
# mkdir <directory of data for installing the system>

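(Note: the directory for storing the system installation data must be placed inside a directory that is shared over the network during PXE installation (for example, shared through the httpd service))

2.1.2 Copy the data in the installation image to the directory for storing the system installation data
2.1.2.1 Copy the ordinary data in the installation image to the directory for storing the system installation data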
# cp -rp <directory for mounting the image>/* <directory of data for installing the system>
2.1.2.2 Copy the .treeinfo file in the installation image to the directory for storing the system installation data
# cp -rp <directory for mounting the image>/.treeinfo <directory of data for installing the system>

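2.2 Prepare the installation boot files

2.2.1 Create directories for storing the installation boot files
2.2.1.1 Create a directory for storing the BIOS installation boot files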
# mkdir <directory of BIOS boot file for installing the system>

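(Note: the directory for storing the BIOS installation boot files must be placed inside a directory that is shared through TFTP)

2.2.1.2 Create a directory for storing the EFI installation boot files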
# mkdir <directory of EFI boot file for installing the system>

(Note: the directory for storing the EFI installation boot files must be placed inside a directory that is shared through TFTP)

2.2.2 Copy the installation boot files in the installation image to the directories for storing the installation boot files
2.2.2.1 Copy the BIOS installation boot files in the installation image to the directory for storing the BIOS installation boot files

For Rocky Linux & RHEL, copy the initrd.img, TRANS.TBL and vmlinuz files:

# curl <The URL of the network share when PXE installing>/<directory of data for installing the system>/images/pxeboot/initrd.img -o <directory of BIOS boot file for installing the system>/initrd.img
# curl <The URL of the network share when PXE installing>/<directory of data for installing the system>/images/pxeboot/TRANS.TBL -o <directory of BIOS boot file for installing the system>/TRANS.TBL
# curl <The URL of the network share when PXE installing>/<directory of data for installing the system>/images/pxeboot/vmlinuz -o <directory of BIOS boot file for installing the system>/vmlinuz

For openSUSE & SLE, copy the linux and initrd files:

# curl <The URL of the network share when PXE installing>/<directory of data for installing the system>/boot/x86_64/loader/linux -o <directory of BIOS boot file for installing the system>/linux
# curl <The URL of the network share when PXE installing>/<directory of data for installing the system>/boot/x86_64/loader/initrd -o <directory of BIOS boot file for installing the system>/initrd
2.2.2.2 Copy the EFI installation boot files in the installation image to the directory for storing the EFI installation boot files

For Rocky Linux & RHEL, copy the initrd.img, TRANS.TBL and vmlinuz files:

# curl <The URL of the network share when PXE installing>/<directory of data for installing the system>/images/pxeboot/initrd.img -o <directory of EFI boot file for installing the system>/initrd.img
# curl <The URL of the network share when PXE installing>/<directory of data for installing the system>/images/pxeboot/TRANS.TBL -o <directory of EFI boot file for installing the system>/TRANS.TBL
# curl <The URL of the network share when PXE installing>/<directory of data for installing the system>/images/pxeboot/vmlinuz -o <directory of EFI boot file for installing the system>/vmlinuz

For openSUSE & SLE, copy the linux and initrd files:

# curl <The URL of the network share when PXE installing>/<directory of data for installing the system>/boot/x86_64/loader/linux -o <directory of EFI boot file for installing the system>/linux
# curl <The URL of the network share when PXE installing>/<directory of data for installing the system>/boot/x86_64/loader/initrd -o <directory of EFI boot file for installing the system>/initrd

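2.3 Prepare the system installation profiles

2.3.1 Enter the directory for storing the system installation profiles
# cd <directory of profile for installing the system>

(Note: the directory for storing the system installation profiles must be placed inside a directory that is shared over the network during PXE installation (for example, shared through the httpd service))

2.3.2 Create the system installation profiles
2.3.2.1 Create the BIOS system installation profile

For Rocky Linux & RHEL: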

# vim <BIOS system installation profile>

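(steps omitted)


Supplement:
1) For Rocky Linux & RHEL the system installation profile is a CFG file, and the file name should preferably end with the .cfg suffix
2) For openSUSE & SLE the system installation profile is an XML file, and the file name should preferably end with the .xml suffix

2.3.2.2 Create the EFI system installation profile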
# vim <EFI system installation profile>

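(steps omitted)


Supplement:
1) For Rocky Linux & RHEL the system installation profile is a CFG file, and the file name should preferably end with the .cfg suffix
2) For openSUSE & SLE the system installation profile is an XML file, and the file name should preferably end with the .xml suffix

2.3.3 Set the permissions of the system installation profiles
2.3.3.1 Set the permissions of the BIOS system installation profile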
# chmod 755 <BIOS system installation profile>
2.3.3.2 Set the permissions of the EFI system installation profile
# chmod 755 <EFI system installation profile>

2.4 Modify the system installation menu file pxelinux.cfg

2.4.1 Modify the BIOS system installation menu file pxelinux.cfg
# vim <directory of file for BIOS system installation menu>/pxelinux.cfg

For Rocky Linux & RHEL, add the following:

......
label Rocky Linux or RHEL
  menu label ^Installation Rocky Linux or RHEL
  kernel <relative directory of pxelinux.cfg of BIOS boot file for installing the system>/vmlinuz
  append initrd=/<relative directory of pxelinux.cfg of BIOS boot file for installing the system>/initrd.img ks=<The URL of the network share when PXE installing>/<BIOS system installation profile>

(Note: the locations of the vmlinuz file and the initrd.img file here must be written as paths relative to the pxelinux.cfg file)

For openSUSE & SLE, add the following:

......
label openSUSE or SLE
  menu label ^Installation openSUSE or SLE
  kernel <relative directory of pxelinux.cfg of BIOS boot file for installing the system>/linux
  append initrd=<relative directory of pxelinux.cfg of BIOS boot file for installing the system>/initrd splash=silent showopts install=<The URL of the network share when PXE installing>/<directory of data for installing the system>/ autoyast=<The URL of the network share when PXE installing>/<BIOS system installation profile>

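(Note: the locations of the linux file and the initrd file here must be written as paths relative to the pxelinux.cfg file)

(Note: the directory for storing the BIOS system installation menu file must be placed inside a directory that is shared through TFTP)

2.4.2 Modify the EFI system installation menu file grub.cfg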
# vim <directory of file for EFI system installation menu>/grub.cfg

For Rocky Linux & RHEL, add the following:

......
label Rocky Linux or RHEL
  menu label ^Installation Rocky Linux or RHEL
  kernel <relative directory of pxelinux.cfg of EFI boot file for installing the system>/vmlinuz
  append initrd=/<relative directory of pxelinux.cfg of EFI boot file for installing the system>/initrd.img ks=<The URL of the network share when PXE installing>/<EFI system installation profile>

(Note: the locations of the vmlinuz file and the initrd.img file here must be written as paths relative to the pxelinux.cfg file)

For openSUSE & SLE, add the following:

......
label openSUSE or SLE
  menu label ^Installation openSUSE or SLE
  kernel <relative directory of pxelinux.cfg of EFI boot file for installing the system>/linux
  append initrd=<relative directory of pxelinux.cfg of EFI boot file for installing the system>/initrd splash=silent showopts install=<The URL of the network share when PXE installing>/<directory of data for installing the system>/ autoyast=<The URL of the network share when PXE installing>/<EFI system installation profile>

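(Note: the locations of the linux file and the initrd file here must be written as paths relative to the pxelinux.cfg file)

(Note: the directory for storing the EFI system installation menu file must be placed inside a directory that is shared through TFTP)

Step Three: Unmount the installation image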

# umount <directory for mounting the image>
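
Added example (not part of the original page): the boot files fetched in step 2.2.2 are later handed to every PXE client, so this shell function compares them with the SHA-256 values recorded in the .treeinfo file copied in step 2.1.2.2. It assumes a Rocky Linux / RHEL tree whose .treeinfo has a [checksums] section with "path = sha256:<hex>" entries; the function name verify_boot_files and the demo data are constructed for illustration.

```shell
verify_boot_files() {
  # $1: directory of data for installing the system (holds .treeinfo)
  # $2: directory of BIOS or EFI boot files (holds vmlinuz, initrd.img)
  tree=$1; boot=$2; rc=0; checked=0
  # Emit "<sha256> <path>" for every images/pxeboot entry under [checksums].
  list=$(awk -F' *= *' '
    /^\[/ { sect = $0; next }
    sect == "[checksums]" && $1 ~ /^images\/pxeboot\// && $2 ~ /^sha256:/ {
      sub(/^sha256:/, "", $2); print $2, $1
    }' "$tree/.treeinfo") || return 2
  while read -r want path; do
    [ -n "$path" ] || continue
    f="$boot/${path##*/}"            # same file name inside the boot directory
    [ -f "$f" ] || continue
    got=$(sha256sum "$f" | cut -d' ' -f1)
    checked=$((checked + 1))
    if [ "$got" = "$want" ]; then echo "OK       $f"
    else echo "MISMATCH $f"; rc=1; fi
  done <<EOF
$list
EOF
  # Refuse to report success when no file could be compared at all.
  [ "$checked" -gt 0 ] || { echo "nothing verified"; return 2; }
  return "$rc"
}

# Constructed demo: a throwaway tree with one boot file and a matching .treeinfo.
demo=$(mktemp -d)
mkdir -p "$demo/tree" "$demo/tftp"
printf 'constructed kernel bytes' > "$demo/tftp/vmlinuz"
sum=$(sha256sum "$demo/tftp/vmlinuz" | cut -d' ' -f1)
printf '[checksums]\nimages/pxeboot/vmlinuz = sha256:%s\n' "$sum" > "$demo/tree/.treeinfo"
verify_boot_files "$demo/tree" "$demo/tftp"
```

Run it once per boot directory, for example verify_boot_files <directory of data for installing the system> <directory of BIOS boot file for installing the system>, and treat any MISMATCH line as a reason not to publish the template.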

[STEP] Enabling SFTP logging

# vim /etc/ssh/sshd_config

For CentOS Linux & RHEL, change the following:

......
Subsystem       sftp    /usr/libexec/openssh/sftp-server
......

to:

......
Subsystem       sftp    /usr/libexec/openssh/sftp-server -l INFO
......

For openSUSE & SLE, change the following:

......
Subsystem       sftp    /usr/lib/ssh/sftp-server
......

to:

......
Subsystem       sftp    /usr/lib/ssh/sftp-server -l INFO
......

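(Supplement: from now on, when someone logs in to the system through SFTP, the login record in the system log file /var/log/messages is immediately followed by a line containing sftp-server)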
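
Added example (not part of the original page): a shell function that turns the sftp-server lines produced by "-l INFO" into one summary line per SFTP session, so file transfers can be reviewed per user and source address. The log lines are constructed samples that follow the message wording OpenSSH's sftp-server uses at INFO level (assumed here); the names sftp_summary and sample_sftp_log are this example's own.

```shell
sftp_summary() {
  # Reads syslog lines on stdin; prints one line per sftp-server process (PID).
  awk '
    match($0, /sftp-server\[[0-9]+\]: /) {
      pid = substr($0, RSTART + 12, RLENGTH - 15)   # digits between [ and ]
      msg = substr($0, RSTART + RLENGTH)            # text after "]: "
      cnt = split(msg, w, " ")
      if (msg ~ /^session opened for local user /) {
        if (!(pid in user)) order[++sessions] = pid
        user[pid] = w[6]; ip = w[8]; gsub(/\[|\]/, "", ip); from[pid] = ip
      } else if (msg ~ /^close "/) {
        # The file name may contain spaces, so count fields from the end.
        files[pid]++; rd[pid] += w[cnt - 2]; wr[pid] += w[cnt]
      }
    }
    END {
      for (k = 1; k <= sessions; k++) {
        p = order[k]
        printf "pid=%s user=%s from=%s files=%d read=%d written=%d\n",
               p, user[p], from[p], files[p], rd[p], wr[p]
      }
    }'
}

# Constructed sample of /var/log/messages after enabling "-l INFO".
sample_sftp_log() {
  cat <<'EOF'
Feb 15 21:31:40 host1 sshd[2101]: Accepted password for alice from 192.0.2.10 port 50522 ssh2
Feb 15 21:31:40 host1 sftp-server[2105]: session opened for local user alice from [192.0.2.10]
Feb 15 21:31:45 host1 sftp-server[2105]: open "/home/alice/report.csv" flags READ mode 0666
Feb 15 21:31:46 host1 sftp-server[2105]: close "/home/alice/report.csv" bytes read 4096 written 0
Feb 15 21:32:02 host1 sftp-server[2105]: open "/home/alice/new data.bin" flags WRITE,CREATE,TRUNCATE mode 0644
Feb 15 21:32:03 host1 sftp-server[2105]: close "/home/alice/new data.bin" bytes read 0 written 1024
Feb 15 21:32:10 host1 sftp-server[2105]: session closed for local user alice from [192.0.2.10]
Feb 15 21:40:01 host1 sftp-server[2230]: session opened for local user bob from [198.51.100.7]
Feb 15 21:40:09 host1 sftp-server[2230]: session closed for local user bob from [198.51.100.7]
EOF
}

sample_sftp_log | sftp_summary
```

On a real host, feed it the log file instead of the sample: sftp_summary < /var/log/messages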

[STEP] Registering a client to Red Hat Satellite

Step One: Add domain name resolution to /etc/hosts

# vim /etc/hosts

Add the following:

......
<Redhat Satellite IP address> <Redhat Satellite Server FQDN>

Step Two: Install katello-ca-consumer-latest.noarch.rpm

2.1 Download katello-ca-consumer-latest.noarch.rpm

# curl --insecure --output katello-ca-consumer-latest.noarch.rpm https://<Redhat Satellite Server FQDN>/pub/katello-ca-consumer-latest.noarch.rpm

2.2 Install katello-ca-consumer-latest.noarch.rpm

# yum -y localinstall katello-ca-consumer-latest.noarch.rpm

Step Three: Register to Red Hat Satellite Server

# subscription-manager register --org="<organization>" --activationkey="<activation key>"

Step Four: Install katello-host-tools, katello-host-tools-tracer and katello-agent

4.1 Enable rhel-*-satellite-tools-*-rpms repo or satellite-tools-*-rhel-*-rpms

RHEL 7:

# subscription-manager repos --enable=rhel-\*-satellite-tools-\*-rpms

RHEL 8:

# subscription-manager repos --enable=satellite-tools-\*-rhel-\*-rpms
# subscription-manager repos --disable=satellite-tools-\*-rhel-\*-eus-rpms

4.2 Install katello-host-tools, katello-host-tools-tracer and katello-agent

# yum -y install katello-host-tools; yum -y install katello-host-tools-tracer; yum -y install katello-agent

Step Five: Check

5.1 Check registration information

# subscription-manager identity

5.2 Check license

# subscription-manager list --consumed