内容一:导出 iptables 防火墙规则
# iptables-save > /root/iptables_save
(补充:这里以将 iptables 防火墙规则导出到 /root/iptables_save 文件为例)
内容二:导入 iptables 防火墙规则
# iptables-restore < /root/iptables_save
(补充:这里以将 /root/iptables_save 文件里的内容导入到 iptables 防火墙为例)
# iptables-save > /root/iptables_save
(补充:这里以将 iptables 防火墙规则导出到 /root/iptables_save 文件为例)
# iptables-restore < /root/iptables_save
(补充:这里以将 /root/iptables_save 文件里的内容导入到 iptables 防火墙为例)
# openssl s_client -connect eternalcenter.com:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = eternalcenter.com
verify return:1
---
Certificate chain
0 s:CN = eternalcenter.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFKjCCBBKgAwIBAgISAxDxly99eBiarmHggFEmDJoMMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTEyMTkxMzA4MzJaFw0yMjAzMTkxMzA4MzFaMBwxGjAYBgNVBAMT
EWV0ZXJuYWxjZW50ZXIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAtCcCuOqBrWP4eo//VBEXh668EjwrE1eXz2CS4GIN4ddn0rS8LHGFOrB92R8E
OnaYeTKpZjzNM3NA/AG/Gq5mTRZGTpyTasHEb/phwXdhrtJWdbMtQjGFSg8rXSB8
cap5NGP/NxAy8FV0MbXftg5t9VgBoCMGUzioSHZTEjefq+/OZwlP7RzxZN3bwj1D
61gWSw6q1X3bsi8ttwbkkiJfvjXo2KIeGOAnY10X+FPJmVa7jonhOuljrX4CYgnd
SCxmsfgwGMUzRu27VB1rEbKqvSr6tb9KfwFiqsZd5tTi7RW6WMqA0VbDV7BbDqLP
OzcturwRtXfzHjJxssy9zhnrQQIDAQABo4ICTjCCAkowDgYDVR0PAQH/BAQDAgWg
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0G
A1UdDgQWBBQMGBCfBuZxTAS8VcBI/13ugqc2RDAfBgNVHSMEGDAWgBQULrMXt1hW
y65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6
Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iu
b3JnLzAcBgNVHREEFTATghFldGVybmFsY2VudGVyLmNvbTBMBgNVHSAERTBDMAgG
BmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3Bz
LmxldHNlbmNyeXB0Lm9yZzCCAQYGCisGAQQB1nkCBAIEgfcEgfQA8gB3AN+lXqto
gk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABfdMFzUsAAAQDAEgwRgIhAMFF
1orPZPnpCyhzwX2xZAZjJnOmDGmBjAl0tHnX4nEWAiEAqZTUwjrdwZAL+kDAgpzG
Me2RnGMseDBY8Oy2sefUgsAAdwBGpVXrdfqRIDC1oolp9PN9ESxBdL79SbiFq/L8
cP5tRwAAAX3TBc1zAAAEAwBIMEYCIQDLhR0nbVHEIL1uw9hRuv/ZbFjf91W/M4Jp
od7NTMQZbAIhAKEAAfmdu0nVHklyS2At1VValwQ6vNbqd0NQ85giG606MA0GCSqG
SIb3DQEBCwUAA4IBAQB/s+rZEaNrlUyBVnbxv5X9NTBd8buBOkR1qVswlS1R2i8B
pRjeJmgbiMzM2z5Mvx0yTIiCyXXUc3YaqoyxvddaQam9nlLGr0nKX9T5DkE7y0Fh
Qg0/ievRQF86XnDqQBxDR32jj5A1nKEiJrNCqugCWTAABndW3tvzK5DOsF2BfjJC
mcjwiKaSCjFVpf+KzLWS3UEW+DRTKOLBucXpenS7QEcQu4K6ShNSL7+K6UOZEbFu
uCRjOawCJFF7EH5vzRBy696Fu4EmzCV+c4rV8K8EcuCCQQeOTWJ/93Jv6U6kGrmE
P6wlcHFy1tZhTAmXf/qcpE3sGeH58OlNNiVmNJdH
-----END CERTIFICATE-----
subject=CN = eternalcenter.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4695 bytes and written 412 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: D63BC88824810A4D43ACE901AD4FF2D82073BC6F0D8B2DE71F6310CA1C87707F
Session-ID-ctx:
Master-Key: A6836430C394B96DDD5552867D49802F94AAC8BF5E882100F0D27185CF5CFD6A946B94D87652E44A6684FC9781D16D90
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - bb be 55 e0 4b 6d c3 08-cd bc 45 6e 79 67 fc eb ..U.Km....Enyg..
0010 - 30 d5 4c 8a 5a c8 f7 13-42 4b 1d 02 ce 94 c0 b8 0.L.Z...BK......
0020 - d7 cf f6 f0 ee 9d 49 5b-0a c8 a4 1a 8b dd 8a e0 ......I[........
0030 - 66 83 52 9b 31 4d da 9e-d5 05 1a 70 ca e9 86 5e f.R.1M.....p...^
0040 - f5 09 a1 1c 92 6b 64 90-b7 e1 0e ec 30 e2 26 68 .....kd.....0.&h
0050 - 49 13 10 9e 3e a5 e0 13-a2 f1 7a 7c c5 ad 99 6c I...>.....z|...l
0060 - e9 f6 1d 46 5f cc f6 f9-c5 f6 05 49 53 78 7e ea ...F_......ISx~.
0070 - 8c 17 eb 8d 96 c3 3f 92-fe e0 f0 f6 86 59 05 c8 ......?......Y..
0080 - d2 8c 27 6b 9d 65 38 20-84 d4 23 54 35 70 19 4d ..'k.e8 ..#T5p.M
0090 - db 35 6d f4 44 50 d7 6e-a5 87 2b 32 e5 f8 42 88 .5m.DP.n..+2..B.
00a0 - 28 e2 ab 35 e1 2c 06 71-e5 b2 82 cb 3a 75 cc 72 (..5.,.q....:u.r
00b0 - ed ae e1 12 ff 82 6c 3a-3a 38 7a 8c 3c 9c f1 10 ......l::8z.<...
00c0 - 78 b8 37 87 c3 a2 00 76-01 72 8c ef 3b 20 48 28 x.7....v.r..; H(
Start Time: 1644931899
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
closed
(补充:这里以显示 eternalcenter.com 的 443 端口的 SSL 证书为例)
# echo | openssl s_client -connect scc.suse.com:443 | head -n 16
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = eternalcenter.com
verify return:1
---
Certificate chain
0 s:CN = eternalcenter.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
(补充:这里以显示 eternalcenter.com 的 443 端口的 SSL 证书为例)
1) DEFAULT 不严格的安全等级,可以让系统使用 TLSv1.2
2) FUTURE 严格的安全等级,只能让系统使用 TLSv1.2 不能使用 TLSv1.3
# update-crypto-policies --show
DEFAULT
(补充:从这里可以看出目前的 update-crypto-policies 参数是 DEFAULT)
# update-crypto-policies --set=FUTURE
(补充:这里以将 update-crypto-policies 参数设置为 FUTURE 为例)
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
Rocky Linux 8 & RHEL 8 已经默认废弃 TLSv1.2
可以使用 TLSv1.3 替代 TLSv1.2 或者将 update-crypto-policies 参数设置为 DEFAULT 以解决此报错
# update-crypto-policies --show
FUTURE
(补充:从这里可以看出目前的 update-crypto-policies 参数是 FUTURE)
# update-crypto-policies --set=DEFAULT
(补充:这里以将 update-crypto-policies 参数设置为 DEFAULT 为例)
(步骤略)
# yum -y install certbot
(补充:这里以在 Fedora 35 上安装 certbot 为例)
# certbot certonly --email mingyu.zhu@eternalcenter.com -n --agree-tos --webroot -w /usr/share/nginx/html/ -d eternalcenter.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for eternalcenter.com
Performing the following challenges:
http-01 challenge for eternalcenter.com
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/eternalcenter.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/eternalcenter.com/privkey.pem
Your certificate will expire on 2022-03-20. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
(
补充:这里以
1) 使用 mingyu.zhu@eternalcenter.com 邮箱
2) 以非交互式的方式
3) 通过给 /usr/share/nginx/html/ 网站目录里添加验证文件进行验证
4) 给 eternalcenter.com 域名
申请 Let’s Encrypt SSL 证书为例
)
# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: eternalcenter.com
Serial Number: 3e8cdb74a1abfbf3d535ec1c3f8cb3e4e4c
Key Type: RSA
Domains: eternalcenter.com
Expiry Date: 2022-03-20 13:48:48+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/eternalcenter.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/eternalcenter.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(
补充:
1) /etc/letsencrypt/live/eternalcenter.com/fullchain.pem 是公钥
2) /etc/letsencrypt/live/eternalcenter.com/privkey.pem 是私钥
)
# cat /etc/letsencrypt/renewal/eternalcenter.com.conf
# renew_before_expiry = 30 days
version = 1.20.0
archive_dir = /etc/letsencrypt/archive/eternalcenter.com
cert = /etc/letsencrypt/live/eternalcenter.com/cert.pem
privkey = /etc/letsencrypt/live/eternalcenter.com/privkey.pem
chain = /etc/letsencrypt/live/eternalcenter.com/chain.pem
fullchain = /etc/letsencrypt/live/eternalcenter.com/fullchain.pem
(补充:可以看出 Let’s Encrypt SSL 证书是在过期前 30 天才能更新)
# /usr/bin/certbot renew
(补充:这里以延期 Let’s Encrypt SSL 证书为例)
# crontab -e
添加以下内容:
......
0 0 */30 * * /usr/bin/certbot renew
(补充:这里以每过 30 天的 0 时 0 分延期 Let’s Encrypt SSL 证书为例)
1) 一个域名申请次数不能超过 5 次/周
2) 允许申请失败次数不能超过 5 次/时
3) 属于同一个顶级域名的二级域名申请次数不能超过 20 次/周
4) 申请请求频率不能超过 20 次/秒
5) 一个 IP 地址创建用户个数不能超过 10 个/3 小时
6) 一个用户最多 pending 审核的数不能超过 300 个