I use a custom setup that uses nginx as the web engine with cPanel, and I need a command to export the SSL files so I can use them in nginx.
cPanel now uses AutoSSL, powered by Comodo, which provides certificates for free and renews them automatically whenever any user's domain SSL expires,
on EasyApache 4.
With this command:
uapi --user=example SSL fetch_best_for_domain domain='example.com'
I can fetch the SSL for a selected user from cPanel.
Result:
---
apiversion: 3
func: fetch_best_for_domain
module: SSL
result:
  data:
    cab: "-----BEGIN CERTIFICATE-----\n[two CA certificates, PEM bodies elided]\n-----END CERTIFICATE-----"
    crt: "-----BEGIN CERTIFICATE-----\n[domain certificate, PEM body elided]\n-----END CERTIFICATE-----"
    crt_origin: example
    domain: example.com
    ip: 127.0.0.1
    key: "-----BEGIN RSA PRIVATE KEY-----\n[private key elided]\n-----END RSA PRIVATE KEY-----"
    key_origin: example
    searched_users:
      - example
    status: 1
    statusmsg: ok
    user: example
  errors: ~
  messages: ~
  metadata: {}
  status: 1
  warnings: ~
I am looking for a way to export cab, crt and key as files after running this command.
There is an old way with EasyApache 3 at this URL:
Old steps
I spent 11 hours searching and looking.
I built this script and it works well with nginx.
I am happy to share it with you:
#!/bin/bash
set -e
# Ask cPanel for the best certificate it holds for the domain (plain YAML output)
RESULTS=$( uapi --user=example SSL fetch_best_for_domain domain='example.com' )
# Join the output into one line: the only double-quoted values are cab, crt and key, in that order
ONELINE=$(printf '%s' "$RESULTS" | tr '\n' ' ')
FIRST=$(echo "$ONELINE" | awk -F '"' '{print $2}')    # cab: the CA bundle
SECOND=$(echo "$ONELINE" | awk -F '"' '{print $4}')   # crt: the domain certificate
THIRD=$(echo "$ONELINE" | awk -F '"' '{print $6}')    # key: the private key
umask 077   # files created below are readable by root only; the key must stay that way
# The API writes line breaks as the two characters "\n"; turn them back into real newlines
echo "$FIRST"  | sed 's/\\n/\n/g' > /root/s.example.com.cab
echo "$SECOND" | sed 's/\\n/\n/g' > /root/s.example.com.crt
echo "$THIRD"  | sed 's/\\n/\n/g' > /root/s.example.com.key
# nginx wants the domain certificate followed by the CA bundle in one file
cat /root/s.example.com.crt /root/s.example.com.cab > /root/s.example.com.cert
rm -f /root/s.example.com.cab /root/s.example.com.crt
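The same extraction selecting the fields by name rather than by quote position, as an added example that is not the poster's script: it reads the plain uapi output from stdin, unescapes the "\n" sequences with printf '%b', writes the key with owner-only permissions and assembles the nginx chain file (leaf first, then the CA bundle, the same order as the cat above). The domain and output directory are parameters, and the sample output at the bottom is constructed with placeholder PEM bodies.

```shell
#!/bin/sh
# Added example: write nginx certificate files from "uapi ... SSL fetch_best_for_domain"
# output read on stdin, selecting fields by name instead of by quote position.
# Usage: uapi --user=USER SSL fetch_best_for_domain domain=D | export_cpanel_ssl D OUTDIR

# Print the quoted value of field $1 ("cab", "crt" or "key") from the uapi output on stdin.
uapi_field() {
    sed -n "s/^[[:space:]]*$1: \"\(.*\)\"[[:space:]]*$/\1/p"
}

# Write DOMAIN.key (mode 0600) and DOMAIN.fullchain.pem (leaf first, then the CA bundle,
# the order nginx expects) into OUTDIR and print the chain path. Fails if the API
# reported an error, so a stale file is never silently overwritten with garbage.
export_cpanel_ssl() {
    domain="$1"; outdir="$2"
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^[[:space:]]*status: 0'; then
        echo "uapi reported failure for $domain" >&2
        return 1
    fi
    umask 077                 # every file created below starts out owner-only
    mkdir -p "$outdir"
    # The API encodes line breaks as the two characters "\n"; %b turns them into newlines.
    printf '%b\n' "$(printf '%s\n' "$out" | uapi_field key)" > "$outdir/$domain.key"
    {
        printf '%b\n' "$(printf '%s\n' "$out" | uapi_field crt)"
        printf '%b\n' "$(printf '%s\n' "$out" | uapi_field cab)"
    } > "$outdir/$domain.fullchain.pem"
    chmod 644 "$outdir/$domain.fullchain.pem"   # the chain is public; only the key stays 0600
    printf '%s\n' "$outdir/$domain.fullchain.pem"
}

# Constructed uapi output with placeholder PEM bodies (not a real certificate or key),
# shaped like the result shown above.
SAMPLE_OUTPUT='---
result:
  data:
    cab: "-----BEGIN CERTIFICATE-----\nCAB1\n-----END CERTIFICATE-----"
    crt: "-----BEGIN CERTIFICATE-----\nCRT1\n-----END CERTIFICATE-----"
    domain: example.com
    key: "-----BEGIN RSA PRIVATE KEY-----\nKEY1\n-----END RSA PRIVATE KEY-----"
    status: 1
  errors: ~
  status: 1'
```

Point nginx at OUTDIR/DOMAIN.fullchain.pem with ssl_certificate and at OUTDIR/DOMAIN.key with ssl_certificate_key.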
I'm using kubeadm to build a k8s cluster and the default SSL certs are only valid for 1 year.
I plan to use cfssl or openssl to generate new certs valid for 10 years.
Could anyone please help me.
Thanks all
You can generate certs using cfssl or openssl, store them in a directory and specify that directory in kubeadm init; kubeadm will then not generate certs and will use the provided ones.
kubeadm init --cert-dir
https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#custom-certificates
Kubeadm also provides a cert renewal mechanism for renewing certs for 1 year.
kubeadm alpha certs renew
Since you have a running cluster which signs certs with 1 year of validity, you can change this flag of kube-controller-manager (the default duration of signed certs) to sign certs for 10 years.
--experimental-cluster-signing-duration duration Default: 8760h0m0s
Once this is done you can use the guide below to sign certs valid for 10 years.
https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#renew-certificates-with-the-kubernetes-certificates-api
To renew Kubernetes certs for 10 years (not recommended).
Check certs expiration
kubeadm alpha certs check-expiration --config="/etc/kubernetes/kubeadm-config.yaml"
Back up the existing Kubernetes certificates
mkdir -p $HOME/fcik8s-old-certs/pki
/bin/cp -p /etc/kubernetes/pki/*.* $HOME/fcik8s-old-certs/pki
Back up the existing configuration files
/bin/cp -p /etc/kubernetes/*.conf $HOME/fcik8s-old-certs
Back up your home configuration
mkdir -p $HOME/fcik8s-old-certs/.kube
/bin/cp -p ~/.kube/config $HOME/fcik8s-old-certs/.kube/.
Add --cluster-signing-duration flag (--experimental-cluster-signing-duration prior to 1.19) for kube-controller-manager
Edit /etc/kubernetes/manifests/kube-controller-manager.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-controller-manager
    tier: control-plane
  name: kube-controller-manager
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
    ...
    - --experimental-cluster-signing-duration=87600h
    ...
...
87600h ~ 10 years
Renew all certs
kubeadm alpha certs renew all --config /etc/kubernetes/kubeadm-config.yaml --use-api
Approve the cert request
kubectl get csr
kubectl certificate approve <cert_request>
Update the kubeconfig file
kubeadm init phase kubeconfig all --config /etc/kubernetes/kubeadm-config.yaml
Overwrite the original admin file with the newly generated admin configuration file
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
Restart components
docker restart $(docker ps | grep etcd | awk '{ print $1 }')
docker restart $(docker ps | grep kube-apiserver | awk '{ print $1 }')
docker restart $(docker ps | grep kube-scheduler | awk '{ print $1 }')
docker restart $(docker ps | grep kube-controller | awk '{ print $1 }')
systemctl daemon-reload && systemctl restart kubelet
Check api-server cert expiration
echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate
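An added example, not part of the answer above, that audits every certificate under the kubeadm pki directory before a renewal: it lists the ones expiring within a given number of days using openssl x509 -checkend, in the same spirit as the -enddate check above. The directory and window are parameters; the kubeconfig files (*.conf) embed their own client certificates and are not covered.

```shell
#!/bin/sh
# Added example: list kubeadm certificates that expire within N days, so that
# "kubeadm alpha certs renew" can be planned before anything actually expires.
# Assumes the kubeadm layout (/etc/kubernetes/pki, with etcd/ certificates below it).

# Return 0 (true) if the PEM certificate $1 expires within $2 days, 1 if it does not,
# 2 if the file is not a certificate at all.
cert_expires_within() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    # -checkend exits 0 while the certificate is still valid at the end of the window
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print "notAfter<TAB>subject<TAB>file" for every *.crt under $1 (default
# /etc/kubernetes/pki) that expires within $2 days (default 30); prints nothing when all is well.
audit_pki_dir() {
    dir="${1:-/etc/kubernetes/pki}"; days="${2:-30}"
    find "$dir" -name '*.crt' -print | sort | while IFS= read -r crt; do
        if cert_expires_within "$crt" "$days"; then
            enddate=$(openssl x509 -in "$crt" -noout -enddate | cut -d= -f2)
            subject=$(openssl x509 -in "$crt" -noout -subject | cut -d= -f2-)
            printf '%s\t%s\t%s\n' "$enddate" "$subject" "$crt"
        fi
    done
}

# Number of certificates the audit flagged; 0 means nothing expires within the window.
expiring_count() {
    audit_pki_dir "$@" | awk 'END { print NR }'
}

# For cron or a pre-renewal gate: print the report and exit non-zero if anything is flagged.
pki_check_main() {
    audit_pki_dir "$@"
    [ "$(expiring_count "$@")" -eq 0 ]
}
```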
Using RamNode's Turnkey Linux distro, I noticed my websites have expired certificates and https links are flagged with a "Proceed" dialogue. Looking further into the issue, Turnkey Linux uses confconsole with Let's Encrypt to request new certs. Multiple [virtual] domains require the user to manually use the dehydrated-wrapper, which the cronjob calls daily under /etc/cron.daily/confconsole-dehydrated, but this results in an error:
/var/log/confconsole/letsencrypt.log
[2019-03-09 05:35:04] dehydrated-wrapper: FATAL: An unexpected service is listening on port 80: nginx:
[2019-03-09 05:35:04] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
Restarting SSL tunnels: [stopped: /etc/stunnel/stunnel.conf] [Started: /etc/stunnel/stunnel.conf] stunnel.
[2019-03-09 05:35:09] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
[2019-03-09 05:35:09] cron: ERROR: dehydrated-wrapper exited with a non-zero exit code.
[2019-03-10 05:35:04] cron: /etc/ssl/private/cert.pem has expired or will do so within 30 days. Attempting renewal.
Solution:
Update /usr/lib/confconsole/plugins.d/Lets_Encrypt/dehydrated-wrapper with
REPLACE:
netstat -ltpn | grep ":80 " | head -1 | cut -d/ -f2 | sed -e 's [[:space:]].*$||'
WITH:
netstat -ltpn | grep ":80 " | head -1 | cut -d/ -f2 \
| sed -e 's|[[:space:]].*$||; s|[^a-zA-Z0-9]||'
like in this commit https://github.com/turnkeylinux/confconsole/commit/d1e61c4767c2148663429d63bc3a42925af8cbcd
Then manually run the cronjob again or wait for tomorrow:
/etc/cron.daily/confconsole-dehydrated
[2019-03-31 19:26:45] confconsole.hook.sh: SUCCESS: Cert request successful. Writing cert.pem & cert.key for DOMAIN1 to /etc/ssl/private
[2019-03-31 19:26:52] confconsole.hook.sh: SUCCESS: Cert request successful. Writing cert.pem & cert.key for DOMAIN2 to /etc/ssl/private
[2019-03-31 19:26:59] confconsole.hook.sh: SUCCESS: Cert request successful. Writing cert.pem & cert.key for DOMAIN3 to /etc/ssl/private
Thank you and I hope it saves you some time
Related Link: https://github.com/turnkeylinux/tracker/issues/976
I've answered this question in the Question Post itself, however, here's the answer again for the robots.
Solution: Update /usr/lib/confconsole/plugins.d/Lets_Encrypt/dehydrated-wrapper with
REPLACE:
netstat -ltpn | grep ":80 " | head -1 | cut -d/ -f2 | sed -e 's [[:space:]].*$||'
WITH:
netstat -ltpn | grep ":80 " | head -1 | cut -d/ -f2 \
| sed -e 's|[[:space:]].*$||; s|[^a-zA-Z0-9]||'
I could further expand on the solution by discussing the root problem.
Because the line in dehydrated-wrapper had been assigning the WEBSERVER variable to nginx:, dehydrated was unable to stop nginx before requesting and updating the certs. Adding nginx: to the case statement would allow you to stop nginx, but it would not be able to start the nginx: process, because it does not exist, to host the .well-known/acme-challenges location, resulting in a 404 when dehydrated tries to verify that the https SSL certs are correctly configured.
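The port-80 detection that both the question and this answer patch, as an added example that is not the confconsole project's code: the original and the corrected pipelines are wrapped as functions that read a netstat listing from stdin, so they can be run against a constructed listing (below, not captured from a real host) instead of the live socket table, and a third function runs the corrected one against netstat as the wrapper does.

```shell
#!/bin/sh
# Added example: the dehydrated-wrapper port-80 detection before and after the fix,
# runnable on a constructed "netstat -ltpn" listing instead of the live socket table.

# Constructed listing (not captured from a real host). nginx reports its process title
# as "nginx: master process ...", which is where the stray colon in WEBSERVER came from.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN 1234/nginx: master process /usr/sbin/nginx
tcp        0      0 0.0.0.0:443     0.0.0.0:*       LISTEN 1234/nginx: master process /usr/sbin/nginx
tcp        0      0 127.0.0.1:22    0.0.0.0:*       LISTEN 987/sshd'

# Original pipeline: cuts at the first "/" and then at the first whitespace, so "nginx:"
# survives and never matches the "nginx" case in the wrapper.
port80_server_old() {
    grep ":80 " | head -1 | cut -d/ -f2 | sed -e 's|[[:space:]].*$||'
}

# Fixed pipeline: additionally drops the first non-alphanumeric character (the colon).
# Names without one, such as "apache2" or "lighttpd", pass through unchanged.
port80_server_fixed() {
    grep ":80 " | head -1 | cut -d/ -f2 \
        | sed -e 's|[[:space:]].*$||; s|[^a-zA-Z0-9]||'
}

# Live check as the wrapper performs it: prints the bare name of the program on port 80.
detect_port80_server() {
    netstat -ltpn 2>/dev/null | port80_server_fixed
}
```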
Is there any way to use .ssh/authorized_keys to get the corresponding login user's email when the Linux system is connected to with id_rsa.pub?
I tried to use the content of /var/log/auth.log, but I can't find the direct relationship between the records and .ssh/authorized_keys.
Thanks in advance.
Maybe someone needs it. The next command prints information about the SSH key that was used for the current session. The key is taken from the standard comment block of ~/.ssh/authorized_keys.
For instance, somebody@test.com will be printed for a key that looks like this: cyb5OrLRv0VR6gZev8...KdECf7Q== somebody@test.com
Command:
export CURRENT_SSH_USER=$(grep $(grep $(grep '@'$(who -m | awk '{print $2}') <(ps -ef) | head -1 | awk '{print $3}')']: Accepted publickey for' /var/log/auth.log | head -1 | awk '{print $16}') <(cat ~/.ssh/authorized_keys | xargs -n1 -I% bash -c 'ssh-keygen -l -f /dev/stdin <<<"%"') | tail -1 | awk '{print $3}')
The command above does these steps:
who -m: only the hostname and user associated with stdin.
Take the pseudo-terminal slave, e.g. pts/2, for the current user from the previous command.
Search for pts/2 in the list of processes (ps -ef) and extract its pid.
Look for the pid, e.g. 21996, in /var/log/auth.log in lines like this one:
Jul 22 01:50:39 whatever-i-12345 sshd[21996]: Accepted publickey for ubuntu from 10.10.10.10 port 40411 ssh2: RSA SHA256:V4DD10NklAAAAAHNgxaurm1qaq/TOTejNjXMQABABAB
Be sure you have proper logging enabled.
Once the fingerprint SHA256:V4DD10NklAAAAAHNgxaurm1qaq/TOTejNjXMQABABAB is found, it is matched with the line from ~/.ssh/authorized_keys to retrieve the name from the comment block.
Notes:
Tested only on Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
The last column of an SSH public key is just a comment field; it is not present in the private key used to log in, nor in the public key sent to the server during the authentication attempt.
The comment in the server's authorized_keys can be completely different from the comment in the client's public key.
You can find the connection between the keys in authorized_keys and in the logs, but you need to convert the keys to fingerprints first using
ssh-keygen -lf ~/.ssh/authorized_keys
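The lookup both answers above describe, as an added example rather than code from either poster: sshd logs only the key fingerprint, so the comment is recovered by fingerprinting each authorized_keys line with ssh-keygen -l and joining that against the "Accepted publickey" log lines. The authorized_keys path is a parameter and the log is read from stdin; a login with a fingerprint that is not in the file is reported as UNKNOWN-KEY, which is the case worth alerting on.

```shell
#!/bin/sh
# Added example: attribute "Accepted publickey" log lines to authorized_keys entries.
# sshd logs the fingerprint, never the comment, so the comment is looked up through
# "ssh-keygen -l" as described above. Paths are parameters; nothing here is site-specific.

# Print "FINGERPRINT<TAB>COMMENT" for each key in the authorized_keys file $1,
# one ssh-keygen call per line so that every key in the file is covered.
fingerprints_of_authorized_keys() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac          # skip blank and comment lines
        # ssh-keygen -l prints "BITS FINGERPRINT COMMENT (TYPE)"; keep fingerprint and comment
        printf '%s\n' "$line" | ssh-keygen -lf /dev/stdin \
            | awk '{ fp = $2; sub(/^[^ ]+ [^ ]+ /, ""); sub(/ \([^)]*\)$/, ""); print fp "\t" $0 }'
    done < "$1"
}

# Read auth.log lines on stdin; for each accepted public-key login print
# "USER IP FINGERPRINT COMMENT", or UNKNOWN-KEY when the fingerprint is not in the file.
attribute_logins() {
    map=$(fingerprints_of_authorized_keys "$1")
    awk -v map="$map" '
        BEGIN {
            n = split(map, rows, "\n")
            for (i = 1; i <= n; i++) { split(rows[i], kv, "\t"); comment[kv[1]] = kv[2] }
        }
        /sshd\[[0-9]+\]: Accepted publickey for / {
            # ... Accepted publickey for USER from IP port PORT ssh2: TYPE FINGERPRINT
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            fp = $NF
            print user, ip, fp, ((fp in comment) ? comment[fp] : "UNKNOWN-KEY")
        }'
}
```

Typical use is grep 'Accepted publickey' /var/log/auth.log | attribute_logins ~/.ssh/authorized_keys for the current account, or with /root/.ssh/authorized_keys to attribute root logins.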
I have an Apache server log and am trying to determine which IP address has generated the most traffic. I've already managed to format it so it's just the IPs and their traffic in bytes:
xxx.xxx.xxx.xxx 915925
yyy.yyy.yyy.yyy 1193
zzz.zzz.zzz.zzz 2356
So now I'm looking for a method to combine and add up the bytes of identical IPs and then just find the top value.
Any ideas?
If you have the IP and traffic bytes in a file, use the following to get the work done.
cat file | perl -ane '$h{ $F[0] } += $F[1]; END { for ( sort keys %h ) { printf qq[%s %d\n], $_, $h{ $_ } } }' | sort -k2 -n -r
awk '{A[$1]+=$2;next}END{for(i in A){print i,A[i]}}' file | sort -k2 -n -r
I have a Debian box that I would like to talk to a remote server over SSL. The remote server has a self-signed certificate. How can I instruct my local machine to create a permanent security exception for the remote machine?
Note: I need a command-line method for this.
The method I found for doing this is based on material at http://www.madboa.com/geek/openssl/
Step 1: get the cert
Use the get-cert.sh script:
#!/bin/sh
#
# usage: retrieve-cert.sh remote.host.name [port]
#
REMHOST=$1
REMPORT=${2:-443}
test -n "$REMHOST" || { echo "usage: $0 remote.host.name [port]" >&2; exit 1; }
# -servername sends SNI, so a host that serves several certificates returns the right one
echo |\
openssl s_client -connect "${REMHOST}:${REMPORT}" -servername "${REMHOST}" 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
Get the certificate file and save it in /usr/lib/ssl/certs with a .pem extension.
Step 2: generate a hash for the cert
#!/bin/sh
#
# usage: certlink.sh filename [filename ...]
# Run it inside the certificate directory: the links are created in the current directory.
for CERTFILE in "$@"; do
    # make sure file exists and is a valid cert
    test -f "$CERTFILE" || continue
    HASH=$(openssl x509 -noout -hash -in "$CERTFILE")
    test -n "$HASH" || continue
    # use lowest available iterator for symlink
    for ITER in 0 1 2 3 4 5 6 7 8 9; do
        test -f "${HASH}.${ITER}" && continue
        ln -s "$CERTFILE" "${HASH}.${ITER}"
        test -L "${HASH}.${ITER}" && break
    done
done
Run the certlink.sh script on the file you downloaded in step 1 and then you are done.
The location of the cert files may vary with your operating system.
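An added example, not from the answer above or from madboa.com, that installs a fetched certificate into a CApath directory the way certlink.sh does (a subject-hash symlink with an absolute target) and then has openssl confirm that the directory actually trusts it, so a wrong directory or hash shows up before a client depends on it. The directory defaults to the /usr/lib/ssl/certs used above.

```shell
#!/bin/sh
# Added example: install a certificate into a CApath directory and verify the result.
# Pair it with get-cert.sh: fetch the PEM, install it, then check before trusting it.

# Symlink CERT into CAPATH under its subject hash, using the first free .N slot.
# Prints the link path; the target is absolute so the link works from any directory.
install_trusted_cert() {
    cert="$1"; capath="${2:-/usr/lib/ssl/certs}"
    hash=$(openssl x509 -noout -hash -in "$cert") || return 1
    case "$cert" in /*) target="$cert" ;; *) target="$PWD/$cert" ;; esac
    for iter in 0 1 2 3 4 5 6 7 8 9; do
        link="$capath/$hash.$iter"
        # slot taken (another cert with the same hash, or a dangling link): try the next one
        if [ -e "$link" ] || [ -L "$link" ]; then continue; fi
        ln -s "$target" "$link" || return 1
        printf '%s\n' "$link"
        return 0
    done
    return 1
}

# Return 0 when CERT validates against the CApath directory, i.e. what a client pointed
# at that directory would decide. The output is checked rather than the exit code because
# older "openssl verify" releases exit 0 even when verification fails.
verify_against_capath() {
    openssl verify -CApath "${2:-/usr/lib/ssl/certs}" "$1" 2>&1 | grep -q ': OK$'
}
```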
Can you not just add the remote server and its key to the list of known hosts?