ocserv非权威CA证书签发吊销操作命令

 未分类  No Responses »
1月 212020
 

http://ocserv.gitlab.io/www/manual.html

生成CA证书

$ certtool --generate-privkey --outfile ca-key.pem
$ cat << _EOF_ >ca.tmpl
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_

$ certtool --generate-self-signed --load-privkey ca-key.pem \
--template ca.tmpl --outfile ca-cert.pem

生成服务器证书

$ certtool --generate-privkey --outfile server-key.pem
$ cat << _EOF_ >server.tmpl
cn = "VPN server"
dns_name = "www.example.com"
dns_name = "vpn1.example.com"
#ip_address = "1.2.3.4"
organization = "MyCompany"
expiration_days = -1
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_

$ certtool --generate-certificate --load-privkey server-key.pem \
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
--template server.tmpl --outfile server-cert.pem

生成客户端证书

$ certtool --generate-privkey --outfile user-key.pem
$ cat << _EOF_ >user.tmpl
cn = "user"
unit = "admins"
expiration_days = 365
signing_key
tls_www_client
_EOF_
$ certtool --generate-certificate --load-privkey user-key.pem \
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
--template user.tmpl --outfile user-cert.pem

$ certtool --to-p12 --load-privkey user-key.pem \
--pkcs-cipher 3des-pkcs12 \
--load-certificate user-cert.pem \
--outfile user.p12 --outder

吊销客户端证书

$ cat << _EOF_ >crl.tmpl
crl_next_update = 365
crl_number = 1
_EOF_
$ cat user-cert.pem >>revoked.pem
$ certtool --generate-crl --load-ca-privkey ca-key.pem \
--load-ca-certificate ca-cert.pem --load-certificate revoked.pem \
--template crl.tmpl --outfile crl.pem

生成空吊销列表文件

$ certtool --generate-crl --load-ca-privkey ca-key.pem \
--load-ca-certificate ca-cert.pem \
--template crl.tmpl --outfile crl.pem

用Certbot申请Let’s Encrypt通配符证书

 未分类  No Responses »
1月 012020
 

使用命令行手动申请通配符证书,并使用DNS验证方式,手动添加TXT记录

[root@certbot ~]# certbot certonly -d *.bcoc.site --manual --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for bcoc.site

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.bcoc.site with the following value:

hQolCyWZvWXBRcO3X8ZlNys4_dHJuGBx_bly9WGguvk

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/bcoc.site/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/bcoc.site/privkey.pem
Your cert will expire on 2020-03-31. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

[root@certbot ~]#

在Windows中查看证书信息

在CentOS7下安装配置softether服务器

 未分类  No Responses »
12月 272019
 

修改初始密码

[root@localhost ~]# passwd
Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]#

修改时区

[root@localhost ~]# cp /usr/share/zoneinfo/Asia/Hong_Kong /etc/localtime
cp: overwrite ‘/etc/localtime’? y
[root@localhost ~]# date
Wed Dec 18 08:10:18 HKT 2019
[root@localhost ~]#

禁用防火墙

[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@localhost ~]#

更新YUM缓存

[root@localhost ~]# yum makecache
[root@localhost ~]#

安装EPEL源

[root@localhost ~]# yum -y install epel-release.noarch

检查依赖并安装工具包

[root@localhost ~]# yum install gcc net-tools

解压并执行编译安装

[root@localhost ~]# tar xzf softether-vpnserver-v4.31-9727-beta-2019.11.18-linux-x64-64bit.tar.gz 
[root@localhost ~]# cd vpnserver/

[root@localhost vpnserver]# make
--------------------------------------------------------------------

SoftEther VPN Server (Ver 4.31, Build 9727, Intel x64 / AMD64) for Linux Install Utility
Copyright (c) SoftEther Project at University of Tsukuba, Japan. All Rights Reserved.

--------------------------------------------------------------------

Do you want to read the License Agreement for this software ?

1. Yes
2. No

Please choose one of above number: 
1

Did you read and understand the License Agreement ?
(If you couldn't read above text, Please read 'ReadMeFirst_License.txt'
file with any text editor.)

1. Yes
2. No

Please choose one of above number: 
1

Did you agree the License Agreement ?

1. Agree
2. Do Not Agree

Please choose one of above number: 
1

make[1]: Entering directory `/root/vpnserver'
Preparing SoftEther VPN Server...
ranlib lib/libcharset.a
ranlib lib/libcrypto.a
ranlib lib/libedit.a
ranlib lib/libiconv.a
ranlib lib/libintelaes.a
ranlib lib/libncurses.a
ranlib lib/libssl.a
ranlib lib/libz.a
ranlib code/vpnserver.a
gcc code/vpnserver.a -fPIE -O2 -fsigned-char -pthread -m64 -lm -lrt -lpthread -L./ lib/libssl.a lib/libcrypto.a lib/libiconv.a lib/libcharset.a lib/libedit.a lib/libncurses.a lib/libz.a lib/libintelaes.a -ldl -o vpnserver
ranlib code/vpncmd.a
gcc code/vpncmd.a -fPIE -O2 -fsigned-char -pthread -m64 -lm -lrt -lpthread -L./ lib/libssl.a lib/libcrypto.a lib/libiconv.a lib/libcharset.a lib/libedit.a lib/libncurses.a lib/libz.a lib/libintelaes.a -ldl -o vpncmd
./vpncmd /tool /cmd:Check
vpncmd command - SoftEther VPN Command Line Management Utility
SoftEther VPN Command Line Management Utility (vpncmd command)
Version 4.31 Build 9727 (English)
Compiled 2019/11/18 11:14:51 by buildsan at crosswin
Copyright (c) SoftEther VPN Project. All Rights Reserved.

VPN Tools has been launched. By inputting HELP, you can view a list of the commands that can be used.

VPN Tools>Check
Check command - Check whether SoftEther VPN Operation is Possible
---------------------------------------------------
SoftEther VPN Operation Environment Check Tool

Copyright (c) SoftEther VPN Project.
All Rights Reserved.

If this operation environment check tool is run on a system and that system passes, it is most likely that SoftEther VPN software can operate on that system. This check may take a while. Please wait...

Checking 'Kernel System'... 
Pass
Checking 'Memory Operation System'... 
Pass
Checking 'ANSI / Unicode string processing system'... 
Pass
Checking 'File system'... 
Pass
Checking 'Thread processing system'... 
Pass
Checking 'Network system'... 
Pass

All checks passed. It is most likely that SoftEther VPN Server / Bridge can operate normally on this system.

The command completed successfully.


--------------------------------------------------------------------
The preparation of SoftEther VPN Server is completed !


*** How to switch the display language of the SoftEther VPN Server Service ***
SoftEther VPN Server supports the following languages:
- Japanese
- English
- Simplified Chinese

You can choose your prefered language of SoftEther VPN Server at any time.
To switch the current language, open and edit the 'lang.config' file.


Note: the administrative password is not set on the VPN Server. Please set your own administrative password as soon as possible by vpncmd or the GUI manager.


*** How to start the SoftEther VPN Server Service ***

Please execute './vpnserver start' to run the SoftEther VPN Server Background Service.
And please execute './vpncmd' to run the SoftEther VPN Command-Line Utility to configure SoftEther VPN Server.

Of course, you can use the VPN Server Manager GUI Application for Windows / Mac OS X on the other Windows / Mac OS X computers in order to configure the SoftEther VPN Server remotely.

*** For Windows users ***
You can download the SoftEther VPN Server Manager for Windows
from the http://www.softether-download.com/ web site.
This manager application helps you to completely and easily manage the VPN server services running in remote hosts.


*** For Mac OS X users ***
In April 2016 we released the SoftEther VPN Server Manager for Mac OS X.
You can download it from the http://www.softether-download.com/ web site.
VPN Server Manager for Mac OS X works perfectly as same as the traditional Windows versions. It helps you to completely and easily manage the VPN server services running in remote hosts.

*** PacketiX VPN Server HTML5 Web Administration Console (NEW) ***
This VPN Server / Bridge has the built-in HTML5 Web Administration Console.

After you start the server daemon, you can open the HTML5 Web Administration Console is available at

https://127.0.0.1:5555/
or
https://ip_address_of_the_vpn_server:5555/

This HTML5 page is obviously under construction, and your HTML5 development contribution is very appreciated.

--------------------------------------------------------------------

make[1]: Leaving directory `/root/vpnserver'
[root@localhost vpnserver]#

设置程序目录及权限

[root@localhost vpnserver]# cd
[root@localhost ~]# mv vpnserver/ /usr/local/
[root@localhost ~]# cd /usr/local/vpnserver/
[root@localhost vpnserver]# chmod 600 *
[root@localhost vpnserver]# chmod 700 vpncmd 
[root@localhost vpnserver]# chmod 700 vpnserver 
[root@localhost vpnserver]#

设置环境变量

[root@localhost ~]# vi /etc/profile
ulimit -SHn 65535
export PATH=/usr/local/vpnserver:$PATH
[root@localhost ~]# source /etc/profile
[root@localhost ~]# ulimit 
unlimited
[root@localhost ~]# ulimit -n
65535
[root@localhost ~]#

使用命令行接口检测

[root@localhost vpnserver]# ./vpncmd 
vpncmd command - SoftEther VPN Command Line Management Utility
SoftEther VPN Command Line Management Utility (vpncmd command)
Version 4.31 Build 9727 (English)
Compiled 2019/11/18 11:14:51 by buildsan at crosswin
Copyright (c) SoftEther VPN Project. All Rights Reserved.

By using vpncmd program, the following can be achieved.

1. Management of VPN Server or VPN Bridge 
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)

Select 1, 2 or 3: 3

VPN Tools has been launched. By inputting HELP, you can view a list of the commands that can be used.

VPN Tools>check
Check command - Check whether SoftEther VPN Operation is Possible
---------------------------------------------------
SoftEther VPN Operation Environment Check Tool

Copyright (c) SoftEther VPN Project.
All Rights Reserved.

If this operation environment check tool is run on a system and that system passes, it is most likely that SoftEther VPN software can operate on that system. This check may take a while. Please wait...

Checking 'Kernel System'... 
Pass
Checking 'Memory Operation System'... 
Pass
Checking 'ANSI / Unicode string processing system'... 
Pass
Checking 'File system'... 
Pass
Checking 'Thread processing system'... 
Pass
Checking 'Network system'... 
Pass

All checks passed. It is most likely that SoftEther VPN Server / Bridge can operate normally on this system.

The command completed successfully.

VPN Tools>exit
[root@localhost vpnserver]#

添加服务脚本

[root@localhost ~]# vi /etc/init.d/vpnserver
#!/bin/sh
# chkconfig: 2345 99 01
# description: SoftEther VPN Server
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
test -x $DAEMON || exit 0
case "$1" in
start)
$DAEMON start
touch $LOCK
;;
stop)
$DAEMON stop
rm $LOCK
;;
restart)
$DAEMON stop
sleep 3
$DAEMON start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0

注册服务并确认运行级别

[root@localhost ~]# vi /etc/init.d/vpnserver
[root@localhost ~]# chmod 755 /etc/init.d/vpnserver 
[root@localhost ~]# chkconfig --add vpnserver
[root@localhost ~]# chkconfig --list vpnserver

Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.

If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
'systemctl list-dependencies [target]'.

vpnserver 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@localhost ~]#

启动服务

[root@localhost ~]# service vpnserver start
The SoftEther VPN Server service has been started.

Let's get started by accessing to the following URL from your PC:

https://14.17.100.1:5555/
or
https://14.17.100.1/

Note: IP address may vary. Specify your server's IP address.
A TLS certificate warning will appear because the server uses self signed certificate by default. That is natural. Continue with ignoring the TLS warning.

[root@localhost ~]#

使用Certbot申请免费Let’s Encrypt证书

 未分类  No Responses »
12月 232019
 

确认物理及系统防火墙80端口可访问

确认EPEL已安装并更新缓存

[root@s4 ~]# yum makecache
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 17 kB 00:00
* base: mirror.scalabledns.com
* epel: mirror.lax.genesisadaptive.com
* extras: mirrors.sonic.net
* updates: mirrors.sonic.net
base | 3.6 kB 00:00
epel | 5.4 kB 00:00
extras | 2.9 kB 00:00
updates | 2.9 kB 00:00
(1/9): epel/x86_64/filelists_db | 12 MB 00:00
(2/9): epel/x86_64/updateinfo | 1.0 MB 00:00
(3/9): epel/x86_64/prestodelta | 4.1 kB 00:00
(4/9): epel/x86_64/primary_db | 6.9 MB 00:00
(5/9): epel/x86_64/other_db | 3.3 MB 00:00
(6/9): epel/x86_64/updateinfo_zck | 1.5 MB 00:00
(7/9): updates/7/x86_64/filelists_db | 3.3 MB 00:00
(8/9): updates/7/x86_64/other_db | 368 kB 00:00
(9/9): updates/7/x86_64/primary_db | 5.9 MB 00:00
Metadata Cache Created
[root@s4 ~]#

安装certbot工具

[root@s4 ~]# yum -y install certbot

确认所需服务器证书之CommonName已正确指向本机IP

执行证书申请

[root@s4 ~]# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): harvey.mei@linuxcache.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): s4.linuxcache.net
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for s4.linuxcache.net
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/s4.linuxcache.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/s4.linuxcache.net/privkey.pem
Your cert will expire on 2020-03-26. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

- We were unable to subscribe you the EFF mailing list because your
e-mail address appears to be invalid. You can try again later by
visiting https://act.eff.org.
[root@s4 ~]#

证书更新

全部证书

certbot renew

指定证书

certbot renew --cert-name example.com
 Older Entries