HomeServer14 の履歴(No.5)

[ トップ ]   [ 新規 | 一覧 | 検索 | 最終更新 | ヘルプ ]

• 履歴一覧
• 差分 を表示
• 現在との差分 を表示
• ソース を表示
• HomeServer14 へ行く。
  • 1 (2017-06-11 (日) 00:40:14)
  • 2 (2017-06-11 (日) 01:52:51)
  • 3 (2017-07-02 (日) 04:40:39)
  • 4 (2017-07-02 (日) 07:51:58)
  • 5 (2017-07-17 (月) 04:32:18)
  • 6 (2017-07-26 (水) 18:11:46)
  • 7 (2017-07-29 (土) 05:13:50)
  • 8 (2017-07-30 (日) 03:07:11)
  • 9 (2017-08-12 (土) 00:03:39)
  • 10 (2017-08-12 (土) 05:23:42)
  • 11 (2017-08-12 (土) 08:58:58)
  • 12 (2017-08-18 (金) 03:01:39)
  • 13 (2017-08-24 (木) 23:05:31)
  • 14 (2017-08-25 (金) 03:17:34)

---

md0 ドライブの一つが動いていなかった　@2017-6-11†

• Ubuntu の ディスクメニューで md0 が赤色表示 → md0 が Degrade 状態となっていた。 動作確認
  • Superblock の persistency は確保されているが、1台のドライブ（/dev/sda）が切り離されていた

munakata@mythen:~ (master #)$ sudo mdadm  -D /dev/md0
/dev/md0:
        Version : 1.2
  Creation Time : Sun Dec 11 23:04:19 2011
     Raid Level : raid1
     Array Size : 3906885632 (3725.90 GiB 4000.65 GB)
  Used Dev Size : 3906885632 (3725.90 GiB 4000.65 GB)
   Raid Devices : 2
  Total Devices : 1
    Persistence : Superblock
     Update Time : Sat Jun 10 18:28:18 2017
          State : clean, degraded 
 Active Devices : 1
Working Devices : 1
 Failed Devices : 0
  Spare Devices : 0

           Name : mythen:0
           UUID : 4cd693e9:dd3ad1a9:3a5a23a9:62ce3a05
         Events : 280089

    Number   Major   Minor   RaidDevice State
       0       0        0        0      removed
       2       8       17        1      active sync   /dev/sdb1

• /dev/sda にエラーが発生しているかを smartctrl の簡易テストで確認

munakata@mythen:~ (master #)$ sudo smartctl -t short /dev/sda
smartctl 6.2 2013-07-26 r3841 [x86_64-linux-3.13.0-48-generic] (local build)
Copyright (C) 2002-13, Bruce Allen, Christian Franke, www.smartmontools.org

Testing has begun.
Please wait 2 minutes for test to complete.
Test will complete after Sat Jun 10 18:27:37 2017

Use smartctl -X to abort test.

• テストの結果 /dev/sda 自体に障害が発生していないことを確認（completed without error)

munakata@mythen:~ (master #)$ sudo smartctl -l selftest /dev/sda
smartctl 6.2 2013-07-26 r3841 [x86_64-linux-3.13.0-48-generic] (local build)
Copyright (C) 2002-13, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF READ SMART DATA SECTION ===
SMART Self-test log structure revision number 1
Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Short offline       Completed without error       00%     22649         -

• md0 に /dev/sda を再アッタチ → 自動的に rebuild がスタートする（rebuild には数時間がかかる）

munakata@mythen:~ (master #)$ sudo mdadm /dev/md0 --add /dev/sda1
mdadm: added /dev/sda1

• rebuild 中（4時間程度経過時点）

munakata@mythen:~ (master #)$ sudo mdadm  -D /dev/md0
/dev/md0:
        Version : 1.2munakata@mythen:~ (master #)$ sudo mdadm /dev/md0 --add /dev/sda1
mdadm: added /dev/sda1

  Creation Time : Sun Dec 11 23:04:19 2011
     Raid Level : raid1
     Array Size : 3906885632 (3725.90 GiB 4000.65 GB)
  Used Dev Size : 3906885632 (3725.90 GiB 4000.65 GB)
   Raid Devices : 2
  Total Devices : 2
    Persistence : Superblock is persistent

    Update Time : Sat Jun 10 19:49:34 2017
          State : clean, degraded, recovering 
 Active Devices : 1
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 1

 Rebuild Status : 14% complete

           Name : mythen:0
           UUID : 4cd693e9:dd3ad1a9:3a5a23a9:62ce3a05
         Events : 282261

    Number   Major   Minor   RaidDevice State
       3       8        1        0      spare rebuilding   /dev/sda1
       2       8       17        1      active sync   /dev/sdb1

• rebuild 完了時点

munakata@mythen:~ (master #)$ sudo mdadm  -D /dev/md0
/dev/md0:
        Version : 1.2
  Creation Time : Sun Dec 11 23:04:19 2011
     Raid Level : raid1
     Array Size : 3906885632 (3725.90 GiB 4000.65 GB)
  Used Dev Size : 3906885632 (3725.90 GiB 4000.65 GB)
   Raid Devices : 2
  Total Devices : 2
    Persistence : Superblock is persistent

    Update Time : Sun Jun 11 07:40:39 2017
          State : clean 
 Active Devices : 2
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 0

           Name : mythen:0
           UUID : 4cd693e9:dd3ad1a9:3a5a23a9:62ce3a05
         Events : 296999

    Number   Major   Minor   RaidDevice State
       3       8        1        0      active sync   /dev/sda1
       2       8       17        1      active sync   /dev/sdb1

munakata@mythen:~ (master #)$ cat /proc/mdstat 
Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10] 
md0 : active raid1 sda1[3] sdb1[2]
      3906885632 blocks super 1.2 [2/2] [UU]

dtv_recipe が動作不安定　@2017-6-11†

• HDD 録画したファイルの中で特定のファイルがリードエラー（再生中に停止）する状況になった
• SMART のログを確認
  • 重要なのは Current_Pending_Sector ＝ 4 となっている点、正常な状態ではない

munakata@mythen:~ (master #)$ sudo smartctl -a /dev/sdf
smartctl 6.2 2013-07-26 r3841 [x86_64-linux-3.13.0-48-generic] (local build)
Copyright (C) 2002-13, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF INFORMATION SECTION ===
Device Model:     WDC WD40EZRZ-00WN9B0
Serial Number:    WD-WCC4E3JH7YV9
LU WWN Device Id: 5 0014ee 261da88a0

Firmware Version: 80.00A80
User Capacity:    4,000,787,030,016 bytes [4.00 TB]
Sector Sizes:     512 bytes logical, 4096 bytes physical
Rotation Rate:    5400 rpm
Device is:        Not in smartctl database [for details use: -P showall]
ATA Version is:   ACS-2 (minor revision not indicated)
SATA Version is:  SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is:    Sun Jun 11 08:07:16 2017 JST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

General SMART Values:
Offline data collection status:  (0x82)	Offline data collection activity
					was completed without error.
					Auto Offline Data Collection: Enabled.
Self-test execution status:      ( 121)	The previous self-test completed having
					the read element of the test failed.
Total time to complete Offline 
data collection: 		(53760) seconds.
Offline data collection
capabilities: 			 (0x7b) SMART execute Offline immediate.
					Auto Offline data collection on/off support.
					Suspend Offline collection upon new
					command.
					Offline surface scan supported.
					Self-test supported.
					Conveyance Self-test supported.
					Selective Self-test supported.
SMART capabilities:            (0x0003)	Saves SMART data before entering
					power-saving mode.
					Supports SMART auto save timer.
Error logging capability:        (0x01)	Error logging supported.
					General Purpose Logging supported.
Short self-test routine 
recommended polling time: 	 (   2) minutes.
Extended self-test routine
recommended polling time: 	 ( 537) minutes.
Conveyance self-test routine
recommended polling time: 	 (   5) minutes.
SCT capabilities: 	       (0x7035)	SCT Status supported.
					SCT Feature Control supported.
					SCT Data Table supported.

SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x002f   200   200   051    Pre-fail  Always       -       912
  3 Spin_Up_Time            0x0027   185   179   021    Pre-fail  Always       -       7741
  4 Start_Stop_Count        0x0032   100   100   000    Old_age   Always       -       16
  5 Reallocated_Sector_Ct   0x0033   200   200   140    Pre-fail  Always       -       0
  7 Seek_Error_Rate         0x002e   200   200   000    Old_age   Always       -       0
  9 Power_On_Hours          0x0032   081   081   000    Old_age   Always       -       14096
 10 Spin_Retry_Count        0x0032   100   253   000    Old_age   Always       -       0
 11 Calibration_Retry_Count 0x0032   100   253   000    Old_age   Always       -       0
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       10
192 Power-Off_Retract_Count 0x0032   200   200   000    Old_age   Always       -       2
193 Load_Cycle_Count        0x0032   025   025   000    Old_age   Always       -       527334
194 Temperature_Celsius     0x0022   110   104   000    Old_age   Always       -       42
196 Reallocated_Event_Count 0x0032   200   200   000    Old_age   Always       -       0
197 Current_Pending_Sector  0x0032   200   200   000    Old_age   Always       -       4　<------- ここ
198 Offline_Uncorrectable   0x0030   200   200   000    Old_age   Offline      -       3
199 UDMA_CRC_Error_Count    0x0032   200   200   000    Old_age   Always       -       0
200 Multi_Zone_Error_Rate   0x0008   200   200   000    Old_age   Offline      -       208

SMART Error Log Version: 1
No Errors Logged

• dtv_recipe (/dev/sdf) をテストする

munakata@mythen:~ (master #)$ sudo smartctl -t short /dev/sdf
smartctl 6.2 2013-07-26 r3841 [x86_64-linux-3.13.0-48-generic] (local build)
Copyright (C) 2002-13, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF OFFLINE IMMEDIATE AND SELF-TEST SECTION ===
Sending command: "Execute SMART Short self-test routine immediately in off-line mode".
Drive command "Execute SMART Short self-test routine immediately in off-line mode" successful.
Testing has begun.
Please wait 2 minutes for test to complete.
Test will complete after Sun Jun 11 08:06:42 2017

Use smartctl -X to abort test.

• テスト結果を見る
  • 上から最新のテスト結果
  • read_failure で終了していて、エラーが出た LBA の先頭の番地が記録されている

SMART Self-test log structure revision number 1
Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Short offline       Completed: read failure       90%     14096         140218489
# 2  Extended offline    Completed: read failure       90%     14082         140218489munakata@mythen:~ (master #)$ sudo 
# 3  Conveyance offline  Completed: read failure       90%     14082         140218488
# 4  Short offline       Completed: read failure       90%     14082         140218488

• 今回はディスクを交換することにした。
• 暫定的に不良ブロックを使わない 設定の紹介 もあった（が、不良ブロックが1つとは限らないだろう）

One Time Password (OTP) を利用してサーバーを外部公開†

• Apache への OTP 認証の追加

	<Directory /raid_vol/www/pukiwiki>
		Options +Indexes +FollowSymLinks +MultiViews
		AllowOverride None

		# ローカルネットからはパスワードなしでアクセスを許可
		Satisfy any
		Order allow,deny
		Allow from 127.0.0.1
		Allow from 192.168.1

		# それ以外からのアクセスにはワンタイムパスワードを要求
		AuthType Basic
		AuthName "OTP Authentication (Enter OTP as password)"
		AuthBasicProvider OTP
		Require valid-user
		OTPAuthUsersFile /raid_vol/www/otp/users
		OTPAuthMaxLinger 3600
		OTPAuthLogoutOnIPChange On

		#AuthType Basic
		#AuthName "KGB 奈々子"
		## nanamochahiko
		#AuthUserFile "/raid_vol/home/munakata/.htpasswd"
		#Require user munakata
	</Directory>

• ユーザー登録用スクリプト ( munakata のホームディレクトリーに配置) ---- otp_user_entry.sh

#!/bin/bash -e
user=${1:?Usage: $0 username}
issuer=${2:-KGB}
secret=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 15 | head -n 1)
secret_base16=$(python -c "import base64; print base64.b16encode('${secret}')")
secret_base32=$(python -c "import base64; print base64.b32encode('${secret}')")
otpauth_uri="otpauth://totp/${issuer}:${user}?secret=${secret_base32}&issuer=${issuer}"
otpauth_uri=$(python -c "import urllib; print urllib.quote('${otpauth_uri}')")
qrcode_url="https://chart.googleapis.com/chart?chs=300x300&cht=qr&chl=${otpauth_uri}"

file="/raid_vol/www/otp/users"
if [ ! -f "${file}" ]; then
  [ -d $(dirname "$file") ] || mkdir -p $(dirname "$file")
  touch ${file}
  chown -R www-data:www-data $(dirname "$file")
fi
[ -w "${file}" ] || (echo "${file}: Permission denied" && exit 1)

count=$(awk "\$2 ~ /^$user}\$/" ${file} | wc -l)
if [ $count -le 0 ]; then
  echo "HOTP/T30 $(printf '%-12s' $user) - ${secret_base16}" >> ${file}
  echo "$qrcode_url"
else
  echo "User '$user' already exists"
fi

• munakata 用の QR コード
• 

• 参考 URL
  • Apacheへのアクセスに二要素認証を適用する

kgb.hmuna.com の証明書検証†

• サーバー証明書関連のエラー（ブラウザーで証明書が失効と言われる、 Kaspersky で中間証明書の一つに問題があると言われる 等）があり、証明書の状況を再確認した。
• 現在の証明書の場所は /etc/ssl/official2munakata@mythen:/etc/ssl/official2 (master *)

  $ ls -l
  合計 68
  -rw-r--r-- 1 root root 1521  9月 28  2014 AddTrustExternalCARoot.crt
  -rw-r--r-- 1 root root 1952  9月 28  2014 COMODORSAAddTrustCA.crt
  -rw-r--r-- 1 root root 2151  9月 28  2014 COMODORSADomainValidationSecureServerCA.crt
  -rw-r--r-- 1 root root 1391  7月  6  2014 GeoTrust_intermediate_Certificate.pem
  -rw-r--r-- 1 root root 1679  9月 28  2014 kgb.hmuna.com.privatekey
  -rw-r--r-- 1 root root 1751  9月 24  2014 kgb.hmuna.com.privatekey-orig
  -rw-r--r-- 1 root root 1895  9月 28  2014 kgb_hmuna_com.crt
  -rw-r--r-- 1 root root 1005  9月 24  2014 kgbhmunaCSR.csr
  -rw-r--r-- 1 root root 1743  7月  6  2014 mail.hmuna.com.privatekey
  -rw-r--r-- 1 root root 1675  7月  6  2014 mail.hmuna.com.privatekey_withoutpass
  -rw-r--r-- 1 root root 1009  7月  6  2014 mailhmunaCSR.csr
  -rw-r--r-- 1 root root 1842  7月  6  2014 mailhmunaSSLCertificateFile2.pem
  -rw-r--r-- 1 root root 3233  7月  6  2014 mailhmuna_combined.pem
  -rw-r--r-- 1 root root 1751  7月  6  2014 wiki.hmuna.com.privatekey
  -rw-r--r-- 1 root root 1679  7月  6  2014 wiki.hmuna.com.privatekey_passphraseless
  -rw-r--r-- 1 root root 1009  7月  6  2014 wikihmunaCSR.csr
  -rw-r--r-- 1 root root 1842  7月  6  2014 wikihmunaSSLCertificateFile2.pem

  • kgb の証明書は 2014年9月24日に CSR を作成したものに見えるが、何処で購入したのか不明（namecheap dashboard には出てこない）
• Apache での証明書、秘密鍵、CSR ファイルの内容を確認する

• 証明書ファイルの内容チェック
  • Comodo が 2014年9月に発行したもので、2019年まで有効な証明書に見える（正常、上のファイルとも整合する）

    munakata@mythen:/etc/ssl/official2 (master *)$ openssl x509 -text -noout -in kgb_hmuna_com.crt
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                71:82:44:f4:5b:6f:b9:65:dd:15:b8:e2:04:68:a7:64
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server 
    CA
            Validity
                Not Before: Sep 28 00:00:00 2014 GMT
                Not After : Sep 27 23:59:59 2019 GMT
            Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=kgb.hmuna.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:b7:d8:37:66:40:96:9f:9c:f0:96:e6:fd:9a:25:
                        d7:89:6b:6a:9e:44:67:22:24:0d:09:ad:03:36:e7:
                        65:9d:82:ed:c5:60:be:4c:a0:7c:7e:52:54:c8:84:
                        f2:9f:6d:19:d4:f4:9e:ed:9f:73:d0:a5:df:83:1f:
                        44:99:26:ab:e7:d0:ff:05:48:1e:f3:9e:2b:bd:2a:
                        ac:4a:bd:25:cb:48:d7:c0:6d:20:a0:ab:62:f8:82:
                        d7:c4:ea:5c:1c:7d:ac:19:cc:60:6a:b2:9e:e0:3b:
                        1f:cd:36:be:35:3e:27:a4:0e:cd:07:1b:1b:bc:d4:
                        5d:57:63:f5:0d:ba:bf:a9:c1:3e:f7:7c:13:6a:b7:
                        8e:14:3f:5e:43:7a:87:c4:03:68:52:73:6e:c7:d9:
                        c0:8d:8f:24:07:ce:7a:cb:b5:5f:fb:bd:47:80:08:
                        28:08:67:4e:dd:93:2e:37:16:e6:0e:f3:28:ad:0c:
                        36:11:51:b0:d3:dd:cc:9d:8b:a1:58:c6:af:64:78:
                        44:7d:42:cc:d2:40:42:c0:cb:96:11:a9:f8:50:ed:
                        89:98:de:28:3f:a5:1a:41:ad:b1:b1:88:a9:5b:90:
                        15:06:31:dc:0b:e1:24:eb:99:2f:1f:09:48:c0:f1:
                        09:9c:e5:de:cd:d5:ce:e0:b2:81:b4:61:fb:0f:61:
                        00:e5
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Authority Key Identifier:
                    keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7 
    
                X509v3 Subject Key Identifier:
                    68:03:77:22:D5:A3:CD:B6:A0:10:CF:A8:23:F4:46:63:B2:33:22:FB
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Certificate Policies:
                    Policy: 1.3.6.1.4.1.6449.1.2.2.7
                      CPS: https://secure.comodo.com/CPS
                    Policy: 2.23.140.1.2.1
    
                X509v3 CRL Distribution Points:
    
                    Full Name:
                      URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
    
                Authority Information Access:
                    CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
                    OCSP - URI:http://ocsp.comodoca.com
    
                X509v3 Subject Alternative Name:
                    DNS:kgb.hmuna.com, DNS:www.kgb.hmuna.com
        Signature Algorithm: sha256WithRSAEncryption
             46:e6:63:54:c9:5b:e3:fb:d2:5d:8e:12:4d:68:64:ee:0d:54:
             94:e2:e7:36:12:54:4c:e0:8a:17:d6:77:85:40:b1:d1:2e:e8:
             61:94:80:15:7c:bd:90:43:51:57:68:34:5a:8c:8e:86:1a:d7:
             d8:b1:b1:46:ff:1b:91:ca:77:83:c8:0a:1d:7e:aa:58:fe:6b:
             a3:38:79:9f:75:b3:e4:04:1a:c7:06:1e:95:84:24:57:34:32:
             8d:f3:3d:af:ca:be:25:68:90:c3:da:7b:63:e8:91:85:86:3c:
             1a:4a:d7:73:c6:16:60:a2:82:c7:9e:9c:7a:68:b2:9b:b5:26:
             f7:bc:31:cf:f1:33:b4:49:1b:93:c6:a1:67:47:0b:7f:87:41:
             dd:da:d3:1d:d9:92:2e:53:d0:60:99:0c:50:a3:51:81:55:2e:
             14:80:0e:da:c1:c3:b7:e6:e0:50:8d:f0:30:2f:60:e2:d9:05:
             93:e1:e2:6e:54:1e:c1:fb:e0:66:f4:e3:3b:50:c4:aa:99:1c:
             39:cf:ce:04:64:18:b1:ac:28:14:32:6c:2c:48:af:34:b2:c0:
             0e:dc:d0:51:80:d3:5a:a3:31:8e:f6:e7:4c:c8:ed:d4:5e:17:
             b8:34:ab:07:04:1e:39:af:b2:de:47:e3:eb:84:cf:7f:51:4f:
             79:65:6c:cf

• CSR（証明書発行リクエスト）ファイルの内容チェック
  • kgb.hmuna.com　向けの証明書発行依頼であり、正常に見える

    munakata@mythen:/etc/ssl/official2 (master *)$ openssl req -text -noout -in kgbhmunaCSR.csr
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=JP, ST=Kanagawa, L=Yokohama, O=Admin, OU=IT, CN=kgb.hmuna.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:b7:d8:37:66:40:96:9f:9c:f0:96:e6:fd:9a:25:
                        d7:89:6b:6a:9e:44:67:22:24:0d:09:ad:03:36:e7:
                        65:9d:82:ed:c5:60:be:4c:a0:7c:7e:52:54:c8:84:
                        f2:9f:6d:19:d4:f4:9e:ed:9f:73:d0:a5:df:83:1f:
                        44:99:26:ab:e7:d0:ff:05:48:1e:f3:9e:2b:bd:2a:
                        ac:4a:bd:25:cb:48:d7:c0:6d:20:a0:ab:62:f8:82:
                        d7:c4:ea:5c:1c:7d:ac:19:cc:60:6a:b2:9e:e0:3b:
                        1f:cd:36:be:35:3e:27:a4:0e:cd:07:1b:1b:bc:d4:
                        5d:57:63:f5:0d:ba:bf:a9:c1:3e:f7:7c:13:6a:b7:
                        8e:14:3f:5e:43:7a:87:c4:03:68:52:73:6e:c7:d9:
                        c0:8d:8f:24:07:ce:7a:cb:b5:5f:fb:bd:47:80:08:
                        28:08:67:4e:dd:93:2e:37:16:e6:0e:f3:28:ad:0c:
                        36:11:51:b0:d3:dd:cc:9d:8b:a1:58:c6:af:64:78:
                        44:7d:42:cc:d2:40:42:c0:cb:96:11:a9:f8:50:ed:
                        89:98:de:28:3f:a5:1a:41:ad:b1:b1:88:a9:5b:90:
                        15:06:31:dc:0b:e1:24:eb:99:2f:1f:09:48:c0:f1:
                        09:9c:e5:de:cd:d5:ce:e0:b2:81:b4:61:fb:0f:61:
                        00:e5
                    Exponent: 65537 (0x10001)
            Attributes:
                a0:00
        Signature Algorithm: sha256WithRSAEncryption
             0f:54:51:bb:62:65:46:be:2a:1e:a0:f6:f9:36:97:da:b2:1a:
             41:cc:43:32:ea:37:87:8d:d4:8d:dd:2e:ac:20:65:a8:6a:63:
             f5:d6:b7:b3:db:20:97:20:42:b9:4f:54:fa:45:c7:00:d6:48:
             40:d2:88:54:f8:eb:ae:29:ac:5a:7d:29:6c:00:ce:aa:85:1a:
             2e:72:91:be:c7:5a:9a:5e:02:8e:9d:43:22:d6:f0:b9:7f:9c:
             46:0f:d8:1a:03:2f:e8:25:ab:56:8b:85:f2:7c:ad:ff:3e:d5:
             1e:db:96:e7:e0:f5:23:7c:22:39:87:4e:bf:58:8a:84:02:b9:
             00:cd:81:4c:8e:13:f9:85:1f:2b:11:b9:89:cc:a4:3f:08:4c:
             c2:ca:df:0f:45:d7:89:e4:96:de:d9:a6:cc:4e:b9:84:50:a5:
             09:db:85:22:13:5b:02:4c:70:ab:30:a1:0c:4d:b1:3a:00:57:
             f3:c6:22:f0:b8:ff:89:57:e0:62:c8:6e:23:3d:94:8c:c4:2d:
             19:94:2e:0e:bd:10:95:ec:6c:0c:dc:45:bf:98:b1:5c:e4:67:
             c1:bd:ab:f9:32:65:37:5e:b2:40:5d:5c:01:a9:14:27:87:01:
             2b:ef:86:8a:e9:95:43:a7:66:4c:4a:65:ee:a4:b4:f8:c3:65:
             9d:54:f4:41

• comodo による証明書発行時のガイダンス ORDER_15187565.eml を再確認
  • Attached to this email you should find a .zip file containing:
    • Root CA Certificate - AddTrustExternalCARoot.crt
    • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
    • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
    • Your PositiveSSL Certificate - kgb_hmuna_com.crt

You can also find your PositiveSSL Certificate for kgb.hmuna.com in text format at the bottom of this email.

• Apache 内での証明書関連の設定（経緯込み全体）

  # 20101225 に公式の証明書（でも安い！）を導入しなおした。
  # 20121211 に公式の証明書（でも安い！）を導入しなおした。
  # 20140928 に wiki.hmuna.com --> kgb.hmuna.com 変更に伴い公式の証明書を導入しなおした。
  # 導入経緯の説明は wiki に（https://kgb.hmuna.com:443/index.php?HomeServer6）
  #   Server Certificate:
  #SSLCertificateFile      /etc/ssl/official/wikihmunaSSLCertificateFile.pem
  #SSLCertificateFile      /etc/ssl/official2/wikihmunaSSLCertificateFile2.pem
  SSLCertificateFile      /etc/ssl/official2/kgb_hmuna_com.crt
  #   Server Private Key:
  #SSLCertificateKeyFile   /etc/ssl/official/wikihmunaPrivateKey.key
  #SSLCertificateKeyFile   /etc/ssl/official2/wiki.hmuna.com.privatekey
  SSLCertificateKeyFile   /etc/ssl/official2/kgb.hmuna.com.privatekey
  #   Server Certificate Chain:
  #SSLCertificateChainFile /etc/ssl/official/RapidSSL_CA_bundle.pem
  #SSLCertificateChainFile /etc/ssl/official2/GeoTrust_intermediate_Certificate.pem
  SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddTrustCA.crt
  SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddTrustCA.crt

• Apache 内での証明書関連の設定（kgb 関連部分）

  # 20140928 に wiki.hmuna.com --> kgb.hmuna.com 変更に伴い公式の証明書を導入しなおした。
  # 導入経緯の説明は wiki に（https://kgb.hmuna.com:443/index.php?HomeServer6）
  #   Server Certificate:
  SSLCertificateFile      /etc/ssl/official2/kgb_hmuna_com.crt
  #   Server Private Key:
  SSLCertificateKeyFile   /etc/ssl/official2/kgb.hmuna.com.privatekey
  #   Server Certificate Chain:
  SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddTrustCA.crt
  SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddTrustCA.crt

  • 中間証明書（COMODORSAAddTrustCA.crt）が怪しい、2つ書いてあるのは害は無いだろうが中味が問題
  • 良く読み直すと Comodo からは中間証明書が2つ発行されているが、上記設定では2つ目の設定をしようとして正しい2つ目を記載ミスしている？
  • 修正して relaod

    SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddTrustCA.crt
    SSLCertificateChainFile /etc/ssl/official2/COMODORSADomainValidationSecureServerCA.crt

     

Site admin: munakata

PukiWiki 1.5.4 © 2001-2022 PukiWiki Development Team. Powered by PHP 8.3.6. HTML convert time: 0.005 sec.