#contents
*** One of the md0 drives was not running @2017-6-11 [#qab53402]
- Ubuntu's Disks utility showed md0 in red → md0 was in a degraded state. Checked its status
-- The superblock is persistent, but one drive (/dev/sda) had been dropped from the array: slot 0 shows "removed" and Total Devices is 1 against Raid Devices 2

 munakata@mythen:~ (master #)$ sudo mdadm  -D /dev/md0
 /dev/md0:
         Version : 1.2
   Creation Time : Sun Dec 11 23:04:19 2011
      Raid Level : raid1
      Array Size : 3906885632 (3725.90 GiB 4000.65 GB)
   Used Dev Size : 3906885632 (3725.90 GiB 4000.65 GB)
    Raid Devices : 2
   Total Devices : 1
     Persistence : Superblock is persistent
 
     Update Time : Sat Jun 10 18:28:18 2017
           State : clean, degraded
  Active Devices : 1
 Working Devices : 1
  Failed Devices : 0
   Spare Devices : 0
 
            Name : mythen:0
            UUID : 4cd693e9:dd3ad1a9:3a5a23a9:62ce3a05
          Events : 280089
 
     Number   Major   Minor   RaidDevice State
        0       0        0        0      removed
        2       8       17        1      active sync   /dev/sdb1

- Checked with a smartctl short self-test whether /dev/sda is reporting errors

 munakata@mythen:~ (master #)$ sudo smartctl -t short /dev/sda
 smartctl 6.2 2013-07-26 r3841 [x86_64-linux-3.13.0-48-generic] (local build)
 Copyright (C) 2002-13, Bruce Allen, Christian Franke, www.smartmontools.org
 
 Testing has begun.
 Please wait 2 minutes for test to complete.
 Test will complete after Sat Jun 10 18:27:37 2017
 
 Use smartctl -X to abort test.

- The test reports no fault on /dev/sda itself (Completed without error)
-- A short self-test reads only a small part of the surface and says nothing about why md dropped the device; the kernel log from the time the device was marked failed is where to look for that

 munakata@mythen:~ (master #)$ sudo smartctl -l selftest /dev/sda
 smartctl 6.2 2013-07-26 r3841 [x86_64-linux-3.13.0-48-generic] (local build)
 Copyright (C) 2002-13, Bruce Allen, Christian Franke, www.smartmontools.org
 
 === START OF READ SMART DATA SECTION ===
 SMART Self-test log structure revision number 1
 Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
 # 1  Short offline       Completed without error       00%     22649         -

- Re-added /dev/sda1 to md0 → the rebuild starts automatically (/dev/sda1 joins as a spare and is rebuilt in full from /dev/sdb1, which takes several hours on a 4 TB mirror)

 munakata@mythen:~ (master #)$ sudo mdadm /dev/md0 --add /dev/sda1
 mdadm: added /dev/sda1

- During the rebuild (about 4 hours in)

 munakata@mythen:~ (master #)$ sudo mdadm  -D /dev/md0
 /dev/md0:
         Version : 1.2
   Creation Time : Sun Dec 11 23:04:19 2011
      Raid Level : raid1
      Array Size : 3906885632 (3725.90 GiB 4000.65 GB)
   Used Dev Size : 3906885632 (3725.90 GiB 4000.65 GB)
    Raid Devices : 2
   Total Devices : 2
     Persistence : Superblock is persistent
 
     Update Time : Sat Jun 10 19:49:34 2017
           State : clean, degraded, recovering 
  Active Devices : 1
 Working Devices : 2
  Failed Devices : 0
   Spare Devices : 1
 
  Rebuild Status : 14% complete
 
            Name : mythen:0
            UUID : 4cd693e9:dd3ad1a9:3a5a23a9:62ce3a05
          Events : 282261
 
     Number   Major   Minor   RaidDevice State
        3       8        1        0      spare rebuilding   /dev/sda1
        2       8       17        1      active sync   /dev/sdb1

- After the rebuild completed

 munakata@mythen:~ (master #)$ sudo mdadm  -D /dev/md0
 /dev/md0:
         Version : 1.2
   Creation Time : Sun Dec 11 23:04:19 2011
      Raid Level : raid1
      Array Size : 3906885632 (3725.90 GiB 4000.65 GB)
   Used Dev Size : 3906885632 (3725.90 GiB 4000.65 GB)
    Raid Devices : 2
   Total Devices : 2
     Persistence : Superblock is persistent
 
     Update Time : Sun Jun 11 07:40:39 2017
           State : clean 
  Active Devices : 2
 Working Devices : 2
  Failed Devices : 0
   Spare Devices : 0
 
            Name : mythen:0
            UUID : 4cd693e9:dd3ad1a9:3a5a23a9:62ce3a05
          Events : 296999
 
     Number   Major   Minor   RaidDevice State
        3       8        1        0      active sync   /dev/sda1
        2       8       17        1      active sync   /dev/sdb1


 munakata@mythen:~ (master #)$ cat /proc/mdstat 
 Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10] 
 md0 : active raid1 sda1[3] sdb1[2]
       3906885632 blocks super 1.2 [2/2] [UU]




*** dtv_recipe is unstable @2017-6-11 [#a0649bd9]
- Some of the files recorded to the HDD started failing with read errors (playback stops part way through)
- Checked the SMART data
-- The important point is &color(red){Current_Pending_Sector = 4}; which is not a healthy state. Offline_Uncorrectable is also 3, and the self-test execution status (121) says the previous self-test failed on its read element, so the overall "PASSED" verdict means nothing here

 munakata@mythen:~ (master #)$ sudo smartctl -a /dev/sdf
 smartctl 6.2 2013-07-26 r3841 [x86_64-linux-3.13.0-48-generic] (local build)
 Copyright (C) 2002-13, Bruce Allen, Christian Franke, www.smartmontools.org
 
 === START OF INFORMATION SECTION ===
 Device Model:     WDC WD40EZRZ-00WN9B0
 Serial Number:    WD-WCC4E3JH7YV9
 LU WWN Device Id: 5 0014ee 261da88a0
 
 Firmware Version: 80.00A80
 User Capacity:    4,000,787,030,016 bytes [4.00 TB]
 Sector Sizes:     512 bytes logical, 4096 bytes physical
 Rotation Rate:    5400 rpm
 Device is:        Not in smartctl database [for details use: -P showall]
 ATA Version is:   ACS-2 (minor revision not indicated)
 SATA Version is:  SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)
 Local Time is:    Sun Jun 11 08:07:16 2017 JST
 SMART support is: Available - device has SMART capability.
 SMART support is: Enabled
 
 === START OF READ SMART DATA SECTION ===
 SMART overall-health self-assessment test result: PASSED
 
 General SMART Values:
 Offline data collection status:  (0x82)	Offline data collection activity
 					was completed without error.
 					Auto Offline Data Collection: Enabled.
 Self-test execution status:      ( 121)	The previous self-test completed having
 					the read element of the test failed.
 Total time to complete Offline 
 data collection: 		(53760) seconds.
 Offline data collection
 capabilities: 			 (0x7b) SMART execute Offline immediate.
 					Auto Offline data collection on/off support.
 					Suspend Offline collection upon new
 					command.
 					Offline surface scan supported.
 					Self-test supported.
 					Conveyance Self-test supported.
 					Selective Self-test supported.
 SMART capabilities:            (0x0003)	Saves SMART data before entering
 					power-saving mode.
 					Supports SMART auto save timer.
 Error logging capability:        (0x01)	Error logging supported.
 					General Purpose Logging supported.
 Short self-test routine 
 recommended polling time: 	 (   2) minutes.
 Extended self-test routine
 recommended polling time: 	 ( 537) minutes.
 Conveyance self-test routine
 recommended polling time: 	 (   5) minutes.
 SCT capabilities: 	       (0x7035)	SCT Status supported.
 					SCT Feature Control supported.
 					SCT Data Table supported.
 
 SMART Attributes Data Structure revision number: 16
 Vendor Specific SMART Attributes with Thresholds:
 ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
   1 Raw_Read_Error_Rate     0x002f   200   200   051    Pre-fail  Always       -       912
   3 Spin_Up_Time            0x0027   185   179   021    Pre-fail  Always       -       7741
   4 Start_Stop_Count        0x0032   100   100   000    Old_age   Always       -       16
   5 Reallocated_Sector_Ct   0x0033   200   200   140    Pre-fail  Always       -       0
   7 Seek_Error_Rate         0x002e   200   200   000    Old_age   Always       -       0
   9 Power_On_Hours          0x0032   081   081   000    Old_age   Always       -       14096
  10 Spin_Retry_Count        0x0032   100   253   000    Old_age   Always       -       0
  11 Calibration_Retry_Count 0x0032   100   253   000    Old_age   Always       -       0
  12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       10
 192 Power-Off_Retract_Count 0x0032   200   200   000    Old_age   Always       -       2
 193 Load_Cycle_Count        0x0032   025   025   000    Old_age   Always       -       527334
 194 Temperature_Celsius     0x0022   110   104   000    Old_age   Always       -       42
 196 Reallocated_Event_Count 0x0032   200   200   000    Old_age   Always       -       0
 197 Current_Pending_Sector  0x0032   200   200   000    Old_age   Always       -       4 <------- here
 198 Offline_Uncorrectable   0x0030   200   200   000    Old_age   Offline      -       3
 199 UDMA_CRC_Error_Count    0x0032   200   200   000    Old_age   Always       -       0
 200 Multi_Zone_Error_Rate   0x0008   200   200   000    Old_age   Offline      -       208
 
 SMART Error Log Version: 1
 No Errors Logged

-- Run a self-test on dtv_recipe (/dev/sdf)

 munakata@mythen:~ (master #)$ sudo smartctl -t short /dev/sdf
 smartctl 6.2 2013-07-26 r3841 [x86_64-linux-3.13.0-48-generic] (local build)
 Copyright (C) 2002-13, Bruce Allen, Christian Franke, www.smartmontools.org
 
 === START OF OFFLINE IMMEDIATE AND SELF-TEST SECTION ===
 Sending command: "Execute SMART Short self-test routine immediately in off-line mode".
 Drive command "Execute SMART Short self-test routine immediately in off-line mode" successful.
 Testing has begun.
 Please wait 2 minutes for test to complete.
 Test will complete after Sun Jun 11 08:06:42 2017
 
 Use smartctl -X to abort test.

- Look at the test results
-- Newest result first
-- Every run ended with a read failure, and the LBA of the first error is recorded

 SMART Self-test log structure revision number 1
 Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
 # 1  Short offline       Completed: read failure       90%     14096         140218489
 # 2  Extended offline    Completed: read failure       90%     14082         140218489
 # 3  Conveyance offline  Completed: read failure       90%     14082         140218488
 # 4  Short offline       Completed: read failure       90%     14082         140218488

- Decided to replace the disk this time.
- There was also a [[writeup of a workaround:http://nyacom.net/?p=78]] that provisionally maps the bad block out of use (but there is no guarantee that only one block is bad)
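Both incidents above come down to the same three checks: is an md array missing a member, are the SMART attributes that must stay at zero (5, 196, 197, 198, 199) non-zero, and on which LBA did a self-test fail. The following Python script is an added example, not part of this page or of the author's tooling, that runs those checks over constructed copies of the smartctl and /proc/mdstat output shown above (the degraded "[2/1] [_U]" mdstat line is constructed for the demonstration; the page only shows the healthy array after the rebuild). It also maps a failing LBA to its 4 KiB physical sector: /dev/sdf is a 512e drive ("512 bytes logical, 4096 bytes physical"), and the two LBAs the self-tests reported, 140218489 and 140218488, both lie in the physical sector 140218488..140218495, which is one reason mapping out "the bad block" by logical sector number is too narrow a view.

```python
import re

# Constructed samples, copied from the outputs shown above and trimmed:
# the `smartctl -a /dev/sdf` attribute rows, the self-test logs of sdf and
# sda, and a /proc/mdstat for md0 as it looks while degraded (constructed).
SMART_ATTRS_SDF = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x002f   200   200   051    Pre-fail  Always       -       912
  5 Reallocated_Sector_Ct   0x0033   200   200   140    Pre-fail  Always       -       0
194 Temperature_Celsius     0x0022   110   104   000    Old_age   Always       -       42
196 Reallocated_Event_Count 0x0032   200   200   000    Old_age   Always       -       0
197 Current_Pending_Sector  0x0032   200   200   000    Old_age   Always       -       4
198 Offline_Uncorrectable   0x0030   200   200   000    Old_age   Offline      -       3
199 UDMA_CRC_Error_Count    0x0032   200   200   000    Old_age   Always       -       0
"""

SELFTEST_LOG_SDF = """\
Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Short offline       Completed: read failure       90%     14096         140218489
# 2  Extended offline    Completed: read failure       90%     14082         140218489
# 3  Conveyance offline  Completed: read failure       90%     14082         140218488
"""

SELFTEST_LOG_SDA = """\
Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Short offline       Completed without error       00%     22649         -
"""

MDSTAT_DEGRADED = """\
Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
md0 : active raid1 sdb1[2]
      3906885632 blocks super 1.2 [2/1] [_U]
"""

# Attributes whose raw value is 0 on a drive with a clean surface and a clean cable.
WATCHED = {5: "Reallocated_Sector_Ct", 196: "Reallocated_Event_Count",
           197: "Current_Pending_Sector", 198: "Offline_Uncorrectable",
           199: "UDMA_CRC_Error_Count"}

# ID, name, flag, then VALUE WORST THRESH TYPE UPDATED WHEN_FAILED, then the raw value.
ATTR_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]{4}(?:\s+\S+){6}\s+(\d+)")


def parse_attributes(text):
    """Map attribute ID -> raw value (its leading integer) from a `smartctl -A` table."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_ROW.match(line)
        if m:
            attrs[int(m.group(1))] = int(m.group(3))
    return attrs


def smart_findings(text):
    """Return {attribute_name: raw_value} for the watched attributes that are non-zero."""
    attrs = parse_attributes(text)
    return {name: attrs[i] for i, name in WATCHED.items() if attrs.get(i, 0) > 0}


def selftest_failures(text):
    """Return [(test, status, lifetime_hours, lba)] for self-test log entries that did not pass."""
    failures = []
    for line in text.splitlines():
        if not line.startswith("#"):
            continue
        fields = re.split(r"\s{2,}", line.strip())   # columns are separated by 2+ spaces
        if len(fields) < 6:
            continue
        _, test, status, _, hours, lba = fields[:6]
        if status != "Completed without error":
            failures.append((test, status, int(hours), None if lba == "-" else int(lba)))
    return failures


def physical_sector(lba, logical=512, physical=4096):
    """First and last logical LBA of the physical sector containing `lba` (512e drive)."""
    per_phys = physical // logical
    start = lba - lba % per_phys
    return start, start + per_phys - 1


def degraded_arrays(text):
    """Map md name -> (working, total) for /proc/mdstat arrays with a missing member."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(md\d+)\s*:", line)
        if m:
            current = m.group(1)
            continue
        m = re.search(r"\[(\d+)/(\d+)\]\s+\[([U_]+)\]", line)   # [raid_disks/working] [slots]
        if m and current:
            total, working, slots = int(m.group(1)), int(m.group(2)), m.group(3)
            if working < total or "_" in slots:
                result[current] = (working, total)
    return result


if __name__ == "__main__":
    print("degraded arrays:", degraded_arrays(MDSTAT_DEGRADED))
    print("sdf attributes:", smart_findings(SMART_ATTRS_SDF))
    for test, status, hours, lba in selftest_failures(SELFTEST_LOG_SDF):
        print("sdf %s at %dh: %s, LBA %s in 4K sector %s" % (test, hours, status, lba, physical_sector(lba)))
    print("sda failures:", selftest_failures(SELFTEST_LOG_SDA))
```

Run it periodically against the live outputs (smartctl -A, smartctl -l selftest, cat /proc/mdstat) and alert on any non-empty result; the attribute check deliberately ignores the vendor "PASSED" verdict, which as the sdf dump shows stays green while sectors are pending.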

*** Exposing the server externally with a One Time Password (OTP) [#i0937aa3]
- Adding OTP authentication to Apache (the OTPAuth* directives below belong to mod_authn_otp, which also maintains the users file)
-- Satisfy any makes the Allow from lines a complete bypass of the OTP: any request that reaches Apache from 127.0.0.1 or 192.168.1.0/24, including one relayed by a reverse proxy on the same host or LAN, gets in with no password at all

 	<Directory /raid_vol/www/pukiwiki>
 		Options +Indexes +FollowSymLinks +MultiViews
 		AllowOverride None
 
 		# Allow access without a password from the local network
 		Satisfy any
 		Order allow,deny
 		Allow from 127.0.0.1
 		Allow from 192.168.1
 
 		# Require a one-time password from everywhere else
 		AuthType Basic
 		AuthName "OTP Authentication (Enter OTP as password)"
 		AuthBasicProvider OTP
 		Require valid-user
 		OTPAuthUsersFile /raid_vol/www/otp/users
 		OTPAuthMaxLinger 3600
 		OTPAuthLogoutOnIPChange On
 
 		#AuthType Basic
 		#AuthName "KGB 奈々子"
 		## nanamochahiko
 		#AuthUserFile "/raid_vol/home/munakata/.htpasswd"
 		#Require user munakata
 	</Directory>

- User registration script (placed in munakata's home directory) ---- &ref(otp_user_entry.sh);

 #!/bin/bash -e
 # Register a TOTP user for mod_authn_otp and print a QR-code URL for the seed.
 # Run as root (the users directory is chowned to www-data).
 user=${1:?Usage: $0 username}
 issuer=${2:-KGB}
 # 15 random characters from [a-z0-9] (about 77 bits of entropy); the raw bytes
 # of this ASCII string are the shared secret
 secret=$(tr -dc 'a-z0-9' < /dev/urandom | fold -w 15 | head -n 1)
 # mod_authn_otp wants the key as hex, authenticator apps want it as base32 (Python 2 syntax)
 secret_base16=$(python -c "import base64; print base64.b16encode('${secret}')")
 secret_base32=$(python -c "import base64; print base64.b32encode('${secret}')")
 otpauth_uri="otpauth://totp/${issuer}:${user}?secret=${secret_base32}&issuer=${issuer}"
 otpauth_uri=$(python -c "import urllib; print urllib.quote('${otpauth_uri}')")
 # NOTE: this hands the seed to a third-party chart service (and to any proxy log on the way)
 qrcode_url="https://chart.googleapis.com/chart?chs=300x300&cht=qr&chl=${otpauth_uri}"
 
 file="/raid_vol/www/otp/users"
 if [ ! -f "${file}" ]; then
   [ -d "$(dirname "$file")" ] || mkdir -p "$(dirname "$file")"
   touch "${file}"
   # mod_authn_otp rewrites this file to record token state, so the web server must own it
   chown -R www-data:www-data "$(dirname "$file")"
 fi
 [ -w "${file}" ] || { echo "${file}: Permission denied" >&2; exit 1; }
 
 # Field 2 of each line is the user name; refuse to add a duplicate
 # (the original pattern /^$user}$/ had a stray brace and never matched)
 count=$(awk -v u="$user" '$2 == u' "${file}" | wc -l)
 if [ "$count" -le 0 ]; then
   # Line format: <token type> <user> <PIN> <hex key>; HOTP/T30 = time-based, 30 s step, "-" = no PIN
   echo "HOTP/T30 $(printf '%-12s' "$user") - ${secret_base16}" >> "${file}"
   echo "$qrcode_url"
 else
   echo "User '$user' already exists"
 fi

-- [[QR code for munakata:https://chart.googleapis.com/chart?chs=300x300&cht=qr&chl=otpauth%3A//totp/KGB%3Amunakata%3Fsecret%3DOQ2HQ5DIPFXG65TPPJ3W243Z%26issuer%3DKGB]]
-- The secret= parameter in that URL is the live TOTP seed: anyone who can read this page, or the chart service's logs, can clone the token. Rotate it and render future QR codes locally
-- &ref(muna_otp.jpg);
- Reference URLs
-- [[Applying two-factor authentication to Apache access:http://qiita.com/kz-takahashi/items/af8ea7d9894f26a65068]]
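To make visible what the users file and the QR-code URI actually carry, the following Python example (added here; not from the page and not part of mod_authn_otp) does the same job as the registration script and then the verification the module performs: it generates a seed, writes the users-file line in the "HOTP/T30 <user> <PIN> <hex key>" layout, builds the otpauth:// URI (the hex in the file and the base32 in the URI are the same bytes), and checks a submitted TOTP code against it. The users-file layout and the meaning of HOTP/T30 and "-" are assumptions about the module inferred from the script above, not documented on this page; the seed in the test is the RFC 6238 reference key.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Assumptions (not from the page): mod_authn_otp's users file holds one token per
# line as "<type> <user> <PIN> <hex key> [state...]", where "HOTP/T30" is a
# time-based token with a 30 s step and "-" means no PIN. Only the first four
# fields are read here; the module appends its own state fields after a login.


def new_user_line(user, key=None, issuer="KGB"):
    """Create a users-file line and the matching otpauth:// URI for an authenticator app.

    The seed is 20 random bytes (RFC 4226 recommends 160 bits), not a 15-character
    ASCII string as in the script above; pass `key` to make the result reproducible.
    """
    key = secrets.token_bytes(20) if key is None else key
    line = "HOTP/T30 %-12s - %s" % (user, key.hex().upper())
    secret_b32 = base64.b32encode(key).decode().rstrip("=")   # apps expect unpadded base32
    uri = "otpauth://totp/%s?secret=%s&issuer=%s" % (
        quote("%s:%s" % (issuer, user)), secret_b32, quote(issuer))
    return line, uri


def parse_users_file(text):
    """Map user -> (step_seconds, key_bytes) for the time-based tokens in the users file."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("HOTP/T"):
            continue                       # comments, blanks and counter-based tokens
        token_type, user, _pin, hex_key = fields[:4]
        users[user] = (int(token_type[len("HOTP/T"):]), bytes.fromhex(hex_key))
    return users


def totp(key, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation) for Unix time `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return "%0*d" % (digits, code)


def verify(users, user, code, now=None, window=1):
    """Accept `code` if it matches the current step or one within +/-`window` steps.

    The window absorbs clock skew between server and phone (the same idea as the
    module's maximum-offset setting); it also widens the guessing surface, so keep it small.
    """
    if user not in users:
        return False
    step, key = users[user]
    now = time.time() if now is None else now
    candidates = [totp(key, now + k * step, step) for k in range(-window, window + 1)]
    return any(hmac.compare_digest(c, code) for c in candidates)


if __name__ == "__main__":
    line, uri = new_user_line("alice")
    users = parse_users_file(line)
    print(line)
    print(uri)          # feed this to a local QR generator, never to a third-party chart URL
    print("current code:", totp(users["alice"][1], time.time()))
```

The URI is printed instead of being wrapped in a chart.googleapis.com link because the secret= parameter is the shared seed; rendering the QR code on the server (any offline QR tool) keeps the seed from ever leaving the host. Basic auth carries the code in the clear in every request, so this only makes sense behind TLS, which the page's certificate sections cover.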

*** Certificate check for kgb.hmuna.com [#zfcf4aae]
- There were server-certificate errors (browsers reporting the certificate as revoked, Kaspersky complaining about one of the intermediate certificates, and so on), so I re-checked the certificate setup.
- The certificates currently live in /etc/ssl/official2
 munakata@mythen:/etc/ssl/official2 (master *)$ ls -l
 total 68
 -rw-r--r-- 1 root root 1521 Sep 28  2014 AddTrustExternalCARoot.crt
 -rw-r--r-- 1 root root 1952 Sep 28  2014 COMODORSAAddTrustCA.crt
 -rw-r--r-- 1 root root 2151 Sep 28  2014 COMODORSADomainValidationSecureServerCA.crt
 -rw-r--r-- 1 root root 1391 Jul  6  2014 GeoTrust_intermediate_Certificate.pem
 -rw-r--r-- 1 root root 1679 Sep 28  2014 kgb.hmuna.com.privatekey
 -rw-r--r-- 1 root root 1751 Sep 24  2014 kgb.hmuna.com.privatekey-orig
 -rw-r--r-- 1 root root 1895 Sep 28  2014 kgb_hmuna_com.crt
 -rw-r--r-- 1 root root 1005 Sep 24  2014 kgbhmunaCSR.csr
 -rw-r--r-- 1 root root 1743 Jul  6  2014 mail.hmuna.com.privatekey
 -rw-r--r-- 1 root root 1675 Jul  6  2014 mail.hmuna.com.privatekey_withoutpass
 -rw-r--r-- 1 root root 1009 Jul  6  2014 mailhmunaCSR.csr
 -rw-r--r-- 1 root root 1842 Jul  6  2014 mailhmunaSSLCertificateFile2.pem
 -rw-r--r-- 1 root root 3233 Jul  6  2014 mailhmuna_combined.pem
 -rw-r--r-- 1 root root 1751 Jul  6  2014 wiki.hmuna.com.privatekey
 -rw-r--r-- 1 root root 1679 Jul  6  2014 wiki.hmuna.com.privatekey_passphraseless
 -rw-r--r-- 1 root root 1009 Jul  6  2014 wikihmunaCSR.csr
 -rw-r--r-- 1 root root 1842 Jul  6  2014 wikihmunaSSLCertificateFile2.pem
-- &color(red){The kgb certificate appears to be the one issued against the CSR created on 24 Sep 2014, but where it was bought is unknown (it does not appear in the namecheap dashboard)};
-- &color(red){Every private key in this directory, including the passphrase-less copies (*_withoutpass, *_passphraseless), is mode 0644, i.e. readable by any local account; private keys should be 0600 and owned by the account that loads them};
 
- Check the contents of the certificate, private key and CSR files used by Apache

-- Certificate file
--- Issued by Comodo in September 2014 and valid until September 2019, which looks right and matches the file dates above
 munakata@mythen:/etc/ssl/official2 (master *)$ openssl x509 -text -noout -in kgb_hmuna_com.crt
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
             71:82:44:f4:5b:6f:b9:65:dd:15:b8:e2:04:68:a7:64
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
         Validity
             Not Before: Sep 28 00:00:00 2014 GMT
             Not After : Sep 27 23:59:59 2019 GMT
         Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=kgb.hmuna.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
                     00:b7:d8:37:66:40:96:9f:9c:f0:96:e6:fd:9a:25:
                     d7:89:6b:6a:9e:44:67:22:24:0d:09:ad:03:36:e7:
                     65:9d:82:ed:c5:60:be:4c:a0:7c:7e:52:54:c8:84:
                     f2:9f:6d:19:d4:f4:9e:ed:9f:73:d0:a5:df:83:1f:
                     44:99:26:ab:e7:d0:ff:05:48:1e:f3:9e:2b:bd:2a:
                     ac:4a:bd:25:cb:48:d7:c0:6d:20:a0:ab:62:f8:82:
                     d7:c4:ea:5c:1c:7d:ac:19:cc:60:6a:b2:9e:e0:3b:
                     1f:cd:36:be:35:3e:27:a4:0e:cd:07:1b:1b:bc:d4:
                     5d:57:63:f5:0d:ba:bf:a9:c1:3e:f7:7c:13:6a:b7:
                     8e:14:3f:5e:43:7a:87:c4:03:68:52:73:6e:c7:d9:
                     c0:8d:8f:24:07:ce:7a:cb:b5:5f:fb:bd:47:80:08:
                     28:08:67:4e:dd:93:2e:37:16:e6:0e:f3:28:ad:0c:
                     36:11:51:b0:d3:dd:cc:9d:8b:a1:58:c6:af:64:78:
                     44:7d:42:cc:d2:40:42:c0:cb:96:11:a9:f8:50:ed:
                     89:98:de:28:3f:a5:1a:41:ad:b1:b1:88:a9:5b:90:
                     15:06:31:dc:0b:e1:24:eb:99:2f:1f:09:48:c0:f1:
                     09:9c:e5:de:cd:d5:ce:e0:b2:81:b4:61:fb:0f:61:
                     00:e5
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Authority Key Identifier:
                 keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7 
 
             X509v3 Subject Key Identifier:
                 68:03:77:22:D5:A3:CD:B6:A0:10:CF:A8:23:F4:46:63:B2:33:22:FB
             X509v3 Key Usage: critical
                 Digital Signature, Key Encipherment
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Extended Key Usage:
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Certificate Policies:
                 Policy: 1.3.6.1.4.1.6449.1.2.2.7
                   CPS: https://secure.comodo.com/CPS
                 Policy: 2.23.140.1.2.1
 
             X509v3 CRL Distribution Points:
 
                 Full Name:
                   URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
 
             Authority Information Access:
                 CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
                 OCSP - URI:http://ocsp.comodoca.com
 
             X509v3 Subject Alternative Name:
                 DNS:kgb.hmuna.com, DNS:www.kgb.hmuna.com
     Signature Algorithm: sha256WithRSAEncryption
          46:e6:63:54:c9:5b:e3:fb:d2:5d:8e:12:4d:68:64:ee:0d:54:
          94:e2:e7:36:12:54:4c:e0:8a:17:d6:77:85:40:b1:d1:2e:e8:
          61:94:80:15:7c:bd:90:43:51:57:68:34:5a:8c:8e:86:1a:d7:
          d8:b1:b1:46:ff:1b:91:ca:77:83:c8:0a:1d:7e:aa:58:fe:6b:
          a3:38:79:9f:75:b3:e4:04:1a:c7:06:1e:95:84:24:57:34:32:
          8d:f3:3d:af:ca:be:25:68:90:c3:da:7b:63:e8:91:85:86:3c:
          1a:4a:d7:73:c6:16:60:a2:82:c7:9e:9c:7a:68:b2:9b:b5:26:
          f7:bc:31:cf:f1:33:b4:49:1b:93:c6:a1:67:47:0b:7f:87:41:
          dd:da:d3:1d:d9:92:2e:53:d0:60:99:0c:50:a3:51:81:55:2e:
          14:80:0e:da:c1:c3:b7:e6:e0:50:8d:f0:30:2f:60:e2:d9:05:
          93:e1:e2:6e:54:1e:c1:fb:e0:66:f4:e3:3b:50:c4:aa:99:1c:
          39:cf:ce:04:64:18:b1:ac:28:14:32:6c:2c:48:af:34:b2:c0:
          0e:dc:d0:51:80:d3:5a:a3:31:8e:f6:e7:4c:c8:ed:d4:5e:17:
          b8:34:ab:07:04:1e:39:af:b2:de:47:e3:eb:84:cf:7f:51:4f:
          79:65:6c:cf

-- CSR (certificate signing request) file
--- A request for kgb.hmuna.com, and its RSA modulus is identical to the one in the certificate above (00:b7:d8:37:...), so the certificate was issued for the key pair kept in this directory
 munakata@mythen:/etc/ssl/official2 (master *)$ openssl req -text -noout -in kgbhmunaCSR.csr
 Certificate Request:
     Data:
         Version: 0 (0x0)
         Subject: C=JP, ST=Kanagawa, L=Yokohama, O=Admin, OU=IT, CN=kgb.hmuna.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
                     00:b7:d8:37:66:40:96:9f:9c:f0:96:e6:fd:9a:25:
                     d7:89:6b:6a:9e:44:67:22:24:0d:09:ad:03:36:e7:
                     65:9d:82:ed:c5:60:be:4c:a0:7c:7e:52:54:c8:84:
                     f2:9f:6d:19:d4:f4:9e:ed:9f:73:d0:a5:df:83:1f:
                     44:99:26:ab:e7:d0:ff:05:48:1e:f3:9e:2b:bd:2a:
                     ac:4a:bd:25:cb:48:d7:c0:6d:20:a0:ab:62:f8:82:
                     d7:c4:ea:5c:1c:7d:ac:19:cc:60:6a:b2:9e:e0:3b:
                     1f:cd:36:be:35:3e:27:a4:0e:cd:07:1b:1b:bc:d4:
                     5d:57:63:f5:0d:ba:bf:a9:c1:3e:f7:7c:13:6a:b7:
                     8e:14:3f:5e:43:7a:87:c4:03:68:52:73:6e:c7:d9:
                     c0:8d:8f:24:07:ce:7a:cb:b5:5f:fb:bd:47:80:08:
                     28:08:67:4e:dd:93:2e:37:16:e6:0e:f3:28:ad:0c:
                     36:11:51:b0:d3:dd:cc:9d:8b:a1:58:c6:af:64:78:
                     44:7d:42:cc:d2:40:42:c0:cb:96:11:a9:f8:50:ed:
                     89:98:de:28:3f:a5:1a:41:ad:b1:b1:88:a9:5b:90:
                     15:06:31:dc:0b:e1:24:eb:99:2f:1f:09:48:c0:f1:
                     09:9c:e5:de:cd:d5:ce:e0:b2:81:b4:61:fb:0f:61:
                     00:e5
                 Exponent: 65537 (0x10001)
         Attributes:
             a0:00
     Signature Algorithm: sha256WithRSAEncryption
          0f:54:51:bb:62:65:46:be:2a:1e:a0:f6:f9:36:97:da:b2:1a:
          41:cc:43:32:ea:37:87:8d:d4:8d:dd:2e:ac:20:65:a8:6a:63:
          f5:d6:b7:b3:db:20:97:20:42:b9:4f:54:fa:45:c7:00:d6:48:
          40:d2:88:54:f8:eb:ae:29:ac:5a:7d:29:6c:00:ce:aa:85:1a:
          2e:72:91:be:c7:5a:9a:5e:02:8e:9d:43:22:d6:f0:b9:7f:9c:
          46:0f:d8:1a:03:2f:e8:25:ab:56:8b:85:f2:7c:ad:ff:3e:d5:
          1e:db:96:e7:e0:f5:23:7c:22:39:87:4e:bf:58:8a:84:02:b9:
          00:cd:81:4c:8e:13:f9:85:1f:2b:11:b9:89:cc:a4:3f:08:4c:
          c2:ca:df:0f:45:d7:89:e4:96:de:d9:a6:cc:4e:b9:84:50:a5:
          09:db:85:22:13:5b:02:4c:70:ab:30:a1:0c:4d:b1:3a:00:57:
          f3:c6:22:f0:b8:ff:89:57:e0:62:c8:6e:23:3d:94:8c:c4:2d:
          19:94:2e:0e:bd:10:95:ec:6c:0c:dc:45:bf:98:b1:5c:e4:67:
          c1:bd:ab:f9:32:65:37:5e:b2:40:5d:5c:01:a9:14:27:87:01:
          2b:ef:86:8a:e9:95:43:a7:66:4c:4a:65:ee:a4:b4:f8:c3:65:
          9d:54:f4:41

- Re-read Comodo's guidance from when the certificate was issued &ref(ORDER_15187565.eml);
-- Attached to this email you should find a .zip file containing:
---    Root CA Certificate - AddTrustExternalCARoot.crt
---    Intermediate CA Certificate - COMODORSAAddTrustCA.crt
---    Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
---    Your PositiveSSL Certificate - kgb_hmuna_com.crt

You can also find your PositiveSSL Certificate for kgb.hmuna.com in text format at the bottom of this email.

- Certificate settings inside Apache (full history included)
 # 20101225: reinstalled with an official (but cheap!) certificate.
 # 20121211: reinstalled with an official (but cheap!) certificate.
 # 20140928: reinstalled with an official certificate for the wiki.hmuna.com --> kgb.hmuna.com rename.
 # The install history is described on the wiki (https://kgb.hmuna.com:443/index.php?HomeServer6)
 #   Server Certificate:
 #SSLCertificateFile      /etc/ssl/official/wikihmunaSSLCertificateFile.pem
 #SSLCertificateFile      /etc/ssl/official2/wikihmunaSSLCertificateFile2.pem
 SSLCertificateFile      /etc/ssl/official2/kgb_hmuna_com.crt
 #   Server Private Key:
 #SSLCertificateKeyFile   /etc/ssl/official/wikihmunaPrivateKey.key
 #SSLCertificateKeyFile   /etc/ssl/official2/wiki.hmuna.com.privatekey
 SSLCertificateKeyFile   /etc/ssl/official2/kgb.hmuna.com.privatekey
 #   Server Certificate Chain:
 #SSLCertificateChainFile /etc/ssl/official/RapidSSL_CA_bundle.pem
 #SSLCertificateChainFile /etc/ssl/official2/GeoTrust_intermediate_Certificate.pem
 SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddTrustCA.crt
 SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddTrustCA.crt

- Certificate settings inside Apache (the kgb part)
 # 20140928: reinstalled with an official certificate for the wiki.hmuna.com --> kgb.hmuna.com rename.
 # The install history is described on the wiki (https://kgb.hmuna.com:443/index.php?HomeServer6)
 #   Server Certificate:
 SSLCertificateFile      /etc/ssl/official2/kgb_hmuna_com.crt
 #   Server Private Key:
 SSLCertificateKeyFile   /etc/ssl/official2/kgb.hmuna.com.privatekey
 #   Server Certificate Chain:
 SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddTrustCA.crt
 SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddTrustCA.crt
-- &color(red){The intermediate certificate (COMODORSAAddTrustCA.crt) is suspect; listing it twice is probably harmless in itself, but its content is the problem};
-- &color(red){Re-reading the mail, Comodo issued two intermediate certificates, and the configuration above was evidently meant to list the second one but repeated the first by mistake};
-- Fixed and reloaded. Note that SSLCertificateChainFile is not cumulative in mod_ssl, the last occurrence wins, so with the two lines below Apache sends only the DV CA certificate (which is what the s_client output further down shows). To also serve COMODORSAAddTrustCA.crt for clients that do not ship the COMODO RSA root, concatenate both intermediates (DV CA first) into one file and reference it with a single directive
 SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddTrustCA.crt
 SSLCertificateChainFile /etc/ssl/official2/COMODORSADomainValidationSecureServerCA.crt

- Check the installed certificate chain from a client
-- The server presents certificates 0 (leaf) and 1 (DV CA) only; depth=2, COMODO RSA Certification Authority, is taken from the client's own trust store, so the "Verify return code: 0 (ok)" at the end relies on the client having that root
 munakata@muna-E450:~$ openssl s_client -connect kgb.hmuna.com:443 -showcerts
 CONNECTED(00000003)
 depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
 verify return:1
 depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
 verify return:1
 depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = kgb.hmuna.com
 verify return:1
 ---
 Certificate chain
  0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=kgb.hmuna.com
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 -----BEGIN CERTIFICATE-----
 MIIFSzCCBDOgAwIBAgIQcYJE9FtvuWXdFbjiBGinZDANBgkqhkiG9w0BAQsFADCB
 kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
 A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
 BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
 QTAeFw0xNDA5MjgwMDAwMDBaFw0xOTA5MjcyMzU5NTlaMFExITAfBgNVBAsTGERv
 bWFpbiBDb250cm9sIFZhbGlkYXRlZDEUMBIGA1UECxMLUG9zaXRpdmVTU0wxFjAU
 BgNVBAMTDWtnYi5obXVuYS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
 AoIBAQC32DdmQJafnPCW5v2aJdeJa2qeRGciJA0JrQM252Wdgu3FYL5MoHx+UlTI
 hPKfbRnU9J7tn3PQpd+DH0SZJqvn0P8FSB7zniu9KqxKvSXLSNfAbSCgq2L4gtfE
 6lwcfawZzGBqsp7gOx/NNr41PiekDs0HGxu81F1XY/UNur+pwT73fBNqt44UP15D
 eofEA2hSc27H2cCNjyQHznrLtV/7vUeACCgIZ07dky43FuYO8yitDDYRUbDT3cyd
 i6FYxq9keER9QszSQELAy5YRqfhQ7YmY3ig/pRpBrbGxiKlbkBUGMdwL4STrmS8f
 CUjA8Qmc5d7N1c7gsoG0YfsPYQDlAgMBAAGjggHdMIIB2TAfBgNVHSMEGDAWgBSQ
 r2o6lFoL2JDqElZz30O0Oija5zAdBgNVHQ4EFgQUaAN3ItWjzbagEM+oI/RGY7Iz
 IvswDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYB
 BQUHAwEGCCsGAQUFBwMCME8GA1UdIARIMEYwOgYLKwYBBAGyMQECAgcwKzApBggr
 BgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMwCAYGZ4EMAQIB
 MFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9E
 T1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmwwgYUGCCsGAQUF
 BwEBBHkwdzBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5jb21vZG9jYS5jb20vQ09N
 T0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAkBggrBgEF
 BQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMCsGA1UdEQQkMCKCDWtnYi5o
 bXVuYS5jb22CEXd3dy5rZ2IuaG11bmEuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBG
 5mNUyVvj+9JdjhJNaGTuDVSU4uc2ElRM4IoX1neFQLHRLuhhlIAVfL2QQ1FXaDRa
 jI6GGtfYsbFG/xuRyneDyAodfqpY/mujOHmfdbPkBBrHBh6VhCRXNDKN8z2vyr4l
 aJDD2ntj6JGFhjwaStdzxhZgooLHnpx6aLKbtSb3vDHP8TO0SRuTxqFnRwt/h0Hd
 2tMd2ZIuU9BgmQxQo1GBVS4UgA7awcO35uBQjfAwL2Di2QWT4eJuVB7B++Bm9OM7
 UMSqmRw5z84EZBixrCgUMmwsSK80ssAO3NBRgNNaozGO9udMyO3UXhe4NKsHBB45
 r7LeR+PrhM9/UU95ZWzP
 -----END CERTIFICATE-----
  1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 -----BEGIN CERTIFICATE-----
 MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
 hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
 A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
 BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMjEy
 MDAwMDAwWhcNMjkwMjExMjM1OTU5WjCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
 EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
 Q09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZh
 bGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBAI7CAhnhoFmk6zg1jSz9AdDTScBkxwtiBUUWOqigwAwCfx3M28Sh
 bXcDow+G+eMGnD4LgYqbSRutA776S9uMIO3Vzl5ljj4Nr0zCsLdFXlIvNN5IJGS0
 Qa4Al/e+Z96e0HqnU4A7fK31llVvl0cKfIWLIpeNs4TgllfQcBhglo/uLQeTnaG6
 ytHNe+nEKpooIZFNb5JPJaXyejXdJtxGpdCsWTWM/06RQ1A/WZMebFEh7lgUq/51
 UHg+TLAchhP6a5i84DuUHoVS3AOTJBhuyydRReZw3iVDpA3hSqXttn7IzW3uLh0n
 c13cRTCAquOyQQuvvUSH2rnlG51/ruWFgqUCAwEAAaOCAWUwggFhMB8GA1UdIwQY
 MBaAFLuvfgI9+qbxPISOre44mOzZMjLUMB0GA1UdDgQWBBSQr2o6lFoL2JDqElZz
 30O0Oija5zAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV
 HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgG
 BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv
 bS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggrBgEFBQcB
 AQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9E
 T1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21v
 ZG9jYS5jb20wDQYJKoZIhvcNAQEMBQADggIBAE4rdk+SHGI2ibp3wScF9BzWRJ2p
 mj6q1WZmAT7qSeaiNbz69t2Vjpk1mA42GHWx3d1Qcnyu3HeIzg/3kCDKo2cuH1Z/
 e+FE6kKVxF0NAVBGFfKBiVlsit2M8RKhjTpCipj4SzR7JzsItG8kO3KdY3RYPBps
 P0/HEZrIqPW1N+8QRcZs2eBelSaz662jue5/DJpmNXMyYE7l3YphLG5SEXdoltMY
 dVEVABt0iN3hxzgEQyjpFv3ZBdRdRydg1vs4O2xyopT4Qhrf7W8GjEXCBgCq5Ojc
 2bXhc3js9iPc0d1sjhqPpepUfJa3w/5Vjo1JXvxku88+vZbrac2/4EjxYoIQ5QxG
 V/Iz2tDIY+3GH5QFlkoakdH368+PUq4NCNk+qKBR6cGHdNXJ93SrLlP7u3r7l+L4
 HyaPs9Kg4DdbKDsx5Q5XLVq4rXmsXiBmGqW5prU5wfWYQ//u+aen/e7KJD2AFsQX
 j4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODcQgPmlKidrv0PJFGUzpII
 0fxQ8ANAe4hZ7Q7drNJ3gjTcBpUC2JD5Leo31Rpg0Gcg19hCC0Wvgmje3WYkN5Ap
 lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf
 +AZxAeKCINT+b72x
 -----END CERTIFICATE-----
 ---
 Server certificate
 subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=kgb.hmuna.com
 issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 ---
 No client certificate CA names sent
 Peer signing digest: SHA512
 Server Temp Key: ECDH, P-256, 256 bits
 ---
 SSL handshake has read 3601 bytes and written 431 bytes
 ---
 New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
 Server public key is 2048 bit
 Secure Renegotiation IS supported
 Compression: NONE
 Expansion: NONE
 No ALPN negotiated
 SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
     Session-ID: 7A9F11F070145BD4C77E8B3ABF8034697BE71B290ACB287C4ED3E8053F9223BD
     Session-ID-ctx: 
     Master-Key: 528FD41DC441663C3ED83D3E9442E260F9526C5C13A699BBBE889CBF3813084E0CFC86BB688492B97915B047C76F6BC7
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket lifetime hint: 300 (seconds)
     TLS session ticket:
     0000 - 00 4b 4e 02 87 e4 ec 03-40 34 cd e1 2e 6d 51 33   .KN.....@4...mQ3
     0010 - 08 70 b8 07 5c 9f 9c e6-76 d3 57 ed b9 03 30 c3   .p..\...v.W...0.
     0020 - 3b 43 29 5c cd f8 f0 f9-fa 4e 0e 39 8e 34 21 e8   ;C)\.....N.9.4!.
     0030 - 46 44 74 5a 51 98 76 81-ec 1c af b1 84 76 16 a4   FDtZQ.v......v..
     0040 - e9 09 d4 39 e3 bc f3 85-b6 01 5f 8e b1 fa 2b 2f   ...9......_...+/
     0050 - c0 de 25 b9 11 cc c9 53-f5 84 4e 14 47 79 60 a5   ..%....S..N.Gy`.
     0060 - f9 75 e6 9f d4 a3 62 7f-a4 ad a9 aa 40 9f 67 78   .u....b.....@.gx
     0070 - 7d 6c 06 ee 1b 2c 1d e3-73 71 e7 f8 de 45 89 33   }l...,..sq...E.3
     0080 - 86 a6 85 92 03 21 22 f9-7c 07 4e f6 00 31 af a7   .....!".|.N..1..
     0090 - d0 34 ba 93 bc 11 93 02-cd 75 87 a6 20 a0 b9 1a   .4.......u.. ...
     00a0 - a4 64 6f ba e6 16 9b fb-11 3d ec ff c9 fc 60 02   .do......=....`.
     00b0 - 9d 28 5f 79 85 f7 ad 43-2d aa 60 c5 83 f0 f2 23   .(_y...C-.`....# 
 
     Start Time: 1501092236
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)
 ---

*** Certificate renewal [#ga366933]
&color(red){On some PCs the kgb.hmuna.com certificate is reported as revoked (oddly, not on all of them), so I will buy a new one-year certificate and renew};

- Creating the CSR
-- server private key = kgb201707.key
-- pass phrase = nanamochahiko
-- A passphrase written on the same page as the key's name protects nothing; anyone who can read this page has it, so treat the key as exposed if the page is

- Order record ---- &ref(Namecheap.com Order Summary.eml);
- The issued certificate (the intermediate chain is simpler than before) ---- &ref(kgb_hmuna_com.zip);
