HomeServer14
#contents
*** One of the md0 drives was not running @2017-6-11 [#qa...
- md0 shown in red in the Ubuntu Disks menu → md0 is De...
-- Superblock persistency is maintained, but one ...
munakata@mythen:~ (master #)$ sudo mdadm -D /dev/md0
/dev/md0:
Version : 1.2
Creation Time : Sun Dec 11 23:04:19 2011
Raid Level : raid1
Array Size : 3906885632 (3725.90 GiB 4000.65 GB)
Used Dev Size : 3906885632 (3725.90 GiB 4000.65 GB)
Raid Devices : 2
Total Devices : 1
Persistence : Superblock
Update Time : Sat Jun 10 18:28:18 2017
State : clean, degraded
Active Devices : 1
Working Devices : 1
Failed Devices : 0
Spare Devices : 0
Name : mythen:0
UUID : 4cd693e9:dd3ad1a9:3a5a23a9:62ce3a05
Events : 280089
Number Major Minor RaidDevice State
0 0 0 0 removed
2 8 17 1 active sync /d...
- To see whether /dev/sda has errors, smartctl's short ...
munakata@mythen:~ (master #)$ sudo smartctl -t short /de...
smartctl 6.2 2013-07-26 r3841 [x86_64-linux-3.13.0-48-ge...
Copyright (C) 2002-13, Bruce Allen, Christian Franke, ww...
Testing has begun.
Please wait 2 minutes for test to complete.
Test will complete after Sat Jun 10 18:27:37 2017
Use smartctl -X to abort test.
- Test result: no fault on /dev/sda itself ...
munakata@mythen:~ (master #)$ sudo smartctl -l selftest ...
smartctl 6.2 2013-07-26 r3841 [x86_64-linux-3.13.0-48-ge...
Copyright (C) 2002-13, Bruce Allen, Christian Franke, ww...
=== START OF READ SMART DATA SECTION ===
SMART Self-test log structure revision number 1
Num Test_Description Status Remaini...
# 1 Short offline Completed without error 0...
- Re-attach /dev/sda to md0 → the rebuild automatically ...
munakata@mythen:~ (master #)$ sudo mdadm /dev/md0 --add ...
mdadm: added /dev/sda1
- During the rebuild (about 4 hours in)
munakata@mythen:~ (master #)$ sudo mdadm -D /dev/md0
/dev/md0:
Version : 1.2
Creation Time : Sun Dec 11 23:04:19 2011
Raid Level : raid1
Array Size : 3906885632 (3725.90 GiB 4000.65 GB)
Used Dev Size : 3906885632 (3725.90 GiB 4000.65 GB)
Raid Devices : 2
Total Devices : 2
Persistence : Superblock is persistent
Update Time : Sat Jun 10 19:49:34 2017
State : clean, degraded, recovering
Active Devices : 1
Working Devices : 2
Failed Devices : 0
Spare Devices : 1
Rebuild Status : 14% complete
Name : mythen:0
UUID : 4cd693e9:dd3ad1a9:3a5a23a9:62ce3a05
Events : 282261
Number Major Minor RaidDevice State
3 8 1 0 spare rebuilding...
2 8 17 1 active sync /d...
- At rebuild completion
munakata@mythen:~ (master #)$ sudo mdadm -D /dev/md0
/dev/md0:
Version : 1.2
Creation Time : Sun Dec 11 23:04:19 2011
Raid Level : raid1
Array Size : 3906885632 (3725.90 GiB 4000.65 GB)
Used Dev Size : 3906885632 (3725.90 GiB 4000.65 GB)
Raid Devices : 2
Total Devices : 2
Persistence : Superblock is persistent
Update Time : Sun Jun 11 07:40:39 2017
State : clean
Active Devices : 2
Working Devices : 2
Failed Devices : 0
Spare Devices : 0
Name : mythen:0
UUID : 4cd693e9:dd3ad1a9:3a5a23a9:62ce3a05
Events : 296999
Number Major Minor RaidDevice State
3 8 1 0 active sync /d...
2 8 17 1 active sync /d...
munakata@mythen:~ (master #)$ cat /proc/mdstat
Personalities : [linear] [multipath] [raid0] [raid1] [ra...
md0 : active raid1 sda1[3] sdb1[2]
3906885632 blocks super 1.2 [2/2] [UU]
*** dtv_recipe is unstable @2017-6-11 [#a0649bd9]
- Among the files recorded to the HDD, certain files hit read errors ...
- Check the SMART log
-- The important point is &color(red){Current_Pending_Sector = 4}; ...
munakata@mythen:~ (master #)$ sudo smartctl -a /dev/sdf
smartctl 6.2 2013-07-26 r3841 [x86_64-linux-3.13.0-48-ge...
Copyright (C) 2002-13, Bruce Allen, Christian Franke, ww...
=== START OF INFORMATION SECTION ===
Device Model: WDC WD40EZRZ-00WN9B0
Serial Number: WD-WCC4E3JH7YV9
LU WWN Device Id: 5 0014ee 261da88a0
Firmware Version: 80.00A80
User Capacity: 4,000,787,030,016 bytes [4.00 TB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
Rotation Rate: 5400 rpm
Device is: Not in smartctl database [for details ...
ATA Version is: ACS-2 (minor revision not indicated)
SATA Version is: SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is: Sun Jun 11 08:07:16 2017 JST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
General SMART Values:
Offline data collection status: (0x82) Offline data col...
was completed without error.
Auto Offline Data Collection: Enabled.
Self-test execution status: ( 121) The previous sel...
the read element of the test failed.
Total time to complete Offline
data collection: (53760) seconds.
Offline data collection
capabilities: (0x7b) SMART execute Offline immediate.
Auto Offline data collection on/off support.
Suspend Offline collection upon new
command.
Offline surface scan supported.
Self-test supported.
Conveyance Self-test supported.
Selective Self-test supported.
SMART capabilities: (0x0003) Saves SMART data...
power-saving mode.
Supports SMART auto save timer.
Error logging capability: (0x01) Error logging su...
General Purpose Logging supported.
Short self-test routine
recommended polling time: ( 2) minutes.
Extended self-test routine
recommended polling time: ( 537) minutes.
Conveyance self-test routine
recommended polling time: ( 5) minutes.
SCT capabilities: (0x7035) SCT Status supported.
SCT Feature Control supported.
SCT Data Table supported.
SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH ...
1 Raw_Read_Error_Rate 0x002f 200 200 051 ...
3 Spin_Up_Time 0x0027 185 179 021 ...
4 Start_Stop_Count 0x0032 100 100 000 ...
5 Reallocated_Sector_Ct 0x0033 200 200 140 ...
7 Seek_Error_Rate 0x002e 200 200 000 ...
9 Power_On_Hours 0x0032 081 081 000 ...
10 Spin_Retry_Count 0x0032 100 253 000 ...
11 Calibration_Retry_Count 0x0032 100 253 000 ...
12 Power_Cycle_Count 0x0032 100 100 000 ...
192 Power-Off_Retract_Count 0x0032 200 200 000 ...
193 Load_Cycle_Count 0x0032 025 025 000 ...
194 Temperature_Celsius 0x0022 110 104 000 ...
196 Reallocated_Event_Count 0x0032 200 200 000 ...
197 Current_Pending_Sector 0x0032 200 200 000 ...
198 Offline_Uncorrectable 0x0030 200 200 000 ...
199 UDMA_CRC_Error_Count 0x0032 200 200 000 ...
200 Multi_Zone_Error_Rate 0x0008 200 200 000 ...
SMART Error Log Version: 1
No Errors Logged
-- Test dtv_recipe (/dev/sdf)
munakata@mythen:~ (master #)$ sudo smartctl -t short /de...
smartctl 6.2 2013-07-26 r3841 [x86_64-linux-3.13.0-48-ge...
Copyright (C) 2002-13, Bruce Allen, Christian Franke, ww...
=== START OF OFFLINE IMMEDIATE AND SELF-TEST SECTION ===
Sending command: "Execute SMART Short self-test routine ...
Drive command "Execute SMART Short self-test routine imm...
Testing has begun.
Please wait 2 minutes for test to complete.
Test will complete after Sun Jun 11 08:06:42 2017
Use smartctl -X to abort test.
- View the test results
-- Most recent test result first
-- They end with read_failure, and the first of the LBAs with errors ...
SMART Self-test log structure revision number 1
Num Test_Description Status Remaini...
# 1 Short offline Completed: read failure 9...
# 2 Extended offline Completed: read failure 9...
# 3 Conveyance offline Completed: read failure 9...
# 4 Short offline Completed: read failure 9...
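- This time I decided to replace the disk.
- As a stopgap, avoid using the bad blocks: [[introduction to the setting:http://nyac...
*** Exposing the server externally using One Time Password (OTP) ...
- Adding OTP authentication to Apache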
<Directory /raid_vol/www/pukiwiki>
Options +Indexes +FollowSymLinks +MultiViews
AllowOverride None
# Allow access from the local network without a password
Satisfy any
Order allow,deny
Allow from 127.0.0.1
Allow from 192.168.1
# Require a one-time password for access from anywhere else
AuthType Basic
AuthName "OTP Authentication (Enter OTP as password)"
AuthBasicProvider OTP
Require valid-user
OTPAuthUsersFile /raid_vol/www/otp/users
OTPAuthMaxLinger 3600
OTPAuthLogoutOnIPChange On
#AuthType Basic
#AuthName "KGB 奈々子"
## nanamochahiko
#AuthUserFile "/raid_vol/home/munakata/.htpasswd"
#Require user munakata
</Directory>
- User registration script ( munakata's home ...
#!/bin/bash -e
user=${1:?Usage: $0 username}
issuer=${2:-KGB}
secret=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 15...
secret_base16=$(python -c "import base64; print base64.b...
secret_base32=$(python -c "import base64; print base64.b...
otpauth_uri="otpauth://totp/${issuer}:${user}?secret=${s...
otpauth_uri=$(python -c "import urllib; print urllib.quo...
qrcode_url="https://chart.googleapis.com/chart?chs=300x3...
file="/raid_vol/www/otp/users"
if [ ! -f "${file}" ]; then
[ -d $(dirname "$file") ] || mkdir -p $(dirname "$file")
touch ${file}
chown -R www-data:www-data $(dirname "$file")
fi
[ -w "${file}" ] || (echo "${file}: Permission denied" &...
count=$(awk "\$2 ~ /^${user}\$/" "${file}" | wc -l)
if [ $count -le 0 ]; then
echo "HOTP/T30 $(printf '%-12s' $user) - ${secret_base...
echo "$qrcode_url"
else
echo "User '$user' already exists"
fi
-- [[QR code for munakata:https://chart.googleapis.com...
-- &ref(muna_otp.jpg);
- Reference URL
-- [[Applying two-factor authentication to Apache access:http://qiit...
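Added example, not part of the original notes: the registration script produces the same secret in base16 and base32, one for the users file and one for the otpauth URI. The Python below parses a users-file line of the shape the script echoes, derives the base32 form an authenticator app would receive, and computes and verifies the 30-second TOTP (RFC 6238). It assumes the key field in the users file is hex; the sample line uses the RFC test key and all function names are illustrative.

```python
# Added example (not from the original page). Assumes the users-file line has
# the shape the script echoes: "HOTP/T30 <user> - <key>", with <key> in hex.
import base64
import hashlib
import hmac
import struct

# Constructed sample: the key is the RFC 4226/6238 test key "12345678901234567890".
SAMPLE_LINE = "HOTP/T30 alice        - 3132333435363738393031323334353637383930"


def parse_users_line(line):
    """Split one users-file line into its token settings and raw key bytes."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("expected: token-type user pin hex-key")
    token_type, user, pin, hex_key = fields[:4]
    kind, *options = token_type.split("/")
    if kind != "HOTP":
        raise ValueError("unsupported token type: %s" % token_type)
    step, digits = None, 6
    for opt in options:
        if opt.startswith("T"):
            step = int(opt[1:] or 30)      # "T30" = time-based, 30 s steps
        elif opt.isdigit():
            digits = int(opt)              # optional code length
    if step is None:
        raise ValueError("counter-based tokens are outside this example")
    return {"user": user, "pin": None if pin == "-" else pin,
            "step": step, "digits": digits, "key": bytes.fromhex(hex_key)}


def authenticator_secret(key):
    """Base32 form of the key, as carried in the otpauth:// URI secret."""
    return base64.b32encode(key).decode("ascii").rstrip("=")


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the number of elapsed steps."""
    return hotp(key, int(unix_time) // step, digits)


def verify_totp(key, candidate, unix_time, step=30, digits=6, window=1):
    """Accept codes from +/- `window` steps to tolerate clock drift."""
    counter = int(unix_time) // step
    ok = False
    for c in range(max(0, counter - window), counter + window + 1):
        # compare_digest avoids leaking how many leading digits matched
        if hmac.compare_digest(hotp(key, c, digits), candidate):
            ok = True
    return ok


if __name__ == "__main__":
    entry = parse_users_line(SAMPLE_LINE)
    print("user:", entry["user"])
    print("base32 secret for the QR code:", authenticator_secret(entry["key"]))
    print("code at t=59:", totp(entry["key"], 59, entry["step"], entry["digits"]))
```

A wider `window` tolerates more clock drift but lengthens the time a captured code stays usable.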
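*** Verifying the kgb.hmuna.com certificate [#zfcf4aae]
- Server-certificate-related error (the browser reports the certificate as revoked ...
- The current certificates are located in /etc/ssl/official2
munakata@mythen:...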
$ ls -l
合計 68
-rw-r--r-- 1 root root 1521 9月 28 2014 AddTrustExtern...
-rw-r--r-- 1 root root 1952 9月 28 2014 COMODORSAAddTr...
-rw-r--r-- 1 root root 2151 9月 28 2014 COMODORSADomai...
-rw-r--r-- 1 root root 1391 7月 6 2014 GeoTrust_inter...
-rw-r--r-- 1 root root 1679 9月 28 2014 kgb.hmuna.com....
-rw-r--r-- 1 root root 1751 9月 24 2014 kgb.hmuna.com....
-rw-r--r-- 1 root root 1895 9月 28 2014 kgb_hmuna_com....
-rw-r--r-- 1 root root 1005 9月 24 2014 kgbhmunaCSR.csr
-rw-r--r-- 1 root root 1743 7月 6 2014 mail.hmuna.com...
-rw-r--r-- 1 root root 1675 7月 6 2014 mail.hmuna.com...
-rw-r--r-- 1 root root 1009 7月 6 2014 mailhmunaCSR.csr
-rw-r--r-- 1 root root 1842 7月 6 2014 mailhmunaSSLCe...
-rw-r--r-- 1 root root 3233 7月 6 2014 mailhmuna_comb...
-rw-r--r-- 1 root root 1751 7月 6 2014 wiki.hmuna.com...
-rw-r--r-- 1 root root 1679 7月 6 2014 wiki.hmuna.com...
-rw-r--r-- 1 root root 1009 7月 6 2014 wikihmunaCSR.csr
-rw-r--r-- 1 root root 1842 7月 6 2014 wikihmunaSSLCe...
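-- &color(red){For the kgb certificate, the CSR was created on September 24, 2014 ...
- Check the contents of the certificate, private key, and CSR files used by Apache
-- Checking the certificate file contents
--- Issued by Comodo in September 2014 and valid until 2019 ...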
munakata@mythen:/etc/ssl/official2 (master *)$ openssl x...
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
71:82:44:f4:5b:6f:b9:65:dd:15:b8:e2:04:68:a7...
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, ...
CA
Validity
Not Before: Sep 28 00:00:00 2014 GMT
Not After : Sep 27 23:59:59 2019 GMT
Subject: OU=Domain Control Validated, OU=Positiv...
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:5...
X509v3 Subject Key Identifier:
68:03:77:22:D5:A3:CD:B6:A0:10:CF:A8:23:F...
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web C...
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.7
CPS: https://secure.comodo.com/CPS
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.comodoca.com/COMODORSAD...
Authority Information Access:
CA Issuers - URI:http://crt.comodoca.com...
OCSP - URI:http://ocsp.comodoca.com
X509v3 Subject Alternative Name:
DNS:kgb.hmuna.com, DNS:www.kgb.hmuna.com
Signature Algorithm: sha256WithRSAEncryption
-- Checking the CSR (certificate signing request) file contents
--- It is a certificate request for kgb.hmuna.com and looks normal
munakata@mythen:/etc/ssl/official2 (master *)$ openssl r...
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=JP, ST=Kanagawa, L=Yokohama, O=Admin,...
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
- Guidance from Comodo at certificate issuance &ref{ORDER_151875...
-- Attached to this email you should find a .zip file con...
--- Root CA Certificate - AddTrustExternalCARoot.crt
--- Intermediate CA Certificate - COMODORSAAddTrustCA....
--- Intermediate CA Certificate - COMODORSADomainValid...
--- Your PositiveSSL Certificate - kgb_hmuna_com.crt
You can also find your PositiveSSL Certificate for kgb.hm...
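- Certificate-related settings in Apache (whole section, including history)
# Re-installed an official certificate (cheap, though!) on 20101225.
# Re-installed an official certificate (cheap, though!) on 20121211.
# On 20140928, following the wiki.hmuna.com --> kgb.hmuna.com change ...
# The installation history is explained on the wiki (https://kgb.hmuna.com:443/in...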
# Server Certificate:
#SSLCertificateFile /etc/ssl/official/wikihmunaSSLC...
#SSLCertificateFile /etc/ssl/official2/wikihmunaSSL...
SSLCertificateFile /etc/ssl/official2/kgb_hmuna_com...
# Server Private Key:
#SSLCertificateKeyFile /etc/ssl/official/wikihmunaPriv...
#SSLCertificateKeyFile /etc/ssl/official2/wiki.hmuna.c...
SSLCertificateKeyFile /etc/ssl/official2/kgb.hmuna.com...
# Server Certificate Chain:
#SSLCertificateChainFile /etc/ssl/official/RapidSSL_CA_b...
#SSLCertificateChainFile /etc/ssl/official2/GeoTrust_int...
SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddT...
SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddT...
- Certificate-related settings in Apache (kgb-related part)
# On 20140928, following the wiki.hmuna.com --> kgb.hmuna.com change ...
# The installation history is explained on the wiki (https://kgb.hmuna.com:443/in...
# Server Certificate:
SSLCertificateFile /etc/ssl/official2/kgb_hmuna_com...
# Server Private Key:
SSLCertificateKeyFile /etc/ssl/official2/kgb.hmuna.com...
# Server Certificate Chain:
SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddT...
SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddT...
-- &color(red){The intermediate certificate (COMODORSAAddTrustCA.crt) is suspect ...
-- &color(red){On careful rereading, the intermediate certificates from Comodo are 2...
-- Fix and reload
SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddT...
SSLCertificateChainFile /etc/ssl/official2/COMODORSADoma...
- Check the certificate installation status
munakata@muna-E450:~$ openssl s_client -connect kgb.hmun...
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O ...
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O ...
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL,...
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=kgb....
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA L...
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA L...
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA L...
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=k...
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA...
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3601 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7A9F11F070145BD4C77E8B3ABF8034697BE71B29...
Session-ID-ctx:
Master-Key: 528FD41DC441663C3ED83D3E9442E260F9526C5C...
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1501092236
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
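Added example, not part of the original notes: a way to check the "Certificate chain" section of `openssl s_client` output for the kind of intermediate-certificate mistake described above. It reports every position where a certificate's issuer is not the subject of the next certificate the server sent. Both sample outputs and all names in them are constructed.

```python
# Added example (not from the original page): link check over the
# "Certificate chain" section printed by `openssl s_client`.
import re

ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:<subject>"
ISSUER = re.compile(r"^\s*i:(.*)$")          # "   i:<issuer>"

# Constructed sample: the server sends an intermediate that did not issue the leaf.
BROKEN = """CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.example.test
   i:/CN=Example Issuing CA
 1 s:/CN=Example Cross CA
   i:/CN=Example Root CA
---
Server certificate
"""

# Constructed sample: both intermediates are sent, in order.
FIXED = """CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.example.test
   i:/CN=Example Issuing CA
 1 s:/CN=Example Issuing CA
   i:/CN=Example Cross CA
 2 s:/CN=Example Cross CA
   i:/CN=Example Root CA
---
Server certificate
"""


def parse_chain(s_client_text):
    """Return [{'index', 'subject', 'issuer'}] in the order the server sent."""
    chain, in_section = [], False
    for line in s_client_text.splitlines():
        stripped = line.strip()
        if stripped == "Certificate chain":
            in_section = True
            continue
        if not in_section:
            continue
        if stripped == "---":            # end of the chain section
            break
        m = ENTRY.match(line)
        if m:
            chain.append({"index": int(m.group(1)),
                          "subject": " ".join(m.group(2).split()),
                          "issuer": None})
            continue
        m = ISSUER.match(line)
        if m and chain:
            chain[-1]["issuer"] = " ".join(m.group(1).split())
    return chain                          # PEM bodies from -showcerts are skipped


def check_chain(chain):
    """Find broken links and say what the client must supply itself."""
    if not chain:
        return {"gaps": [], "top_issuer": None, "root_included": False,
                "empty": True}
    gaps = []
    for cert, nxt in zip(chain, chain[1:]):
        if cert["issuer"] is None or cert["issuer"] != nxt["subject"]:
            # The certificate that issued `cert` is not the next one sent.
            gaps.append((cert["index"], cert["issuer"], nxt["subject"]))
    top = chain[-1]
    return {"gaps": gaps,
            "top_issuer": top["issuer"],  # must be in the client's trust store
            "root_included": top["issuer"] == top["subject"],
            "empty": False}


if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        result = check_chain(parse_chain(text))
        print(name, "gaps:", result["gaps"], "top issuer:", result["top_issuer"])
```

An empty `gaps` list only shows that the certificates sent link to one another by name; whether a given client accepts the chain still depends on its trust store, which is why `Verify return code` can differ between machines.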
*** Renewing the certificate [#ga366933]
&color(red){On several PCs the kgb.hmuna.com certificate is revoked ...
- Creating the CSR
-- Server private key = kgb201707.key
-- pass phrase = nanamochahiko
- Order record ---- &ref(Namecheap.com Order Summary.eml);
- The issued certificate (the intermediate certificates are simpler than before ...
終了行:
#contents
*** md0 ドライブの一つが動いていなかった @2017-6-11 [#qa...
- Ubuntu の ディスクメニューで md0 が赤色表示 → md0 が De...
-- Superblock の persistency は確保されているが、1台のド...
munakata@mythen:~ (master #)$ sudo mdadm -D /dev/md0
/dev/md0:
Version : 1.2
Creation Time : Sun Dec 11 23:04:19 2011
Raid Level : raid1
Array Size : 3906885632 (3725.90 GiB 4000.65 GB)
Used Dev Size : 3906885632 (3725.90 GiB 4000.65 GB)
Raid Devices : 2
Total Devices : 1
Persistence : Superblock
Update Time : Sat Jun 10 18:28:18 2017
State : clean, degraded
Active Devices : 1
Working Devices : 1
Failed Devices : 0
Spare Devices : 0
Name : mythen:0
UUID : 4cd693e9:dd3ad1a9:3a5a23a9:62ce3a05
Events : 280089
Number Major Minor RaidDevice State
0 0 0 0 removed
2 8 17 1 active sync /d...
- /dev/sda にエラーが発生しているかを smartctrl の簡易テ...
munakata@mythen:~ (master #)$ sudo smartctl -t short /de...
smartctl 6.2 2013-07-26 r3841 [x86_64-linux-3.13.0-48-ge...
Copyright (C) 2002-13, Bruce Allen, Christian Franke, ww...
Testing has begun.
Please wait 2 minutes for test to complete.
Test will complete after Sat Jun 10 18:27:37 2017
Use smartctl -X to abort test.
- テストの結果 /dev/sda 自体に障害が発生していないことを...
munakata@mythen:~ (master #)$ sudo smartctl -l selftest ...
smartctl 6.2 2013-07-26 r3841 [x86_64-linux-3.13.0-48-ge...
Copyright (C) 2002-13, Bruce Allen, Christian Franke, ww...
=== START OF READ SMART DATA SECTION ===
SMART Self-test log structure revision number 1
Num Test_Description Status Remaini...
# 1 Short offline Completed without error 0...
- md0 に /dev/sda を再アッタチ → 自動的に rebuild がスタ...
munakata@mythen:~ (master #)$ sudo mdadm /dev/md0 --add ...
mdadm: added /dev/sda1
- rebuild 中(4時間程度経過時点)
munakata@mythen:~ (master #)$ sudo mdadm -D /dev/md0
/dev/md0:
Version : 1.2munakata@mythen:~ (master #)$ sudo ...
mdadm: added /dev/sda1
Creation Time : Sun Dec 11 23:04:19 2011
Raid Level : raid1
Array Size : 3906885632 (3725.90 GiB 4000.65 GB)
Used Dev Size : 3906885632 (3725.90 GiB 4000.65 GB)
Raid Devices : 2
Total Devices : 2
Persistence : Superblock is persistent
Update Time : Sat Jun 10 19:49:34 2017
State : clean, degraded, recovering
Active Devices : 1
Working Devices : 2
Failed Devices : 0
Spare Devices : 1
Rebuild Status : 14% complete
Name : mythen:0
UUID : 4cd693e9:dd3ad1a9:3a5a23a9:62ce3a05
Events : 282261
Number Major Minor RaidDevice State
3 8 1 0 spare rebuilding...
2 8 17 1 active sync /d...
- rebuild 完了時点
munakata@mythen:~ (master #)$ sudo mdadm -D /dev/md0
/dev/md0:
Version : 1.2
Creation Time : Sun Dec 11 23:04:19 2011
Raid Level : raid1
Array Size : 3906885632 (3725.90 GiB 4000.65 GB)
Used Dev Size : 3906885632 (3725.90 GiB 4000.65 GB)
Raid Devices : 2
Total Devices : 2
Persistence : Superblock is persistent
Update Time : Sun Jun 11 07:40:39 2017
State : clean
Active Devices : 2
Working Devices : 2
Failed Devices : 0
Spare Devices : 0
Name : mythen:0
UUID : 4cd693e9:dd3ad1a9:3a5a23a9:62ce3a05
Events : 296999
Number Major Minor RaidDevice State
3 8 1 0 active sync /d...
2 8 17 1 active sync /d...
munakata@mythen:~ (master #)$ cat /proc/mdstat
Personalities : [linear] [multipath] [raid0] [raid1] [ra...
md0 : active raid1 sda1[3] sdb1[2]
3906885632 blocks super 1.2 [2/2] [UU]
*** dtv_recipe が動作不安定 @2017-6-11 [#a0649bd9]
- HDD 録画したファイルの中で特定のファイルがリードエラー...
- SMART のログを確認
-- 重要なのは &color(red){Current_Pending_Sector = 4}; ...
munakata@mythen:~ (master #)$ sudo smartctl -a /dev/sdf
smartctl 6.2 2013-07-26 r3841 [x86_64-linux-3.13.0-48-ge...
Copyright (C) 2002-13, Bruce Allen, Christian Franke, ww...
=== START OF INFORMATION SECTION ===
Device Model: WDC WD40EZRZ-00WN9B0
Serial Number: WD-WCC4E3JH7YV9
LU WWN Device Id: 5 0014ee 261da88a0
Firmware Version: 80.00A80
User Capacity: 4,000,787,030,016 bytes [4.00 TB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
Rotation Rate: 5400 rpm
Device is: Not in smartctl database [for details ...
ATA Version is: ACS-2 (minor revision not indicated)
SATA Version is: SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is: Sun Jun 11 08:07:16 2017 JST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
General SMART Values:
Offline data collection status: (0x82) Offline data col...
was completed without error.
Auto Offline Data Collection: Enabled.
Self-test execution status: ( 121) The previous sel...
the read element of the test failed.
Total time to complete Offline
data collection: (53760) seconds.
Offline data collection
capabilities: (0x7b) SMART execute Offline immediate.
Auto Offline data collection on/off support.
Suspend Offline collection upon new
command.
Offline surface scan supported.
Self-test supported.
Conveyance Self-test supported.
Selective Self-test supported.
SMART capabilities: (0x0003) Saves SMART data...
power-saving mode.
Supports SMART auto save timer.
Error logging capability: (0x01) Error logging su...
General Purpose Logging supported.
Short self-test routine
recommended polling time: ( 2) minutes.
Extended self-test routine
recommended polling time: ( 537) minutes.
Conveyance self-test routine
recommended polling time: ( 5) minutes.
SCT capabilities: (0x7035) SCT Status supported.
SCT Feature Control supported.
SCT Data Table supported.
SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH ...
1 Raw_Read_Error_Rate 0x002f 200 200 051 ...
3 Spin_Up_Time 0x0027 185 179 021 ...
4 Start_Stop_Count 0x0032 100 100 000 ...
5 Reallocated_Sector_Ct 0x0033 200 200 140 ...
7 Seek_Error_Rate 0x002e 200 200 000 ...
9 Power_On_Hours 0x0032 081 081 000 ...
10 Spin_Retry_Count 0x0032 100 253 000 ...
11 Calibration_Retry_Count 0x0032 100 253 000 ...
12 Power_Cycle_Count 0x0032 100 100 000 ...
192 Power-Off_Retract_Count 0x0032 200 200 000 ...
193 Load_Cycle_Count 0x0032 025 025 000 ...
194 Temperature_Celsius 0x0022 110 104 000 ...
196 Reallocated_Event_Count 0x0032 200 200 000 ...
197 Current_Pending_Sector 0x0032 200 200 000 ...
198 Offline_Uncorrectable 0x0030 200 200 000 ...
199 UDMA_CRC_Error_Count 0x0032 200 200 000 ...
200 Multi_Zone_Error_Rate 0x0008 200 200 000 ...
SMART Error Log Version: 1
No Errors Logged
-- dtv_recipe (/dev/sdf) をテストする
munakata@mythen:~ (master #)$ sudo smartctl -t short /de...
smartctl 6.2 2013-07-26 r3841 [x86_64-linux-3.13.0-48-ge...
Copyright (C) 2002-13, Bruce Allen, Christian Franke, ww...
=== START OF OFFLINE IMMEDIATE AND SELF-TEST SECTION ===
Sending command: "Execute SMART Short self-test routine ...
Drive command "Execute SMART Short self-test routine imm...
Testing has begun.
Please wait 2 minutes for test to complete.
Test will complete after Sun Jun 11 08:06:42 2017
Use smartctl -X to abort test.
- テスト結果を見る
-- 上から最新のテスト結果
-- read_failure で終了していて、エラーが出た LBA の先頭の...
SMART Self-test log structure revision number 1
Num Test_Description Status Remaini...
# 1 Short offline Completed: read failure 9...
# 2 Extended offline Completed: read failure 9...
# 3 Conveyance offline Completed: read failure 9...
# 4 Short offline Completed: read failure 9...
- 今回はディスクを交換することにした。
- 暫定的に不良ブロックを使わない [[設定の紹介:http://nyac...
*** One Time Password (OTP) を利用してサーバーを外部公開 ...
- Apache への OTP 認証の追加
<Directory /raid_vol/www/pukiwiki>
Options +Indexes +FollowSymLinks +MultiViews
AllowOverride None
# ローカルネットからはパスワードなしでアクセスを許可
Satisfy any
Order allow,deny
Allow from 127.0.0.1
Allow from 192.168.1
# それ以外からのアクセスにはワンタイムパスワードを要求
AuthType Basic
AuthName "OTP Authentication (Enter OTP as password)"
AuthBasicProvider OTP
Require valid-user
OTPAuthUsersFile /raid_vol/www/otp/users
OTPAuthMaxLinger 3600
OTPAuthLogoutOnIPChange On
#AuthType Basic
#AuthName "KGB 奈々子"
## nanamochahiko
#AuthUserFile "/raid_vol/home/munakata/.htpasswd"
#Require user munakata
</Directory>
- ユーザー登録用スクリプト ( munakata のホームディレクト...
#!/bin/bash -e
user=${1:?Usage: $0 username}
issuer=${2:-KGB}
secret=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 15...
secret_base16=$(python -c "import base64; print base64.b...
secret_base32=$(python -c "import base64; print base64.b...
otpauth_uri="otpauth://totp/${issuer}:${user}?secret=${s...
otpauth_uri=$(python -c "import urllib; print urllib.quo...
qrcode_url="https://chart.googleapis.com/chart?chs=300x3...
file="/raid_vol/www/otp/users"
if [ ! -f "${file}" ]; then
[ -d $(dirname "$file") ] || mkdir -p $(dirname "$file")
touch ${file}
chown -R www-data:www-data $(dirname "$file")
fi
[ -w "${file}" ] || (echo "${file}: Permission denied" &...
count=$(awk "\$2 ~ /^$user}\$/" ${file} | wc -l)
if [ $count -le 0 ]; then
echo "HOTP/T30 $(printf '%-12s' $user) - ${secret_base...
echo "$qrcode_url"
else
echo "User '$user' already exists"
fi
-- [[munakata 用の QR コード:https://chart.googleapis.com...
-- &ref(muna_otp.jpg);
- 参考 URL
-- [[Apacheへのアクセスに二要素認証を適用する:http://qiit...
*** kgb.hmuna.com の証明書検証 [#zfcf4aae]
- サーバー証明書関連のエラー(ブラウザーで証明書が失効と...
- 現在の証明書の場所は /etc/ssl/official2munakata@mythen:...
$ ls -l
合計 68
-rw-r--r-- 1 root root 1521 9月 28 2014 AddTrustExtern...
-rw-r--r-- 1 root root 1952 9月 28 2014 COMODORSAAddTr...
-rw-r--r-- 1 root root 2151 9月 28 2014 COMODORSADomai...
-rw-r--r-- 1 root root 1391 7月 6 2014 GeoTrust_inter...
-rw-r--r-- 1 root root 1679 9月 28 2014 kgb.hmuna.com....
-rw-r--r-- 1 root root 1751 9月 24 2014 kgb.hmuna.com....
-rw-r--r-- 1 root root 1895 9月 28 2014 kgb_hmuna_com....
-rw-r--r-- 1 root root 1005 9月 24 2014 kgbhmunaCSR.csr
-rw-r--r-- 1 root root 1743 7月 6 2014 mail.hmuna.com...
-rw-r--r-- 1 root root 1675 7月 6 2014 mail.hmuna.com...
-rw-r--r-- 1 root root 1009 7月 6 2014 mailhmunaCSR.csr
-rw-r--r-- 1 root root 1842 7月 6 2014 mailhmunaSSLCe...
-rw-r--r-- 1 root root 3233 7月 6 2014 mailhmuna_comb...
-rw-r--r-- 1 root root 1751 7月 6 2014 wiki.hmuna.com...
-rw-r--r-- 1 root root 1679 7月 6 2014 wiki.hmuna.com...
-rw-r--r-- 1 root root 1009 7月 6 2014 wikihmunaCSR.csr
-rw-r--r-- 1 root root 1842 7月 6 2014 wikihmunaSSLCe...
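-- &color(red){For the kgb certificate, the CSR was created on September 24, 2014...
- Check the contents of the certificate, private key, and CSR files used by Apache
-- Check the contents of the certificate file
--- Issued by Comodo in September 2014 and valid until 2019...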
munakata@mythen:/etc/ssl/official2 (master *)$ openssl x...
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
71:82:44:f4:5b:6f:b9:65:dd:15:b8:e2:04:68:a7...
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, ...
CA
Validity
Not Before: Sep 28 00:00:00 2014 GMT
Not After : Sep 27 23:59:59 2019 GMT
Subject: OU=Domain Control Validated, OU=Positiv...
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:5...
X509v3 Subject Key Identifier:
68:03:77:22:D5:A3:CD:B6:A0:10:CF:A8:23:F...
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web C...
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.7
CPS: https://secure.comodo.com/CPS
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.comodoca.com/COMODORSAD...
Authority Information Access:
CA Issuers - URI:http://crt.comodoca.com...
OCSP - URI:http://ocsp.comodoca.com
X509v3 Subject Alternative Name:
DNS:kgb.hmuna.com, DNS:www.kgb.hmuna.com
Signature Algorithm: sha256WithRSAEncryption
-- Check the contents of the CSR (certificate signing request) file
--- It is a certificate issuance request for kgb.hmuna.com and looks normal
munakata@mythen:/etc/ssl/official2 (master *)$ openssl r...
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=JP, ST=Kanagawa, L=Yokohama, O=Admin,...
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
- Guidance from Comodo at the time of certificate issuance &ref{ORDER_151875...
-- Attached to this email you should find a .zip file con...
--- Root CA Certificate - AddTrustExternalCARoot.crt
--- Intermediate CA Certificate - COMODORSAAddTrustCA....
--- Intermediate CA Certificate - COMODORSADomainValid...
--- Your PositiveSSL Certificate - kgb_hmuna_com.crt
You can also find your PositiveSSL Certificate for kgb.hm...
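- Certificate-related settings in Apache (complete, including history)
# 20101225: reinstalled with an official certificate (but a cheap one!).
# 20121211: reinstalled with an official certificate (but a cheap one!).
# 20140928: following the change wiki.hmuna.com --> kgb.hmuna.com...
# The installation history is explained on the wiki (https://kgb.hmuna.com:443/in...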
# Server Certificate:
#SSLCertificateFile /etc/ssl/official/wikihmunaSSLC...
#SSLCertificateFile /etc/ssl/official2/wikihmunaSSL...
SSLCertificateFile /etc/ssl/official2/kgb_hmuna_com...
# Server Private Key:
#SSLCertificateKeyFile /etc/ssl/official/wikihmunaPriv...
#SSLCertificateKeyFile /etc/ssl/official2/wiki.hmuna.c...
SSLCertificateKeyFile /etc/ssl/official2/kgb.hmuna.com...
# Server Certificate Chain:
#SSLCertificateChainFile /etc/ssl/official/RapidSSL_CA_b...
#SSLCertificateChainFile /etc/ssl/official2/GeoTrust_int...
SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddT...
SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddT...
- Certificate-related settings in Apache (kgb-related part)
# 20140928: following the change wiki.hmuna.com --> kgb.hmuna.com...
# The installation history is explained on the wiki (https://kgb.hmuna.com:443/in...
# Server Certificate:
SSLCertificateFile /etc/ssl/official2/kgb_hmuna_com...
# Server Private Key:
SSLCertificateKeyFile /etc/ssl/official2/kgb.hmuna.com...
# Server Certificate Chain:
SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddT...
SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddT...
-- &color(red){The intermediate certificate (COMODORSAAddTrustCA.crt) looks suspect...
-- &color(red){On a careful reread, the intermediate certificates from Comodo number 2...
-- Fix and reload
SSLCertificateChainFile /etc/ssl/official2/COMODORSAAddT...
SSLCertificateChainFile /etc/ssl/official2/COMODORSADoma...
- Check how the certificates are installed
munakata@muna-E450:~$ openssl s_client -connect kgb.hmun...
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O ...
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O ...
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL,...
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=kgb....
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA L...
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA L...
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA L...
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=k...
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA...
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3601 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7A9F11F070145BD4C77E8B3ABF8034697BE71B29...
Session-ID-ctx:
Master-Key: 528FD41DC441663C3ED83D3E9442E260F9526C5C...
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1501092236
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
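The "Certificate chain" section of the s_client output above is where a wrong or missing intermediate file shows up: each certificate's issuer (i:) must be the subject (s:) of the next one sent. The following Python code is an added example, not part of the original page, that checks this linkage on two constructed excerpts with placeholder names; it compares names only, so the "Verify return code" line remains the authoritative result.

```python
import re

# Constructed excerpts of `openssl s_client -showcerts` output (placeholder names).
GOOD = """Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.example.test
   i:/C=XX/O=Example CA/CN=Example DV Server CA
 1 s:/C=XX/O=Example CA/CN=Example DV Server CA
   i:/C=XX/O=Example CA/CN=Example Root CA
---
Server certificate
subject=/OU=Domain Control Validated/CN=www.example.test
issuer=/C=XX/O=Example CA/CN=Example DV Server CA
"""
# Same server with the wrong intermediate file configured.
BROKEN = """Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.example.test
   i:/C=XX/O=Example CA/CN=Example DV Server CA
 1 s:/C=XX/O=Example CA/CN=Example Root CA
   i:/C=XX/O=Old CA/CN=Old External Root
---
"""

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in output.splitlines():
        s = re.match(r"\s*\d+ s:\s*(.+)", line)
        i = re.match(r"\s*i:\s*(.+)", line)
        if s:
            subject = s.group(1).strip()
        elif i and subject is not None:
            chain.append((subject, i.group(1).strip()))
            subject = None
    return chain

def chain_problems(chain):
    if not chain:
        return ["no certificates found in output"]
    problems = []
    for n in range(len(chain) - 1):
        if chain[n][1] != chain[n + 1][0]:
            problems.append("cert %d issuer is not cert %d subject" % (n, n + 1))
    if len(chain) == 1 and chain[0][0] != chain[0][1]:
        problems.append("only the leaf was sent: no intermediate configured")
    return problems

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("broken", BROKEN)):
        print(name, chain_problems(parse_chain(text)) or "chain links up")
```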
*** Certificate renewal [#ga366933]
&color(red){On some PCs, the kgb.hmuna.com certificate is revoked...
- Create the CSR
-- Server private key = kgb201707.key
-- pass phrase = nanamochahiko
- Order record ---- &ref(Namecheap.com Order Summary.eml);
- Issued certificate (the intermediate certificates are simpler than before...