Improve SSL certificate-related policies

Since using Docker as the underlying environment, I have been thinking about writing a panel that can centrally manage services. On the one hand, I don't want to use widely used panels on the market because I can do better than them, and on the other hand, it can also be considered as a practice.

Introduction

Look at the website certificate, yes! It has been changed to a wildcard certificate~
Let me briefly explain the (still buggy) features implemented so far. As mentioned above, I centralized the management in a panel. The panel includes a file called getcerfile.php that can be fetched directly (it requires authentication, of course: if the certificate endpoint were reachable from the public network without authentication, the certificates and keys would be exposed), and the certificate itself is a wildcard certificate issued by Let's Encrypt. This way there is no need to worry about which server each certificate is issued on, and no need to reinvent the wheel, yay

Certificate Detection

This part is mainly inspired by Axton's article; see that article for the details. Since I am not very experienced and currently do not want to use a database to store data, I am using plain files and a shell script to perform the certificate checks, and then PHP to render a more user-friendly page that is embedded in the panel.

Screenshot: [image of the certificate status panel]

Hmmmmmmmm, I found that my self-built image hosting seems to have some problems when uploading... Should I consider building my own? I'll think about it later

Here is the code:

#!/bin/sh

# one domain per line in urlfile.list; the curl handshake output (stderr) is
# captured to data/<domain>.ca and the summary is written to data/<domain>
while read -r line
do
  curl "https://$line" -v -s -o /dev/null 2>"data/$line.ca"
  datee=$(date +'%F %H:%M')
  echo "Last check: $datee" > "data/$line"

  data=$(grep 'subject:' "data/$line.ca")
  echo "Certificate domain: ${data##* subject: }" >> "data/$line"

  data=$(grep 'start date:' "data/$line.ca")
  startdate=$(date -d "${data##* start date: }" +'%F %H:%M:%S')
  echo "Issuance date: $startdate" >> "data/$line"

  data=$(grep 'expire date: ' "data/$line.ca")
  enddate=$(date -d "${data##* expire date: }" +'%F %H:%M:%S')
  echo "Expiration date: $enddate" >> "data/$line"

  data=$(grep 'issuer: ' "data/$line.ca")
  echo "Issuer: ${data##* issuer: }" >> "data/$line"

  data=$(grep 'SSL certificate verify ok.' "data/$line.ca")
  echo "Certificate status: ${data##* }" >> "data/$line"

  # convert to epoch seconds and work out how much of the validity period has elapsed
  startdate=$(date -d "$startdate" +%s)
  enddate=$(date -d "$enddate" +%s)
  datee=$(date -d "$datee" +%s)

  long=$((enddate - startdate))
  if [ "$long" -gt 0 ]; then
    percent=$(((datee - startdate) * 100 / long))
  else
    # no usable dates (handshake failed): show the bar as fully used
    percent=100
  fi

  echo "<div class=\"mdui-progress\"><div class=\"mdui-progress-determinate\" style=\"width: ${percent}%;\"></div></div>" >> "data/$line"

  rm "data/$line.ca"
done < urlfile.list
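The check above only ever records the happy path; what a practitioner usually wants from this kind of monitor is a single status per domain that also covers the case where the handshake fails and no certificate lines exist at all. The following is an added example, not the script from the post: it parses the same `curl -v` certificate block (the two curl outputs are constructed samples, not real captures), computes the percentage of the validity window already used, and reports OK, RENEW or FAIL. It assumes GNU `date -d`, as the original script does; `cert_field`, `cert_percent` and `cert_report` are names chosen here.

```shell
#!/bin/sh
# Added example (not the original check script): parse the certificate block
# that `curl -v` writes to stderr and reduce it to one status line plus the
# percentage of the validity period already used. Assumes GNU `date -d`.
# Both curl outputs below are constructed samples, not real captures.

SAMPLE_OK="* Connected to example.com (93.184.216.34) port 443
* Server certificate:
*  subject: CN=example.com
*  start date: Jan  1 00:00:00 2024 GMT
*  expire date: Mar 31 23:59:59 2024 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok."

SAMPLE_FAIL="* Connected to expired.example (192.0.2.10) port 443
* SSL certificate problem: certificate has expired
* Closing connection 0"

# cert_field <curl-output> <label>: the value after "label: " on the first matching line
cert_field() {
  printf '%s\n' "$1" | sed -n "s/^\*  *$2: //p" | head -n 1
}

# cert_percent <start-epoch> <end-epoch> <now-epoch>: integer percent of the
# validity window already elapsed, clamped to 0..100
cert_percent() {
  if [ "$2" -le "$1" ]; then
    echo 100
    return
  fi
  p=$(( ($3 - $1) * 100 / ($2 - $1) ))
  [ "$p" -lt 0 ] && p=0
  [ "$p" -gt 100 ] && p=100
  echo "$p"
}

# cert_report <curl-output> <now-epoch>: prints "status|domain|issuer|percent".
# FAIL  when the handshake produced no certificate or verification failed,
# RENEW when verification passed but 80% or more of the validity period is
#       used (roughly the last 18 days of a 90-day certificate),
# OK    otherwise.
cert_report() {
  subject=$(cert_field "$1" subject)
  if [ -z "$subject" ]; then
    echo "FAIL|unknown|unknown|100"
    return
  fi
  start=$(date -u -d "$(cert_field "$1" "start date")" +%s)
  end=$(date -u -d "$(cert_field "$1" "expire date")" +%s)
  pct=$(cert_percent "$start" "$end" "$2")
  if printf '%s\n' "$1" | grep -q 'SSL certificate verify ok'; then
    status=OK
  else
    status=FAIL
  fi
  if [ "$status" = OK ] && [ "$pct" -ge 80 ]; then
    status=RENEW
  fi
  echo "$status|${subject#CN=}|$(cert_field "$1" issuer)|$pct"
}

# stand-alone usage: report both samples against the current time
cert_report "$SAMPLE_OK" "$(date +%s)"
cert_report "$SAMPLE_FAIL" "$(date +%s)"
```

The RENEW threshold matters more than the progress bar: a wildcard certificate that acme.sh failed to renew looks perfectly healthy at 70% and only becomes a problem when nobody is watching, so the status line is what a cron job should alert on.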

The display code is as follows:

<?php
include_once 'config.php';
// the cookie holds md5(username . password); compare with hash_equals so the
// check is constant-time and not subject to PHP's loose "==" string comparison
if (isset($_COOKIE["user"]) && hash_equals(md5($username.$userpasswd), $_COOKIE["user"])) {
    echo '<div class="mdui-panel" mdui-panel>';
    function listDir($dir)
    {
        if (is_dir($dir)) {
            if ($dh = opendir($dir)) {
                while (($file = readdir($dh)) !== false) {
                    if ($file != "." && $file != "..") {
                        // the file name is a domain from urlfile.list; escape it before embedding in HTML
                        $name = htmlspecialchars($file, ENT_QUOTES, 'UTF-8');
                        echo '<div class="mdui-panel-item">';
                        echo '<div class="mdui-panel-item-header">'.'<div class="mdui-panel-item-title">'.$name.'</div>'.'<i class="mdui-panel-item-arrow mdui-icon material-icons">keyboard_arrow_down</i>'.'</div>';
                        echo '<div class="mdui-panel-item-body">';
                        $myfile = fopen("$dir/$file", "r") or die("Unable to open file!");
                        // the data files are written by the check script and already contain the progress-bar markup
                        while (($text = fgets($myfile)) !== false) {
                            echo '<p>'.$text.'</p>';
                        }
                        fclose($myfile);
                        echo '</div></div>';
                    }
                }
                closedir($dh);
            }
        } else {
            echo htmlspecialchars($dir, ENT_QUOTES, 'UTF-8') . '<br>';
        }
    }
    listDir("./data");
    echo '</div>';
} else {
    echo 'error';
}
?>

Certificate Distribution

Emmmm, as you can see above, I take the MD5 of the username and password and store it in a cookie for authentication. The domain names to be checked are stored directly in the urlfile.list file (I'm really not good at this).

Similarly, certificate distribution also uses cookies for authentication.

<?php
include_once 'config.php';
if (isset($_COOKIE["user"]) && hash_equals(md5($username.$userpasswd), $_COOKIE["user"])) {
    // only serve files that really live under the certificate directory: resolve the
    // requested path and refuse anything that escapes ssl/ (for example ../config.php)
    $base = realpath('ssl');
    $path = isset($_GET['file']) ? realpath($_GET['file']) : false;
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit('not found');
    }
    readfile($path);
} else {
    header("Location: /index.php");
}
?>

The requested certificate file is then read and its contents written straight to the response. Nginx additionally restricts access to the certificate directory, and a certificate is fetched with the following command:

curl 'https://****/getcerfile.php?file=ssl/lvcshu.com/lvcshu.com.key' -H 'cookie: user=???' > lvcshu.com.key
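One failure mode of the command above is worth guarding against: when the cookie is wrong or the panel is down, getcerfile.php answers with a redirect or an error page rather than the key, and the `> lvcshu.com.key` redirection overwrites the working key with that response, so the next Nginx reload fails. The following is an added example, not code from the post: `install_pem` accepts a downloaded file only when it is a complete PEM object and then swaps it in atomically, and `fetch_cert` puts that guard behind curl. `PANEL_HOST`, `PANEL_COOKIE` and both function names are placeholders chosen here; the key body in the demo is placeholder text, not a real key.

```shell
#!/bin/sh
# Added example, not part of the original post: a guard around the download
# step so that an error page or empty redirect body from getcerfile.php can
# never replace a working certificate or key.

# install_pem <downloaded-file> <destination>: returns 0 when installed,
# 1 when the file was rejected (the destination is left untouched)
install_pem() {
  first=$(grep -v '^$' "$1" | head -n 1)
  last=$(grep -v '^$' "$1" | tail -n 1)
  case $first in
    "-----BEGIN "*"-----") ;;
    *) echo "rejected $1: no PEM header" >&2; return 1 ;;
  esac
  label=${first#-----BEGIN }
  label=${label%-----}
  if [ "$last" != "-----END $label-----" ]; then
    echo "rejected $1: truncated or mismatched PEM footer" >&2
    return 1
  fi
  # write next to the destination and rename, so a reader never sees a half-written key
  cp "$1" "$2.tmp" && chmod 600 "$2.tmp" && mv "$2.tmp" "$2"
}

# fetch_cert <url> <cookie-value> <destination>: download to a temp file first.
# -f makes curl fail on HTTP errors; a 302 with an empty body is rejected by install_pem.
fetch_cert() {
  tmp=$(mktemp) || return 1
  if curl -fsS "$1" -H "cookie: user=$2" -o "$tmp" && install_pem "$tmp" "$3"; then
    rm -f "$tmp"
    return 0
  fi
  rm -f "$tmp"
  return 1
}

# stand-alone demo on constructed files (placeholder key body, not a real key)
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQgUExBQ0VIT0xERVIsIE5PVCBBIEtFWQ==' '-----END PRIVATE KEY-----' > "$demo/good.pem"
printf '%s\n' 'error' > "$demo/bad.txt"
install_pem "$demo/good.pem" "$demo/site.key" && echo "installed $demo/site.key"
install_pem "$demo/bad.txt" "$demo/site.key" || echo "kept existing $demo/site.key"
# real use (placeholders): 
# fetch_cert 'https://PANEL_HOST/getcerfile.php?file=ssl/lvcshu.com/lvcshu.com.key' "$PANEL_COOKIE" /etc/nginx/ssl/lvcshu.com.key
```

The PEM check is deliberately cheap (no openssl dependency on every server); its job is only to tell a certificate apart from an HTML error page, which is exactly the case the plain redirection gets wrong.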

This way, a script on each server can pull the updated certificate from the certificate server on a schedule. The wildcard certificate itself is renewed automatically with acme.sh. That's about it. If any experts find problems, please contact me promptly. QAQ
Telegram:@johnpoint
