Table of Contents

Linux SSL

SSL certificates

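# Example: fetch a server certificate and install it into the system trust store.
# Context: https://discuss.elastic.co/t/error-response-from-daemon-get-https-docker-elastic-co-v2-x509-certificate-signed-by-unknown-authority/281754
#
# SECURITY: this is trust-on-first-use. Whatever certificate the network hands you
# at this moment becomes trusted system-wide. Before copying anything into
# /usr/local/share/ca-certificates, compare its SHA-256 fingerprint with a value
# obtained out-of-band (from the CA operator / service owner), and prefer installing
# the issuing CA certificate rather than a server (leaf) certificate. To revoke the
# trust again: delete the file and re-run update-ca-certificates.
curl --trace - https://docker.elastic.co:443
cd ~

# Save the first certificate the server presents (the leaf). `openssl x509` reads
# only the first PEM block; with -showcerts the issuing CA is further down the
# output and has to be extracted separately if that is what you want to trust.
# -servername sends SNI so a virtual-hosted server returns the right certificate.
openssl s_client -showcerts -servername www.domain.com -connect www.domain.com:443 </dev/null 2>/dev/null \
  | openssl x509 -outform PEM >domain.com.crt
# Inspect subject/issuer/validity and verify the fingerprint before trusting it.
openssl x509 -in domain.com.crt -noout -subject -issuer -dates -fingerprint -sha256
sudo cp domain.com.crt /usr/local/share/ca-certificates
sudo update-ca-certificates

openssl s_client -showcerts -servername bot.ip2u.ru -connect bot.ip2u.ru:4443 </dev/null
openssl s_client -showcerts -servername www.domain.com -connect www.domain.com:443 </dev/null
openssl s_client -showcerts -servername bot.ip2u.ru -connect bot.ip2u.ru:4443 </dev/null 2>/dev/null \
  | openssl x509 -outform PEM >ip2u_ru.crt
cat ./ip2u_ru.crt
# Compare this fingerprint with the one published out-of-band before the next step.
openssl x509 -in ./ip2u_ru.crt -noout -fingerprint -sha256
# update-ca-certificates only picks up PEM files with a .crt extension.
sudo cp ./ip2u_ru.crt /usr/local/share/ca-certificates/ip2u.ru.crt
sudo update-ca-certificates
# Re-check: "Verify return code: 0 (ok)" means the system store now trusts it.
openssl s_client -showcerts -servername bot.ip2u.ru -connect bot.ip2u.ru:4443 </dev/null
# Verify against the saved file only, without touching the system store.
openssl s_client -CAfile ./ip2u_ru.crt -servername bot.ip2u.ru -connect bot.ip2u.ru:4443 </dev/null
# curl needs an explicit scheme: a bare "host:port" is fetched as http://, so the
# original form talked plaintext HTTP to a TLS port and tested nothing about the cert.
curl --verbose https://bot.ip2u.ru:4443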

Linux SSL key management

Linux mTLS (mutual TLS)

https://get.localhost.direct/

OpenSSL key manipulation

 # Print the key length, SHA-256 fingerprint, comment and type of an OpenSSH public key.
 ssh-keygen -lf ./id_rsa_1.pub
4096 SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXX8 m@domain.ru (RSA)
 
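 # Dump the public key parameters (modulus, exponent) with OpenSSL.
 # `openssl pkey` only understands PEM/DER, not the OpenSSH one-line format
 # ("ssh-rsa AAAA..."), and without -pubin it expects a *private* key; the
 # original invocation therefore fails on a .pub file. Convert first:
 ssh-keygen -e -m PKCS8 -f ./id_rsa_1.pub | openssl pkey -pubin -noout -text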

SSL/HTTPS: test a TLS/SSL connection

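# Check that a TLS handshake succeeds; a protocol version can be forced with
# -tls1_2 / -tls1_3 (-tls1 is mainly useful to confirm that legacy TLS 1.0 is *disabled*).
# -servername sends SNI; -tlsextdebug prints the TLS extensions exchanged.
openssl s_client -servername ip2u.ru -tlsextdebug -connect ip2u.ru:443 </dev/null

# Test a specific backend without DNS.
# Connecting to 127.0.0.1 and overriding Host: sends no SNI and verifies the
# certificate against "127.0.0.1", so verification fails unless it is disabled
# (wget --no-check-certificate / curl -k) — which then also hides real problems.
# wget has no --resolve equivalent: map the name in /etc/hosts for the test instead.
wget -v --debug -O /dev/null https://127.0.0.1:443 --header "Host: wiki.ip2u.net"

# curl: --resolve pins the name to the address while keeping SNI and full
# certificate verification, which is what a certificate test should exercise.
# Add -k (insecure) only when the certificate is explicitly not what you are debugging.
curl -v --resolve wiki.ip2u.ru:443:127.0.0.1 https://wiki.ip2u.ru/something

# curl: confirm that the certificate is installed correctly on the server
# (-I HEAD request only, -s no progress meter, -4 force IPv4).
# Expect "SSL certificate verify ok" plus the subject/issuer lines.
date; curl -vIs4 https://wiki.ip2u.ru 2>&1 | grep -Ei '(connected|\* ssl|issuer|subject)'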
Sat Jun 11 19:31:48 +05 2022
* Connected to wiki.ip2u.ru (172.67.198.111) port 443 (#0)
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
*  subject: CN=*.ip2u.ru
*  subjectAltName: host "wiki.ip2u.ru" matched cert's "*.ip2u.ru"
*  issuer: C=US; O=Let's Encrypt; CN=E1
*  SSL certificate verify ok.
 
# Check the certificate served by the origin server behind Cloudflare, bypassing
# the edge: --resolve pins the hostname to the origin IP while keeping SNI and
# certificate verification. "unable to get local issuer certificate" in the trace
# below means the origin certificate's issuer is not in the system trust store
# (expected if the origin uses a Cloudflare Origin CA certificate, which only the
# Cloudflare edge is meant to trust). To verify it properly, supply that issuer
# with --cacert rather than disabling verification with -k.
curl --silent --verbose --output /dev/null --resolve wiki.ip2u.ru:443:212.237.56.234 https://wiki.ip2u.ru/
* Added wiki.ip2u.ru:443:212.237.56.234 to DNS cache
* Hostname wiki.ip2u.ru was found in DNS cache
*   Trying 212.237.56.234:443...
* TCP_NODELAY set
* Connected to wiki.ip2u.ru (212.237.56.234) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [1321 bytes data]
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0

SSL/HTTPS: install a CA certificate

# Install certificate and chains - check GOST ciper
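# Install a certificate chain and check GOST cipher support.
# NOTE(review): GOST suites are only listed if a GOST engine/provider is loaded
# into OpenSSL; an empty result here means the stock OpenSSL cannot negotiate GOST
# TLS with this server — confirm for your distribution.
STR=$(openssl ciphers | sed 's/:/\n/g' | grep -i gost)
# Quoted so the newline-separated list is printed one suite per line.
echo "$STR"

# Dump the chain the server presents (-verify 5 = max chain depth; add
# -verify_return_error to abort the handshake on a failed verification instead of
# only reporting it). Save the leaf so the next command has a file to read —
# the original notes referenced server_cert_esia.pem without ever creating it.
openssl s_client -showcerts -verify 5 -servername esia.gosuslugi.ru -connect esia.gosuslugi.ru:443 </dev/null 2>/dev/null \
  | openssl x509 -outform PEM > server_cert_esia.pem
openssl x509 -in server_cert_esia.pem -noout -text
# Export the certificates, follow the "CA Issuers" URI from Authority Information
# Access and download each issuer in turn until you reach the root CA.
openssl x509 -in server_cert_esia.pem -noout -text | grep -A2 'Authority Information Access'

# download the root CA
# SECURITY: this is plain HTTP, so the file can be altered in transit. Compare its
# SHA-256 fingerprint with the value the CA publishes out-of-band before installing;
# a tampered root here makes every TLS connection from this host interceptable.
wget http://reestr-pki.ru/cdp/guc_gost12.crt
# DER -> PEM conversion (update-ca-certificates expects PEM with a .crt extension)
openssl x509 -inform der -in guc_gost12.crt -out GUC_gost12.pem
# inspect it: subject, validity period and fingerprint
openssl x509 -in GUC_gost12.pem -noout -text
openssl x509 -in GUC_gost12.pem -noout -fingerprint -sha256
# install the CA on Debian (run as root)
cp GUC_gost12.pem /usr/local/share/ca-certificates/GUC_gost12.crt

update-ca-certificates

# verify: curl should now report "SSL certificate verify ok"

# info:
# cert guc_gost12.crt
# /usr/share/ca-certificates        - CAs shipped by the distribution
# /usr/local/share/ca-certificates  - locally added CAs (picked up by update-ca-certificates)

curl -v https://esia.gosuslugi.ru/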