白翼的服務器運維博客

唔，經濟收入連續兩個月受到重度打擊…很很很認真的尋求外快工作中。

– 現負責在職公司新產品架構設計，較熟悉 AWS 運用，同理可運用騰訊雲，阿里雲等平台。
– 使用 Python 編寫自動化運維程序，或 Slack Bot 之類。
– 理所當然的熟悉 DNS，域名，SSL 等最基本的互聯網基礎設施。
– 其他的能做的但不敢寫，不然副業成了主業了就要丟主業了…

歡迎國內個體或公司聯繫，在日主體除非能以支付寶/微信支付款項，不接受日本銀行交易。

E-Mail: a#rsl.gd

Implemented with Nginx Mainline and OpenSSL 1.1.1.

Major browsers are not ready for RFC version yet, so TLS 1.2 will be chosen.

Update on 10-12:

--with-openssl-opt='no-comp no-zlib no-zlib-dynamic enable-ec_nistp_64_gcc_128 enable-tls1_3 shared'

Looks like this is the key configuration to make Nginx enbale TLSv1.3.

由於我寫的時候就是日文，暫時懶得翻譯。

For more details: https://github.com/phusion/passenger/issues/2089

 

大体の原因は掴めました：

Passenger の SecurityUpdateCheck は 5.1 から導入されたもので、もし重大 Fix があるバーションが出ると、Push します。

そこで、かつて一個バグがあって、リスポンスが 500B 超えると Passenger が Crash する、これは 5.1.5 で修正された。

今回 23 時間の前に発表されたバーション 5.3.2 がまさに重大 Fix が入るバーションなので、 Update Info は発送され、パケットが大きいと思い、全世界の Passenger < 5.1.5 が死んだ。

Never thought that I would have to criticize Namecheap again, after I left their services.

Let me explain, I bought myself a new domain this month, and found out that there is a 3-year SSL certificate valid for my domain through crt.sh. Naturally I contacted Comodo SSL Abuse Dept. and got redirected to the reseller – Namecheap. After reaching out to Namecheap they insisted that as long as I issued a new certificate, the valid certificate that the former domain owner had will have no power whatsoever ( which is not true ), even after ticket escalation, they’re just re-assuring me that MITM somehow will not exist as long as I set up a new SSL cert and “there is no need to worry about the security of your website and the information transmitted via Internet”.

So, according to Namecheap’s statement, Wosign accident is just a fraud and people obtained github.com’s certificate will do absolutely no harm to Github. Good to know.

A public discussion is under way: https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/4R1parm1XCc

（Author: 華若葉，https://www.pixiv.net/member_illust.php?mode=medium&illust_id=66732375）

隨手發一篇文章，跟大家安利一下 Certum 的好處。

今天在 The SSL Store 給騰訊企業郵的登錄介面買了個 Certum 的 SSL 證書，最終因為騰訊不支持非他們列表中的 CA 導致需要申請退款，但正是這個退款讓我見識到 Certum 的力量。

從點擊郵箱鏈接開始不到30秒的時間內， Certum 已經簽發好證書可供下載了，如此的速度最近很難見大型 CA 的自動化系統能夠做到，而且每次操作都以證書的序列號為准，能夠精確讓你知道你在操作的是哪一張證書。之後的申請退款，確定了我要退款的那一瞬間， Certum 提醒我證書已被註銷並加入他們 CRL 列表的郵件已經送到了我的郵箱…太快太爽了！

特別跟最近與 Comodo 扯皮吊銷證書的事情對比， Certum 滿分，牆裂推薦。

---

Update: The certificate has finally been revoked, after I have brought it up a month ago. Comodo’s Technical Support Team Lead gave me a reason why it all goes to hell is because my order is attached with an e-mail address, so I have to send the request via that e-mail. It is perfectly fine except that neither Comodo support staff nor GoGetSSL knows this should be done within this way, as Comodo’s support staff are redirecting me to go back to GoGetSSL to solve the problem at the first place.

---

This is not an article about Comodo being distrusted by main-stream browsers, but just me.

In short, Comodo failed to act as a trusted Certificate Authority. I recently bought a certificate from their reseller GoGetSSL and the transmit of the private key was initially not safe because I did it on a Chinese software which has zero encrypt on the messages and have files copied on their server. So we ( me and my client ) decided to re-issue the certificate and asked GoGetSSL to revoke the old one. Things start out smoothly as GoGetSSL ask for specific certification to revoke, and said that Comodo will do it in 12 hours.

Well, 12 hours past, but nothing happened on the old certificate. CRL and OCSP still validates it ( according to https://certificate.revocationcheck.com/ ). So I request it again, and GoGetSSL’s customer service try to revoke it again, some days had past, nothing happened.

Then, I tried to get in touch with Comodo by their Official website’s ticket system, I clarified the issue and want to know if they have anything to say about it, or even will it actually be GoGetSSL’s fault in this. But nope, all they replied was this:

Thank you for contacting Comodo, we will be happy to assist you.  Please contact the party in which the certificate was purchased from in regards to any revocation of your certificate.  If you have any further questions or concerns feel free to contact us again.

Which basically said nothing.

A few days ago, I published an article saying why am I deciding to move my own website’s certificate to GlobalSign because I felt Comodo is being to feel like it is “Too big to fail”. And now, if a trusted certificate authority, could not even complete the most basic part of a certification, which is validate and revoke, it’s out my friend.

幾年前， xoxo 在 V2EX 上賣非法渠道的 AlphaSSL 通配符，成為了本博客的第一張證書。

因為那次的事件， GlobalSign 的信用在我心目中直線下降，以至於我以為“野卡”這個詞就是針對 GlobalSign 才出現的。

近期 CA 界好不熱鬧，繼 WoSign 事件之後 Symantec 又開始跟 Google 幹架， Comodo 趁機坐上了證書市場份額的第一把椅子。發生了這麼多事情，對我來說也是時候要重新審視自己博客證書用的 Comodo 了。

經過很多個星期對當下 CA 以及 SSL 界的文檔研究，發現各大 CA 在歷史上都有過不輕的安全事故， Let’s Encrypt 以及 COMODO 包攬釣魚域名證書發行量前二， Let’s Encrypt 作為一個目標是全免費全自動化的證書發行工具，還可以說他們的願景並不是審核網站內容，但 COMODO 是不是有點說不過去…

然後看看 Symantec ，他們收購了 Verisign 之後穩坐份額第一很久了，這次 Google 幹架估計把他們的信用也嗆的厲害… RapidSSL ， Thawte ， GeoTrust 全都是他家的，於是這些品牌直接以同一理由出局，希望 Symantec 能夠在這場跟 Google 的戰役中打贏吧，確實覺得 Google 有點橫行霸道，但好像又無可厚非。（ Symantec 最近在國內大範圍推廣合作 DV 證書之餘，也準備正式推出一個免費發行 DV 證書的網站了）

於是，在深刮多家 CA 歷史及其 CPS 之後，最終決定回到 GlobalSign 的懷抱。其實因為 GlobalSign 是日本企業所以我一開始真的是很懷疑他們的技術實力，但目前看來無論是 Certificate Transparency 還是 OCSP 服務器的響應表現等，都是 CA 中做的最好的一家，市場份額也是全球第三，有一定用戶基數的同時又不會像 Comodo 那樣開始有點 “Too Big To Fail” 的感覺。最後，博客是因為想要 Wildcard 證書才買的 GlobalSign ，如果是 DV 證書的話 Let’s Encrypt 足矣。

我們都知道， Let’s Encrypt 的默認RSA密鑰長度是 2048Bits ，在創建網站證書的時候沒有修改這個配置的話，可能就是後悔終生（不）幸好，在90天的有效期過後，我們能夠輕鬆通過一行命令解決這個問題。

certbot renew --rsa-key-size 4096

Just run this bad boy, and you’re good to go.

 

最近買了好幾個新域名，分別是 .gd， .io 後綴的。一直以來都看見 Hexonet 支持 DNSSEC ，但怎麼就是沒在面板上看見任何選項呢？

今天查了一下，終於知道如何操作。得手動在 API 中輸入命令…

參考資料：

https://wiki.hexonet.net/wiki/DNSSEC

http://bp.la/hexonet-cloudflare-dnssec/

首先，打開 Hexonet 的 API 執行頁面，（https://cp.hexonet.net/cp2/index.php/tools/apiaccess）

然後按照以下格式輸入命令：

command = ModifyDomain
domain = example.com
secDNS-urgent = 1
secDNS-ds0 = [KEYTAG] [ALGORITHM] [DIGEST-TYPE] [DIGEST]

這裡面唯一一個坑就是 Digest Type 吧， CloudFlare 提供的是 SHA256 ，然而這不存在…查了一下官方資料， 2 代表 SHA256 ，嗯。