Tuesday, February 2, 2021

Tomcat 7: importing an SSL certificate

Step 1: confirm the Java version and install location


/usr/lib/jvm/java-7-openjdk-amd64/jre/bin

---

Create the key pair / certificate request file with keytool

keytool -genkeypair -alias a -keystore store.pfx -storetype pkcs12 -keyalg RSA -dname "CN=http://www.xxxxxxx.com,OU=Unit,O=Organization,L=Taipei,S=Taipei,C=TW" -keypass password -storepass password

Back up the configuration file

cp server.xml server.xml.20180324

Open the HTTPS port in the firewall

vim iptables.save

iptables-save > iptables.save

Check whether the port is being listened on

netstat -atunlp

=== 

Self-signed, self-created (generate the keystore)

keytool -keysize 2048 -genkey -alias tomcat -keystore tomcat.keystore -keyalg RSA -dname "CN=vfm.xxxxxxxx.com,OU=Unit,O=Organization,L=Taipei,S=Taipei,C=TW" -keypass password -storepass password

==

Generate a CSR to request the certificate

keytool -certreq -alias tomcat -file csr.txt -keystore tomcat.keystore -storepass password


==

Install the root certificate

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt -storepass password

===

Delete the certificate

keytool -delete -alias root -keystore tomcat.keystore -storepass password

==

Install the intermediate certificate (not required)

keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt -storepass password

==

Delete the intermediate certificate

keytool -delete -alias intermed -keystore tomcat.keystore -storepass password

==

Install the host certificate

keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file vfm.xxxxxxx.com.crt -storepass password

==

Delete the certificate (command)

keytool -delete -alias tomcat -keystore tomcat.keystore -storepass password

View the certificate list

keytool -list -alias tomcat -keystore tomcat.keystore -storepass password




==

Edit the Tomcat configuration file (the following varies by version)

cd /var/lib/tomcat7/conf/

cp server.xml server.xml.20180324

vim server.xml

Check the following settings

#keystoreFile

#keystorePass

#sslProtocol

The following syntax is for reference

===

<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keystoreFile="tomcat.keystore" keystorePass="password" />


=======

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
    disableUploadTimeout="true" enableLookups="false" maxThreads="25"
    port="9443" keystoreFile="tomcat.keystore" keystorePass="password"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
    secure="true" sslProtocol="TLS" />


=======


<Connector SSLEnabled="true" acceptCount="2000" clientAuth="false"
    disableUploadTimeout="true" enableLookups="false" maxThreads="500"
    port="9443" keystoreFile="tomcat.keystore" keystorePass="password"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
    secure="true" sslProtocol="TLS" />

=======

<Connector port="9443" maxThreads="200"
          scheme="https" secure="true" SSLEnabled="true"
          keystoreFile="tomcat.keystore" keystorePass="password"
          clientAuth="false" sslProtocol="TLS"/>

=======
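As an added example (not part of the original notes), a small Python audit of the Connector elements in server.xml: it checks the three attributes the notes say to confirm (keystoreFile, keystorePass, sslProtocol) and, going beyond the notes, two more a defender would want (scheme/secure consistency and whether sslEnabledProtocols pins the TLS versions). The sample XML is constructed here to mirror the reference connector above; Tomcat's defaults mentioned in the findings are ~/.keystore and the password "changeit".

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first connector mirrors the reference block from the
# notes above; the second is the same connector with sslEnabledProtocols pinned.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keystoreFile="tomcat.keystore"
           keystorePass="password" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2" keystoreFile="tomcat.keystore"
           keystorePass="password" />
<Connector port="8080" protocol="HTTP/1.1" />
</Service></Server>"""


def audit_ssl_connectors(xml_text):
    """Return {port: [findings]} for each Connector with SSLEnabled="true"."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: nothing TLS-related to check
        findings = []
        # The three attributes the notes say to confirm.
        if not conn.get("keystoreFile"):
            findings.append("keystoreFile unset: Tomcat falls back to ~/.keystore of the service user")
        if not conn.get("keystorePass"):
            findings.append("keystorePass unset: Tomcat assumes the default 'changeit'")
        else:
            findings.append("keystorePass is stored in clear text: restrict read access to server.xml")
        if not conn.get("sslProtocol"):
            findings.append("sslProtocol unset")
        # Two checks beyond the notes.
        if conn.get("scheme") != "https" or conn.get("secure", "false").lower() != "true":
            findings.append("scheme/secure not set for HTTPS: request.isSecure() will be wrong")
        if not conn.get("sslEnabledProtocols"):
            findings.append("sslEnabledProtocols unset: negotiable TLS versions follow the JVM default")
        report[conn.get("port", "?")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_ssl_connectors(SAMPLE_SERVER_XML).items():
        print(f"port {port}:")
        for finding in findings:
            print("  -", finding)
```

Run it against /var/lib/tomcat7/conf/server.xml by reading the file into `audit_ssl_connectors` instead of the constructed sample.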


After making the changes, restart Tomcat

service tomcat7 restart

Check the Tomcat log to confirm it is running


tail -f /var/lib/tomcat7/logs/catalina.out



============

Apr 25, 2018 5:19:49 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 967 ms
Apr 25, 2018 5:19:49 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Apr 25, 2018 5:19:49 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.52 (Ubuntu)
Apr 25, 2018 5:19:49 PM org.apache.catalina.loader.WebappClassLoader validateJarFile
INFO: validateJarFile(/var/lib/tomcat7/webapps/vfm/WEB-INF/lib/servlet-api.jar) - jar not loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: javax/servlet/Servlet.class
log4j:WARN No appenders could be found for logger (org.springframework.web.context.ContextLoader).
log4j:WARN Please initialize the log4j system properly.



Ubuntu 20.04 install librenms



Since CentOS 8 has been orphaned, I set about migrating the instance I had running on CentOS.


Unexpectedly, the further I got the more question marks came up, which makes one wonder whether the people who wrote the site's guide actually ran through it themselves XDDDD


Since I spent quite a bit of time solving problems, I have updated my notes and put them here.




apt install software-properties-common

add-apt-repository universe

apt update

apt upgrade

The tutorial on the official site


apt install acl curl composer fping git graphviz imagemagick mariadb-client mariadb-server mtr-tiny nginx-full nmap php7.4-cli php7.4-curl php7.4-fpm php7.4-gd php7.4-json php7.4-mbstring php7.4-mysql php7.4-snmp php7.4-xml php7.4-zip rrdtool snmp snmpd whois unzip python3-pymysql python3-dotenv python3-redis python3-setuptools


Here the problem comes up:

in this package list, PHP by default looks for and recognises php-curl rather than php7.4-curl,

so you need to install php-curl.


Create the account

useradd librenms -d /opt/librenms -M -r -s "$(which bash)"

cd /opt

# Hmm, this produces the error: git gnutls_handshake() failed

git clone https://github.com/librenms/librenms.git


# Looking up the cause, the explanations mostly say it is a package bug, but neither disabling it / changing the setting to TLS v1.2 nor rebuilding the package got past it

# No matter; if the mountain won't move, take another road: switch to SSH instead

1. Generate a key pair on the host with ssh-keygen


#ssh-keygen

2. cat ~/.ssh/id_rsa.pub

Copy the public key; it looks roughly like this


ssh-rsa [public key omitted] root@librenms



3. Log in to your GitHub account (if you don't have one, go and create one; it's convenient)


Account settings > SSH and GPG keys > New SSH key > paste it in


Then back on the host

cd /opt

git clone git@github.com:librenms/librenms.git


It will ask whether to accept the host key; type yes and press Enter!


Now back to the regular procedure


Set the directory permissions

chown -R librenms:librenms /opt/librenms

chmod 771 /opt/librenms

setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/

setfacl -R -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/


#PHP pre-install

su - librenms

./scripts/composer_wrapper.php install --no-dev

exit


Set the PHP timezone

First check your own timedatectl

Asia/Taipei


===

vi /etc/php/7.4/fpm/php.ini

vi /etc/php/7.4/cli/php.ini

===

Change the host timezone (Taipei)

sudo timedatectl set-timezone Asia/Taipei



Configure MariaDB

# Edit the configuration

vi /etc/mysql/mariadb.conf.d/50-server.cnf

Add the following under [mysqld]

innodb_file_per_table=1

lower_case_table_names=0


Enable and restart the service

systemctl enable mariadb

systemctl restart mariadb


Create the database and set up the librenms account and password

CREATE DATABASE librenms CHARACTER SET utf8 COLLATE utf8_unicode_ci;

CREATE USER 'librenms'@'localhost' IDENTIFIED BY 'password';

GRANT ALL PRIVILEGES ON librenms.* TO 'librenms'@'localhost';

FLUSH PRIVILEGES;

exit


Configure PHP-FPM

cp /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/librenms.conf

vi /etc/php/7.4/fpm/pool.d/librenms.conf

Change the settings

Replace [www] with [librenms]:

Replace the following

user = librenms

group = librenms

listen = /run/php-fpm-librenms.sock


Configure nginx

vi /etc/nginx/conf.d/librenms.conf

Paste this in directly

server {
 listen      80;
 server_name librenms.example.com;
 root        /opt/librenms/html;
 index       index.php;

 charset utf-8;
 gzip on;
 gzip_types text/css application/javascript text/javascript application/x-javascript image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;
 location / {
  try_files $uri $uri/ /index.php?$query_string;
 }
 location ~ [^/]\.php(/|$) {
  fastcgi_pass unix:/run/php-fpm-librenms.sock;
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  include fastcgi.conf;
 }
 location ~ /\.(?!well-known).* {
  deny all;
 }
}

Remove the default site configuration and start the services

rm /etc/nginx/sites-enabled/default

systemctl restart nginx

systemctl restart php7.4-fpm


SELinux

Not enabled by default on Ubuntu (Cen


Configure snmpd

cp /opt/librenms/snmpd.conf.example /etc/snmp/snmpd.conf


cp /opt/librenms/librenms.nonroot.cron /etc/cron.d/librenms


cp /opt/librenms/misc/librenms.logrotate /etc/logrotate.d/librenms