Self-signing a security certificate on Ubuntu 24.04

Deployment environment (Ubuntu 24.04)

Install the required packages

apt update && apt upgrade -y
apt install openssl ca-certificates

Create a working directory

mkdir -p ~/certwork
chmod 700 ~/certwork
cd ~/certwork

Place the CSR in the working folder

certwork#vi prod.abc.com.csr
Then paste the CSR contents into the file and save it.

-----BEGIN CERTIFICATE REQUEST-----
(base64-encoded CSR body omitted)
-----END CERTIFICATE REQUEST-----

certwork#ll
prod.abc.com.csr

View the CSR

certwork#openssl req -in prod.abc.com.csr -noout -text

Generate the Root CA private key

openssl genrsa -out rootCA.key 4096
openssl genrsa -out rootCA.key 2048
openssl genrsa -out rootCA.key 1024   # the one that was used successfully this time
Run one of the three (depending on the strength level you want)

Create the Root CA certificate (self-signed CA)

openssl req -x509 -new -nodes -key rootCA.key -sha1 -days 7300 \
-subj "/C=TW/O=PSC/CN=PSC Root CA" \
-addext "basicConstraints=critical,CA:true,pathlen:1" \
-addext "keyUsage=critical,keyCertSign,cRLSign" \
-out rootCA.crt

export DOMAIN="prod.abc.com"
export BASE="abc.com"
export DAYS=3650 # 10 years; shorten it if your internal policy requires

Create ext.cnf:

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = prod.abc.com
DNS.2 = abc.com

Issue the .crt certificate from the CSR (SHA-1 algorithm, ten years)

openssl x509 -req -in prod.abc.com.csr \
-CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
-out prod.abc.com.crt -days 3650 -sha1 \
-extfile ./ext.cnf -extensions v3_req

Issue the .crt certificate from the CSR (two years, SHA-256 algorithm)

openssl x509 -req -in prod.abc.com.csr \
-CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
-out prod.abc.com.crt -days 730 -sha256 \
-extfile ./ext.cnf -extensions v3_req

Convert the .crt certificate to a .p7b bundle

Build the chain file: leaf + root (if you have an intermediate CA, the order should be leaf → intermediate → root)

cat prod.abc.com.crt rootCA.crt > chain.pem

Produce the .p7b in DER format

openssl crl2pkcs7 -nocrl -certfile chain.pem -out prod.abc.com.p7b -outform DER

View the p7b contents

openssl pkcs7 -in prod.abc.com.p7b -inform DER -print_certs -text -noout | less

Using docker-compose to build WordPress quickly

Use a docker-compose.yml to bring up WordPress on port 8031, with phpMyAdmin added so you can manage the same MySQL database from a browser. WordPress stays exposed on 8031; phpMyAdmin is served separately on 8032.

version: '3.9'

services:
  wordpress:
    image: wordpress:latest
    container_name: wordpress_site
    ports:
      - "8031:80"
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wpuser
      WORDPRESS_DB_PASSWORD: wppassword
      WORDPRESS_DB_NAME: wordpress
    volumes:
      - wordpress_data:/var/www/html
    depends_on:
      - db
    restart: always

  db:
    image: mysql:5.7
    container_name: wordpress_db
    environment:
      MYSQL_ROOT_PASSWORD: rootpassword
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wpuser
      MYSQL_PASSWORD: wppassword
    volumes:
      - db_data:/var/lib/mysql
    restart: always

  phpmyadmin:
    image: phpmyadmin:latest
    container_name: wp_phpmyadmin
    depends_on:
      - db
    environment:
      PMA_HOST: db
      PMA_PORT: 3306
      PMA_USER: root
      PMA_PASSWORD: rootpassword
      UPLOAD_LIMIT: 512M
    ports:
      - "8032:80"
    restart: always

volumes:
  wordpress_data:
  db_data:

Usage

  1. Save the contents above as docker-compose.yml
  2. Start: docker-compose up -d
  3. Open:
    • WordPress: http://localhost:8031
    • phpMyAdmin: http://localhost:8032 (log in as root / rootpassword or wpuser / wppassword)

Recommendation: replace rootpassword / wppassword with strong passwords before going live; if you would rather use MariaDB, change the db image to mariadb:10.11 and keep the rest of the settings as they are.
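As an added example (not from the original page), the script below applies the recommendation above: it generates the two database passwords from the kernel CSPRNG, writes them to a .env file that docker compose reads for ${VAR} substitution, and writes a compose file that matches the one above except that the passwords are no longer literals, phpMyAdmin no longer auto-logs in as root, and port 8032 is bound to 127.0.0.1 so the database admin UI is reachable only from the host itself (for example through an SSH tunnel). The function names and the output directory are this example's own choices.

```shell
#!/bin/bash
# Added example (not from the original page): generated secrets in .env plus a
# compose file that reads them, with phpMyAdmin bound to loopback only.
set -eu

# 32 URL-safe characters from /dev/urandom; needs only coreutils.
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9_-' < /dev/urandom | head -c 32
  echo
}

# Write .env (docker compose reads it automatically for ${VAR} substitution).
write_env() {
  out="$1"
  ( umask 077                     # created owner-readable only
    { echo "MYSQL_ROOT_PASSWORD=$(gen_secret)"
      echo "MYSQL_PASSWORD=$(gen_secret)"
    } > "$out" )
  chmod 600 "$out"
}

# Same services, ports and volumes as the page's compose file; secrets via ${VAR}.
write_compose() {
  cat > "$1" <<'EOF'
services:
  wordpress:
    image: wordpress:latest
    container_name: wordpress_site
    ports:
      - "8031:80"
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wpuser
      WORDPRESS_DB_PASSWORD: ${MYSQL_PASSWORD}
      WORDPRESS_DB_NAME: wordpress
    volumes:
      - wordpress_data:/var/www/html
    depends_on:
      - db
    restart: always
  db:
    image: mysql:5.7
    container_name: wordpress_db
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wpuser
      MYSQL_PASSWORD: ${MYSQL_PASSWORD}
    volumes:
      - db_data:/var/lib/mysql
    restart: always
  phpmyadmin:
    image: phpmyadmin:latest
    container_name: wp_phpmyadmin
    depends_on:
      - db
    environment:
      PMA_HOST: db
      PMA_PORT: 3306
      UPLOAD_LIMIT: 512M
      # no PMA_USER / PMA_PASSWORD: each admin logs in with their own account
    ports:
      - "127.0.0.1:8032:80"       # loopback only; use an SSH tunnel from elsewhere
    restart: always
volumes:
  wordpress_data:
  db_data:
EOF
}

outdir=$(mktemp -d)
write_env "$outdir/.env"
write_compose "$outdir/docker-compose.yml"
echo "Wrote $outdir/.env and $outdir/docker-compose.yml; start with: cd $outdir && docker compose up -d"
```

Keep .env out of version control and back it up with the same care as the database volume: losing MYSQL_ROOT_PASSWORD after the first start means recovering the root account manually inside the container.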

Automatically installing Docker CE and docker-compose on Ubuntu 24.04

You can use the following Bash script to install Docker CE and docker-compose (the latest Compose plugin) automatically on Ubuntu 24.04.
The script takes care of the official Docker GPG key, the repository setup, and installing and starting the service.

#!/bin/bash
set -e

echo "=== 更新套件列表 ==="
sudo apt-get update -y
sudo apt-get upgrade -y

echo "=== 安裝必要套件 ==="
sudo apt-get install -y ca-certificates curl gnupg lsb-release

echo "=== 新增 Docker 官方 GPG Key ==="
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
    sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg

echo "=== 新增 Docker 套件來源 ==="
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
  https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

echo "=== 更新套件列表 (Docker) ==="
sudo apt-get update -y

echo "=== 安裝 Docker CE 與 Compose Plugin ==="
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

echo "=== 啟動並設定 Docker 開機自動啟動 ==="
sudo systemctl enable docker
sudo systemctl start docker

echo "=== 將目前使用者加入 docker 群組 (免 sudo) ==="
sudo usermod -aG docker "$USER"

echo "=== 安裝完成 ==="
docker --version
docker compose version

echo "⚠️ 請重新登入帳號以套用群組變更"

Usage

  1. Save the contents above to a file, for example install_docker.sh
  2. Run: chmod +x install_docker.sh && ./install_docker.sh
  3. After installation, log out and back in; you can then use the docker and docker compose commands directly.
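The installer above trusts whatever key download.docker.com served at the time. As an added check that is not part of the original script, the following script reads the fingerprint of the dearmored keyring the installer wrote to /etc/apt/keyrings/docker.gpg and compares it with the fingerprint Docker publishes in its installation documentation. The EXPECTED_FP value is taken from that documentation and the KEYRING path from the script above, not from this page; confirm the fingerprint against docs.docker.com before relying on it. The function names are this example's own.

```shell
#!/bin/bash
# Added example (not from the original page): compare the installed Docker apt
# signing key against the fingerprint published in Docker's install docs.
set -eu

# Assumption: this is the fingerprint printed in Docker's official install
# documentation; verify it there before trusting this constant.
EXPECTED_FP="9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88"
KEYRING="${KEYRING:-/etc/apt/keyrings/docker.gpg}"

# Normalise a fingerprint: drop spaces and colons, upper-case the hex digits.
fp_normalize() {
  printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# Print the primary-key fingerprint of a dearmored keyring file.
keyring_fingerprint() {
  gpg --show-keys --with-colons --with-fingerprint "$1" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Exit status 0 when the keyring's fingerprint equals the expected one.
check_fingerprint() {
  actual=$(keyring_fingerprint "$1")
  [ -n "$actual" ] || return 1
  [ "$(fp_normalize "$actual")" = "$(fp_normalize "$EXPECTED_FP")" ]
}

if [ -r "$KEYRING" ] && command -v gpg >/dev/null 2>&1; then
  if check_fingerprint "$KEYRING"; then
    echo "OK: $KEYRING matches the documented Docker fingerprint"
  else
    echo "MISMATCH: remove $KEYRING and /etc/apt/sources.list.d/docker.list before continuing" >&2
    exit 1
  fi
else
  echo "Keyring $KEYRING not present or gpg missing (run the installer first); check skipped"
fi
```

Run it between the "新增 Docker 官方 GPG Key" and "安裝 Docker CE" steps of the installer, or once afterwards; a mismatch means apt would accept packages signed by a key you did not intend to trust, so the repository entry should be removed before any apt-get install.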