#!/bin/bash # SSL 证书诊断脚本 # 用于检查 SSL 证书配置是否正确 echo "==========================================" echo "SSL 证书诊断工具" echo "==========================================" echo "" # 检查证书文件路径 CERT_PATH="/home/owen/ssl_key/smartsensiguard.cn.pem" KEY_PATH="/home/owen/ssl_key/smartsensiguard.cn.key" echo "1. 检查证书文件是否存在..." echo "----------------------------------------" if [ -f "$CERT_PATH" ]; then echo "✓ 证书文件存在: $CERT_PATH" ls -lh "$CERT_PATH" else echo "✗ 证书文件不存在: $CERT_PATH" echo " 请确保证书文件存在于该路径" fi echo "" if [ -f "$KEY_PATH" ]; then echo "✓ 私钥文件存在: $KEY_PATH" ls -lh "$KEY_PATH" else echo "✗ 私钥文件不存在: $KEY_PATH" echo " 请确保私钥文件存在于该路径" fi echo "" echo "2. 检查证书文件内容..." echo "----------------------------------------" if [ -f "$CERT_PATH" ]; then echo "证书文件内容预览(前 5 行):" head -5 "$CERT_PATH" echo "" # 检查证书格式 if grep -q "BEGIN CERTIFICATE" "$CERT_PATH"; then echo "✓ 证书文件格式正确(包含 BEGIN CERTIFICATE)" else echo "✗ 证书文件格式可能不正确(未找到 BEGIN CERTIFICATE)" fi # 检查是否包含证书链 CERT_COUNT=$(grep -c "BEGIN CERTIFICATE" "$CERT_PATH" || echo "0") if [ "$CERT_COUNT" -gt 1 ]; then echo "✓ 证书文件包含证书链($CERT_COUNT 个证书)" else echo "⚠ 证书文件可能不包含完整的证书链(仅 $CERT_COUNT 个证书)" echo " 如果遇到 PR_END_OF_FILE_ERROR,可能需要合并证书链" fi else echo "跳过:证书文件不存在" fi echo "" if [ -f "$KEY_PATH" ]; then echo "私钥文件内容预览(前 5 行):" head -5 "$KEY_PATH" echo "" # 检查私钥格式 if grep -q "BEGIN.*PRIVATE KEY" "$KEY_PATH"; then echo "✓ 私钥文件格式正确(包含 BEGIN PRIVATE KEY)" else echo "✗ 私钥文件格式可能不正确(未找到 BEGIN PRIVATE KEY)" fi else echo "跳过:私钥文件不存在" fi echo "" echo "3. 使用 OpenSSL 验证证书..." echo "----------------------------------------" if command -v openssl >/dev/null 2>&1; then if [ -f "$CERT_PATH" ]; then echo "证书信息:" openssl x509 -in "$CERT_PATH" -text -noout 2>/dev/null | head -20 || echo "✗ 无法解析证书文件" echo "" echo "证书有效期:" openssl x509 -in "$CERT_PATH" -noout -dates 2>/dev/null || echo "✗ 无法读取证书有效期" echo "" echo "证书域名:" openssl x509 -in "$CERT_PATH" -noout -subject -issuer 2>/dev/null || echo "✗ 无法读取证书信息" else echo "跳过:证书文件不存在" fi if [ -f "$KEY_PATH" ]; then echo "" echo "验证私钥:" openssl rsa -in "$KEY_PATH" -check -noout 2>/dev/null && echo "✓ 私钥格式正确" || echo "✗ 私钥格式可能有问题" echo "" echo "验证证书和私钥是否匹配:" CERT_MD5=$(openssl x509 -noout -modulus -in "$CERT_PATH" 2>/dev/null | openssl md5) KEY_MD5=$(openssl rsa -noout -modulus -in "$KEY_PATH" 2>/dev/null | openssl md5) if [ "$CERT_MD5" = "$KEY_MD5" ] && [ -n "$CERT_MD5" ]; then echo "✓ 证书和私钥匹配" else echo "✗ 证书和私钥不匹配" fi else echo "跳过:私钥文件不存在" fi else echo "⚠ OpenSSL 未安装,跳过证书验证" echo " 可以运行: yum install openssl -y (CentOS) 或 apt-get install openssl (Ubuntu)" fi echo "" echo "4. 检查 Docker 容器状态..." echo "----------------------------------------" if command -v docker >/dev/null 2>&1; then if docker ps -a | grep -q "nginx-https"; then echo "Nginx 容器状态:" docker ps -a | grep "nginx-https" echo "" echo "Nginx 容器日志(最后 20 行):" docker logs --tail 20 nginx-https 2>&1 | grep -i "ssl\|cert\|error" || docker logs --tail 20 nginx-https else echo "⚠ Nginx 容器未运行" fi else echo "⚠ Docker 未安装或不可用" fi echo "" echo "==========================================" echo "诊断完成" echo "==========================================" echo "" echo "常见问题解决方案:" echo "1. 如果证书文件不存在,请将证书文件放置到: $CERT_PATH" echo "2. 如果证书链不完整,需要合并证书和证书链:" echo " cat cert.pem chain.pem > fullchain.pem" echo "3. 如果证书和私钥不匹配,请检查证书文件是否正确" echo "4. 如果容器无法启动,检查证书文件权限:" echo " chmod 644 $CERT_PATH" echo " chmod 600 $KEY_PATH" echo ""