root
/
X1_Site
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
22 Commits
7 Branches
0 Tags
445 MiB
 
 
 
Tree: fef3e6aa4c
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'fef3e6aa4c'
${ noResults }
X1_Site/site/check-ssl.sh

155 lines
4.9 KiB
Raw Blame History

#!/bin/bash
# SSL 证书诊断脚本
# 用于检查 SSL 证书配置是否正确
echo "=========================================="
echo "SSL 证书诊断工具"
echo "=========================================="
echo ""
# 检查证书文件路径
CERT_PATH="/home/owen/ssl_key/smartsensiguard.cn.pem"
KEY_PATH="/home/owen/ssl_key/smartsensiguard.cn.key"
echo "1. 检查证书文件是否存在..."
echo "----------------------------------------"
if [ -f "$CERT_PATH" ]; then
echo "✓ 证书文件存在: $CERT_PATH"
ls -lh "$CERT_PATH"
else
echo "✗ 证书文件不存在: $CERT_PATH"
echo " 请确保证书文件存在于该路径"
fi
echo ""
if [ -f "$KEY_PATH" ]; then
echo "✓ 私钥文件存在: $KEY_PATH"
ls -lh "$KEY_PATH"
else
echo "✗ 私钥文件不存在: $KEY_PATH"
echo " 请确保私钥文件存在于该路径"
fi
echo ""
echo "2. 检查证书文件内容..."
echo "----------------------------------------"
if [ -f "$CERT_PATH" ]; then
echo "证书文件内容预览(前 5 行):"
head -5 "$CERT_PATH"
echo ""
# 检查证书格式
if grep -q "BEGIN CERTIFICATE" "$CERT_PATH"; then
echo "✓ 证书文件格式正确(包含 BEGIN CERTIFICATE)"
else
echo "✗ 证书文件格式可能不正确(未找到 BEGIN CERTIFICATE)"
fi
# 检查是否包含证书链
CERT_COUNT=$(grep -c "BEGIN CERTIFICATE" "$CERT_PATH" || echo "0")
if [ "$CERT_COUNT" -gt 1 ]; then
echo "✓ 证书文件包含证书链($CERT_COUNT 个证书)"
else
echo "⚠ 证书文件可能不包含完整的证书链(仅 $CERT_COUNT 个证书)"
echo " 如果遇到 PR_END_OF_FILE_ERROR,可能需要合并证书链"
fi
else
echo "跳过:证书文件不存在"
fi
echo ""
if [ -f "$KEY_PATH" ]; then
echo "私钥文件内容预览(前 5 行):"
head -5 "$KEY_PATH"
echo ""
# 检查私钥格式
if grep -q "BEGIN.*PRIVATE KEY" "$KEY_PATH"; then
echo "✓ 私钥文件格式正确(包含 BEGIN PRIVATE KEY)"
else
echo "✗ 私钥文件格式可能不正确(未找到 BEGIN PRIVATE KEY)"
fi
else
echo "跳过:私钥文件不存在"
fi
echo ""
echo "3. 使用 OpenSSL 验证证书..."
echo "----------------------------------------"
if command -v openssl >/dev/null 2>&1; then
if [ -f "$CERT_PATH" ]; then
echo "证书信息:"
openssl x509 -in "$CERT_PATH" -text -noout 2>/dev/null | head -20 || echo "✗ 无法解析证书文件"
echo ""
echo "证书有效期:"
openssl x509 -in "$CERT_PATH" -noout -dates 2>/dev/null || echo "✗ 无法读取证书有效期"
echo ""
echo "证书域名:"
openssl x509 -in "$CERT_PATH" -noout -subject -issuer 2>/dev/null || echo "✗ 无法读取证书信息"
else
echo "跳过:证书文件不存在"
fi
if [ -f "$KEY_PATH" ]; then
echo ""
echo "验证私钥:"
openssl rsa -in "$KEY_PATH" -check -noout 2>/dev/null && echo "✓ 私钥格式正确" || echo "✗ 私钥格式可能有问题"
echo ""
echo "验证证书和私钥是否匹配:"
CERT_MD5=$(openssl x509 -noout -modulus -in "$CERT_PATH" 2>/dev/null | openssl md5)
KEY_MD5=$(openssl rsa -noout -modulus -in "$KEY_PATH" 2>/dev/null | openssl md5)
if [ "$CERT_MD5" = "$KEY_MD5" ] && [ -n "$CERT_MD5" ]; then
echo "✓ 证书和私钥匹配"
else
echo "✗ 证书和私钥不匹配"
fi
else
echo "跳过:私钥文件不存在"
fi
else
echo "⚠ OpenSSL 未安装,跳过证书验证"
echo " 可以运行: yum install openssl -y (CentOS) 或 apt-get install openssl (Ubuntu)"
fi
echo ""
echo "4. 检查 Docker 容器状态..."
echo "----------------------------------------"
if command -v docker >/dev/null 2>&1; then
if docker ps -a | grep -q "nginx-https"; then
echo "Nginx 容器状态:"
docker ps -a | grep "nginx-https"
echo ""
echo "Nginx 容器日志(最后 20 行):"
docker logs --tail 20 nginx-https 2>&1 | grep -i "ssl\|cert\|error" || docker logs --tail 20 nginx-https
else
echo "⚠ Nginx 容器未运行"
fi
else
echo "⚠ Docker 未安装或不可用"
fi
echo ""
echo "=========================================="
echo "诊断完成"
echo "=========================================="
echo ""
echo "常见问题解决方案:"
echo "1. 如果证书文件不存在,请将证书文件放置到: $CERT_PATH"
echo "2. 如果证书链不完整,需要合并证书和证书链:"
echo " cat cert.pem chain.pem > fullchain.pem"
echo "3. 如果证书和私钥不匹配,请检查证书文件是否正确"
echo "4. 如果容器无法启动,检查证书文件权限:"
echo " chmod 644 $CERT_PATH"
echo " chmod 600 $KEY_PATH"
echo ""