1. Create a bash script file using nano to check whether your node's SSL certificate is affected by this bug.

Create a file named `le_check_nodes.sh` using nano:

```
nano ~/le_check_nodes.sh
```

Copy this entire block of text and paste it into your nano editor:

```bash
#!/bin/bash
# Fail a pipeline if any stage fails, so a broken download is detected.
set -o pipefail

SERIALS='https://d4twhgtvn0ff5.cloudfront.net/caa-rechecking-incident-affected-serials.txt.gz'
caa_file="./caa-rechecking-incident-affected-serials.txt"

# Download and unpack the list of affected serials once. Write to a temporary
# file first so a failed download never leaves an empty or partial list behind.
if [ ! -s "${caa_file}" ]; then
    if (wget -O- "$SERIALS" || curl -fL "$SERIALS") | gzip -d > "${caa_file}.tmp" \
        && [ -s "${caa_file}.tmp" ]; then
        mv "${caa_file}.tmp" "${caa_file}"
    else
        rm -f "${caa_file}.tmp"
        echo "Error, could not download the list of affected serials."
        exit 1
    fi
fi

# openssl is needed to read the certificate each node presents.
if ! command -v openssl > /dev/null 2>&1; then
    echo "Please install openssl."
    exit 1
fi

# Read one host:port per line from the file given as $1, or from stdin.
while read -r node; do
    # Fetch the certificate and extract its serial number as plain hex.
    serial="$(timeout 5 openssl s_client -connect "${node}" -showcerts </dev/null 2>/dev/null | \
        openssl x509 -text -noout 2>/dev/null | \
        grep -A 1 Serial\ Number | tr -d : | tail -n 1 | tr -d ' ')"
    if [ -z "${serial}" ]; then
        echo "Error, could not get certificate info for node ${node}!"
        continue
    fi
    echo "$serial"
    # -F matches the serial as a literal string, not as a regular expression.
    if grep -qF -- "$serial" "${caa_file}"; then
        echo "WARNING! Certificate for node ${node} has to be renewed!"
    else
        echo "Certificate for node ${node} is OK!"
    fi
    serial=""
done < "${1:-/dev/stdin}"
```

Save and exit from nano by hitting CTRL + X, then type y and hit `<enter>`.

2. Make the script executable.

Use chmod to make the script executable:

```
chmod +x ~/le_check_nodes.sh
```

3. Execute the script using your node's port number and check for the output "Certificate for node FQDN:9033 is OK!"

Note: If you're using a different port to 9033, modify as necessary.

Execute the script:

```
echo $FQDN:9033 | ~/le_check_nodes.sh
```

Example output:

```
zenops@node01:~$ echo $FQDN:9033 | ~/le_check_nodes.sh
-                   100%[=======================================================>] 315.50M  23.6MB/s    in 13s
2020-03-03 22:08:41 (24.2 MB/s) - written to stdout [330820804/330820804]
08d488862a9b004707bb219ef5643033ea78
```

YOU ONLY NEED TO RUN THE FOLLOWING if the certificate check is NOT OK!

4. Execute the force renew command to renew your certs.

Note: The systemd unit file for zend should automatically restart zend.

Force certbot to renew your SSL certificates:

```
sudo certbot renew --force-renewal
```

Example output:

```
WARNING! Certificate for node node01.zentest.win:903 has to be renewed!
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded. The following certs have been renewed:
```
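A stricter form of the serial comparison used by the check script in step 1, as an added example that is not part of the original script: it reads the serial from a local PEM file, normalizes it to bare lowercase hex, and matches it as a whole field so a partial serial or an empty list cannot produce a wrong verdict. It assumes the list holds each serial as a whitespace-separated lowercase hex field; the function names are illustrative.

```shell
#!/bin/bash
# Added example. Usage: ./check_local_cert.sh <cert.pem> <affected-serials.txt>
# Assumption: the list holds each serial as a whitespace-separated lowercase hex field.

# Turn any openssl rendering ("serial=08D4...", "08:d4:88:...") into bare lowercase hex.
normalize_serial() {
    printf '%s' "$1" | sed -e 's/^serial=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Return 0 if the serial is in the list, 1 if it is not,
# 2 if the list is missing or empty or the serial is not valid hex.
serial_is_affected() {
    sia_serial="$(normalize_serial "$1")"
    [ -s "$2" ] || return 2
    case "$sia_serial" in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    # -F: literal match, -w: whole field only, so a truncated serial never matches.
    grep -qwF -- "$sia_serial" "$2"
}

# Read the serial straight from a PEM file instead of parsing "openssl x509 -text".
check_cert_file() {
    ccf_raw="$(openssl x509 -in "$1" -noout -serial 2>/dev/null)" || return 2
    serial_is_affected "$ccf_raw" "$2"
}

# Only run the check when both arguments are supplied.
if [ "$#" -eq 2 ]; then
    rc=0
    check_cert_file "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "WARNING! Certificate $1 has to be renewed!" ;;
        1) echo "Certificate $1 is OK!" ;;
        *) echo "Error, could not check $1 against $2!" ;;
    esac
fi
```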