关于ghost:Ghost-博客-SSL-证书过期的解决办法

问题

明天拜访我的 Ghost 博客 的时候，发现进不去了：

网上找的图，不过就是这个样子，过后忘了截图

点击 高级 也没有进去的链接，而且页面地址后面写着”不平安“，证书显示也曾经过期一个月了。而且我本人部署的 flask 服务也拜访不了了。

起因

Ghost 自身其实会主动 renew 证书，可应用如下命令查看定时工作：

$ sudo crontab -l
14 0 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null

有这个输入就示意会主动 renew。然而依据网上的说法，Ghost 没有及时降级 /etc/letsencrypt/acme.sh 版本，造成 renew 失败之类的。

我看同目录下的 account.conf 中有一行是这样的：

#AUTO_UPGRADE="1"

主动降级默认是被正文掉的，不过我也不能百分比确定勾销正文就会主动降级。具体我也不是很懂，就不多说了，就提一嘴。

解决

所以总而言之，就是要 降级 acme.sh 而后重启 Ghost。

1. 进入 acme.sh 目录：

   $ cd /etc/letsencrypt

2. 备份原文件：

   $ sudo cp acme.sh acme.sh.bk

3. 降级：

   $ sudo ./acme.sh --upgrade
   ./acme.sh: line 6192: cd: /home/username/.acme.sh: No such file or directory
   [Fri Apr 30 09:47:22 CST 2021] Installing from online archive.
   [Fri Apr 30 09:47:22 CST 2021] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
   touch: cannot touch '/home/username/.acme.sh/http.header': No such file or directory
   [Fri Apr 30 09:48:36 CST 2021] Extracting master.tar.gz
   [Fri Apr 30 09:48:36 CST 2021] It is recommended to install socat first.
   [Fri Apr 30 09:48:36 CST 2021] We use socat for standalone server if you use standalone mode.
   [Fri Apr 30 09:48:36 CST 2021] If you don't use standalone mode, just ignore this warning.
   [Fri Apr 30 09:48:36 CST 2021] Installing to /home/username/.acme.sh
   [Fri Apr 30 09:48:36 CST 2021] Installed to /home/username/.acme.sh/acme.sh
   [Fri Apr 30 09:48:36 CST 2021] Good, bash is found, so change the shebang to use bash as preferred.
   [Fri Apr 30 09:48:37 CST 2021] OK
   [Fri Apr 30 09:48:37 CST 2021] Install success!
   [Fri Apr 30 09:48:37 CST 2021] Upgrade success!

4. 降级后的文件是放在 home 目录下的，所以要 cp 过去：

   $ sudo cp ~/.acme.sh/acme.sh .

5. 手动执行一次定时工作。留神加上 --force，起因：sudo · acmesh-official/acme.sh Wiki

   $ sudo "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt"
   [Fri Apr 30 09:53:20 CST 2021] ===Starting cron===
   [Fri Apr 30 09:53:21 CST 2021] Renew: 'northcloudgate.com'
   [Fri Apr 30 09:53:22 CST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
   [Fri Apr 30 09:53:22 CST 2021] Single domain='northcloudgate.com'
   [Fri Apr 30 09:53:22 CST 2021] Getting domain auth token for each domain
   [Fri Apr 30 09:53:25 CST 2021] Getting webroot for domain='northcloudgate.com'
   [Fri Apr 30 09:53:25 CST 2021] Verifying: northcloudgate.com
   [Fri Apr 30 09:53:30 CST 2021] Success
   [Fri Apr 30 09:53:30 CST 2021] Verify finished, start to sign.
   [Fri Apr 30 09:53:30 CST 2021] Lets finalize the order.
   [Fri Apr 30 09:53:30 CST 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/64051473/9381845272'
   [Fri Apr 30 09:53:31 CST 2021] Downloading cert.
   [Fri Apr 30 09:53:31 CST 2021] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03175a17da415b526b37dedf518750770ddc'
   [Fri Apr 30 09:53:32 CST 2021] Cert success.
   -----BEGIN CERTIFICATE-----
   CERTIFICATE CONTENT==
   -----END CERTIFICATE-----
   [Fri Apr 30 09:53:32 CST 2021] Your cert is in  /etc/letsencrypt/northcloudgate.com/northcloudgate.com.cer
   [Fri Apr 30 09:53:32 CST 2021] Your cert key is in  /etc/letsencrypt/northcloudgate.com/northcloudgate.com.key
   [Fri Apr 30 09:53:32 CST 2021] The intermediate CA cert is in  /etc/letsencrypt/northcloudgate.com/ca.cer
   [Fri Apr 30 09:53:32 CST 2021] And the full chain certs is there:  /etc/letsencrypt/northcloudgate.com/fullchain.cer
   [Fri Apr 30 09:53:32 CST 2021] Run reload cmd: nginx -s reload
   [Fri Apr 30 09:53:32 CST 2021] Reload success
   [Fri Apr 30 09:53:32 CST 2021] ===End cron===

6. 重启 Ghost：

   $ cd /var/www/ghost
   $ ghost restart
   + sudo systemctl is-active ghost_northcloudgate-com
   + sudo systemctl restart ghost_northcloudgate-com
   ✔ Restarting Ghost

而后，就又能够看到平安的小白锁了，证书也无效了：

彩蛋

在 Google”您的连贯不是私密连贯“这个问题的时候，意外发现了一个神奇操作：

即，当你遇到“您的连贯不是私密连贯”谬误的时候，间接在以后页面“凭空”输出 thisisunsafe，就能够进去页面了。留神是凭空，不是地址栏，你是看不到你所输出的货色的。

而且依据 reddit 上的说法，

• 这个 bypass word 之前是 badidea，再之前是 danger。
• Chrome 65 的时候把 badidea 改成了 thisisnotsafe 又改成了 thisisunsafe。而且还用 base64 加密了。

此外前文提到的 flask 服务也恢复正常了。

Reference

• Ghost 博客网站证书过期，怎么办？
• 事变记录 –SSL 证书过期
• Chrome 65 replaces the “badidea” bypass keyword with “thisisunsafe” : sysadmin
• Diff – d8fc089b62cd4f8d907acff6fb3f5ff58f168697^! – chromium/src – Git at Google
• THIS IS UNSAFE (and a Bad Idea) – DEV Community

END