吊销***用户
[root@iZ23i25ncZ ~]# cd /usr/share/doc/open***-2.2.2/easy-rsa/2.0/
执行环境变量:
[root@iZ23i25ncZ 2.0]# source vars NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/open***-2.2.2/easy-rsa/2.0/keys
吊销***用户:
[root@iZ23i25ncZ 2.0]# ./revoke-full zhangju Using configuration from /usr/share/doc/open***-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf ERROR:Already revoked, serial number 04 Using configuration from /usr/share/doc/open***-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf zhangju.crt: C = CN, ST = BJ, L = Beijing, O = yunqd, OU = yunqd, CN = zhangju, name = yunqd, emailAddress = mail@yingu.com error 8 at 0 depth lookup:CRL signature failure 140262060050336:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:191: [root@iZ23i25ncZ 2.0]# cd keys/ [root@iZ23i25ncZ keys]# ll -tr total 240 -rw------- 1 root root 916 Oct 18 2016 ca.key -rw-r--r-- 1 root root 1289 Oct 18 2016 ca.crt -rw------- 1 root root 916 Oct 18 2016 op***ser.key -rw-r--r-- 1 root root 704 Oct 18 2016 op***ser.csr -rw-r--r-- 1 root root 3967 Oct 18 2016 op***ser.crt -rw-r--r-- 1 root root 3967 Oct 18 2016 01.pem -rw-r--r-- 1 root root 3851 Oct 18 2016 02.pem -rw-r--r-- 1 root root 245 Oct 18 2016 dh1024.pem -rw-r--r-- 1 root root 3851 Nov 1 2016 03.pem -rw------- 1 root root 916 Nov 1 2016 zhangju.key -rw-r--r-- 1 root root 704 Nov 1 2016 zhangju.csr -rw-r--r-- 1 root root 3844 Nov 1 2016 zhangju.crt -rw-r--r-- 1 root root 3844 Nov 1 2016 04.pem -rw------- 1 root root 1041 Dec 20 2016 dba-group.key -rw-r--r-- 1 root root 737 Dec 20 2016 dba-group.csr -rw-r--r-- 1 root root 3850 Dec 20 2016 dba-group.crt -rw-r--r-- 1 root root 3850 Dec 20 2016 05.pem -rw-r--r-- 1 root root 3856 Mar 14 2017 06.pem -rw-r--r-- 1 root root 3858 Mar 14 2017 07.pem -rw-r--r-- 1 root root 3858 Mar 14 2017 08.pem -rw-r--r-- 1 root root 3858 Mar 14 2017 09.pem -rw------- 1 root root 1041 May 5 2017 lijianan.key -rw-r--r-- 1 root root 773 May 5 2017 lijianan.csr -rw-r--r-- 1 root root 3850 May 5 2017 lijianan.crt -rw-r--r-- 1 root root 3850 May 5 2017 0A.pem -rw-r--r-- 1 root root 3844 May 19 2017 0B.pem -rw-r--r-- 1 root root 3857 Jul 13 2017 0C.pem -rw-r--r-- 1 root root 3851 Jul 13 2017 0D.pem -rw------- 1 root root 1041 Jul 13 2017 linqing.key -rw-r--r-- 1 root root 773 Jul 13 2017 linqing.csr -rw-r--r-- 1 root root 3845 Jul 13 2017 linqing.crt -rw-r--r-- 1 root root 3845 Jul 13 2017 0E.pem -rw-r--r-- 1 root root 3 Jul 13 2017 serial.old -rw-r--r-- 1 root root 3852 Jul 13 2017 0F.pem -rw------- 1 root root 1041 Aug 28 2017 fenglei.key -rw-r--r-- 1 root root 777 Aug 28 2017 fenglei.csr -rw-r--r-- 1 root root 3 Aug 28 2017 serial -rw-r--r-- 1 root root 1422 Aug 28 2017 index.txt.old -rw-r--r-- 1 root root 21 Aug 28 2017 index.txt.attr.old -rw-r--r-- 1 root root 3846 Aug 28 2017 fenglei.crt -rw-r--r-- 1 root root 3846 Aug 28 2017 10.pem -rw-r--r-- 1 root root 21 Mar 19 10:03 index.txt.attr -rw-r--r-- 1 root root 1435 Mar 19 10:03 index.txt -rw-r--r-- 1 root root 540 Mar 19 10:41 crl.pem -rw-r--r-- 1 root root 1829 Mar 19 10:41 revoke-test.pem
吊销完成会生成crl.pem:
[root@iZ23i25ncZ keys]# cat crl.pem -----BEGIN X509 CRL----- MIIBZzCB0TANBgkqhkiG9w0BAQQFADCBizELMAkGA1UEBhMCQ04xCzAJBgNVBAgT AkJKMRAwDgYDVQQHEwdCZWlqaW5nMQ4wDAYDVQQKEwV5dW5xZDEOMAwGA1UECxMF eXVucWQxDjAMBgNVBAMTBXl1bnFkMQ4wDAYDVQQpEwV5dW5xZDEdMBsGCSqGSIb3 DQEJARYObWFpbEB5aW5ndS5jb20XDTE4MDMxOTAyMDM0NVoXDTE4MDQxODAyMDM0 NVowFDASAgEEFw0xODAzMTkwMjAzNDVaMA0GCSqGSIb3DQEBBAUAA4GBAImoQQ+6 yycgdl9YrzLZy1sZOXV+N8n33BTIb4Pq1bXGtMzrYRnIrfIPzNqdyuWx1NpSzkcD R2pyMSiRgiuCWcIg4+YvEFMcbUE/tOeNOW3RvWzgbxelrpbKnIHU7tPZCWi+TGCe Y8/kQ3mXNpilcHVYUrt2QNIvgKMMAWPcHXBv -----END X509 CRL-----
第4行就是吊销的用户:
[root@iZ23i25ncZ keys]# cat index.txt V 261016054048Z 01 unknown /C=CN/ST=BJ/L=Beijing/O=yunqd/OU=yunqd/CN=op***ser/name=yunqd/emailAddress=mail@yingu.com V 261016054114Z 02 unknown /C=CN/ST=BJ/L=Beijing/O=yunqd/OU=yunqd/CN=rhr/name=yunqd/emailAddress=mail@yingu.com V 261030004846Z 03 unknown /C=CN/ST=BJ/L=Beijing/O=yunqd/OU=yunqd/CN=hyq/name=yunqd/emailAddress=mail@yingu.com R 261030005044Z 180319020345Z 04 unknown /C=CN/ST=BJ/L=Beijing/O=yunqd/OU=yunqd/CN=zhangju/name=yunqd/emailAddress=mail@yingu.com V 261218070258Z 05 unknown /C=CN/ST=BJ/L=Beijing/O=yunqd/OU=yunqd/CN=dba-group/name=yunqd/emailAddress=mail@yingu.com V 270503004720Z 0A unknown /C=CN/ST=BJ/L=Beijing/O=yunqd/OU=yunqd/CN=lijianan/name=yunqd/emailAddress=mail@yingu.com V 270517062532Z 0B unknown /C=CN/ST=BJ/L=Beijing/O=yunqd/OU=yunqd/CN=wp/name=yunqd/emailAddress=mail@yingu.com V 270711013541Z 0C unknown /C=CN/ST=BJ/L=Beijing/O=yunqd/OU=yunqd/CN=gxk/name=yunqd/emailAddress=mail@yingu.com V 270711014122Z 0D unknown /C=CN/ST=BJ/L=Beijing/O=yunqd/OU=yunqd/CN=wq/name=yunqd/emailAddress=mail@yingu.com V 270711014300Z 0E unknown /C=CN/ST=BJ/L=Beijing/O=yunqd/OU=yunqd/CN=linqing/name=yunqd/emailAddress=mail@yingu.com V 270711014423Z 0F unknown /C=CN/ST=BJ/L=Beijing/O=yunqd/OU=yunqd/CN=wjh/name=yunqd/emailAddress=mail@yingu.com V 270826015608Z 10 unknown /C=CN/ST=BJ/L=Beijing/O=yunqd/OU=yunqd/CN=fl/name=yunqd/emailAddress=mail@yingu.com [root@iZ23i25ncZ keys]# cd /etc/open***/ [root@iZ23i25ncZ open***]# ll -tr total 268 -rw------- 1 root root 232 Sep 19 2016 open***-status.log -rw------- 1 root root 916 Oct 18 2016 ca.key -rw-r--r-- 1 root root 1289 Oct 18 2016 ca.crt -rw------- 1 root root 916 Oct 18 2016 op***ser.key -rw-r--r-- 1 root root 704 Oct 18 2016 op***ser.csr -rw-r--r-- 1 root root 3967 Oct 18 2016 op***ser.crt -rw-r--r-- 1 root root 3967 Oct 18 2016 01.pem -rw-r--r-- 1 root root 3851 Oct 18 2016 02.pem -rw-r--r-- 1 root root 245 Oct 18 2016 dh1024.pem -rw-r--r-- 1 root root 3851 Nov 1 2016 03.pem -rw-r--r-- 1 root root 3844 Nov 1 2016 04.pem -rw-r--r-- 1 root root 3850 Dec 20 2016 05.pem -rw-r--r-- 1 root root 3856 Mar 14 2017 06.pem -rw-r--r-- 1 root root 3858 Mar 14 2017 07.pem -rw-r--r-- 1 root root 3858 Mar 14 2017 08.pem -rw-r--r-- 1 root root 3858 Mar 14 2017 09.pem -rw------- 1 root root 1041 May 5 2017 lijianan.key -rw-r--r-- 1 root root 773 May 5 2017 lijianan.csr -rw-r--r-- 1 root root 3850 May 5 2017 lijianan.crt -rw-r--r-- 1 root root 3850 May 5 2017 0A.pem -rw-r--r-- 1 root root 3844 May 19 2017 0B.pem -rw-r--r-- 1 root root 3857 Jul 13 2017 0C.pem -rw-r--r-- 1 root root 3851 Jul 13 2017 0D.pem -rw-r--r-- 1 root root 3845 Jul 13 2017 0E.pem -rw-r--r-- 1 root root 3 Jul 13 2017 serial.old -rw-r--r-- 1 root root 1305 Jul 13 2017 index.txt.old -rw-r--r-- 1 root root 21 Jul 13 2017 index.txt.attr.old -rw-r--r-- 1 root root 3852 Jul 13 2017 0F.pem -rw-r--r-- 1 root root 3 Aug 28 2017 serial -rw-r--r-- 1 root root 21 Aug 28 2017 index.txt.attr -rw-r--r-- 1 root root 1422 Aug 28 2017 index.txt -rw-r--r-- 1 root root 3846 Aug 28 2017 10.pem -rw-r--r-- 1 root root 10474 Mar 19 10:35 server.conf -rw------- 1 root root 0 Mar 19 10:35 ipp.txt -rw------- 1 root root 74326 Mar 19 10:43 open***.log
在配置文件server.conf底部增加1行配置:
[root@iZ23i25ncZ open***]# tail server.conf # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 3 # Silence repeating messages. At most 20 # sequential messages of the same message # category will be output to the log. ;mute 20 crl-verify /usr/share/doc/open***-2.2.2/easy-rsa/2.0/keys/crl.pem
重启***服务:
[root@iZ23i25ncZ open***]# /etc/init.d/open*** restart Restarting open*** (via systemctl): [ OK ]
连接***的状态图标已经不再是绿色了。
也已经无法ping通阿里云上的服务器:
参考文档:
https://www.linuxea.com/1161.html——Open×××吊销用户和增加用户(3)【在需要吊销多个用户时,文章最后也有说明,可以参考,但我没有尝试】
http://openskill.cn/article/506——企业Open×××部署认证实战【此文中提到的open***安装路径,让我在执行“source vars”命令失败后得到转机】
转载于:https://blog.51cto.com/gagarin/2088442