📦 Ops Cert Check
v1.0.1 SSL/TLS Certificate Check & Renewal SOP. Covers certificate verification (PEM/CRT/JKS), Nginx certificate update, Let's Encrypt wildcard application, and emerg...
SSL/TLS Certificate Check & Renewal SOP
Scenario 1: Verify Existing Certificate
Method A: Linux OpenSSL (Recommended)
```bash
# Check a PEM/CRT certificate
openssl x509 -in certificate.crt -noout -dates

# Check a JKS certificate (replace <password> with the keystore password)
keytool -list -v -keystore keystore.jks -storepass <password>
```
Method B: Online Verification
Open the certificate file directly in a browser to view its validity period and issuer.
Method C: Remote Check via Request
```bash
# Check the Nginx certificate (port 443); -servername sends SNI so the right vhost certificate is returned
echo "" | openssl s_client -connect domain:443 -servername domain 2>/dev/null | openssl x509 -noout -dates

# Check the game server JKS certificate (port +3 offset)
echo "" | openssl s_client -connect game.domain:<port+3> 2>/dev/null | openssl x509 -noout -dates
```
Scenario 2: Nginx Certificate Update (Standard Flow)
Applicable to: web services, reverse proxies, CDN frontends, and any Nginx-hosted SSL termination.
Standard Steps
- Replace certificate files: log in to the target server and replace the files in /etc/nginx/ssl/:
  - Certificate file (.crt)
  - Certificate key file (.key)
- Verify the configuration:
  ```bash
  nginx -t
  ```
- Reload Nginx:
  ```bash
  nginx -s reload
  ```
- Verify the update: send HTTP/HTTPS requests to confirm the new certificate is being served.
- Update certificate monitoring records: log in to the ops backend → Asset Management → Domain Assets → Domain Monitoring → Add record → Upload new certificate.
- Commit to version control: submit the updated certificates to the version control repository.
  ⚠️ Never commit .key private key files to the repository. Private keys stay in a secure path on the server (e.g. /etc/nginx/ssl/) or in a key management system. Commit only certificate files (.crt) or metadata.
Role Responsibilities

| Role | Scope |
|---|---|
| Ops/Infra | Replace Nginx certificates, verify, reload, update monitoring |
| Third-party vendor | Cloud services, load balancers, middleware certificates |

Scenario 3: Game Server JKS Certificate Update
Applicable to: Java-based game servers that use JKS (Java KeyStore) format certificates.
Flow
1. Ops provides the certificate and private key
2. Dev team compiles them into a Java certificate (JKS)
3. Ops uploads the JKS to the ops server
4. Game server auto-replaces it on the next update
5. Verify: request the game server domain on port+3
JKS Certificate Verification
```bash
# Replace <password> with the keystore password
keytool -list -v -keystore game.jks -storepass <password>
```
Scenario 4: Let's Encrypt Wildcard Certificate
Applicable to: self-managed services using Let's Encrypt certificates (e.g., internal tools, dev environments, small-scale deployments).
Prerequisites
- Linux server with internet access
- Root/sudo access
- Domain DNS already pointing to the server
- DNS provider with API access (Alibaba Cloud DNS, Cloudflare, Route53, etc.)
DNS-01 Challenge for Wildcard
```bash
# Install certbot with the DNS plugin (Alibaba Cloud example)
yum install -y certbot-dns-aliyun

# Configure Alibaba Cloud CLI authentication
# Reference: https://help.aliyun.com/zh/cli/configure-credentials

# Apply for the wildcard certificate (the wildcard and the bare domain are issued together)
certbot certonly \
  --manual \
  --preferred-challenges dns \
  --dns-aliyun \
  -d "*.example.com" \
  -d "example.com"
```
For other DNS providers, use the corresponding plugin:
- Cloudflare: certbot-dns-cloudflare
- Route53: certbot-dns-route53
- Generic: --manual --preferred-challenges dns
Install Certificate on Nginx
```bash
# Switch to the cert directory
cd /etc/letsencrypt

# Generate DH parameters (enhanced security)
openssl dhparam -out dhparam.pem 2048

# Add the SSL configuration
vim /etc/letsencrypt/options-ssl-nginx.conf

# Configure Nginx
# ... add ssl_certificate, ssl_certificate_key, etc. ...

# Reload Nginx
nginx -s reload
```
Auto-Renewal
```bash
# Set up a cron job (runs every 2 days); add this line in the crontab:
crontab -e
# 0 0 */2 * * certbot renew --deploy-hook "/root/your-hook.sh"

# Manual dry run (doesn't actually renew)
certbot renew --dry-run
```
Note: Let's Encrypt certificates are valid for 90 days. certbot renew only actually renews within 30 days of expiry.
Scenario 5: Expired Certificate Emergency Response
Emergency: certificate expired, business impacted (e.g., payments failing, users locked out).
Immediate actions:
1. Identify which domains are affected: `openssl s_client -connect domain:443`
2. Contact the responsible party (internal team or third-party vendor)
3. Replace the certificate file and reload: `nginx -s reload`
4. Notify stakeholders of recovery
Prevention:
- Monitoring alerts + notification (Slack/email/PagerDuty, etc.)
- Cron job with certificate expiry check
- Alert 30 days before expiry
Certificate Quick Reference

| Item | Type | Renewal | Notes |
|---|---|---|---|
| Project certificate (purchased) | Commercial CA | Vendor/Third-party | Contact issuer directly |
| JKS certificate | Java KeyStore | Dev team compiles | Ops uploads to server |
| Let's Encrypt | ACME | certbot auto-renewal | 90-day validity |
| Wildcard certificate | DNS-validated | certbot with DNS plugin | Required for `*.domain.com` |

Command Cheatsheet
```bash
# Check certificate validity
openssl x509 -in cert.crt -noout -dates

# Check JKS certificate
keytool -list -v -keystore game.jks

# Nginx config test
nginx -t

# Reload Nginx
nginx -s reload

# Apply for Let's Encrypt (DNS challenge)
certbot certonly --manual --preferred-challenges dns -d "*.domain.com"

# Auto-renewal
```
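The expiry check and 30-day alert listed under Prevention, as an added example in Python that is not part of the original SOP. It reuses the SOP's own `openssl x509 -noout -enddate` call for parsing, and the inventory of hosts and certificate files at the bottom is a constructed placeholder:

```python
import socket, ssl, subprocess, time

WARN_DAYS = 30  # alert threshold from the SOP ("alert 30 days before expiry")

def days_left(not_after: str, now: float) -> int:
    """Whole days until a notAfter string (e.g. 'Jun  1 12:00:00 2025 GMT'); negative once expired."""
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def status(days: int) -> str:
    return "EXPIRED" if days < 0 else "WARN" if days <= WARN_DAYS else "OK"

def _not_after_from_pem(pem: str) -> str:
    # Same openssl call as Scenario 1, with the PEM fed on stdin.
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate"], input=pem,
                         capture_output=True, text=True, check=True).stdout
    return out.strip().split("=", 1)[1]

def remote_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """notAfter of the certificate actually served (SNI = host), like
    `openssl s_client -servername`. Verification is deliberately off so an
    already-expired cert is reported as EXPIRED, not as a handshake error."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return _not_after_from_pem(ssl.DER_cert_to_PEM_cert(der))

def file_not_after(path: str) -> str:
    with open(path, encoding="ascii") as f:
        return _not_after_from_pem(f.read())

def check_all(targets, now=None):
    """targets: ('host', name, port) / ('file', path, None); returns (status, target, days-or-error)."""
    now = time.time() if now is None else now
    results = []
    for kind, target, port in targets:
        try:
            na = remote_not_after(target, port) if kind == "host" else file_not_after(target)
            d = days_left(na, now)
            results.append((status(d), target, d))
        except (OSError, subprocess.CalledProcessError, ValueError) as exc:
            results.append(("ERROR", target, str(exc)))  # unreachable host or unreadable file
    return results

if __name__ == "__main__":
    # Constructed inventory; replace with the assets listed under Domain Monitoring.
    for row in check_all([("host", "example.com", 443), ("file", "/etc/nginx/ssl/cert.crt", None)]):
        print(*row)
```

Run it from the every-2-days cron job and forward any WARN, EXPIRED or ERROR rows to the Slack/email/PagerDuty channel; an ERROR row means the check itself could not see a certificate, which is worth an alert of its own.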