CN113810501B - HTTPS certificate management method - Google Patents
- Publication number: CN113810501B
- Application number: CN202111112476.0A
- Authority: CN (China)
- Legal status: Active
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00—Network arrangements or protocols for supporting network services or applications > H04L67/01—Protocols > H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/08—Network architectures or network communication protocols for network security for authentication of entities > H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The invention discloses a method for HTTPS certificate management comprising the following operations. New certificate issuance: an API interface is used to connect to the server, resolve and verify the domain name, and then issue a certificate. Certificate renewal: a scheduled system task is set to renew expired certificates. Certificate distribution: a scheduled system task is set to synchronise the domain name certificate information and bring the certificate into effect. The issuance and renewal process of the invention is automated, needs little manual intervention and greatly improves efficiency. Automatic certificate distribution also avoids a great deal of manual logging in to business servers, which improves security. Certificates are managed automatically and are re-issued automatically when their expiry time is near, so the loss caused by a site becoming inaccessible because of an expired certificate is avoided.
Description
Technical Field
The invention belongs to the field of web applications and in particular relates to a method for managing HTTPS certificates.
Background
Let's Encrypt is a non-profit Certificate Authority (CA) operated by the Internet Security Research Group (ISRG) and trusted by the mainstream browsers. Let's Encrypt uses the ACME protocol so that the certificate applicant can complete automatic verification of domain name ownership, but the applicant still has to configure the DNS records manually and trigger each step as Let's Encrypt requires, and the text of the domain name certificate is only obtained once issuance is complete. Because of Let's Encrypt policy, the maximum validity period of each domain name certificate is 3 months.
In new certificate issuance, a conventional certificate issuing tool requires the operator to add the verification record manually at the DNS resolution provider in the DNS ownership verification step, and to repeat this for every domain name when issuing for many domain names, which is time-consuming, labour-intensive and error-prone. In certificate renewal, renewing a domain name certificate follows the same flow as new issuance, but existing issuing tools have no function for judging whether a domain name certificate needs renewal. In certificate distribution, after an existing issuing tool completes issuance the certificate information is stored on the local disk of the certificate server, and distributing it to other servers requires manual copying; the workload of copying certificate files across a large number of servers is huge and error-prone.
Disclosure of Invention
The technical problem the invention aims to solve is to provide a method for managing HTTPS certificates that addresses the defects of the prior art.
To solve the above technical problem, a method for HTTPS certificate management according to the present invention includes:
new certificate issuance: an API interface is used to connect to the server, resolve and verify the domain name, and then issue a certificate;
certificate renewal: a scheduled system task is set to renew expired certificates;
certificate distribution: a scheduled system task is set to synchronise the domain name certificate information and bring the certificate into effect.
As a possible option, the new certificate issuance operation specifically includes the following steps:
S101, acquire the user's data information;
S102, parse the user's data information and query the database to judge whether an issuance record for it exists; if not, continue to step S103; if so, judge whether the validity period of the issuance record exceeds the threshold; if not, exit the issuing process, and if so, hand over to the subsequent certificate renewal operation;
S103, generate and store the corresponding private key information, and create a CSR file containing the user's data information;
S104, acquire the API interfaces, read the account KEY file and log in to the server;
S105, apply to create a new issuance order and judge whether the order was created successfully; if not, exit issuance, and if so, continue to step S106;
S106, call the domain name authorization interface to acquire the random character string;
S107, call the relevant DNS interface to configure the domain name resolution record as required;
S108, verify in a loop whether the DNS domain name resolution has taken effect;
S109, the server verifies whether the DNS record of the domain name is valid, thereby verifying ownership of the domain name;
S110, call the interface to obtain the final issued certificate text and store it in the database, completing issuance.
As a possible option, the API interfaces acquired in step S104 specifically include: the new order interface newOrder, the new account interface newAccount and the certificate revocation interface revokeCert.
As a possible option, step S105 specifically includes: put the domain names to be issued into a domains list, assemble the POST data and call the newOrder interface with a POST request; judge whether the order was created successfully from the status code and status text returned by the newOrder interface: if the status code is 201 but the status is not pending or ready, order creation is judged to have failed; if the status code is 403, order creation is judged to have failed and issuance exits; if creation succeeded, continue to step S106.
As a possible option, step S106 specifically includes: after the order is created successfully through the newOrder interface, the authorizations list and the finalize interface (for obtaining the certificate text) are obtained; iterate over the authorizations list, taking one domain name authorization interface authz at a time; request the authz interface and judge the state of the call from the returned status code and status text: if the status code is not 200 the call failed, and if the status code is 200 and the status is valid the domain name has already been verified; in either case (call failed or domain already verified) jump to the next iteration of the authorizations loop, otherwise continue to step S107.
As a possible option, step S107 specifically includes: from the information returned by the authz interface, parse the challengeUrl, the domain name domain and the TXT value to be published in DNS, and assemble the record name to be authenticated (dnsrrDomain); call the DNS record deletion function with the dnsrrDomain value, which determines the resolution service provider hosting the domain name and calls that provider's SDK to delete the record; then call the DNS record addition function with the dnsrrDomain value and the TXT value, which likewise calls the provider's SDK to add a record whose value is the TXT value and whose type is TXT.
As a possible option, step S108 specifically includes: Python initialises dns.resolver with the nameserver set to 8.8.8.8 and verifies in a loop whether the DNS resolution has taken effect, probing once every 5 seconds for a total of 60 checks.
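The propagation check of step S108, written out as an added Python example; this is not code from the patent. The lookup function is injected so the loop can be exercised offline, and google_dns_lookup shows the dnspython query against 8.8.8.8 that the step names. wait_for_txt, txt_present and make_fake_lookup are names of my own, and the record values are constructed.

```python
# Added example (not the patent's code): the propagation loop of step S108.
import time
from typing import Callable, Iterable, List


def txt_present(expected: str, answers: Iterable[str]) -> bool:
    """True if any answer equals the expected value (quotes stripped, in case
    the lookup returned presentation format)."""
    return any(a.strip('"') == expected for a in answers)


def wait_for_txt(name: str, expected: str, lookup: Callable[[str], List[str]],
                 attempts: int = 60, interval: float = 5.0,
                 sleep: Callable[[float], None] = time.sleep) -> int:
    """Poll lookup(name) until the expected TXT value appears.

    Returns the 1-based attempt on which it was seen, or 0 after `attempts`
    misses. Lookup errors (NXDOMAIN, timeout) count as a miss rather than
    aborting, because the record is expected to be absent at first.
    """
    for attempt in range(1, attempts + 1):
        try:
            answers = lookup(name)
        except Exception:
            answers = []
        if txt_present(expected, answers):
            return attempt
        if attempt < attempts:
            sleep(interval)
    return 0


def google_dns_lookup(name: str) -> List[str]:
    """Resolve TXT records at 8.8.8.8 with dnspython (import kept local so the
    rest of the file runs without the library installed)."""
    import dns.resolver
    resolver = dns.resolver.Resolver(configure=False)
    resolver.nameservers = ["8.8.8.8"]
    answer = resolver.resolve(name, "TXT")
    return [b"".join(rdata.strings).decode("utf-8") for rdata in answer]


def make_fake_lookup(expected: str, visible_from: int) -> Callable[[str], List[str]]:
    """Constructed stand-in for DNS: the record is only served from the
    `visible_from`-th query on, earlier queries fail like NXDOMAIN."""
    calls = {"n": 0}

    def lookup(name: str) -> List[str]:
        calls["n"] += 1
        if calls["n"] < visible_from:
            raise LookupError("NXDOMAIN")  # simulates dns.resolver.NXDOMAIN
        return [expected]

    return lookup


if __name__ == "__main__":
    seen_at = wait_for_txt("_acme-challenge.example.com", "constructed-txt",
                           make_fake_lookup("constructed-txt", 3),
                           sleep=lambda seconds: None)
    print("record visible on attempt", seen_at)
```

A public recursive resolver such as 8.8.8.8 caches negative answers, so a name queried before its record was published can stay invisible for the negative TTL; that is one reason the method deletes any stale record before adding the new one, and querying the zone's authoritative name servers directly gives a prompter answer.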
As a possible option, step S110 specifically includes: after the domain name is verified, submit the text of the CSR file by calling the finalize interface, obtain the final issued certificate text and store it in domainPubFile; encrypt the text of domainKeyFile and domainPubFile with AES; compute the MD5 fingerprint and expiry time of domainPubFile and store the information in the database; then fetch all information in the database, serialise it as JSON, encrypt it with AES and store it in the KEYFILE file, completing issuance.
As a possible option, the certificate renewal operation specifically includes the following steps:
S201, set a scheduled system task in the renewal service;
S202, acquire from the database of step S102 the domain name information whose issuance record validity exceeds the threshold, and store it in the list RENEWALLIST;
S203, iterate over the RENEWALLIST list, calling the certificate issuance function until all domain names have been renewed.
As a possible option, the certificate distribution operation specifically includes the following steps:
S301, set a scheduled task on the server;
S302, the certificate update program fetches the content of the KEYFILE file served by NGINX and decrypts the KEYFILE text;
S303, read the local cache and match it against KEYFILE; if a domain name certificate does not exist locally, store it in the designated certificate directory and update the local cache;
S304, read the local cache and match it against KEYFILE; if the MD5 has changed, update the local certificate file and the local cache;
S305, judge whether the local cache changed; if so, restart the web container, and if not, certificate distribution is complete.
The invention adopts the above technical scheme and has the following beneficial effects: the issuance and renewal process of the invention is automated, needs little manual intervention and greatly improves efficiency. Automatic certificate distribution also avoids a great deal of manual logging in to business servers, which improves security. Certificates are managed automatically and are re-issued automatically when their expiry time is near, so the loss caused by a site becoming inaccessible because of an expired certificate is avoided.
Drawings
The invention is described in further detail below with reference to the attached drawings and the detailed description:
FIG. 1 is a schematic diagram of the principle of the present invention;
FIG. 2 is a schematic diagram of the issuance flow according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the renewal flow according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the certificate distribution flow according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings.
Example 1
As shown in FIG. 1, the present invention provides a method for HTTPS certificate management, which includes:
new certificate issuance: an API interface is used to connect to the server, resolve and verify the domain name, and then issue a certificate; the operation specifically includes the following steps:
S101, acquire the user's data information;
S102, parse the user's data information and query the database to judge whether an issuance record for it exists; if not, continue to step S103; if so, judge whether the validity period of the issuance record exceeds the threshold; if not, exit the issuing process, and if so, hand over to the subsequent certificate renewal operation;
S103, generate and store the corresponding private key information, and create a CSR file containing the user's data information;
S104, acquire the API interfaces, read the account KEY file and log in to the server; the API interfaces acquired in step S104 specifically include the new order interface newOrder, the new account interface newAccount and the certificate revocation interface revokeCert.
S105, apply to create a new issuance order and judge whether the order was created successfully; if not, exit issuance, and if so, continue to step S106. Step S105 specifically includes: put the domain names to be issued into a domains list, assemble the POST data and call the newOrder interface with a POST request; judge whether the order was created successfully from the status code and status text returned by the newOrder interface: if the status code is 201 but the status is not pending or ready, order creation is judged to have failed; if the status code is 403, order creation is judged to have failed and issuance exits; if creation succeeded, continue to step S106.
S106, call the domain name authorization interface to acquire the random character string. Step S106 specifically includes: after the order is created successfully through the newOrder interface, the authorizations list and the finalize interface are obtained; iterate over the authorizations list, taking one domain name authorization interface authz at a time; request the authz interface and judge the state of the call from the returned status code and status text: if the status code is not 200 the call failed, and if the status code is 200 and the status is valid the domain name has already been verified; in either case (call failed or domain already verified) jump to the next iteration of the authorizations loop, otherwise continue to step S107.
S107, call the relevant DNS interface to configure the domain name resolution record as required. Step S107 specifically includes: from the information returned by the authz interface, parse the challengeUrl, the domain name domain and the TXT value to be published in DNS, and assemble the record name to be authenticated (dnsrrDomain); call the DNS record deletion function with the dnsrrDomain value, which determines the resolution service provider hosting the domain name and calls that provider's SDK to delete the record; then call the DNS record addition function with the dnsrrDomain value and the TXT value, which likewise calls the provider's SDK to add a record whose value is the TXT value and whose type is TXT.
S108, verify in a loop whether the DNS domain name resolution has taken effect. Step S108 specifically includes: Python initialises dns.resolver with the nameserver set to 8.8.8.8 and verifies in a loop whether the DNS resolution has taken effect, probing once every 5 seconds for a total of 60 checks.
S109, the server verifies whether the DNS record of the domain name is valid, thereby verifying ownership of the domain name;
S110, call the interface to obtain the final issued certificate text and store it in the database, completing issuance. Step S110 specifically includes: after the domain name is verified, submit the text of the CSR file by calling the finalize interface, obtain the final issued certificate text and store it in domainPubFile; encrypt the text of domainKeyFile and domainPubFile with AES; compute the MD5 fingerprint and expiry time of domainPubFile and store the information in the database; then fetch all information in the database, serialise it as JSON, encrypt it with AES and store it in the KEYFILE file, completing issuance.
Certificate renewal: a scheduled system task is set to renew expired certificates;
the operation specifically includes the following steps:
S201, set a scheduled system task in the renewal service;
S202, acquire from the database of step S102 the domain name information whose issuance record validity exceeds the threshold, and store it in the list RENEWALLIST;
S203, iterate over the RENEWALLIST list, calling the certificate issuance function until all domain names have been renewed.
Certificate distribution: a scheduled system task is set to synchronise the domain name certificate information and bring the certificate into effect;
the operation specifically includes the following steps:
S301, set a scheduled task on the server;
S302, the certificate update program fetches the content of the KEYFILE file served by NGINX and decrypts the KEYFILE text;
S303, read the local cache and match it against KEYFILE; if a domain name certificate does not exist locally, store it in the designated certificate directory and update the local cache;
S304, read the local cache and match it against KEYFILE; if the MD5 has changed, update the local certificate file and the local cache;
S305, judge whether the local cache changed; if so, restart the web container, and if not, certificate distribution is complete.
Example 2
As shown in FIG. 2, issuance is performed as follows:
S1, acquire the domain name INPUTDOMAIN entered by the user on the command line.
S2, Python uses the tldextract extension library to parse the domain name entered by the user and obtain its subdomain, domain and suffix information.
S3, query whether the database already holds an issuance record for INPUTDOMAIN. If it exists and the certificate's expiry time is less than 20 days, the certificate is valid and the process exits. If not, continue with the following steps.
S4, Python uses the paramiko extension library to generate a 1024-bit or 2048-bit private key (paramiko.RSAKey.generate(2048)) and stores the generated private key in domainKeyFile.
S5, create a CSR file and add the user-entered INPUTDOMAIN to it ('openssl req -new -sha256 -key %s -subj "/" -addext "subjectAltName=DNS:*.%s,DNS:%s" -out %s' % (domainKeyFile, singDomain, singDomain, domainCsrFile)).
S6, acquire the latest Let's Encrypt API interfaces through the interface, obtaining the new order interface newOrder, the new account interface newAccount and the certificate revocation interface revokeCert.
S7, read the Let's Encrypt account KEY file and log in to the Let's Encrypt service. If the account KEY file does not exist, create a new KEY, register a new Let's Encrypt account through the newAccount interface and log in.
S8, put the domain names to be issued into a domains list, assemble the POST data ({"identifiers": [{"type": "dns", "value": domain} for domain in domains]}) and call the newOrder interface with a POST request.
S9, judge whether the order was created successfully from the status code and status text returned by the newOrder interface: if the status code is 201 but the status is not pending or ready, order creation is judged to have failed; if the status code is 403, order creation is judged to have failed. If creation succeeded, continue with the following steps.
S10, after the order is created through the newOrder interface, the authorizations list is obtained, together with the finalize interface from which the final result is fetched. The authorizations list holds one authorization interface per domain name, e.g. ['https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/481907568', 'https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/481907578'].
S11, iterate over the authorizations list, taking one domain name authorization interface authz at a time (for authz in authorizations).
S12, request the authz interface and judge the state of the call from the returned status code and status text. If the status code is not 200 the call failed; if the status code is 200 and the status is valid the domain name has already been verified. If the call failed or the domain name is already verified, jump to S11 for the next iteration; otherwise continue with the following steps.
S13, from the information returned by the authz interface, parse the challengeUrl (challengeUrl = challenges[0]), the domain name (domain = authorization["identifier"]["value"]) and the TXT value to be published in DNS, and assemble the record name to be authenticated (dnsrrDomain = "_acme-challenge.{0}".format(domain)).
S14, call the DNS record deletion function with the dnsrrDomain value; it determines which resolution service provider hosts the domain name and calls that provider's SDK to delete the record. For example, if the domain's DNS is hosted on Alibaba Cloud, the Alibaba Cloud SDK is called to delete the record, and if it is hosted on Tencent Cloud, the Tencent Cloud SDK is called.
S15, call the DNS record addition function with the dnsrrDomain value and the TXT value; it determines which resolution service provider hosts the domain name and calls that provider's SDK to add a record whose value is the TXT value and whose type is TXT.
S16, Python initialises dns.resolver with the nameserver set to 8.8.8.8 and verifies in a loop whether the DNS record has taken effect, probing once every 5 seconds for a total of 60 checks.
S17, once the DNS record is detected as effective, request the challengeUrl so that the Let's Encrypt server verifies whether the DNS record of the domain name is valid, thereby verifying ownership of the domain name.
S18, if the authorizations list has not yet been fully traversed, jump to S11 for the next iteration, until all domain names in authorizations have been verified.
S19, after all domain names have been verified, submit the text of the CSR file by calling the finalize interface, obtain the final issued certificate text and store it in domainPubFile.
S20, encrypt the text of domainKeyFile and domainPubFile with AES; compute the MD5 fingerprint, expiry time and other information of domainPubFile and save the information in the database. The issuance process is complete.
S21, fetch all information in the database, serialise it as JSON, encrypt it with AES, store it in the KEYFILE file, and make KEYFILE accessible through NGINX.
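The client-side decisions of S9, S12 and S13, together with the TXT value that the dns-01 challenge needs, as an added Python example; this is not the patent's code. The TXT value follows RFC 8555 section 8.4 (base64url of SHA-256 over token "." account-key thumbprint, the thumbprint per RFC 7638), which the patent itself does not spell out. SAMPLE_JWK, SAMPLE_TOKEN and SAMPLE_AUTHZ are constructed values, not a real key or a real CA response, and the function names are my own. Where the patent takes challenges[0], the example picks the challenge by type, because the CA lists several challenge types in an order of its own choosing.

```python
# Added example (not the patent's code): steps S9, S12 and S13 of an ACME
# dns-01 authorization, plus the RFC 8555 section 8.4 TXT value computation.
import base64
import hashlib
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only (optional members such as "use" are excluded)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record value = base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record_name(domain: str) -> str:
    """S13: _acme-challenge.<domain>; a wildcard is validated on its base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def order_created(status_code: int, body: dict) -> bool:
    """S9: newOrder succeeded only on 201 with status pending or ready."""
    return status_code == 201 and body.get("status") in ("pending", "ready")


def authz_action(status_code: int, body: dict) -> str:
    """S12: 'skip' when the call failed or the identifier is already valid,
    otherwise 'challenge'."""
    if status_code != 200 or body.get("status") == "valid":
        return "skip"
    return "challenge"


def select_dns01_challenge(authz_body: dict) -> Optional[dict]:
    """Pick the dns-01 challenge by type rather than trusting challenges[0]."""
    for challenge in authz_body.get("challenges", []):
        if challenge.get("type") == "dns-01":
            return challenge
    return None


def plan_dns01(authz_body: dict, account_jwk: dict) -> Optional[dict]:
    """Everything the DNS-provider SDK call of S15 needs, or None if the
    authorization offers no dns-01 challenge."""
    challenge = select_dns01_challenge(authz_body)
    if challenge is None:
        return None
    domain = authz_body["identifier"]["value"]
    return {
        "challengeUrl": challenge["url"],
        "dnsrrDomain": dns01_record_name(domain),
        "txt": dns01_txt_value(challenge["token"], account_jwk),
    }


# Constructed sample data: not a real key, token or CA response.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x",
              "y": "constructed-y", "use": "sig"}
SAMPLE_TOKEN = "constructed-token-value"
SAMPLE_AUTHZ = {
    "status": "pending",
    "identifier": {"type": "dns", "value": "example.com"},
    "challenges": [
        {"type": "http-01", "url": "https://ca.example/chal/1", "token": SAMPLE_TOKEN},
        {"type": "dns-01", "url": "https://ca.example/chal/2", "token": SAMPLE_TOKEN},
    ],
}


if __name__ == "__main__":
    print(plan_dns01(SAMPLE_AUTHZ, SAMPLE_JWK))
```

The record name and TXT value returned by plan_dns01 are what S14 and S15 pass to the DNS provider's SDK; the CA recomputes the same value from the account key it already holds, which is why the TXT value need not be secret but the account key must be.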
As shown in FIG. 3, certificate renewal is performed as follows:
S22, set a scheduled system task in the renewal service, for example executing certificate renewal at 1 a.m. every day.
S23, obtain from the database the domain names whose certificate expiry time is less than 20 days away, and store them in the list RENEWALLIST.
S24, iterate over the RENEWALLIST list, calling the certificate issuance function and executing from S1, until all domain names have been renewed.
As shown in FIG. 4, certificate distribution is performed as follows:
S25, set a scheduled task on the server, for example executing the certificate update at 2 a.m. every day.
S26, the certificate update program fetches the content of the KEYFILE file served by NGINX and decrypts the KEYFILE text.
S27, read the local cache and match it against KEYFILE; if a domain name certificate does not exist locally, save it to the specified certificate directory and update the local cache.
S28, read the local cache and match it against KEYFILE; if the MD5 has changed, update the local certificate file and the local cache.
S29, judge whether the local cache changed, and if so restart the web container, such as NGINX or Tomcat. Certificate distribution is complete.
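The reconciliation of S26 to S29, as an added Python example; this is not the patent's code. The installer is injected so the cache comparison can be run without touching disk; install_to_dir is the on-disk version, which writes the private key with mode 0600 and uses write-then-rename so the web server never reads a half-written file, and is_safe_domain rejects KEYFILE entries whose domain would not make a safe file name. The AES decryption of KEYFILE is assumed to have happened already; the function names, the sample entries and the /tmp path are my own.

```python
# Added example (not the patent's code): local reconciliation of S26-S29.
import hashlib
import os
import re
import subprocess
from typing import Callable, Dict, List, Tuple

_DOMAIN_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.IGNORECASE)


def md5_fingerprint(pem_text: str) -> str:
    """The patent keys its change detection on an MD5 of the certificate text.
    That is adequate for noticing a rewrite; it is not an integrity check."""
    return hashlib.md5(pem_text.encode("utf-8")).hexdigest()


def is_safe_domain(domain: str) -> bool:
    """KEYFILE entries become file names, so reject anything that is not a domain."""
    return bool(_DOMAIN_RE.match(domain))


def cert_filename(domain: str) -> str:
    """File stem for a domain; a wildcard label is spelled out."""
    return domain.replace("*.", "_wildcard.", 1)


def sync_certificates(keyfile_entries: List[dict], cache: Dict[str, str],
                      install: Callable[[str, str, str], None]) -> Tuple[bool, Dict[str, str]]:
    """Compare each decrypted KEYFILE entry against the local cache (domain -> md5).
    New entries (S27) and entries whose MD5 changed (S28) are installed.
    Returns (changed, new_cache); `changed` drives the reload decision of S29."""
    new_cache = dict(cache)
    changed = False
    for entry in keyfile_entries:
        domain = entry["domain"]
        if not is_safe_domain(domain):
            raise ValueError(f"refusing to install entry with invalid domain: {domain!r}")
        fingerprint = entry.get("md5") or md5_fingerprint(entry["pub"])
        if cache.get(domain) == fingerprint:
            continue  # unchanged: nothing to write
        install(domain, entry["pub"], entry["key"])
        new_cache[domain] = fingerprint
        changed = True
    return changed, new_cache


def install_to_dir(cert_dir: str) -> Callable[[str, str, str], None]:
    """On-disk installer: private key 0600, write-then-rename so the web
    server never opens a half-written certificate or key."""
    def install(domain: str, pub: str, key: str) -> None:
        os.makedirs(cert_dir, mode=0o700, exist_ok=True)
        stem = os.path.join(cert_dir, cert_filename(domain))
        for path, data, mode in ((stem + ".pem", pub, 0o644), (stem + ".key", key, 0o600)):
            tmp = path + ".tmp"
            with open(tmp, "w", encoding="utf-8") as fh:
                fh.write(data)
            os.chmod(tmp, mode)
            os.replace(tmp, path)
    return install


def reload_web_server(changed: bool, command=("nginx", "-s", "reload")) -> bool:
    """S29: reload only when something changed. A reload keeps existing
    connections open where a full restart would drop them."""
    if not changed:
        return False
    subprocess.run(command, check=True)
    return True


if __name__ == "__main__":
    # Constructed KEYFILE content after decryption; not real certificates.
    entries = [{"domain": "a.example", "pub": "PEM-A", "key": "KEY-A"}]
    changed, cache = sync_certificates(entries, {}, install_to_dir("/tmp/certs-demo"))  # hypothetical path
    print("changed:", changed, "cache:", cache)
```

Because KEYFILE carries every private key, the NGINX location that serves it deserves the same access restrictions as the certificate server itself (client authentication or source restrictions), and the MD5 kept in the cache detects rewrites only; it does not authenticate the file.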
The invention solves the following problems of the prior art:
1. The prior art calls the Let's Encrypt interface according to the ACME protocol and decides each following step from the result of the previous call, which is cumbersome.
2. While interacting with the Let's Encrypt interface, DNS records must be configured, which requires logging in to a third-party DNS resolution provider; if the number of domain names being issued is large the workload grows greatly and mistakes are easy to make. For example, issuing 100 domain names requires 100 DNS records to be added and later deleted.
3. Because global DNS propagation is delayed, it is necessary to keep checking whether the DNS record has taken effect and to call the Let's Encrypt interface for the subsequent operations only once it has. In this process a person has to keep querying whether global DNS has taken effect, which is extremely time-consuming and labour-intensive.
4. Subsequent certificate management operations, such as checking the domain names contained in a certificate and its expiry time, all require parsing the certificate content, which is very troublesome and time-consuming.
5. Certificates are hard to distribute after issuance; they must be copied manually to the different business servers.
6. The validity period of a domain name certificate is 3 months, so frequent renewal is required, otherwise the certificate expires and the site cannot be accessed.
While the foregoing is directed to embodiments of the present invention, other and further embodiments of the invention may be devised without departing from the basic scope thereof, and the scope thereof is determined by the claims that follow.
Claims (7)
1. A method of HTTPS certificate management, comprising:
a new certificate issuance operation: an API interface is used to connect to the server, resolve and verify the domain name, and then issue a certificate; the operation specifically includes the following steps:
S101, acquire the user's data information, namely the domain name INPUTDOMAIN entered by the user on the command line;
S102, parse the user's data information and query the database to judge whether an issuance record for it exists; if not, continue to step S103; if so, judge whether the validity period of the issuance record exceeds the threshold; if not, exit the issuing process, and if so, hand over to the subsequent certificate renewal operation;
S103, generate and store the corresponding private key information, and create a CSR file containing the user's data information;
S104, acquire the latest Let's Encrypt API interfaces through an interface, obtaining the new order interface newOrder, the new account interface newAccount and the certificate revocation interface revokeCert; read the Let's Encrypt account KEY file and log in to the server; if the account KEY file does not exist, create a new KEY, register a new Let's Encrypt account through the newAccount interface and log in;
S105, apply to create a new issuance order and judge whether the order was created successfully; if not, exit issuance, and if so, continue to step S106; the step includes: put the domain names to be issued into a domains list, assemble the POST data and call the newOrder interface with a POST request; judge whether the order was created successfully from the status code and status text returned by the newOrder interface: if the status code is 201 but the status is not pending or ready, order creation is judged to have failed; if the status code is 403, order creation is judged to have failed and issuance exits; if creation succeeded, continue to step S106;
S106, call the domain name authorization interface to acquire the random character string;
S107, call the relevant DNS interface to configure the domain name resolution record as required;
S108, verify in a loop whether the DNS domain name resolution has taken effect;
S109, the server verifies whether the DNS record of the domain name is valid, thereby verifying ownership of the domain name;
S110, call the interface to obtain the final issued certificate text and store it in the database, completing issuance;
a certificate renewal operation: a scheduled system task is set to renew expired certificates;
a certificate distribution operation: a scheduled system task is set to synchronise the domain name certificate information and bring the certificate into effect.
2. The method of HTTPS certificate management according to claim 1, wherein step S106 specifically includes: after the order is created successfully through the newOrder interface, the authorizations list and the finalize interface are obtained; iterate over the authorizations list, taking one domain name authorization interface authz at a time; request the authz interface and judge the state of the call from the returned status code and status text: if the status code is not 200 the call failed, and if the status code is 200 and the status is valid the domain name has already been verified; in either case (call failed or domain already verified) jump to the next iteration of the authorizations loop, otherwise continue to step S107.
3. The method of HTTPS certificate management according to claim 2, wherein step S107 specifically includes: from the information returned by the authz interface, parse the challengeUrl, the domain name domain and the TXT value to be published in DNS, and assemble the record name to be authenticated; call the DNS record deletion function with the dnsrrDomain value, which determines the resolution service provider hosting the domain name and calls that provider's SDK to delete the record; then call the DNS record addition function with the dnsrrDomain value and the TXT value, which likewise calls the provider's SDK to add a record whose value is the TXT value and whose type is TXT.
4. A method of HTTPS certificate management according to claim 3, wherein: the step S108 specifically includes: python initializes dns, resolver, and is configured nameserver to 8.8.8.8, and the loop verifies that dns resolution is valid, initiates a test every 5 seconds, and checks 60 total times.
5. The method of HTTPS certificate management of claim 4, wherein: the step S110 specifically includes: after the domain name is verified, text information of the CSR file is transmitted, a finalize interface is called, final visa text information is obtained, and the final visa text information is stored in domainPubFile; encrypting domainKeyFile the text information, domainPubFile the text information using AES; MD5 fingerprint information and expiration time information of domainPubFile are calculated, and the information is stored in a database; all information in the database is acquired, encrypted by AES in JSON format and stored in KEYFILE files, and visa is completed.
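The authorization decision of claim 2 and the DNS propagation check of claims 3 and 4, as an added example that is not the patent's own code: the `_acme-challenge` owner name comes from RFC 8555, the poll loop keeps the claimed 5-second interval and 60 attempts, and the resolver is injected so the loop can be exercised offline; `authz_needs_challenge`, `challenge_record_name`, `wait_for_txt` and `google_dns_txt` are names chosen here, and the live lookup assumes dnspython.

```python
import time
from typing import Callable, List, Optional

# Owner-name prefix of the DNS-01 TXT record (RFC 8555 section 8.4).
ACME_LABEL = "_acme-challenge"


def challenge_record_name(domain: str) -> str:
    """Splice the domain to be authenticated into its TXT record name (S107)."""
    return f"{ACME_LABEL}.{domain}"


def authz_needs_challenge(status_code: int, status: str) -> Optional[bool]:
    """Decision from claim 2 for one authz response.
    None  -> interface call failed (status code != 200): skip to next authz
    False -> already valid: skip to next authz
    True  -> continue with step S107 (publish the challenge record)."""
    if status_code != 200:
        return None
    if status == "valid":
        return False
    return True


def wait_for_txt(name: str, expected: str, lookup: Callable[[str], List[str]],
                 interval: float = 5.0, attempts: int = 60,
                 sleep: Callable[[float], None] = time.sleep) -> bool:
    """S108: poll lookup(name) until `expected` appears among the TXT answers.
    Defaults mirror claim 4 (every 5 s, 60 attempts). A lookup error (NXDOMAIN,
    timeout) counts as "not yet propagated" rather than aborting the issuance."""
    for attempt in range(attempts):
        try:
            if expected in lookup(name):
                return True
        except Exception:
            pass
        if attempt < attempts - 1:
            sleep(interval)
    return False


def google_dns_txt(name: str) -> List[str]:
    """Live lookup against 8.8.8.8 as in claim 4 (needs network + dnspython)."""
    import dns.resolver  # assumption: pip install dnspython
    resolver = dns.resolver.Resolver(configure=False)
    resolver.nameservers = ["8.8.8.8"]
    return [b"".join(rr.strings).decode() for rr in resolver.resolve(name, "TXT")]
```

Pass `google_dns_txt` as `lookup` for real use; the injected fake below shows the loop returning once the record appears.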
6. The HTTPS certificate management method according to claim 5, wherein the certificate renewal operation specifically comprises the following steps:
S201, setting a system timing task in the renewal service;
S202, obtaining the domain name information that exists in the database from step S102 and whose issuance validity period exceeds the threshold value, and storing it in the list RENEWALLIST;
S203, iterating over the RENEWALLIST list and calling the certificate issuance function until all domain names have been renewed.
7. The HTTPS certificate management method according to claim 6, wherein the certificate distribution operation specifically comprises the following steps:
S301, setting a timing task on the server;
S302, the certificate update program accessing the content of the KEYFILE file obtained by NGINX and decrypting the KEYFILE text content;
S303, reading the local cache and matching it against KEYFILE; if a domain name certificate does not exist locally, storing it in the designated certificate directory and updating the local cache;
S304, reading the local cache and matching it against KEYFILE; if the MD5 fingerprint has changed, updating the local certificate file and the local cache;
S305, judging whether the local cache has changed; if so, restarting the WEB container, and if not, certificate distribution is complete.
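Steps S302 to S305 as an added example that is not the patent's code: it takes KEYFILE records after AES decryption (the decryption itself and the record fields `domain`, `cert`, `key`, `md5` are assumptions), recomputes the MD5 fingerprint instead of trusting the stored one, writes new or changed certificates atomically with the private key owner-read-only, refreshes the local cache and returns whether the web container has to be restarted; `parse_keyfile`, `sync_certificates` and `_atomic_write` are names chosen here.

```python
import hashlib
import json
import os
from pathlib import Path
from typing import Dict, List


def parse_keyfile(decrypted_json: str) -> List[Dict[str, str]]:
    """KEYFILE text after AES decryption (S302). Assumed record layout:
    [{"domain": ..., "cert": <PEM>, "key": <PEM>, "md5": <hex MD5 of cert>}, ...]"""
    records = json.loads(decrypted_json)
    for rec in records:
        if not {"domain", "cert", "key", "md5"} <= rec.keys():
            raise ValueError("malformed KEYFILE record")
    return records


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _atomic_write(path: Path, data: bytes, mode: int) -> None:
    """Write to a temp file with an explicit mode, then rename into place so the
    web server never sees a half-written certificate or key."""
    tmp = path.parent / (path.name + ".tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.replace(tmp, path)


def sync_certificates(records: List[Dict[str, str]], cert_dir: Path,
                      cache: Dict[str, str]) -> bool:
    """S303/S304: install missing or changed certificates and update the cache
    (domain -> MD5). Returns True when anything changed, i.e. S305 must restart."""
    cert_dir.mkdir(parents=True, exist_ok=True)
    changed = False
    for rec in records:
        domain = rec["domain"]
        # The domain becomes a file name: refuse anything that could leave cert_dir.
        if not domain or "/" in domain or "\\" in domain or ".." in domain:
            raise ValueError(f"unsafe domain name: {domain!r}")
        cert = rec["cert"].encode()
        fp = md5_hex(cert)
        if fp != rec["md5"]:          # recompute; do not trust the stored fingerprint
            raise ValueError(f"fingerprint mismatch for {domain}")
        if cache.get(domain) == fp:   # S304: unchanged, nothing to do
            continue
        _atomic_write(cert_dir / f"{domain}.crt", cert, 0o644)
        _atomic_write(cert_dir / f"{domain}.key", rec["key"].encode(), 0o600)
        cache[domain] = fp
        changed = True
    return changed
```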
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111112476.0A CN113810501B (en) | 2021-09-23 | 2021-09-23 | HTTPS certificate management method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113810501A CN113810501A (en) | 2021-12-17 |
CN113810501B true CN113810501B (en) | 2024-11-05 |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |