环境:node1:192.168.44.128
node2:192.168.44.129
密钥认证脚本
[root@node2 ~]# cat 2.sh #!/bin/bash IP="192.168.44.128" USERNAME="root" PWD="123" yum -y install expect expect << EOF set timeout 60 spawn ssh-keygen -t rsa expect "(/root/.ssh/id_rsa):" {send "\r"} # expect "(y/n)? " {send "y \r"} expect "passphrase):" {send "\r"} expect "again: " {send "\r"} expect "#" {send "exit \r"} EOF expect << EOF set timeout 60 spawn ssh-copy-id ${USERNAME}@${IP} expect "connecting" {send "yes\r"} expect "password:" {send "${PWD}\r"} expect "#" {send "\r"} EOF
https证书脚本
[root@node1 ~]# cat https.sh #!/bin/bash hostname=192.168.44.128 rm -rf /etc/pki/CA &>/dev/null mkdir -p /etc/pki/CA/private && cd /etc/pki/CA yum -y install expect &>/dev/null #CA生成一对密钥 (umask 077;openssl genrsa -out private/cakey.pem 2048) #提取公钥 openssl rsa -in private/cakey.pem -pubout #生成自签署证书 expect << EOF set timeout 60 spawn openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 expect "letter code" {send "cn\r"} expect "full name" {send "HB\r"} expect "city" {send "WH\r"} expect "company" {send "runtime\r"} expect "section" {send "teach\r"} expect "hostname" {send "${hostname}\r"} expect "Email" {send "1@2.com\r"} expect "#" EOF #读出cacert.pem证书的内容 openssl x509 -text -in cacert.pem mkdir certs newcerts crl touch index.txt && echo 01 > serial #安装httpd yum -y remove httpd &>/dev/null yum -y install httpd &>/dev/null systemctl enable --now httpd &>/dev/null #httpd服务器生成密钥 cd /etc/httpd && mkdir ssl && cd ssl (umask 077;openssl genrsa -out httpd.key 2048) #生成证书签署请求 expect << EOF set timeout 60 spawn openssl req -new -key httpd.key -days 365 -out httpd.csr expect "letter code" {send "cn\r"} expect "full name" {send "HB\r"} expect "city" {send "WH\r"} expect "company" {send "runtime\r"} expect "section" {send "teach\r"} expect "hostname" {send "${hostname}\r"} expect "Email" {send "1@2.com\r"} expect "password" {send "\r"} expect "company name" {send "\r"} expect "#" EOF #CA签署客户端提交上来的证书 expect << EOF set timeout 60 spawn openssl ca -in ./httpd.csr -out httpd.crt -days 365 expect "certificate" {send "y\r"} expect "commit" {send "y\r"} expect "#" EOF #修改配置文件 yum -y remove mod_ssl &>/dev/null yum -y install mod_ssl &>/dev/null sed -i "s/#DocumentRoot/DocumentRoot/g" /etc/httpd/conf.d/ssl.conf sed -i "s/#ServerName www.example.com:443/ServerName ${hostname}:443/g" sed -i "s#/etc/pki/tls/certs/localhost.crt#/etc/httpd/ssl/httpd.crt#g" /etc/httpd/conf.d/ssl.conf sed -i "s#/etc/pki/tls/private/localhost.key#/etc/httpd/ssl/httpd.key#g" /etc/httpd/conf.d/ssl.conf #重启httpd systemctl restart httpd &>/dev/null ss -antl [root@node1 ~]# bash https.sh ······ State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:22 0.0.0.0:* LISTEN 0 128 *:443 *:* LISTEN 0 128 *:80 *:* LISTEN 0 128 [::]:22 [::]:*