20180830_jeffrey - silenceuncrio/diary GitHub Wiki
0905
This release has been postponed; the build will not start until Friday morning
First, help with a question from the customer Telewell
I have in unit with fw 1.61
Reset defaults 1st
And then tried with chrome and ie
And try to upgrade to 1.70
Stops in 3/5% for ever
After power off/on same again
V1.61 is
- brand - nobrand
- date - 20171127
- file -
M300_GENERIC_v1.61_012C000016129C77.img
or M300_GPS_v1.61_0136000016129C77.img
- cfile - then a cfile is applied, possibly one of
- Telewell_SF-300_v1.61.cfile
- Telewell_SF-300-G_v1.61.cfile
- Telewell_SF-301_v1.61.cfile
- Telewell_SF-301-G_v1.61.cfile
V1.70 is
- brand - Telewell
- date - 20180627
- file -
SF-301-G_v1.70_013600001702C1DE.img
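First confirm the symptom of the problem
For V1.61, start with the GPS image M300_GPS_v1.61_0136000016129C77.img
Flash it with mfgtool
Do not apply a cfile yet
The identification shown in the web UI is as follows
Upgrade directly from the web UI
using SF-301-G_v1.70_013600001702C1DE.img
The upgrade fails
The reason is
Log of the process - /tmp/FirmwareUpgrade.log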
firmware upgrade shell script start...
Upgrading the NAND flash image
Extract the tared firmware
Extract all files from /tmp/firmware.upload
tar -C /tmp -xf /tmp/firmware.upload succeeded
MD5 sums check...
firmware.md5 exist, read MD5 sums from it and check them
MD5 sums check succeeded
MCSV check...
mcsv.enc exist, decrypt it and check with hardware MCSV
decrypt mcsv.en
software MCSV: 013600001702C1DE
software MCSV-MMMM: 0136
software MCSV-CCCC: 0000
hardware MCSV: 012C000000000000
hardware MCSV-MMMM: 012C
hardware MCSV-CCCC: 0000
Error: Model ID not match, MCSV check failed
0950
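However, from the identification in the web UI
it can be seen that even when the GPS image (model id - 0136) was flashed with mfgtool
unless fw_setenv is then used to set it explicitly
the model id falls back to the rc.local default of 012C
Change it directly from the shell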
bash-4.3# fw_printenv hw_mcsv
hw_mcsv=012C000000000000
bash-4.3# fw_setenv hw_mcsv 0136000000000000
bash-4.3# fw_printenv hw_mcsv
hw_mcsv=0136000000000000
Reboot
After the fix, the web identification is as follows
Using SF-301-G_v1.70_013600001702C1DE.img
upgrade through the web UI
Everything works normally
Reported to ariel
1035
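The Japanese customer HYTEC reports the following when connecting over HTTPS
The normal browser screen is as follows
The abnormal browser screen is as follows
First flash the latest HYTEC version with mfgtool
Likewise, connect over HTTPS from the ethernet WAN
The screen on my side shows
This is the screen HYTEC describes as normal
although NET::ERR_CERT_AUTHORITY_INVALID appears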
1100
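A quick primer on what ERR_CONNECTION_REFUSED is
Chrome has a help article, "This webpage is not available"
Three causes
- Check the URL
- Delete cookies
- Change proxy settings
If HYTEC had mistyped the IP
I simulate that here
the error string that appears is ERR_CONNECTION_TIMED_OUT
Also, according to further information from HYTEC, only 1 unit out of 100 behaves this way
and on that unit it happens every time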
1110
The shell script used to generate the HTTPS key - web_x509.sh
#!/bin/bash
openssl req -x509 -newkey rsa:2048 -keyout /etc/icos/web/iweb_key.pem -out /etc/icos/web/iweb_cert.pem -days 3650 -nodes -subj '/CN=localhost'
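An expired date is unlikely to be the problem
I recall that in the past the generated key was once found to be empty
Simulate it
The current web key and cert are as follows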
bash-4.3# ls -al /etc/icos/web/
drwxr-xr-x 2 root root 304 Jul 1 21:14 .
drwxr-xr-x 50 root root 3296 Jul 1 21:13 ..
-rw-r--r-- 1 root root 1094 Jul 1 21:14 iweb_cert.pem
-rw-r--r-- 1 root root 1708 Jul 1 21:14 iweb_key.pem
Do not delete the key and cert
Instead, make the file contents empty
bash-4.3# echo "" > iweb_cert.pem
bash-4.3# echo "" > iweb_key.pem
bash-4.3# ls -al /etc/icos/web/
drwxr-xr-x 2 root root 304 Aug 30 03:17 .
drwxr-xr-x 50 root root 3296 Jul 1 21:13 ..
-rw-r--r-- 1 root root 1 Aug 30 03:17 iweb_cert.pem
-rw-r--r-- 1 root root 1 Aug 30 03:17 iweb_key.pem
Reboot
It turns out that a key like this prevents HTTPS from starting
bash-4.3# ls -al /etc/icos/web/
drwxr-xr-x 2 root root 304 Aug 30 03:17 .
drwxr-xr-x 50 root root 3296 Jul 1 21:13 ..
-rw-r--r-- 1 root root 1 Aug 30 03:17 iweb_cert.pem
-rw-r--r-- 1 root root 1 Aug 30 03:17 iweb_key.pem
bash-4.3# ps aux | grep iweb
root 1716 0.1 0.3 10460 1716 pts/3 Ss+ 03:18 0:00 iweb -p 80 -d /www
root 4559 0.0 0.0 1768 320 ttymxc0 S+ 03:19 0:00 grep iweb
Reproduced
If the IP exists but the HTTPS service is not running, this symptom appears
So how do we solve this for HYTEC?
reset to default solves it
bash-4.3# ls -al /etc/icos/web/
drwxr-xr-x 2 root root 304 Aug 30 03:29 .
drwxr-xr-x 50 root root 3296 Aug 30 03:28 ..
-rw-r--r-- 1 root root 1094 Aug 30 03:29 iweb_cert.pem
-rw-r--r-- 1 root root 1704 Aug 30 03:29 iweb_key.pem
bash-4.3# ps aux | grep iweb
root 1837 0.0 0.4 10460 2088 pts/3 Ss+ 03:28 0:00 iweb -p 80 -d /www
root 3053 0.1 0.5 10460 2964 pts/6 Ss+ 03:29 0:00 iweb -p 443 -d /www -s
root 12223 0.0 0.0 1768 320 ttymxc0 S+ 03:32 0:00 grep iweb
Because reset default clears /etc/icos
which means the abnormal key and cert are wiped
and on the next boot the web module regenerates the key and cert
1135
ariel wants the key and cert to be regenerated at the moment an abnormal key and cert prevent HTTPS from starting
Make the key and cert file contents empty
bash-4.3# echo "" > iweb_cert.pem
bash-4.3# echo "" > iweb_key.pem
bash-4.3# ls -al /etc/icos/web/
drwxr-xr-x 2 root root 304 Aug 30 03:17 .
drwxr-xr-x 50 root root 3296 Jul 1 21:13 ..
-rw-r--r-- 1 root root 1 Aug 30 03:17 iweb_cert.pem
-rw-r--r-- 1 root root 1 Aug 30 03:17 iweb_key.pem
Restart, then watch /home/log/web.log
...
failed to load the session from binary
-->
1535600408[20180830 3:40:8] [msgcb_web:1205]IN(DID1,pid 4147)
<--
Error starting server on port 443: Invalid SSL cert
-->
1535600408[20180830 3:40:8] [termcb_web:1078]IN(4147)
1535600408[20180830 3:40:8] [daemon_restart:702][DID1] remain IP server retry for 6 times.
1535600408[20180830 3:40:8] [gen_key_files:574]IN
1535600408[20180830 3:40:8] [gen_key_files:589]OUT
1535600408[20180830 3:40:8] [create_daemon_conf:601]IN
1535600408[20180830 3:40:8] [create_daemon_conf:612]cmd_buf=>dir=/
1535600408[20180830 3:40:8] [create_daemon_conf:617]cmd_buf=>cgipat=cgi-bin/**
1535600408[20180830 3:40:8] [create_daemon_conf:622]cmd_buf=>chroot
1535600408[20180830 3:40:8] [create_daemon_conf:627]cmd_buf=>user=root
1535600408[20180830 3:40:8] [create_daemon_conf:632]cmd_buf=>max_age=0
1535600408[20180830 3:40:8] [create_daemon_conf:637]cmd_buf=>debug
1535600408[20180830 3:40:8] [create_daemon_conf:644]cmd_buf=>ssl
1535600408[20180830 3:40:8] [create_daemon_conf:649]cmd_buf=>certfile=/etc/icos/ca/cert.pem
1535600408[20180830 3:40:8] [daemon_restart:744][DMN]Lanch=>/usr/sbin/iweb -p 443 -d /www -s
1535600408[20180830 3:40:8] [web_dump:512]===Daemon killed restart===
1535600408[20180830 3:40:8] [web_dump:558][DMN0]active=1,pid=1704,status=1,flag=0x0,DID0
1535600408[20180830 3:40:8] [web_dump:558][DMN1]active=1,pid=4156,status=1,flag=0x0,DID1
1535600408[20180830 3:40:8] [msgcb_web:1205]IN(DID1,pid 4156)
<--
failed to load the session from binary
Error starting server on port 443: Invalid SSL cert
-->
1535600408[20180830 3:40:8] [termcb_web:1078]IN(4156)
1535600408[20180830 3:40:8] [daemon_restart:702][DID1] remain IP server retry for 6 times.
1535600408[20180830 3:40:8] [gen_key_files:574]IN
1535600408[20180830 3:40:8] [gen_key_files:589]OUT
1535600408[20180830 3:40:8] [create_daemon_conf:601]IN
1535600408[20180830 3:40:8] [create_daemon_conf:612]cmd_buf=>dir=/
1535600408[20180830 3:40:8] [create_daemon_conf:617]cmd_buf=>cgipat=cgi-bin/**
1535600408[20180830 3:40:8] [create_daemon_conf:622]cmd_buf=>chroot
1535600408[20180830 3:40:8] [create_daemon_conf:627]cmd_buf=>user=root
1535600408[20180830 3:40:8] [create_daemon_conf:632]cmd_buf=>max_age=0
1535600408[20180830 3:40:8] [create_daemon_conf:637]cmd_buf=>debug
1535600408[20180830 3:40:8] [create_daemon_conf:644]cmd_buf=>ssl
1535600408[20180830 3:40:8] [create_daemon_conf:649]cmd_buf=>certfile=/etc/icos/ca/cert.pem
1535600408[20180830 3:40:8] [daemon_restart:744][DMN]Lanch=>/usr/sbin/iweb -p 443 -d /www -s
1535600408[20180830 3:40:8] [web_dump:512]===Daemon killed restart===
1535600408[20180830 3:40:8] [web_dump:558][DMN0]active=1,pid=1704,status=1,flag=0x0,DID0
1535600408[20180830 3:40:8] [web_dump:558][DMN1]active=1,pid=4159,status=1,flag=0x0,DID1
1535600456[20180830 3:40:56] [notify_web:858]IN(E57|S56|D00)
1535600456[20180830 3:40:56] [notify_web:911]WAN IP UPDATE
HTTPS keeps trying to start, but every attempt fails because of
Error starting server on port 443: Invalid SSL cert
and so it never comes up
I can modify gen_key_files()
static void gen_key_files(void)
{
    int pid;
    char cmd[256];

    WEB_INFO("IN\n");
    if (-1 == access(WEB_DAEMON_KEY_FILE, F_OK))
    {
        pid = ICOS_ProcLaunch(MODULE_WEB, "web_x509.sh", NULL, NULL);
        WEB_INFO("iweb genkey pid = %d\n", pid);
    }
    WEB_INFO("OUT\n");
}
Insert a step that checks the key and cert
1310
The key can be checked with openssl rsa -in iweb_key.pem
bash-4.3# ls -al
drwxr-xr-x 2 root root 304 Aug 30 05:04 .
drwxr-xr-x 50 root root 3296 Aug 30 03:28 ..
-rw-r--r-- 1 root root 1094 Aug 30 05:04 iweb_cert.pem
-rw-r--r-- 1 root root 1708 Aug 30 05:04 iweb_key.pem
bash-4.3# openssl rsa -in iweb_key.pem
writing RSA key
bash-4.3# echo $?
0
Deliberately create a corrupted key
bash-4.3# cp iweb_key.pem iweb_key.pem.broken
bash-4.3# echo "" > iweb_key.pem.broken
bash-4.3# openssl rsa -in iweb_key.pem.broken
unable to load Private Key
1996006608:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
bash-4.3# echo $?
1
The cert can be checked with openssl x509 -in iweb_cert.pem
bash-4.3# ls -al
drwxr-xr-x 2 root root 304 Aug 30 05:04 .
drwxr-xr-x 50 root root 3296 Aug 30 03:28 ..
-rw-r--r-- 1 root root 1094 Aug 30 05:04 iweb_cert.pem
-rw-r--r-- 1 root root 1708 Aug 30 05:04 iweb_key.pem
bash-4.3# openssl x509 -in iweb_cert.pem
bash-4.3# echo $?
0
Deliberately create a corrupted cert
bash-4.3# cp iweb_cert.pem iweb_cert.pem.broken
bash-4.3# echo "" > iweb_cert.pem.broken
bash-4.3# openssl x509 -in iweb_cert.pem.broken
unable to load certificate
1995502800:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
bash-4.3# echo $?
1
Integrate this into the C code
static void gen_key_files(void)
{
    int pid;
    int ret_1, ret_2;
    char cmd[256];

    WEB_INFO("IN\n");
    /* No key file yet: generate the key and cert */
    if (-1 == access(WEB_DAEMON_KEY_FILE, F_OK))
    {
        pid = ICOS_ProcLaunch(MODULE_WEB, "web_x509.sh", NULL, NULL);
        WEB_INFO("iweb genkey pid = %d\n", pid);
    }
    /* Parse the key; -noout keeps the private key out of the daemon's stdout */
    snprintf(cmd, sizeof(cmd), "openssl rsa -in %s -noout", WEB_DAEMON_KEY_FILE);
    ret_1 = system(cmd);
    WEB_INFO("result of 'openssl rsa -in %s': %d\n", WEB_DAEMON_KEY_FILE, ret_1);
    /* Parse the cert */
    snprintf(cmd, sizeof(cmd), "openssl x509 -in %s -noout", WEB_DAEMON_CERT_FILE);
    ret_2 = system(cmd);
    WEB_INFO("result of 'openssl x509 -in %s': %d\n", WEB_DAEMON_CERT_FILE, ret_2);
    /* Either file failed to parse: regenerate both */
    if (ret_1 != 0 || ret_2 != 0)
    {
        WEB_INFO("key or cert invalid\n");
        pid = ICOS_ProcLaunch(MODULE_WEB, "web_x509.sh", NULL, NULL);
        WEB_INFO("iweb genkey pid = %d\n", pid);
    }
    WEB_INFO("OUT\n");
}
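The same check can also live in the generation script itself. The following is an added example, not code from this diary or the project: it goes one step beyond the two parse checks by also confirming that the cert belongs to the key, and it writes new files under temporary names before renaming them, so a half-written file never sits at the final path. The function names, the temp-file scheme and the 0600 key mode are assumptions of the example; the openssl req options are the ones from web_x509.sh.

```shell
#!/bin/bash
# Added example, not the project's code. File names and the openssl req options
# follow web_x509.sh above; function names and temp-file scheme are assumptions.

# Succeeds only if both files parse AND the cert carries the key's public half.
pair_is_valid() {
    local key="$1" cert="$2" kpub cpub
    [ -s "$key" ] && [ -s "$cert" ] || return 1
    # Only public material is emitted, so the private key never reaches
    # stdout or a log file.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Generate a fresh pair next to the target paths, verify it, then rename it
# into place. rename() within one directory replaces the old file in one step.
regenerate_pair() {
    local key="$1" cert="$2" dir tmpk tmpc
    dir=$(dirname "$key")
    tmpk=$(mktemp "$dir/.iweb_key.XXXXXX") || return 1
    tmpc=$(mktemp "$dir/.iweb_cert.XXXXXX") || { rm -f "$tmpk"; return 1; }
    if openssl req -x509 -newkey rsa:2048 -keyout "$tmpk" -out "$tmpc" \
            -days 3650 -nodes -subj '/CN=localhost' 2>/dev/null \
        && pair_is_valid "$tmpk" "$tmpc"; then
        # The listings above show the key as -rw-r--r--; this example uses 0600.
        chmod 600 "$tmpk"
        chmod 644 "$tmpc"
        sync    # flush file contents before they become visible by name
        # If only the first rename lands, the next pair_is_valid call sees a
        # key/cert mismatch and regenerates again.
        mv -f "$tmpk" "$key" && mv -f "$tmpc" "$cert" || return 1
        sync
        return 0
    fi
    rm -f "$tmpk" "$tmpc"
    return 1
}

# Entry point: leave a good pair alone, replace anything else.
ensure_pair() {
    if pair_is_valid "$1" "$2"; then
        return 0
    fi
    echo "key or cert invalid, regenerating" >&2
    regenerate_pair "$1" "$2"
}

# Usage on the device (paths from this page):
#   web_x509.sh /etc/icos/web/iweb_key.pem /etc/icos/web/iweb_cert.pem
if [ "$#" -eq 2 ]; then
    ensure_pair "$1" "$2"
fi
```

Because the script waits for openssl and verifies the result before renaming, a caller that runs it to completion can start iweb immediately afterwards without a second check.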
1440
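The customer HYTEC has confirmed that reset default solved their problem
which means the problem really was caused by an abnormal key and cert
Rushing to add a remedial mechanism in time for tomorrow morning's release
so that at the moment an abnormal key and cert prevent HTTPS from starting
the key and cert are regenerated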
1530
Just helped Telewell upgrade the firmware remotely via teamview
Both devices were successfully upgraded from V1.61 to V1.70
1805
Verifying whether the key and cert are valid cannot be finished in time
It will not make tomorrow's release