I am configuring the otm service using https://github.com/jhaals/yopass#docker-compose. I have some questions about its nginx-proxy-letsencrypt and its logging. When I run docker logs -f otm-nginx-proxy-letsencrypt-1, I can see that the certificate is logged:
2022/10/10 10:31:27 [notice] 59#59: signal process started
Creating/renewal otm.my.domain certificates... (otm.my.domain)
[Mon Oct 10 10:31:28 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon Oct 10 10:31:29 UTC 2022] Creating domain key
[Mon Oct 10 10:31:30 UTC 2022] The domain key is here: /etc/acme.sh/[email protected]/otm.my.domain/otm.my.domain.key
[Mon Oct 10 10:31:30 UTC 2022] Single domain='otm.my.domain'
[Mon Oct 10 10:31:30 UTC 2022] Getting domain auth token for each domain
[Mon Oct 10 10:31:32 UTC 2022] Getting webroot for domain='otm.my.domain'
[Mon Oct 10 10:31:32 UTC 2022] Verifying: otm.my.domain
[Mon Oct 10 10:31:36 UTC 2022] Success
[Mon Oct 10 10:31:36 UTC 2022] Verify finished, start to sign.
[Mon Oct 10 10:31:36 UTC 2022] Lets finalize the order.
[Mon Oct 10 10:31:36 UTC 2022] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/3***/1*********'
[Mon Oct 10 10:31:37 UTC 2022] Downloading cert.
[Mon Oct 10 10:31:37 UTC 2022] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/8...f'
[Mon Oct 10 10:31:37 UTC 2022] Cert success.
-----BEGIN CERTIFICATE-----
MIIGKzCCBROgAwIBAgISA9Y2oiyXcvf0rbdIWa6HeqdvMA0GCSqGSIb3DQEBCwUA
...
TwgOT5rz9z6bx9BVHsmKqw1uWwcA7ltIGWT6cJd5k8VIdnS59xfYJLiqNWNW+v0=
-----END CERTIFICATE-----
[Mon Oct 10 10:31:37 UTC 2022] Your cert is in /etc/acme.sh/[email protected]/otm.my.domain/otm.my.domain.cer
[Mon Oct 10 10:31:37 UTC 2022] Your cert key is in /etc/acme.sh/[email protected]/otm.my.domain/otm.my.domain.key
[Mon Oct 10 10:31:38 UTC 2022] The intermediate CA cert is in /etc/acme.sh/[email protected]/otm.my.domain/ca.cer
[Mon Oct 10 10:31:38 UTC 2022] And the full chain certs is there: /etc/acme.sh/[email protected]/otm.my.domain/fullchain.cer
[Mon Oct 10 10:31:38 UTC 2022] Installing cert to:/etc/nginx/certs/otm.my.domain/cert.pem
[Mon Oct 10 10:31:38 UTC 2022] Installing CA to:/etc/nginx/certs/otm.my.domain/chain.pem
[Mon Oct 10 10:31:38 UTC 2022] Installing key to:/etc/nginx/certs/otm.my.domain/key.pem
[Mon Oct 10 10:31:38 UTC 2022] Installing full chain to:/etc/nginx/certs/otm.my.domain/fullchain.pem
Reloading nginx proxy (7a...b2)...
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
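Is it OK to have this in the logs?
Answer 1
If you are concerned about security, there is nothing wrong with the certificate appearing in the logs. This object contains only public certificate information; if someone steals this string, the attacker cannot do anything with it, because the private key is not included in the logs. The private key is the important part that an attacker could obtain.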
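
The distinction drawn in the answer can be checked mechanically. The following is an added example, not part of the original answer or of the yopass or acme.sh projects: it lists every PEM block in a log stream and fails only when a block is private key material. The function names and both sample logs are constructed for illustration.

```shell
#!/bin/sh
# Added example. scan_pem_labels reads log text on stdin and prints one line
# per PEM block: <log line number> <public|SECRET> <PEM label>
# It returns 1 if any block is private key material, 0 otherwise.
scan_pem_labels() {
    awk '
        # The header may follow a timestamp or other prefix, so search the whole line.
        match($0, /-----BEGIN [A-Z0-9 ]+-----/) {
            # Strip "-----BEGIN " (11 chars) and the trailing "-----" (5 chars).
            label = substr($0, RSTART + 11, RLENGTH - 16)
            # Common key labels (PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY,
            # ENCRYPTED PRIVATE KEY, OPENSSH PRIVATE KEY) all end the same way.
            kind = (label ~ /PRIVATE KEY$/) ? "SECRET" : "public"
            if (kind == "SECRET") found = 1
            printf "%d %s %s\n", NR, kind, label
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: same shape as the acme.sh output in the question (public cert only).
sample_cert_only() {
    cat <<'EOF'
[Mon Oct 10 10:31:37 UTC 2022] Cert success.
-----BEGIN CERTIFICATE-----
(constructed placeholder body)
-----END CERTIFICATE-----
[Mon Oct 10 10:31:37 UTC 2022] Your cert is in /etc/acme.sh/...
EOF
}

# Constructed sample: a hypothetical misconfigured service that also dumps its key.
sample_with_key() {
    sample_cert_only
    cat <<'EOF'
debug: loaded key -----BEGIN EC PRIVATE KEY-----
(constructed placeholder, not a real key)
-----END EC PRIVATE KEY-----
EOF
}

sample_cert_only | scan_pem_labels && echo "no private key material in log"
sample_with_key | scan_pem_labels || echo "private key material found in log"
```

To check the real container, pipe the output of docker logs otm-nginx-proxy-letsencrypt-1 2>&1 into scan_pem_labels.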