divB's questions

我创建了一个包含两个域的 LetsEncrypt 证书，one.example.com 和 two.example.com（注意，我知道通配符证书，但这个问题是一个证书中的多个名称）。

该证书以 one.example.com 作为 CN，并以 one.example.com 和 two.example.com 作为 X509v3 主体备用名称属性。

我将证书与 nginx 一起使用。

按照惯例，客户端只需检查 CN 是否与 DNS 名称匹配，我预计只要 one.example.com 和 two.example.com 现在指向同一个 nginx 服务器，我就可以通过这两个 DNS 名称访问它们。但只有 one.example.com 有效。

我可以使用 openssl 重现此问题：

openssl s_client -showcerts -servername one.example.com -connect 192.168.151.97:443                                                          
Connecting to 192.168.151.97
CONNECTED(00000003)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E5
verify return:1
depth=0 CN=one.example.com
verify return:1
---
Certificate chain
 0 s:CN=one.example.com
   i:C=US, O=Let's Encrypt, CN=E5
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jul 17 05:27:55 2024 GMT; NotAfter: Oct 15 05:27:54 2024 GMT
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:C=US, O=Let's Encrypt, CN=E5
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=CN=one.example.com
issuer=C=US, O=Let's Encrypt, CN=E5
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2434 bytes and written 410 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---


openssl s_client -showcerts -servername two.example.com -connect 192.168.151.97:443
Connecting to 192.168.151.97
CONNECTED(00000003)
402EB7DC01000000:error:0A000458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:ssl/record/rec_layer_s3.c:907:SSL alert number 112
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 333 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

因此您可以看到，one.example.com 可以工作，但是 two.example.com 不工作，尽管它被列为主题备用名称。

即使我明确指定-servername two.example.com，情况也不会改变。

为什么 browsers/openssl 无法成功验证 two.example.com？

我有一个 /28 网络，我想添加一个 IP（/32 网络）。在我的 Debian 机器上，它看起来像：

auto eth0
iface eth0 inet static 
  address 192.0.2.212/28
  gateway 192.0.2.209
iface eth0 inet static
  address 192.0.2.175/32

然后，在路由器（192.0.2.209/28）上，我有一条静态路由：“route 192.0.2.175/32 next-hop 192.0.2.212”

这种做法有什么问题吗？

给定一个路由到 HostA 的（公共）网络 198.51.100.0/24，我想将它的子网（例如，198.51.100.16/28）路由到 HostB。HostA 和 HostB 通过某种点对点链路（例如 VPN 或 PPP）连接。

路由这样的网络有哪些选项（以及最佳实践是什么）？从技术上讲，我不应该使用私有 IP (RFC1918)，因为这样的 IP 永远不应该与可公开路由的 IP 地址混合。

我可以分离 /30 网络并将其用作 HostA 和 HostB 之间的点对点链接，并在其之上路由 198.51.100.16/28。但这似乎很浪费。

我可以使用 RFC1918 地址吗？我可以使用链接本地地址吗？

编辑：我试过tracert，确实，中间有RFC1918地址（注意：我认为第一个是我的CGNAT，但其他的肯定在公共网络中）：

  [...]
  2    70 ms    70 ms    71 ms  10.8.0.1
  3    78 ms    71 ms    73 ms  D [64.44.32.1]
  4    72 ms    71 ms    71 ms  89-88-12-198.as20278.net [198.12.88.89]
  5    72 ms    74 ms    70 ms  10.8.40.245
  6    71 ms    71 ms    73 ms  10.8.6.33
  7    75 ms    71 ms    73 ms  buf-b1-link.ip.twelve99.net [62.115.59.89]
  8    82 ms     *       81 ms  nyk-bb1-link.ip.twelve99.net [62.115.118.122]
  9   188 ms     *      157 ms  ldn-bb4-link.ip.twelve99.net [62.115.112.245]
 10   364 ms   212 ms   294 ms  prs-bb2-link.ip.twelve99.net [62.115.114.229]
 11   208 ms   297 ms   304 ms  ffm-bb2-link.ip.twelve99.net [62.115.122.139]
 12   282 ms   246 ms   361 ms  win-bb4-link.ip.twelve99.net [62.115.138.23]
 13   303 ms   180 ms   325 ms  win-b2-link.ip.twelve99.net [62.115.114.183]
[...]

我的 ISP 路由 /29 网络（8 个 IP 地址）。第一个和最后一个当然是网络和广播地址，第二个是由 ISP 分配给调制解调器的。调制解调器有一个带有 /29 网络的以太网 LAN 端口，我可以使用它。不幸的是，我无法访问或更换调制解调器，只有 ISP 可以访问它。在此讨论中，它需要被视为黑匣子。我的端点是提供 /29 网络的调制解调器的 LAN 连接。

当然，我可以将剩下的 5 个 IP 地址分配给不同的机器，并通过以太网端口将它们连接到调制解调器。这就是我现在正在做的事情。

但是，我想在两者之间有一个数据包过滤器（防火墙）。通常防火墙需要两个接口和两个子网。从技术上讲，我可以将 /29 分成两个 /30 网络，并将防火墙放在它们之间。

另一种选择是将所有五个静态 IP 分配给防火墙并进行 NAT 和端口转发。

第三种选择是让所有 L2 流量通过我的防火墙，将其配置为网桥并使用基本的 L2 过滤。

这些选项中没有一个对我有吸引力。

有没有一种无需NAT 或 L2 过滤即可在我的 IP 网络前面放置防火墙的好方法？

它总是在“状态：准备安装 - 80%”时失败。

我已经尝试了我能想到的一切：

DISM.exe /Online /Cleanup-image /Scanhealth
sfc /scannow

删除 c:\Windows\SoftwareDistribution ( https://community.spiceworks.com/topic/2223969-1809-update-error-at-install-0x80070490?page=1#entry-8486582 ) 或“Windows 修复” ( https: //www.tweaking.com/content/page/windows_repair_all_in_one.html）。

我得到的 WindowsUpdate.logGet-WindowsUpdateLog也不包含任何有用的东西。最后的消息是：

[...]
2020-03-29 16:05:06.3603049 5044  13616 DownloadManager Downloading from http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3b376681-46d3-4369-a7f1-3af38277adc8?P1=1585512870&P2=402&P3=2&P4=aCBW3EDTml8B3XQaaUTnexmcly%2bmH%2byssGFFFtbhnYX8QDW1RHpyPd4Opi2NSoMTypqeNB6%2btIJcpPn8xt0hvw%3d%3d to C:\WINDOWS\SoftwareDistribution\Download\9a7a8eff8aff2a1fe2261d6b7d7a8929\amd64_Microsoft-OneCore-ApplicationModel-Sync-Desktop-FOD-Package_rs4_release.17134.1304.180410-1804.cab (full file).
2020-03-29 16:05:06.3604000 5044  13616 DownloadManager Created download job 251FE845-A47A-400C-B811-5176752184E0; memory stream: No.
2020-03-29 16:05:06.3750224 5044  13616 DownloadManager New download job {251FE845-A47A-400C-B811-5176752184E0} for UpdateId 6EA6D7FF-D374-4148-AED4-0830478A03FC.1
2020-03-29 16:05:06.7986064 5044  13616 DownloadManager Update the URLs for DO Job 251FE845-A47A-400C-B811-5176752184E0 - Update 6EA6D7FF-D374-4148-AED4-0830478A03FC.1
2020-03-29 16:05:07.1322490 5044  13616 DownloadManager Download job 251FE845-A47A-400C-B811-5176752184E0 resumed.
2020-03-29 16:09:14.2221009 5044  5340  DownloadManager DO job {251FE845-A47A-400C-B811-5176752184E0} completed successfully, updateId = 6EA6D7FF-D374-4148-AED4-0830478A03FC.1
2020-03-29 16:09:15.7372836 5044  13616 DownloadManager Queueing update 6EA6D7FF-D374-4148-AED4-0830478A03FC.1 for download handler request generation.
2020-03-29 16:09:15.8376936 5044  7388  DownloadManager Generating download request for update 6EA6D7FF-D374-4148-AED4-0830478A03FC.1.
2020-03-29 16:09:15.9092473 5044  7388  DownloadManager Calling into handler 0xc to generate download request for update 6EA6D7FF-D374-4148-AED4-0830478A03FC.1.
2020-03-29 16:09:15.9389298 5044  6840  Misc            Validating signature for C:\WINDOWS\SoftwareDistribution\Download\9a7a8eff8aff2a1fe2261d6b7d7a8929\DesktopDeployment.cab with dwProvFlags 0x00000080:
2020-03-29 16:09:15.9770877 5044  6840  Misc             Microsoft signed: Yes
2020-03-29 16:09:16.0383498 5044  6840  Handler         Using the update's service stack dll file 'C:\WINDOWS\SoftwareDistribution\Download\9a7a8eff8aff2a1fe2261d6b7d7a8929\Metadata\UpdateAgent.dll' 
2020-03-29 16:09:16.9296167 5044  7388  Handler         UUP GDR: Event Fired: TimeOut
2020-03-29 16:09:16.9296380 5044  7388  DownloadManager GenerateDownloadRequest returned WU_E_OPERATIONINPROGRESS for update 6EA6D7FF-D374-4148-AED4-0830478A03FC.1.
2020-03-29 16:15:45.7517899 5044  6840  DownloadManager Subscribing to GDR Retry due to async handler trigger.
2020-03-29 16:15:46.1669676 5044  7388  DownloadManager Generating download request for update 6EA6D7FF-D374-4148-AED4-0830478A03FC.1.
2020-03-29 16:15:46.2460245 5044  7388  DownloadManager Calling into handler 0xc to generate download request for update 6EA6D7FF-D374-4148-AED4-0830478A03FC.1.
2020-03-29 16:15:46.2460364 5044  7388  Handler         *FAILED* [80070490] UUP GDR: Completed
2020-03-29 16:15:46.2523025 5044  7388  DownloadManager *FAILED* [80070490] GDR
2020-03-29 16:15:46.5577866 5044  7388  DownloadManager *FAILED* [80070490] Error occurred while downloading update 6EA6D7FF-D374-4148-AED4-0830478A03FC.1; notifying dependent calls.
2020-03-29 16:15:46.6679550 5044  13616 DownloadManager * END * Download Call Complete Call 4 for caller UpdateOrchestrator has completed; signaling completion.
2020-03-29 16:15:46.6685862 5044  13616 Agent           Effective power state: AC; IsOnAC: Yes.
2020-03-29 16:15:46.6685996 5044  13616 IdleTimer       WU operation (DL.UpdateOrchestrator, operation # 425) stopped; does use network; is not at background priority
2020-03-29 16:15:46.6686071 5044  13616 Agent           Released network PDC reference for callId {7C31AE7B-B2E8-4E9D-9FAE-E69C5EEB4AA5}; ActivationID: 425
2020-03-29 16:15:46.6689426 5044  5276  ComApi          *RESUMED* Download ClientId = UpdateOrchestrator
2020-03-29 16:15:46.6689474 5044  5276  ComApi          Download call complete (succeeded = 0, succeeded with errors = 0, failed = 1, cancelled = 0, unaccounted = 0)
2020-03-29 16:15:46.6689588 5044  5276  ComApi          ClientId = UpdateOrchestrator: Exit code = 0x00000000; Call error code = 0x80240022
2020-03-29 16:15:46.6689608 5044  5276  ComApi          * END *   Download ClientId = UpdateOrchestrator
2020-03-29 16:15:46.6689667 5044  5276  Agent           WU client calls back to download call {7C31AE7B-B2E8-4E9D-9FAE-E69C5EEB4AA5} with code Call complete and error 0x80070490
2020-03-29 16:15:46.6693800 5044  5796  ComApi          Download call complete (succeeded = 0, succeeded with errors = 0, failed = 1, cancelled = 0, unaccounted = 0)
2020-03-29 16:15:46.6693911 5044  5796  ComApi          * END *   All federated downloads have completed. ClientId = UpdateOrchestrator (cV = Kuodo0a890eUtjBr.3.1)
2020-03-29 16:15:46.6823141 5044  13616 DownloadManager DynamicDownloadDataFetcher Refresh Svc: {8B24B027-1DEE-BABB-9A95-3517DFB9C552}
2020-03-29 16:15:46.6823196 5044  13616 DownloadManager *FAILED* [8024000C] DynamicDownloadDataFetcher Refresh complete

太令人沮丧了。是否希望在不重新安装 Windows 的情况下安装更新？

我正在为 Win 10 更新而苦苦挣扎：

Feature update to Windows 10, version 1809 x64 2020-03B - Error 0x80070490

谷歌充斥着关于随机人经历的无用文章，但没有实际或系统的解决方案，我已经完成了通常的解决方案 [ DSIM, Sfc]：

• 根据我的研究，0x80070490与驱动程序问题有关，但在设备管理器中一切正常，所有设备都按预期工作（Windows 必须在某个地方放置比这个愚蠢代码更多的信息）
• 据说里面应该有日志文件C:\$WINDOWS.~BT\Sources\Rollback，但是Rollback不存在；同样，事件日志中没有（当前）文件C:\Windows\Panther\或有用信息

更新实际上将日志文件放在哪里？

我删除了 /var/lib/apt 和 /var/cache/apt 因为我无法摆脱 apt 的奇怪问题。

现在我总是得到：

Get:1 http://security-cdn.debian.org buster/updates InRelease [65.4 kB]
Err:1 http://security-cdn.debian.org buster/updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA8E81B4331F7F50 NO_PUBKEY 112695A0E562B32A
Reading package lists... Done
W: GPG error: http://security-cdn.debian.org buster/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA8E81B4331F7F50 NO_PUBKEY 112695A0E562B32A
E: The repository 'http://security.debian.org buster/updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

这显然不是真的。但是好的，删除 /etc/apt/trusted.gpg 并重新开始：

# rm /etc/apt/trusted.gpg
# apt-key adv --keyserver pgp.mit.edu --recv-keys AA8E81B4331F7F50
Executing: /tmp/apt-key-gpghome.DwxpIbllfu/gpg.1.sh --keyserver pgp.mit.edu --recv-keys AA8E81B4331F7F50
gpg: key EDA0D2388AE22BA9: public key "Debian Security Archive Automatic Signing Key (9/stretch) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
# apt-key adv --keyserver pgp.mit.edu --recv-keys 112695A0E562B32A
Executing: /tmp/apt-key-gpghome.TFiPCm4ThF/gpg.1.sh --keyserver pgp.mit.edu --recv-keys 112695A0E562B32A
gpg: key 4DFAB270CAA96DFA: public key "Debian Security Archive Automatic Signing Key (10/buster) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
      6ED6 F5CB 5FA6 FB2F 460A  E88E EDA0 D238 8AE2 2BA9
uid           [ unknown] Debian Security Archive Automatic Signing Key (9/stretch) <[email protected]>
sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]

pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      5E61 B217 265D A980 7A23  C5FF 4DFA B270 CAA9 6DFA
uid           [ unknown] Debian Security Archive Automatic Signing Key (10/buster) <[email protected]>
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]

# apt update
Get:1 http://security-cdn.debian.org buster/updates InRelease [65.4 kB]
Err:1 http://security-cdn.debian.org buster/updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA8E81B4331F7F50 NO_PUBKEY 112695A0E562B32A
Reading package lists... Done
W: GPG error: http://security-cdn.debian.org buster/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA8E81B4331F7F50 NO_PUBKEY 112695A0E562B32A
E: The repository 'http://security.debian.org buster/updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Apt 只是显示远离现实的信息。它在撒谎！这个怎么可能？

PS：我应该说我在删除它们之前从 /var/lib/apt 和 /var/apt/cache 创建了一个备份。当我将备份复制回来时，没有任何变化。所以似乎有别的东西坏了。

PSS：我还删除了 /etc/apt、/var/lib/apt、/var/cache/apt 并通过“dpkg -i apt_1.8.2_amd64.deb”重新安装了 apt。所有目录都是从头开始重新创建的，但 apt update 仍然失败并出现同样的错误！

它让我发疯：Windows 10 中存储的普通 Windows 图标在哪里？

winver.exe 过去一直是一个安全的选择，但现在已经不存在了。

我尝试了通常的候选人（explorer.exe，shell32.dll，...）