I am going to try obtaining and using a free SSL certificate from Let's Encrypt. The free certificate's validity period is short at 90 days, but automatic renewal can be configured, so once issued it should be usable continuously.

I followed the official guide document for this work.
For anything you want to know about Certbot, refer to the guide document.

Instructions

  1. Install certbot

  2. Install Apache

  3. Issue a new certificate with certbot

  4. Apply the SSL certificate

  5. Configure automatic certificate renewal

 

The guide below was written for an environment running Apache as the web server on CentOS 8.

1. Install certbot

## Add the EPEL release repo so that snapd can be installed
$ dnf install epel-release
$ dnf upgrade

## Install snapd
$ yum install snapd
$ systemctl enable --now snapd.socket

$ ln -s /var/lib/snapd/snap /snap
$ systemctl restart snapd

## If certbot was installed before, remove the existing package
$ yum remove certbot

## Install certbot (the command is snap, not snapd)
$ snap install --classic certbot

## Create a symbolic link so the certbot command is on the PATH
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

2. Install Apache

## mod_ssl provides the TLS support used in step 4
$ yum install httpd mod_ssl
## Create a directory for managing virtual host configuration and include it
$ vi /etc/httpd/conf/httpd.conf
## Add the following line (the path is relative to ServerRoot, /etc/httpd)
IncludeOptional site-enabled/*.conf

$ mkdir /etc/httpd/site-available
$ mkdir /etc/httpd/site-enabled
$ touch /etc/httpd/site-available/jira.httpd.conf
$ ln -s /etc/httpd/site-available/jira.httpd.conf /etc/httpd/site-enabled
$ vi /etc/httpd/site-enabled/jira.httpd.conf
## Set up the virtual host for the domain that will receive the certificate
<VirtualHost *:80>
    ServerName jira.dmove.co.kr
    DocumentRoot /var/www/html
</VirtualHost>

## Create the folder for the URI path used for domain verification when the certificate is issued
$ mkdir /var/www/html/.well-known

3. Obtain an SSL certificate with certbot

[root@DMOVE site-enabled]# certbot certonly --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: jira.dmove.co.kr
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jira.dmove.co.kr
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: wign21@dmove.kr).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/jira.dmove.co.kr/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/jira.dmove.co.kr/privkey.pem
   Your cert will expire on 2021-02-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

4. Apply the SSL certificate

## Check where the SSL certificate files are
$ ls -al /etc/letsencrypt/live/jira.dmove.co.kr/
합계 4
drwxr-xr-x 2 root root  93 11월 19 13:02 .
drwx------ 3 root root  44 11월 19 13:02 ..
-rw-r--r-- 1 root root 692 11월 19 13:02 README
lrwxrwxrwx 1 root root  40 11월 19 13:02 cert.pem -> ../../archive/jira.dmove.co.kr/cert1.pem
lrwxrwxrwx 1 root root  41 11월 19 13:02 chain.pem -> ../../archive/jira.dmove.co.kr/chain1.pem
lrwxrwxrwx 1 root root  45 11월 19 13:02 fullchain.pem -> ../../archive/jira.dmove.co.kr/fullchain1.pem
lrwxrwxrwx 1 root root  43 11월 19 13:02 privkey.pem -> ../../archive/jira.dmove.co.kr/privkey1.pem

## Apply the SSL certificate (copy the HTTP vhost file created in step 2)
$ cp /etc/httpd/site-available/jira.httpd.conf /etc/httpd/site-available/jira.ssl.conf
$ ln -s /etc/httpd/site-available/jira.ssl.conf /etc/httpd/site-enabled/

$ vi /etc/httpd/site-enabled/jira.ssl.conf

<VirtualHost *:443>
    ServerName jira.dmove.co.kr

    SSLEngine on
    SSLCertificateKeyFile /etc/letsencrypt/live/jira.dmove.co.kr/privkey.pem
    # fullchain.pem holds the leaf certificate followed by the intermediate(s).
    # On Apache 2.4.8 and later (CentOS 8 ships 2.4.37) it goes in
    # SSLCertificateFile; SSLCertificateChainFile is deprecated there.
    SSLCertificateFile /etc/letsencrypt/live/jira.dmove.co.kr/fullchain.pem

    DocumentRoot /var/www/html
</VirtualHost>
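Before reloading httpd with the vhost above, it is worth confirming that the files Apache is about to load actually belong together: the private key must match the leaf certificate, the certificate should not be close to expiry, and fullchain.pem should really carry the intermediate. The POSIX shell script below is an added example, not part of the original guide or of Certbot; it assumes openssl is installed and the lineage layout shown in the listing above (cert.pem, fullchain.pem, privkey.pem). The function names and the 30-day threshold are my own choices.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check a certbot lineage
# directory before pointing Apache at it. Assumes openssl is available and the
# live/<domain>/ layout certbot creates. Function names are this example's own.

# Return 0 when the public key inside the certificate equals the public key
# derived from the private key. Comparing public keys works for RSA and ECDSA.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate is still valid for at least N more days.
cert_valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Count PEM certificates in a file; fullchain.pem should hold at least two
# (leaf plus intermediate), otherwise clients may fail to build the chain.
pem_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Check one lineage directory. Prints one line per check and returns
# non-zero if any check failed, so it can gate the httpd reload.
check_lineage() {
    dir="$1"
    status=0
    if cert_matches_key "$dir/cert.pem" "$dir/privkey.pem"; then
        echo "OK   cert.pem matches privkey.pem"
    else
        echo "FAIL cert.pem does not match privkey.pem"; status=1
    fi
    if cert_valid_for_days "$dir/cert.pem" 30; then
        echo "OK   certificate is valid for more than 30 days"
    else
        echo "FAIL certificate expires within 30 days"; status=1
    fi
    if [ "$(pem_cert_count "$dir/fullchain.pem")" -ge 2 ]; then
        echo "OK   fullchain.pem carries the leaf plus intermediate(s)"
    else
        echo "FAIL fullchain.pem has fewer than 2 certificates"; status=1
    fi
    return $status
}

# Usage on the host from this guide (gate the reload on the checks):
#   check_lineage /etc/letsencrypt/live/jira.dmove.co.kr \
#       && apachectl configtest && systemctl reload httpd
```

Running `check_lineage` against the live directory before every `systemctl reload httpd` catches the two mistakes that otherwise only show up as a failed TLS handshake: a vhost pointing at a key from a different lineage, and a fullchain.pem that was replaced by a bare cert.pem.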

5. Configure automatic certificate renewal

## Test certbot automatic renewal
$ certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/jira.dmove.co.kr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jira.dmove.co.kr
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/jira.dmove.co.kr/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/jira.dmove.co.kr/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

## Check that the renewal scheduler (systemd timer) is registered
$ systemctl list-timers
NEXT                         LEFT       LAST                         PASSED      UNIT                         ACTIVATES
Thu 2020-11-19 13:51:57 KST  46min left Thu 2020-11-19 12:51:41 KST  13min ago   dnf-makecache.timer          dnf-makecache.service
Fri 2020-11-20 00:00:00 KST  10h left   Thu 2020-11-19 00:00:00 KST  13h ago     unbound-anchor.timer         unbound-anchor.service
Fri 2020-11-20 00:53:00 KST  11h left   Thu 2020-11-19 12:41:00 KST  24min ago   snap.certbot.renew.timer     snap.certbot.renew.service
Fri 2020-11-20 10:56:40 KST  21h left   Thu 2020-11-19 10:56:40 KST  2h 8min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service

4 timers listed.
Pass --all to see loaded but inactive timers, too.
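The dry run above reports that the renewed certificate is deployed with an Apache reload, and the timer listing shows the snap's renewal service is scheduled. A deploy hook makes the reload step explicit and lets you gate it on checks, so a renewal that produced an unusable lineage or a broken Apache config never takes the site down. The script below is an added example, not the guide's or Certbot's own code. It relies on Certbot's documented behaviour of running every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal and exporting RENEWED_LINEAGE and RENEWED_DOMAINS to it; the APACHECTL, SYSTEMCTL and DEPLOY_HOOK_LOG override variables are this example's own assumptions, added so the logic can be exercised without Apache present.

```shell
#!/bin/sh
# Added example (not from the original guide): a certbot deploy hook for the
# CentOS 8 / Apache setup above. Certbot runs it after a successful renewal
# with RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/jira.dmove.co.kr) and
# RENEWED_DOMAINS set. APACHECTL, SYSTEMCTL and DEPLOY_HOOK_LOG are override
# hooks invented for this example so it can be tested without Apache.
APACHECTL="${APACHECTL:-apachectl}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# Append a timestamped line to the hook log (path overridable for testing).
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$*" \
        >> "${DEPLOY_HOOK_LOG:-/var/log/letsencrypt/deploy-hook.log}"
}

# Return 0 when the lineage has the two files the :443 vhost references.
lineage_complete() {
    dir="$1"
    [ -r "$dir/fullchain.pem" ] && [ -r "$dir/privkey.pem" ]
}

# Return 0 when the private key is readable by its owner only (certbot
# creates it 0600). -L follows the live/ symlink to the archive/ file.
key_permissions_ok() {
    perms=$(stat -L -c '%a' "$1" 2>/dev/null) || return 1
    case "$perms" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Validate the renewed lineage, test the Apache configuration, then reload.
# Returns non-zero without reloading when any step fails.
deploy() {
    lineage="${RENEWED_LINEAGE:?RENEWED_LINEAGE not set (certbot sets it)}"
    if ! lineage_complete "$lineage"; then
        log "ERROR fullchain.pem or privkey.pem missing in $lineage"; return 1
    fi
    if ! key_permissions_ok "$lineage/privkey.pem"; then
        log "ERROR privkey.pem in $lineage is readable by group/others"; return 1
    fi
    if ! "$APACHECTL" configtest >/dev/null 2>&1; then
        log "ERROR apachectl configtest failed; httpd not reloaded"; return 1
    fi
    if ! "$SYSTEMCTL" reload httpd; then
        log "ERROR systemctl reload httpd failed"; return 1
    fi
    log "OK reloaded httpd for ${RENEWED_DOMAINS:-unknown domains} ($lineage)"
}

# Run only when invoked by certbot (RENEWED_LINEAGE present), so the file can
# also be sourced for testing without side effects.
[ -n "${RENEWED_LINEAGE:-}" ] && deploy
```

Install it as /etc/letsencrypt/renewal-hooks/deploy/reload-httpd.sh and mark it executable; the snap.certbot.renew.timer shown above then runs it on every real renewal. Note that `certbot renew --dry-run` skips deploy hooks unless `--run-deploy-hooks` is given, so the first time through, check /var/log/letsencrypt/deploy-hook.log after a real renewal or after a dry run with that option.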
