• Created by Unknown User (5f5715ed8d3ae70076b245a8), last updated by Unknown User (daniel@dmove.kr) on Nov 19, 2020 5 minute read

open book Let’s Encrypt 를 활용하여 무료 SSL 인증서를 발급받아 사용해보려고 합니다. 무료 인증서의 유효 기간이 90일로 짧기는 하지만, 자동 연장을 할 수 있다는 구성할 수 있으니 한번 발급받으면 계속 사용할 수 있을 것 같습니다.

공식 가이드 문서 참고하여 작업 진행했습니다.
Certbot 관련해서 궁금한 내용은 가이드 문서를 참고하세요.

Instructions

  1. certbot 설치하기

  2. 아파치 설치하기

  3. certbot 을 활용한 인증서 신규 발급

  4. SSL 인증서 적용

  5. 인증서 갱신 자동화 구성

 

아래 가이드는 CentOS 8 에 Apache 를 Web Server 사용하는 환경에 맞게 작성되었습니다.

1. certbot 설치

## snapd 설치를 위해 epel release repo 추가
$ dnf install epel-release
$ dnf upgrade

## snapd 설치
$ yum install snapd
$ systemctl enable --now snapd.socket

$ ln -s /var/lib/snapd/snap /snap
$ systemctl restart snapd

## 이전에 certbot 을 설치한 적이 있다면 기존 package 제거
$ yum remove certbot

## certbot 설치
$ snapd install --classic certbot

## certbot 명령어 사용을 위해 symbolic 링크 생성
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

2. Apache 설치

$ yum install httpd mod-ssl
## virtual host configuration 관리용 디렉토리 생성 및 적용
$ vi /etc/httpd/conf/httpd.conf
## 아래 내용 추가
IncludeOptional site-enabled/*.conf

$ mkdir /etc/httpd/site-available
$ mkdir /etc/httpd/site-enabled
$ touch /etc/httpd/site-available/jira.httpd.conf
$ ln -s /etc/httpd/site-available/jira.httpd.conf /etc/httpd/site-enabled
$ vi /etc/httpd/site-enabled/jira.httpd.conf
## 인증서 적용받을 도메인의 Virtual Host 셋업
<VirtualHost *:80>
    ServerName jira.dmove.co.kr
    DocumentRoot /var/www/html
</VirtualHost>

## 인증서 생성 시 도메인 Verification 을 위한 uri 경로를 위한 폴더 생성
$ mkdir /var/www/html/.well-known

3. certbot 을 활용한 SSL 인증서 적용

[root@DMOVE site-enabled]# certbot certonly --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: jira.dmove.co.kr
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jira.dmove.co.kr
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: wign21@dmove.kr).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/jira.dmove.co.kr/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/jira.dmove.co.kr/privkey.pem
   Your cert will expire on 2021-02-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

4. SSL 인증서 적용

## SSL 인증서 위치 확인
$ ls -al /etc/letsencrypt/live/jira.dmove.co.kr/
합계 4
drwxr-xr-x 2 root root  93 11월 19 13:02 .
drwx------ 3 root root  44 11월 19 13:02 ..
-rw-r--r-- 1 root root 692 11월 19 13:02 README
lrwxrwxrwx 1 root root  40 11월 19 13:02 cert.pem -> ../../archive/jira.dmove.co.kr/cert1.pem
lrwxrwxrwx 1 root root  41 11월 19 13:02 chain.pem -> ../../archive/jira.dmove.co.kr/chain1.pem
lrwxrwxrwx 1 root root  45 11월 19 13:02 fullchain.pem -> ../../archive/jira.dmove.co.kr/fullchain1.pem
lrwxrwxrwx 1 root root  43 11월 19 13:02 privkey.pem -> ../../archive/jira.dmove.co.kr/privkey1.pem

## SSL 인증서 적용
$ cp /etc/httpd/site-available/jira.http.conf /etc/httpd/site-available/jira.ssl.conf
$ ln -s /etc/httpd/site-available/jira.ssl.conf /etc/httpd/site-enabled/

$ vi /etc/httpd.site-enabled/jira.ssl.conf

<VirtualHost *:443>
    ServerName jira.dmove.co.kr

    SSLEngine on
    SSLCertificateKeyFile /etc/letsencrypt/live/jira.dmove.co.kr/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/jira.dmove.co.kr/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/jira.dmove.co.kr/fullchain.pem

    DocumentRoot /var/www/html
</VirtualHost>

5. 인증서 갱신 자동화 구성 

## certbot 자동 갱신 테스트
$ certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/jira.dmove.co.kr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jira.dmove.co.kr
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/jira.dmove.co.kr/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/jira.dmove.co.kr/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

## 스케줄러 등록 여부 확인
$ systemctl list-timers
NEXT                         LEFT       LAST                         PASSED      UNIT                         ACTIVATES
Thu 2020-11-19 13:51:57 KST  46min left Thu 2020-11-19 12:51:41 KST  13min ago   dnf-makecache.timer          dnf-makecache.service
Fri 2020-11-20 00:00:00 KST  10h left   Thu 2020-11-19 00:00:00 KST  13h ago     unbound-anchor.timer         unbound-anchor.service
Fri 2020-11-20 00:53:00 KST  11h left   Thu 2020-11-19 12:41:00 KST  24min ago   snap.certbot.renew.timer     snap.certbot.renew.service
Fri 2020-11-20 10:56:40 KST  21h left   Thu 2020-11-19 10:56:40 KST  2h 8min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service

4 timers listed.
Pass --all to see loaded but inactive timers, too.

DMOVE

주소 : 서울시 서초구 반포대로 28길 94, 4F

CONTACT INFO

대표전화 : 02-6405-0800

E-MAIL : sales@dmove.kr

Error rendering macro 'contentbylabel'

parameters should not be empty