Obtaining a Let's Encrypt certificate

cloud2000 · September 18, 2023

Through the non-profit Let's Encrypt, certificates for a root domain, for subdomains and even for wildcard domains can be issued free of charge.

certbot is used to request the certificates. Each of the three methods below differs only in how the CA verifies that you control the domain; which one fits depends on whether port 80 is reachable from the internet and whether you need a wildcard.

Reference - https://www.vompressor.com/tls1/

Three methods

1. Standalone - runs a temporary web server to verify domain ownership

  • While issuing, certbot starts its own minimal web server on port 80 so that the CA can verify that you control the domain (http-01 challenge).
  • Port 80 must be reachable from the internet and must not be held by another service while certbot runs; port 443 is only needed afterwards, to serve HTTPS with the certificate.
  • Automatic renewal works, as long as port 80 is free again at renewal time (if the real web server occupies it, stop and restart it around the renewal with --pre-hook and --post-hook).
  • Wildcard certificates are not possible.
  • The domain must point at this server (A, or AAAA, record).
sudo certbot certonly --standalone
  • When prompted for domain names, several can be entered separated by spaces (or passed on the command line with -d).

2. webroot - verifies domain ownership through a file served by your own web server

  • certbot writes a challenge file under the webroot you give it, and the Let's Encrypt validation servers fetch that file over HTTP on port 80.
  • certbot creates the .well-known/acme-challenge directory under the webroot itself; the web server must serve that path so that it is reachable from outside.
  • The web server has to be configured beforehand. Automatic renewal works; wildcard certificates are not possible.
  • Procedure (two runs are shown: the first fails with a connect timeout because the challenge URL could not be reached from the internet, the second succeeds after the connectivity problem was fixed)
    mkdir /var/www/letsencrypt
    
    sudo certbot certonly --webroot --webroot-path=/var/www/letsencrypt -d www.ssro.xyz
    
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
    to cancel): www.test.xyz
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for www.test.xyz
    Input the webroot for www.test.xyz: (Enter 'c' to cancel): /var/www/letsencrypt
    Waiting for verification...
    Challenge failed for domain www.test.xyz
    http-01 challenge for www.test.xyz
    Cleaning up challenges
    Some challenges have failed.
    
    IMPORTANT NOTES:
     - The following errors were reported by the server:
    
       Domain: www.test.xyz
       Type:   connection
       Detail: xxx.xxx.xxx.xxx: Fetching
       http://www.test.xyz/.well-known/acme-challenge/h-7pCiabj2FlVpKdT44TssmY_CSIl9dGC34-mqHNu_k:
       Timeout during connect (likely firewall problem)
    
       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A/AAAA record(s) for that domain
       contain(s) the right IP address. Additionally, please check that
       your computer has a publicly routable IP address and that no
       firewalls are preventing the server from communicating with the
       client. If you're using the webroot plugin, you should also verify
       that you are serving files from the webroot path you provided.
    
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for www.test.xyz
    Using the webroot path /var/www/letsencrypt for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/www.test.xyz/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/www.test.xyz/privkey.pem
       Your cert will expire on 2022-12-19. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
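Before running certbot with either http-01 method above (standalone or webroot), it is worth checking the two things the "Timeout during connect" error points at. The script below is an added example, not part of the original post: it compares the domain's A/AAAA records with this host's public address, then drops a throw-away token under the webroot and fetches it over plain HTTP on port 80 the way the Let's Encrypt validators do. It assumes dig and curl are installed and looks up the public address through the OpenDNS myip resolver; the domain and webroot are the page's placeholders.

```shell
#!/bin/sh
# le-preflight.sh -- added example, not from the original post.
# Usage: sh le-preflight.sh www.test.xyz /var/www/letsencrypt
# Assumes: dig and curl on PATH; OpenDNS "myip" lookup for the public IP.
set -eu

CHALLENGE_PATH=.well-known/acme-challenge

# 0 when $1 appears as a whole word in the whitespace-separated list $2.
ip_in_list() {
  for ip in $2; do
    [ "$ip" = "$1" ] && return 0
  done
  return 1
}

# Public A and AAAA records of a name, as one space-separated list.
dns_records() {
  { dig +short A "$1"; dig +short AAAA "$1"; } | tr '\n' ' '
}

# This host's public IPv4 address as seen from outside (assumed lookup).
public_ip() {
  dig +short myip.opendns.com @resolver1.opendns.com
}

# Create a throw-away token file under the webroot; prints the token name.
# The file body is the token itself so the fetch can be compared exactly.
write_token() {
  dir="$1/$CHALLENGE_PATH"
  mkdir -p "$dir"
  token="preflight-$(date +%s)-$$"
  printf '%s\n' "$token" > "$dir/$token"
  printf '%s\n' "$token"
}

# Fetch the token like the CA does: plain HTTP on port 80, following
# redirects, and (as the CA) not validating any certificate a redirect
# to https might present. 0 when the served body equals the token.
probe_http01() {
  domain=$1; webroot=$2
  token=$(write_token "$webroot")
  body=$(curl -fsSLk --max-time 15 "http://$domain/$CHALLENGE_PATH/$token" || true)
  rm -f "$webroot/$CHALLENGE_PATH/$token"
  [ "$body" = "$token" ]
}

main() {
  domain=$1; webroot=$2
  me=$(public_ip)
  [ -n "$me" ] || { echo "FAIL: could not determine this host's public IP" >&2; exit 1; }
  records=$(dns_records "$domain")
  if ip_in_list "$me" "$records"; then
    echo "ok: $domain resolves to this host ($me)"
  else
    echo "FAIL: $domain -> [$records], but this host is $me (fix the A/AAAA record)" >&2
    exit 1
  fi
  if probe_http01 "$domain" "$webroot"; then
    echo "ok: $CHALLENGE_PATH under $webroot is reachable on port 80"
  else
    echo "FAIL: token not reachable at http://$domain/$CHALLENGE_PATH/ (firewall, NAT, or wrong --webroot-path)" >&2
    exit 1
  fi
}

# Run only when both arguments are given, so the functions can be sourced.
if [ $# -eq 2 ]; then
  main "$1" "$2"
fi
```

For the webroot method, the web server has to map the challenge path to the directory passed to --webroot-path; in nginx that is a location /.well-known/acme-challenge/ { root /var/www/letsencrypt; } block inside the port-80 server. If the name also has an AAAA record, Let's Encrypt tries IPv6 first, so that address must be this host's as well.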

3. dns - verifies domain ownership by publishing a specific value in a DNS record

  • Validation is done through a TXT record (_acme-challenge.<domain>) in the DNS zone the domain belongs to; the server that will use the certificate does not need to be reachable from the internet at all.
  • In the --manual mode shown below a new TXT value has to be published by hand at every renewal, so "certbot renew" cannot run unattended; a certbot DNS plugin for your provider, or --manual-auth-hook/--manual-cleanup-hook scripts, automates that step.
  • Wildcard certificates can be issued. Note that *.test.xyz does not cover the apex test.xyz itself; add it as a separate -d if the bare domain also serves HTTPS.
  • Procedure
    root@mgmt:~# certbot certonly --manual \
        --preferred-challenges dns \
        --server https://acme-v02.api.letsencrypt.org/directory \
        --agree-tos -m hong@gmail.com \
        -d '*.test.xyz'
    
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for ssro.xyz
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    
    Are you OK with your IP being logged?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: Y
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.test.xyz with the following value:
    
    enI6urTmDwQt_r3_SHOTz1t60RAInB_BfdYm4nypaaw
    
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue
    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/test.xyz/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/test.xyz/privkey.pem
       Your cert will expire on 2022-12-22. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
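To make the dns method renewable without editing DNS by hand, certbot can call a script instead of showing the interactive prompt. The hook below is an added example, not the post's own procedure: it publishes the TXT value certbot hands it in CERTBOT_DOMAIN and CERTBOT_VALIDATION with an RFC 2136 dynamic update (nsupdate, from BIND's tools, authenticated with a TSIG key), then polls the zone's authoritative name server until the value is visible, because that is what Let's Encrypt queries. The name server ns1.test.xyz, the TSIG key path and the domain are placeholders; if the zone is hosted elsewhere, replace the nsupdate call with that provider's API or use the matching certbot-dns-* plugin.

```shell
#!/bin/sh
# acme-dns-hook.sh -- added example, not from the original post.
# certbot calls it once per name being validated:
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    "/usr/local/bin/acme-dns-hook.sh add" \
#     --manual-cleanup-hook "/usr/local/bin/acme-dns-hook.sh delete" \
#     -d '*.test.xyz' -d test.xyz
# Assumptions: the zone accepts RFC 2136 updates signed with TSIG_KEY_FILE,
# NS_SERVER is its primary name server, dig and nsupdate are installed.
set -eu

NS_SERVER=${NS_SERVER:-ns1.test.xyz}
TSIG_KEY_FILE=${TSIG_KEY_FILE:-/etc/letsencrypt/tsig.key}
TTL=60

# _acme-challenge.<domain>. A leading "*." is stripped in case certbot
# passes the wildcard form: the record for *.test.xyz lives under
# _acme-challenge.test.xyz, the same name as for the apex.
challenge_name() {
  d=${1#\*.}
  printf '_acme-challenge.%s\n' "$d"
}

# nsupdate script that adds or deletes ONE TXT value. "update add" appends
# a value instead of replacing, so the two records that *.test.xyz and
# test.xyz need under the same name coexist; delete names the exact value.
nsupdate_script() {
  action=$1; domain=$2; value=$3
  name=$(challenge_name "$domain")
  printf 'server %s\nupdate %s %s. %s IN TXT "%s"\nsend\n' \
    "$NS_SERVER" "$action" "$name" "$TTL" "$value"
}

# 0 once the authoritative server answers with the value; retries every 2s.
wait_for_txt() {
  name=$1; value=$2; tries=${3:-30}
  while [ "$tries" -gt 0 ]; do
    if dig +short TXT "$name" @"$NS_SERVER" | grep -qF "\"$value\""; then
      return 0
    fi
    tries=$((tries - 1))
    sleep 2
  done
  echo "TXT $name did not appear on $NS_SERVER" >&2
  return 1
}

case "${1:-}" in
  add)
    nsupdate_script add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY_FILE"
    wait_for_txt "$(challenge_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
    ;;
  delete)
    nsupdate_script delete "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY_FILE"
    ;;
esac
```

certbot records the hook commands in the renewal configuration, so a later "certbot renew" replays them unattended. The TSIG key should be limited, on the name server side, to updating _acme-challenge names only: whoever holds it can otherwise rewrite the whole zone.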

Automatic certificate renewal

Run "certbot renew" from cron. It only renews certificates that are within 30 days of expiry, and --post-hook fires only when at least one certificate was actually renewed, so the web server is reloaded just after a renewal and otherwise left alone.

  • nginx
30 4 * * 0 /usr/local/bin/certbot renew --quiet --post-hook "/usr/sbin/service nginx reload" > /dev/null 2>&1
  • apache
30 4 * * 0 /usr/local/bin/certbot renew --quiet --post-hook "/usr/sbin/service apache2 restart" > /dev/null 2>&1
  • Caveats: distribution packages of certbot usually install their own renewal job (a certbot.timer unit on systemd systems, or a cron entry), so check before adding a second one; the trailing "> /dev/null 2>&1" also discards the errors that --quiet would still print, so a failing renewal goes unnoticed until the certificate expires; for apache a graceful reload is enough, restart drops live connections; "certbot renew --dry-run" exercises the challenge against the staging environment without replacing the real certificate.
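The cron lines above reload the web server from --post-hook, which runs once after a "certbot renew" that renewed something. A --deploy-hook instead runs once per renewed certificate and receives its directory in RENEWED_LINEAGE (and the names in RENEWED_DOMAINS), which lets the hook sanity-check the new files before the server picks them up. The script below is an added example, not from the original post: it verifies that privkey.pem matches fullchain.pem and that the renewed certificate is not already about to expire, then reloads nginx only if the configuration test passes. It assumes openssl, and nginx managed by systemd; for apache swap the two reload commands.

```shell
#!/bin/sh
# certbot-deploy-hook.sh -- added example, not from the original post.
# certbot runs a --deploy-hook once per renewed lineage with
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/www.test.xyz) and
# RENEWED_DOMAINS set. Assumes openssl, and nginx under systemd
# (placeholders for whatever server actually uses the certificate).
set -eu

# 0 when the public key inside the leaf certificate ($1) equals the one
# derived from the private key ($2). A mismatched pair makes the web
# server fail to load the certificate, so check it before reloading.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 when certificate $1 expires within $2 days. openssl's -checkend exits 0
# only when the certificate is still valid after that many seconds, hence
# the negation.
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))"
}

# Validate the renewed lineage, then reload the web server.
deploy() {
  lineage=$1
  cert="$lineage/fullchain.pem"
  key="$lineage/privkey.pem"
  if ! cert_key_match "$cert" "$key"; then
    logger -t certbot-deploy "refusing reload: $key does not match $cert"
    return 1
  fi
  if expires_within "$cert" 7; then
    logger -t certbot-deploy "refusing reload: $cert already expires within 7 days"
    return 1
  fi
  nginx -t && systemctl reload nginx
  logger -t certbot-deploy "reloaded nginx for ${RENEWED_DOMAINS:-$lineage}"
}

# certbot sets RENEWED_LINEAGE only when invoking a deploy hook, so the
# script does nothing when run by hand without it.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy "$RENEWED_LINEAGE"
fi
```

Install it executable under /etc/letsencrypt/renewal-hooks/deploy/, where certbot picks it up for every renewal, or pass it explicitly with --deploy-hook; a refusal is visible in the system log and leaves the old certificate serving until someone looks.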

Caveats when using a VM

  • When the certificate is requested from inside a VM (VirtualBox etc.), first make sure that the VM's web server can actually be reached from the outside on port 80; otherwise the http-01 challenge times out exactly as in the failed run above.
  • In my case I had configured the VM with both a NAT and a bridged network (host-bridge style), and after a long struggle with connections from outside not getting through, I solved it by removing the NAT network and leaving only the bridged network.