Installing Certbot on CentOS 7 with Apache
Certbot is provided as an EPEL (Extra Packages for Enterprise Linux) package.
Installation
If the repository is not configured yet, you have to set up the EPEL repository first; it is usually enabled by default. (reference)
- sudo yum install python2-certbot-apache
Running
- sudo certbot --apache
  - Obtains the certificate.
  - Certbot also edits the Apache configuration for the certificate it obtained.
- sudo certbot --apache certonly
  - Only obtains the certificate.
  - You have to edit the Apache configuration yourself.
- sudo certbot certonly
  - Obtains the certificate without specifying a web server.
Below is the command that uses the Cloudflare DNS plugin (certbot-dns-cloudflare).
- sudo certbot -a certbot-dns-cloudflare -i apache -d "*.example.com" -d example.com --server https://acme-v02.api.letsencrypt.org/directory
- Without specifying a web server (see below):
  sudo certbot certonly --manual -d "*.example.com" -d example.com --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Method without specifying a web server (certbot certonly)
The link below describes the procedure in detail.
- Let’s Encrypt 와일드카드 DNS SSL 인증서 발급 받기 – chohi's HOME (Korean: obtaining a Let's Encrypt wildcard DNS SSL certificate)
- sudo certbot certonly --manual -d "*.example.com" -d example.com --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Result screen when run without specifying a web server
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/certbot renew/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/certbot renew/privkey.pem
   Your cert will expire on 2010-02-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
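In the manual dns-01 flow above, certbot pauses at "Before continuing, verify the record is deployed." and validation fails if you press Enter before the TXT record is visible to the world. The script below is an added example (not code from the original post or from certbot): it polls a public resolver for the _acme-challenge TXT record until it carries the value certbot printed. It assumes dig is installed (bind-utils on CentOS 7); the resolver address, the attempt count and the resolver command are assumptions made configurable so that the logic can be exercised without network access.

```shell
#!/bin/sh
# Added example: wait until the _acme-challenge TXT record is visible before
# continuing the certbot --manual dns-01 flow. Not part of the original post.

# The resolver command is a variable so tests can substitute a fake (assumption).
DIG_CMD=${DIG_CMD:-dig}
# Query a resolver outside your own cache to see what the validator will see.
# 8.8.8.8 is an assumed choice; any public resolver works.
RESOLVER=${RESOLVER:-8.8.8.8}

# txt_values NAME: print each TXT string for NAME, one per line, unquoted.
txt_values() {
    $DIG_CMD +short TXT "$1" "@$RESOLVER" | sed 's/^"//; s/"$//'
}

# txt_record_present NAME EXPECTED: exit 0 if EXPECTED is one of NAME's TXT values.
# -F: literal match, -x: whole line, so a partial or prefixed value does not pass.
txt_record_present() {
    txt_values "$1" | grep -Fxq -- "$2"
}

# wait_for_txt NAME EXPECTED [ATTEMPTS] [SLEEP_SECONDS]
# Polls until the record appears; returns 1 after ATTEMPTS failed lookups.
wait_for_txt() {
    name=$1; expected=$2; attempts=${3:-30}; pause=${4:-10}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if txt_record_present "$name" "$expected"; then
            echo "found $expected at $name" >&2
            return 0
        fi
        i=$((i + 1))
        sleep "$pause"
    done
    echo "gave up: $expected not visible at $name after $attempts attempts" >&2
    return 1
}

# Usage, with the name and value taken from the certbot prompt above:
#   wait_for_txt _acme-challenge.mydomain.com Rfdklsfjkldsehtdfdsfdsgdgaga4 \
#       && echo "record is live, press Enter in certbot"
```

Run it in a second terminal while certbot waits; only press Enter once it reports the record as found. Because the default polling is 30 attempts ten seconds apart, a record that has not propagated within five minutes is reported as a failure rather than silently retried forever.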
Apache vhost configuration
For SSLCipherSuite, refer to Cipher Suites and Enforcing Strong Security.
As the configuration below shows, three files are needed:
- the certificate
- the private key that was used when creating the certificate
- the certificate chain
<VirtualHost *:443>
    DocumentRoot /home/myserverdomain/public
    ServerName dd.myserverdomain.com
    ServerAlias dd.myserverdomain.com
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLHonorCipherOrder on
    SSLOptions +StrictRequire
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/myserverdomain.com/cert.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/myserverdomain.com/privkey.pem"
    SSLCertificateChainFile "/etc/letsencrypt/live/myserverdomain.com/fullchain.pem"
    ...
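The three files the vhost references come from one certbot lineage directory, and they only work together if they belong together: privkey.pem must be the key the certificate was issued for, and fullchain.pem is cert.pem followed by chain.pem (the intermediate), so the leaf must come first. The script below is an added example, not code from the original post or from certbot, that checks exactly those relationships and whether the certificate is inside certbot's 30-day renewal window. It assumes the live/<name>/ layout shown above and that openssl is installed; the exit codes and the RENEW_WINDOW variable are the example's own conventions.

```shell
#!/bin/sh
# Added example: sanity-check a certbot lineage directory before pointing an
# Apache vhost at it. Not part of the original post; assumes openssl is present.

# Seconds in 30 days; certbot itself renews when less than this remains.
RENEW_WINDOW=${RENEW_WINDOW:-2592000}

# check_lineage LIVE_DIR
# Exit status: 0 = files consistent and not expiring soon
#              1 = a required file is missing or unreadable
#              2 = privkey.pem does not belong to cert.pem
#              3 = fullchain.pem does not start with cert.pem
#              4 = cert.pem expires within RENEW_WINDOW seconds
check_lineage() {
    dir=$1
    for f in cert.pem privkey.pem chain.pem fullchain.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            return 1
        fi
    done

    # The public key inside the certificate must equal the public key derived
    # from the private key. Comparing PEM output works for both RSA and EC keys,
    # unlike the older RSA-only "-modulus" trick.
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "privkey.pem does not match cert.pem in $dir" >&2
        return 2
    fi

    # "openssl x509 -in FILE" prints only the first certificate in FILE, so this
    # confirms the leaf is first in fullchain.pem; if an intermediate came first,
    # Apache would present it as the server certificate.
    leaf_from_fullchain=$(openssl x509 -in "$dir/fullchain.pem")
    leaf=$(openssl x509 -in "$dir/cert.pem")
    if [ "$leaf_from_fullchain" != "$leaf" ]; then
        echo "fullchain.pem does not start with cert.pem in $dir" >&2
        return 3
    fi

    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$dir/cert.pem" -noout -checkend "$RENEW_WINDOW" >/dev/null; then
        echo "cert.pem in $dir expires within $RENEW_WINDOW seconds" >&2
        return 4
    fi
    echo "$dir: key, leaf and chain are consistent; not due for renewal" >&2
    return 0
}

# Usage:
#   check_lineage /etc/letsencrypt/live/myserverdomain.com && apachectl configtest
```

Running it before a reload catches the most common post-renewal mistake, a vhost that still points at the old lineage (for example mydomain.com instead of mydomain.com-0001 after a re-issue), because the key and certificate of different lineages never match.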
Certificate renewal
Using certbot renew
The way to renew the certificate is as follows. If you want to do this periodically, put it in cron or a systemd timer. Running it twice a day is generally recommended. If it is not yet time to renew, it does nothing, so there is no problem running it repeatedly. [ref. 1]
- sudo certbot renew --dry-run
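Two things are worth knowing before scheduling the command above. First, --dry-run tests the renewal against the staging endpoint and saves nothing, so the scheduled job should run plain certbot renew. Second, a renewed certificate on disk does nothing until httpd reloads it; certbot runs deploy hooks only for lineages that were actually renewed, exporting RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS (the names, space-separated). The hook below is an added example, not code from the original post or from certbot: it reloads httpd only when a renewed name belongs to this vhost, and only after apachectl configtest passes, so a broken configuration never takes the site down at renewal time. The command and domain variables are the example's own conventions, made overridable so the logic can be tested without Apache. Note also that certbot renew only works unattended for lineages whose authenticator can run without interaction; a certificate obtained with --manual and no --manual-auth-hook cannot be renewed this way.

```shell
#!/bin/sh
# Added example: certbot --deploy-hook for the Apache vhost above.
# Not part of the original post. Install it as (path is certbot's hook
# directory, the file name is an assumption):
#   /etc/letsencrypt/renewal-hooks/deploy/reload-httpd.sh   (mode 0755)
# certbot renew then runs it automatically after each successful renewal.

# Commands are variables so they can be replaced in tests or on other distros.
CONFIGTEST_CMD=${CONFIGTEST_CMD:-"apachectl configtest"}
RELOAD_CMD=${RELOAD_CMD:-"systemctl reload httpd"}
# Reload only when one of these names was renewed (space-separated list).
WATCHED_DOMAINS=${WATCHED_DOMAINS:-"myserverdomain.com"}

# domain_watched NAME: exit 0 when NAME is listed in WATCHED_DOMAINS.
domain_watched() {
    for w in $WATCHED_DOMAINS; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# deploy_hook: reads RENEWED_DOMAINS / RENEWED_LINEAGE from the environment,
# exactly as certbot sets them.
# Exit status: 0 = reloaded, 1 = config test or reload failed,
#              2 = no watched domain was renewed (nothing to do)
deploy_hook() {
    hit=""
    for d in ${RENEWED_DOMAINS:-}; do
        if domain_watched "$d"; then hit=$d; fi
    done
    if [ -z "$hit" ]; then
        echo "deploy-hook: ${RENEWED_LINEAGE:-?} renewed but not used by this vhost; skipping" >&2
        return 2
    fi
    # Never reload a configuration that does not parse; the old process keeps
    # serving the previous certificate until the problem is fixed.
    if ! $CONFIGTEST_CMD >/dev/null 2>&1; then
        echo "deploy-hook: Apache config test failed, refusing to reload" >&2
        return 1
    fi
    $RELOAD_CMD || return 1
    echo "deploy-hook: reloaded httpd for $hit (${RENEWED_LINEAGE:-?})" >&2
    return 0
}

# certbot always sets RENEWED_LINEAGE for deploy hooks; when it is absent the
# script is being sourced (for example by a test) and nothing runs.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
    rc=$?
    [ "$rc" -eq 2 ] && exit 0   # "nothing to do" is not an error for certbot
    exit "$rc"
fi

# Matching crontab entry (twice a day, as the post recommends), as a comment:
#   0 0,12 * * * root certbot renew -q
```

The hook's exit status matters: certbot logs a non-zero exit from a deploy hook as an error, which is why the "nothing to do" case is mapped to 0 at the top level while the function itself keeps the distinct code for callers that want it.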
When certbot renew does not work
With the method above, an error occurs. I found the answer below. The approach: request again as shown below, and a new certificate is created. Of course, the DNS verification has to be done too.
- certbot certonly --manual -d '*.mydomain.com'
[root@myserver bin]# certbot certonly --manual -d '*.mydomain.com'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for mydomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.mydomain.com with the following value:

Rfdklsfjkldsehtdfdsfdsgdgaga4

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain.com-0001/privkey.pem
   Your cert will expire on 2019-04-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Certificate location
If a certificate already exists at the path below,
- /etc/letsencrypt/live/mydomain.com
the newly requested one is created with a -0001 suffix (as in the output above), alongside the archive of the original:
- /etc/letsencrypt/live/mydomain.com-0001
- /etc/letsencrypt/archive/mydomain.com
Deleting a certificate
certbot delete --cert-name mydomain.com
Problems
httpd: Syntax error on line 23 of /etc/httpd/conf/httpd.conf: Cannot load modules/mod_mpm_event.so into server
The problem above occurred, perhaps because httpd had not been installed via yum. So I chose the method of setting it up without Certbot.