Let’s Encrypt (Certbot)으로 SSL 인증서 발급

Let’s Encrypt

Let’s Encrypt 에서 발급하는 90일짜리 무료 인증서입니다. 3개월에 한번씩 인증을 해야하지만 자동업데이트를 이용하면 쉽게 사용할 수 있습니다.

Certbot 설치

$ snap install --classic certbot

우분투 18.04 기준 snap로 certbot를 설치합니다.

SSL 인증서 발급 받기

// 아파치
$ certbot --apache

// nginx
$ certbot --nginx

certbot 명령을 이용해서 SSL인증서를 발급받습니다. 옵션을 이용해서 웹서버를 지정합니다.

$ certbot --nginx --nginx-server-root /usr/local/nginx/conf/ --nginx-ctl /usr/local/nginx/sbin/nginx

nginx 설치위치를 직접지정할 경우

Plugins selected: Authenticator apache, Installer apache
 Enter email address (used for urgent renewal and security notices)
  (Enter 'c' to cancel):

이메일주소를 입력합니다. 인증서 만료전에 이메일로 알려줍니다.

Please read the Terms of Service at
 https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
 agree in order to register with the ACME server. Do you agree?
 (Y)es/(N)o: Y
 Would you be willing, once your first certificate is successfully issued, to
 share your email address with the Electronic Frontier Foundation, a founding
 partner of the Let's Encrypt project and the non-profit organization that
 develops Certbot? We'd like to send you email about our work encrypting the web,
 EFF news, campaigns, and ways to support digital freedom.
 (Y)es/(N)o: Y
 Account registered.

이용약관에 동의합니다.

Which names would you like to activate HTTPS for?
 1: jongwan.com
 2: www.jongwan.com
 Select the appropriate numbers separated by commas and/or spaces, or leave input
 blank to select all options shown (Enter 'c' to cancel):

인증서를 발급받을 도메인을 선택합니다. 공백으로 엔터를 누르면 모두 발급합니다. jongwan.com, www.jongwan.com을 모두 받으므로 그냥 엔터를 입력합니다.

Requesting a certificate for jongwan.com and www.jongwan.com
 Performing the following challenges:
 http-01 challenge for jongwan
 http-01 challenge for www.jongwan
 Waiting for verification…
 Cleaning up challenges
 Created an SSL vhost at /etc/apache2/sites-available/jongwan_com-le-ssl.conf
 Deploying Certificate to VirtualHost /etc/apache2/sites-available/jongwan_com-le-ssl.conf
 Enabling available site: /etc/apache2/sites-available/jongwan_com-le-ssl.conf
 Deploying Certificate to VirtualHost /etc/apache2/sites-available/jongwan_com-le-ssl.conf
 Redirecting vhost in /etc/apache2/sites-enabled/jongwan_com.conf to ssl vhost in /etc/apache2/sites-available/jongwan_com-le-ssl.conf
 Congratulations! You have successfully enabled https://jongwan.com and
 Subscribe to the EFF mailing list (email: me@jongwan.com).
 Congratulations! Your certificate and chain have been saved at:
 Your key file has been saved at:
 Your certificate will expire on 2021-04-15. To obtain a new or
 tweaked version of this certificate in the future, simply run
 certbot again with the "certonly" option. To non-interactively
 renew all of your certificates, run "certbot renew"
 If you like Certbot, please consider supporting our work by:
 Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 Donating to EFF:                    https://eff.org/donate-le 

인증서를 발급중입니다.

인증서 자동갱신하기

$ certbot renew

renew 옵션을 이용해서 인증서를 자동갱신할 수 있습니다.
–dry-run 옵션을 추가하면 발급 테스트도 가능합니다.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Processing /etc/letsencrypt/renewal/jongwan.com.conf
 Cert not yet due for renewal
 The following certificates are not due for renewal yet:
   /etc/letsencrypt/live/jongwan.com/fullchain.pem expires on 2021-04-15 (skipped)
 No renewals were attempted. 

실행해보면 아래처럼 나옵니다. 방금 인증서를 받았기 때문에 갱신이 되지는 않고 메시지만 출력됩니다.

$ crontab -e
// 매일 0시 업데이트 진행
0 0 * * * sudo certbot renew

crontab에 등록해서 자동으로 갱신하도록 합니다.