Let’s Encrypt
Let's Encrypt issues free certificates that are valid for 90 days. They have to be renewed every three months, but automatic renewal makes this easy to live with.
Installing Certbot
$ snap install --classic certbot
On Ubuntu 18.04, install certbot with snap.
Obtaining an SSL certificate
# Apache
$ certbot --apache
# nginx
$ certbot --nginx
Use the certbot command to obtain an SSL certificate. The option selects which web server to configure.
$ certbot --nginx --nginx-server-root /usr/local/nginx/conf/ --nginx-ctl /usr/local/nginx/sbin/nginx
Use this form when the nginx install location has to be specified directly.
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel):
Enter your email address. You will be notified by email before the certificate expires.
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
(Y)es/(N)o: Y
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
(Y)es/(N)o: Y
Account registered.
Agree to the terms of service.
Which names would you like to activate HTTPS for?
1: jongwan.com
2: www.jongwan.com
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Select the domains to issue the certificate for. Pressing Enter on a blank line issues for all of them. Since both jongwan.com and www.jongwan.com are wanted here, just press Enter.
Requesting a certificate for jongwan.com and www.jongwan.com
Performing the following challenges:
http-01 challenge for jongwan
http-01 challenge for www.jongwan
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/jongwan_com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/jongwan_com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/jongwan_com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/jongwan_com-le-ssl.conf
Redirecting vhost in /etc/apache2/sites-enabled/jongwan_com.conf to ssl vhost in /etc/apache2/sites-available/jongwan_com-le-ssl.conf
Congratulations! You have successfully enabled https://jongwan.com and
https://www.jongwan.com
Subscribe to the EFF mailing list (email: me@jongwan.com).
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/jongwan.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/jongwan.com/privkey.pem
Your certificate will expire on 2021-04-15. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again with the "certonly" option. To non-interactively
renew all of your certificates, run "certbot renew"
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The certificate is being issued.
Renewing the certificate automatically
$ certbot renew
The renew command renews certificates without any prompts.
Adding the --dry-run option lets you test issuance as well.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/jongwan.com.conf
Cert not yet due for renewal
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/jongwan.com/fullchain.pem expires on 2021-04-15 (skipped)
No renewals were attempted.
Running it produces the output shown here. Because the certificate was only just issued, nothing is renewed and only the message is printed.
$ crontab -e
# Run the renewal every day at 00:00
0 0 * * * sudo certbot renew
Register the job in crontab so that renewal happens automatically.
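A cron job that fails silently leaves the old certificate in place until it expires, so it is worth checking the certificates themselves. The script below is an added example, not part of the original post: it inspects every fullchain.pem under /etc/letsencrypt/live and reports any that should already have been renewed. The 21-day threshold, the WARN_DAYS and LIVE_DIR variables, and the --check argument are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag certificates that
# "certbot renew" should already have replaced.
# Assumption: WARN_DAYS=21 is an illustrative threshold. Certbot's default is
# to renew once fewer than 30 days remain, so a certificate with less than
# 21 days left means several daily cron runs have failed.
WARN_DAYS=${WARN_DAYS:-21}
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}   # directory shown in the certbot output

# Print one of: unreadable | expired | renewal-overdue | ok
cert_state() {
    cert=$1
    warn_days=${2:-$WARN_DAYS}
    # A missing file, a non-PEM file or a missing openssl binary all land here.
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || { echo unreadable; return 0; }
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -noout -checkend $((warn_days * 86400)) -in "$cert" >/dev/null 2>&1; then
        echo renewal-overdue
    else
        echo ok
    fi
}

# Check every certificate under LIVE_DIR; return 1 if any is not "ok".
check_all() {
    rc=0
    for f in "$LIVE_DIR"/*/fullchain.pem; do
        [ -e "$f" ] || continue          # glob matched nothing
        state=$(cert_state "$f")
        echo "$state $f"
        [ "$state" = ok ] || rc=1
    done
    return $rc
}

# Scan only when asked to, e.g. from cron: sh check-certs.sh --check
if [ "${1:-}" = "--check" ]; then
    check_all
fi
```

Run from cron after the renewal job, a non-zero exit together with the printed lines gives cron something to mail when a certificate is overdue, expired or unreadable.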