Installing certbot
$yum install epel-release
$yum install certbot-apache
 
Issuing certificates
 
  • certbot certonly --webroot -w /service-path -d target-domain-1,target-domain-2 -m admin-email-address
  • Example: KT Cloud hosting server

 

$certbot certonly --webroot -w /hosting/2021/test -d test.tistory.co.kr -m ghgo@tistory.co.kr
$certbot certonly --webroot -w /hosting/2021/test2 -d test2.tistory.ac.kr -m ghgo@tistory.co.kr
$certbot certonly --webroot -w /hosting/2020/test3/www/ -d test3.or.kr,www.test3.or.kr -m ghgo@tistory.co.kr
$certbot certonly --webroot -w /hosting/2019/test4/ -d test4.kr -m ghgo@tistory.co.kr

 

Verifying the issued SSL certificates
$ls -l /etc/letsencrypt/live/
total 20
drwxr-xr-x 2 root root 4096 Jan  5 11:19 test.tistory.ac.kr
-rw-r--r-- 1 root root  740 Jan  5 11:02 README
drwxr-xr-x 2 root root 4096 Jan  5 11:02 test2.tistory.co.kr
drwxr-xr-x 2 root root 4096 Jan  5 11:46 www.test.or.kr
drwxr-xr-x 2 root root 4096 Jan  5 11:20 test.kr

 

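Applying the certificates
 
  • Edit the Apache VirtualHost conf
  • Example: Geoje social community site
  • Every site is configured so that requests are forcibly rewritten to the SSL (HTTPS) page.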

 

<VirtualHost *:80>
    ServerName test.or.kr
    ServerAlias www.test.or.kr
    JkMount /* utf8
    DocumentRoot "/hosting/2020/test/www/"
    <Directory /hosting/2020/test/www>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    RewriteEngine on
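    # Match this vhost's ServerName and ServerAlias so the redirect actually fires
    RewriteCond %{SERVER_NAME} =test.or.kr [OR]
    RewriteCond %{SERVER_NAME} =www.test.or.kr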
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    CustomLog "|/usr/sbin/rotatelogs /hosting/logs/httpd/test/test_access_%Y%m%d.log 86400" combined env=!do_not_log
    ErrorLog "|/usr/sbin/rotatelogs /hosting/logs/httpd/test/test_error_%Y%m%d.log 86400"
</VirtualHost>

<VirtualHost *:443>
    ServerName test.or.kr
    ServerAlias www.test.or.kr
    JkMount /* utf8
    DocumentRoot "/hosting/2020/test/www/"
    <Directory /hosting/2020/test/www>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    LogLevel warn
    SSLEngine on
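    # TLS 1.2 or newer only: SSLv3, TLS 1.0 and TLS 1.1 are deprecated
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # No anonymous, NULL, MD5, RC4 or 3DES suites
    SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!kEDH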
    SSLCertificateFile /etc/letsencrypt/live/www.test.or.kr/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.test.or.kr/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/www.test.or.kr/chain.pem
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    CustomLog "|/usr/sbin/rotatelogs /hosting/logs/httpd/test/test_ssl_access_%Y%m%d.log 86400" combined env=!do_not_log
    ErrorLog "|/usr/sbin/rotatelogs /hosting/logs/httpd/test/test_ssl_error_%Y%m%d.log 86400"
</VirtualHost>
 
Renewing certificates
  • Free SSL certificates are valid for only 3 months.
  • Renewal is carried out on a schedule.
  • Example: KT Cloud hosting server

 

$/usr/bin/certbot renew --renew-hook "systemctl restart httpd.service"
Saving debug log to /var/log/letsencrypt/letsencrypt.log


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test.tistory.ac.kr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
[omitted]
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/test.tistory.ac.kr/fullchain.pem expires on 2021-04-05 (skipped)
  /etc/letsencrypt/live/test2.tistory.co.kr/fullchain.pem expires on 2021-04-05 (skipped)
  /etc/letsencrypt/live/www.test.or.kr/fullchain.pem expires on 2021-04-05 (skipped)
  /etc/letsencrypt/live/test.kr/fullchain.pem expires on 2021-04-05 (skipped)
No renewals were attempted.
No hooks were run.


Additionally, the following renewal configurations were invalid:
  /etc/letsencrypt/renewal/geojescc.or.kr.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 renew failure(s), 1 parse failure(s)
$
$
$crontab -e
0 1 * * * /usr/bin/certbot renew --renew-hook "systemctl restart httpd.service"
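
The run above ends with `1 parse failure(s)` for `/etc/letsencrypt/renewal/geojescc.or.kr.conf`, and the nightly cron job will produce the same output with nobody at the terminal to read it. The following is an added example, not part of the original post, that extracts such failures from `certbot renew` output; the function names are hypothetical and the sample output is constructed from the run shown above.

```shell
#!/bin/sh
# Added example (not from the original post): detect renewal configs that
# `certbot renew` could not process. Function names are hypothetical.

# Constructed sample, shortened from the run shown on this page.
SAMPLE_OUTPUT='Processing /etc/letsencrypt/renewal/test.tistory.ac.kr.conf
Cert not yet due for renewal
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/test.kr/fullchain.pem expires on 2021-04-05 (skipped)
No renewals were attempted.
No hooks were run.

Additionally, the following renewal configurations were invalid:
  /etc/letsencrypt/renewal/geojescc.or.kr.conf (parsefail)
0 renew failure(s), 1 parse failure(s)'

# Print each renewal config marked "(parsefail)", one path per line.
parse_failed_configs() {
    printf '%s\n' "$1" | sed -n 's|^[[:space:]]*\(/.*\.conf\) (parsefail)$|\1|p'
}

# Print "<renew failures> <parse failures>" from the summary line ("0 0" if absent).
failure_counts() {
    counts=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\) renew failure(s), \([0-9][0-9]*\) parse failure(s)$/\1 \2/p' |
        tail -n 1)
    printf '%s\n' "${counts:-0 0}"
}

# Succeed only when no lineage failed to renew and no config failed to parse.
renewal_is_healthy() {
    set -- $(failure_counts "$1")
    [ "$1" -eq 0 ] && [ "$2" -eq 0 ]
}

# Print an alert naming the broken configs; print nothing for a clean run.
renewal_alert() {
    renewal_is_healthy "$1" && return 0
    set -- "$1" $(failure_counts "$1")
    printf 'certbot renew: %s renew failure(s), %s parse failure(s)\n' "$2" "$3"
    parse_failed_configs "$1" | sed 's/^/  broken renewal config: /'
}

# Demo on the sample. In the cron wrapper, pass "$(/usr/bin/certbot renew 2>&1)" instead.
renewal_alert "$SAMPLE_OUTPUT"
```

Mailing or logging the alert text from the cron wrapper lets the broken renewal config be repaired before its certificate reaches the 3-month expiry.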