Let's Encrypt issues free TLS certificates; its client is Python-based.
To install it, Python 2.7 or later must already be present on the server.
– Installation
# yum install git
# git clone https://github.com/letsencrypt/letsencrypt
– Registering the certificate (placeholders: 이메일주소 = e-mail address, 홈디렉토리 = web root directory, 도메인주소 = domain name)
# ./letsencrypt-auto -a webroot --agree-tos -m 이메일주소 -w 홈디렉토리 -d 도메인주소 --rsa-key-size 4096
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 도메인주소
Using the webroot path /usr/local/apache/htdocs for all unmatched domains.
Waiting for verification…
Cleaning up challenges
IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/도메인주소/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/도메인주소/privkey.pem
Your cert will expire on 2018-12-03. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
– Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
– If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
# ll /etc/letsencrypt/live/도메인주소/
total 4
lrwxrwxrwx 1 root root 35 Sep 4 14:29 cert.pem -> ../../archive/도메인주소/cert1.pem
lrwxrwxrwx 1 root root 36 Sep 4 14:29 chain.pem -> ../../archive/도메인주소/chain1.pem
lrwxrwxrwx 1 root root 40 Sep 4 14:29 fullchain.pem -> ../../archive/도메인주소/fullchain1.pem
lrwxrwxrwx 1 root root 38 Sep 4 14:29 privkey.pem -> ../../archive/도메인주소/privkey1.pem
-rw-r--r-- 1 root root 682 Sep 4 14:29 README
# vi /usr/local/apache/conf/httpd.conf
Uncomment the following lines:
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
# vi /usr/local/apache/conf/extra/httpd-ssl.conf
DocumentRoot "홈디렉토리"
ServerName 도메인주소:443
ErrorLog "/usr/local/apache/logs/ssl-error_log"
TransferLog "/usr/local/apache/logs/ssl-access_log"
SSLCertificateFile "/etc/letsencrypt/live/도메인주소/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/도메인주소/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/도메인주소/fullchain.pem"
– Firewall configuration
# vi /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# service iptables restart
– Checking the certificate
# /etc/init.d/apachectl restart
# ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: 도메인주소
Domains: 도메인주소
Expiry Date: 2018-12-03 04:30:47+00:00 (VALID: 84 days)
Certificate Path: /etc/letsencrypt/live/도메인주소/fullchain.pem
Private Key Path: /etc/letsencrypt/live/도메인주소/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
– Renewing the certificate
A certificate is valid for 90 days, so it has to be renewed before that. Renewal is possible from 30 days before expiry; I set it up in crontab to run once a month.
# vi /etc/crontab
0 1 1 * * root /usr/local/src/letsencrypt/letsencrypt-auto renew --renew-hook '/usr/local/apache/bin/apachectl restart' >> /var/log/ssl-renew.log
This runs the renewal at 01:00 on the 1st of every month.
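Added example (my own, not from the original post): a Python script that reads the "Expiry Date" line from the "certbot certificates" output shown above and simulates the monthly cron schedule ("0 1 1 * *") against certbot's 30-day renewal window, to see how much margin a once-a-month run leaves. The sample output, the example.com domain and the issue dates are constructed.

```python
"""Check whether a monthly 'certbot renew' cron run ('0 1 1 * *') hits
certbot's 30-day renewal window before a 90-day certificate expires."""
import re
from datetime import datetime, timedelta, timezone

LIFETIME = timedelta(days=90)          # Let's Encrypt certificate lifetime
RENEW_THRESHOLD = timedelta(days=30)   # certbot renews when less than this remains

# Constructed sample in the shape of the 'certbot-auto certificates' output
# (example.com stands in for the real domain).
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: example.com
    Domains: example.com
    Expiry Date: 2018-12-03 04:30:47+00:00 (VALID: 84 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
"""

def utc(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_expiry(output):
    """Return the expiry time (UTC) from 'certbot certificates' output."""
    m = re.search(r"Expiry Date:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\+00:00", output)
    if m is None:
        raise ValueError("no 'Expiry Date' line found")
    return utc(m.group(1))

def renewal_due(expiry, now):
    """True when 'certbot renew' would renew: inside the window or already expired."""
    return expiry - now < RENEW_THRESHOLD

def next_cron_run(after):
    """First '0 1 1 * *' run (01:00 UTC on the 1st of a month) strictly after 'after'."""
    run = after.replace(day=1, hour=1, minute=0, second=0, microsecond=0)
    while run <= after:
        run = (run.replace(day=28) + timedelta(days=4)).replace(day=1)  # 1st of next month
    return run

def first_renewal_run(expiry, issued=None):
    """Return (run_time, hours_left_at_that_run) for the first monthly run that
    renews; hours_left is negative when the certificate had already expired."""
    run = issued if issued is not None else expiry - LIFETIME
    for _ in range(4):                 # four monthly runs always span a 90-day lifetime
        run = next_cron_run(run)
        if renewal_due(expiry, run):
            return run, (expiry - run) / timedelta(hours=1)
    raise RuntimeError("no renewal within four monthly runs")
```

For the certificate above the first renewing run is 1 December, about 51 hours before expiry; for a certificate issued on 1 January at 00:30 the 1 March run still sees just over 30 days left and the 1 April run finds it already expired, which is why certbot's own guidance is to run renew more often (it suggests twice a day).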
[Error message]
AH00526: Syntax error on line 92 of /usr/local/apache/conf/extra/httpd-ssl.conf:
SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
Solution
# vi /usr/local/apache/conf/httpd.conf
Uncomment the line below and restart Apache:
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
For Tomcat, register the certificate in server.xml (도메인명 = domain name):
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    <SSLHostConfig>
        <Certificate certificateKeyFile="/etc/letsencrypt/live/도메인명/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/도메인명/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/도메인명/chain.pem"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>