certbot을 이용한 Let's Encrypt 무료 인증서를 발급하는 과정을 정리하였다. 본 문서는 centos7, apache 환경 기준으로 작성하였고 모든 리눅스 계열 OS에서 공통적으로 적용 가능하며 설치 과정만 변경하여 처리하면 된다.
[목차]
1. 준비과정
certbot 설치
yum install certbot
certbot 아파치 플러그인 설치
yum install epel-release
yum install certbot python2-certbot-apache
apache 재시작
systemctl restart httpd
systemctl status httpd
certbot 확인
# certbot --version
certbot 1.11.0
2. Let's Encrypt 인증서 발급
발급 방법 예시
단일 도메인
certbot certonly --apache -d DOMAIN.com
와일드카드 도메인
certbot certonly --manual -d DOMAIN.com -d *.DOMAIN.com --preferred-challenges dns
멀티(다중) 도메인
certbot certonly --manual -d DOMAIN.com -d www.domain.co,kr -d subdomain.domain.net --preferred-challenges dns
와일드카드 인증서 발급 과정
와일드카드와 멀티 도메인은 DNS-01 인증 방식을 사용하므로 Certbot 실행 과정 인증을 위한 DNS 레코드를 추가하라는 지시가 나타난다.
# certbot certonly --manual -d DOMAIN.com -d *.DOMAIN.com --preferred-challenges dns
## 커맨드를 실행 후 메일 주소를 입력하고 다음과 같은 화면으로 넘어간다.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for DOMAIN.com and *.DOMAIN.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y ## 처음 인증서를 발급 받으면 약관 동의 및 뉴스레터 등록 안내가 나온다. Y
Account registered.
Requesting a certificate for DOMAIN.com *.DOMAIN.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
_acme-challenge.DOMAIN.com.
with the following value:
GFwdmiAOIh3NF1fE7Zp5UEy
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.DOMAIN.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue ## 도메인 소유자 인증을 DNS TXT 등록으로 처리한다. DNS 설정후 엔터
## DNS 등록이 완료되면 인증서가 발급이 완료된다.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/DOMAIN.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/DOMAIN.com/privkey.pem
Your certificate will expire on 2023-10-24. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
******************************************
## 인증서 발급 경로와 만료일 도메인에 대한 간단한 정보와
## certbot renew 을 통한 갱신방법이 안내된다.
3. 발급된 인증서 확인
인증서 경로
# ls -al /etc/letsencrypt/archive/DOMAIN.com
total 28
drwxr-xr-x 2 root root 4096 Jul 26 14:47 .
drwx------ 3 root root 4096 Jul 26 14:47 ..
-rw-r--r-- 1 root root 1777 Jul 26 14:47 cert1.pem
-rw-r--r-- 1 root root 3749 Jul 26 14:47 chain1.pem
-rw-r--r-- 1 root root 5526 Jul 26 14:47 fullchain1.pem
-rw------- 1 root root 1704 Jul 26 14:47 privkey1.pem인증서 정보 체크
# openssl x509 -in /etc/letsencrypt/live/DOMAIN.com/cert.pem -text -noout | grep DNS
DNS:*.DOMAIN.com, DNS:DOMAIN.com
4. 인증서 갱신 (certbot renew)
인증서 갱신은 만료 30일 전부터 가능하며 certbot renew 명령으로 갱신이 가능하다
crontab에 등록하여 자동 동 갱신되고 apache 가 재시작되도록 관리하면 자동으로 갱신된다.
갱신 인증서 파일 확인
# cat /etc/letsencrypt/renewal/DOMAIN.com.conf
# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/DOMAIN.com
cert = /etc/letsencrypt/live/DOMAIN.com/cert.pem
privkey = /etc/letsencrypt/live/DOMAIN.com/privkey.pem
chain = /etc/letsencrypt/live/DOMAIN.com/chain.pem
fullchain = /etc/letsencrypt/live/DOMAIN.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = manual
account = 2c30baaa533097286eca60d0961cb7a3
pref_challs = dns-01,
manual_public_ip_logging_ok = None
server = https://acme-v02.api.letsencrypt.org/directory
certbot renew 실행 화면
아직 인증서 갱신 날짜가 안되어 skip 되고 있다.
# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/DOMAIN.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/DOMAIN.com/fullchain.pem expires on 2023-10-24 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -