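This time, let's apply HTTPS.
The certificate will be a free one from Let's Encrypt.
Let's Encrypt is a non-profit organization that issues TLS certificates for free, and
certbot is a tool that helps even beginners apply HTTPS quickly and easily.
Note that because paid certificates have the advantage in after-sales support and safety, companies use paid certificates rather than free ones when applying HTTPS.
That does not mean the encryption level is lower than that of a paid certificate, so a free certificate should be fine for personal services.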
1. Install the EPEL package
yum -y install epel-release
2. Install certbot
yum -y install certbot-apache
3. Apply certbot
certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): hinos@test.com // administrator email address
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n // opt out of news and campaign emails
Account registered.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: hinos.test.co.kr // list of domains
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for hinos.test.co.kr
Performing the following challenges:
http-01 challenge for hinos.test.co.kr
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/vhost-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/vhost-le-ssl.conf
Redirecting vhost in /etc/httpd/conf.d/vhost.conf to ssl vhost in /etc/httpd/conf.d/vhost-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://hinos.test.co.kr
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/hinos.test.co.kr/fullchain.pem // where the certificate and chain are stored
Your key file has been saved at:
/etc/letsencrypt/live/hinos.test.co.kr/privkey.pem // where the private key is stored
Your certificate will expire on 2021-12-23. To obtain a new or // valid until 2021-12-23
tweaked version of this certificate in the future, simply run
certbot again with the "certonly" option. To non-interactively
renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
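4. Automatic certificate renewal
The certificate is valid for roughly 3 months. (Requesting renewal within 30 days is said to be recommended.)
Use crontab so that the certificate is renewed automatically.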
vim /etc/crontab
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
00 03 1 * * root certbot renew
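
Entries in /etc/crontab take a user name between the five time fields and the command, as the file's own header comment shows; without it cron reads the first word of the command as the account and the renewal does not run. The following lint is an added example, not part of the original post; the function names, the optional passwd-file argument and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a system crontab (/etc/crontab format) for entries whose
# user field is missing or is not a real account. Names are illustrative.

# lint_system_crontab CRONTAB [PASSWD]
# Prints one "line N: ..." finding per bad entry; returns 1 if any were found.
lint_system_crontab() {
    crontab_file=$1
    passwd_file=${2:-/etc/passwd}
    awk -F: 'NR == FNR { users[$1] = 1; next }   # first file: passwd -> account names
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            if (line == "" || line ~ /^#/) next               # blank or comment
            if (line ~ /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/) next  # PATH=, MAILTO=, ...
            n = split(line, f, /[ \t]+/)
            u = (f[1] ~ /^@/) ? 2 : 6     # @daily-style entries have one time field
            if (n < u + 1) {
                printf "line %d: needs time fields, a user and a command: %s\n", FNR, line
                bad = 1
            } else if (!(f[u] in users)) {
                printf "line %d: \"%s\" is not an account, user field missing?: %s\n", FNR, f[u], line
                bad = 1
            }
        }
        END { exit bad + 0 }' "$passwd_file" "$crontab_file"
}

# Constructed sample: a renewal entry without and with the user field.
sample_check() {
    dir=$(mktemp -d) || return 2
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$dir/passwd"
    printf '%s\n' 'PATH=/sbin:/bin:/usr/sbin:/usr/bin' \
        '00 03 1 * * certbot renew' \
        '00 03 1 * * root certbot renew' > "$dir/crontab"
    lint_system_crontab "$dir/crontab" "$dir/passwd"
    rc=$?
    rm -rf "$dir"
    return $rc
}

sample_check || echo "entries listed above would not run as intended"
```

On a real host, `lint_system_crontab /etc/crontab` checks the live file against /etc/passwd.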