Linux [CentOS 6.8] Installing and operating Let's Encrypt
1. Install the Let's Encrypt client
[root@localhost /] yum update
Update the package list.
2. Install Python 2.7
[root@localhost /] cd /usr/local
3. Install the EPEL repository
[root@localhost /] yum install epel-release
4. Install the IUS repository
[root@localhost /] rpm -ivh https://rhel6.iuscommunity.org/ius-release.rpm
5. Install Python 2.7 and Git
[root@localhost /] yum --enablerepo=ius install git python27 python27-devel python27-pip python27-setuptools python27-virtualenv python27-libs -y
6. Installation
[root@localhost /] cd /root
[root@localhost /] git clone https://github.com/certbot/certbot
7. Run
[root@localhost /] chattr -i /usr/bin/gcc /usr/bin/g++
chattr: No such file or directory while trying to stat /usr/bin/gcc
chattr: No such file or directory while trying to stat /usr/bin/g++
7-1. If chattr fails with the errors above, install gcc and g++
[root@localhost /] yum install gcc
[root@localhost /] yum install gcc-c++
7-2. Restrict gcc and g++ to root and set the immutable attribute again
[root@localhost /] chmod 700 /usr/bin/gcc /usr/bin/g++;chattr +i /usr/bin/gcc /usr/bin/g++
8. Install the Let's Encrypt certificate
[root@localhost /] cd /root/certbot
8-1. Step-by-step installation
[root@localhost /] ./certbot-auto certonly
Run this way, certbot-auto asks for each piece of information in turn.
...
How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Place files in webroot directory (webroot)
3: Spin up a temporary webserver (standalone)
With the standalone option (3), certbot-auto starts its own small web server on port 80.
The Let's Encrypt CA validates the domain through that server.
Before running the command, check whether a web service is already using port 80.
If a web service is running, either stop it or use the webroot plugin mode, which works through the existing web server.
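8-2. Install in one step (도메인.com is a placeholder for your domain, 도메인소유이메일 for the domain owner's e-mail address)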
[root@localhost /] ./certbot-auto certonly --server https://acme-v01.api.letsencrypt.org/directory \
--rsa-key-size 4096 --agree-tos --email 도메인소유이메일 \
--webroot -w /home/happyjung/public_html/ \
-d 도메인.com -d www.도메인.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 도메인.com
http-01 challenge for www.도메인.com
Using the webroot path /home/happyjug/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (4096 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/도메인.com/fullchain.pem. Your cert will
expire on 2017-06-19. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
9. Check the certificate
[root@localhost /] pwd
/etc/letsencrypt/live/도메인.com
[root@localhost /] ls -al
total 12
drwxr-xr-x 2 root root 4096 Mar 22 00:21 .
drwx------ 3 root root 4096 Mar 22 00:21 ..
lrwxrwxrwx 1 root root 36 Mar 22 00:21 cert.pem -> ../../archive/도메인.com/cert1.pem
lrwxrwxrwx 1 root root 37 Mar 22 00:21 chain.pem -> ../../archive/도메인.com/chain1.pem
lrwxrwxrwx 1 root root 41 Mar 22 00:21 fullchain.pem -> ../../archive/도메인.com/fullchain1.pem
lrwxrwxrwx 1 root root 39 Mar 22 00:21 privkey.pem -> ../../archive/도메인.com/privkey1.pem
-rw-r--r-- 1 root root 543 Mar 22 00:21 README
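The listing above can be checked mechanically. The script below is an added example, not part of the original post or of certbot: it verifies that the four files are symlinks into ../../archive/, that their targets exist, and that the private key and the live/ directory are owner-only. The function names and the example.test tree are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from certbot): audit a live/<domain> directory like the
# one listed in step 9. example.test and all file contents are constructed.

# Octal permission bits of a path, following symlinks (GNU stat, then BSD stat).
mode_of() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1" 2>/dev/null
}

# True when the mode grants nothing to group or other (600, 700, 400, ...).
owner_only() {
    case "$(mode_of "$1")" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# check_live_dir DIR: returns 0 when layout and permissions pass, 1 otherwise.
check_live_dir() {
    dir=$1; problems=0
    [ -d "$dir" ] || { echo "$dir: no such directory" >&2; return 1; }
    for name in cert.pem chain.pem fullchain.pem privkey.pem; do
        link=$(readlink "$dir/$name" 2>/dev/null) || link=""
        case "$link" in
            ../../archive/*) ;;
            *) echo "$name: not a symlink into ../../archive/" >&2
               problems=$((problems + 1)) ;;
        esac
        [ -f "$dir/$name" ] || { echo "$name: target missing" >&2
                                 problems=$((problems + 1)); }
    done
    # Policy of this example: the key file itself must be owner-only, instead
    # of relying solely on the drwx------ parent directory.
    if [ -f "$dir/privkey.pem" ] && ! owner_only "$dir/privkey.pem"; then
        echo "privkey.pem: accessible to group or other" >&2
        problems=$((problems + 1))
    fi
    owner_only "$dir/.." || { echo "live/: open to group or other" >&2
                              problems=$((problems + 1)); }
    [ "$problems" -eq 0 ]
}

# Build a constructed tree under ROOT that mirrors the listing in step 9.
make_sample_tree() {
    root=$1; d=example.test
    mkdir -p "$root/archive/$d" "$root/live/$d"
    chmod 700 "$root/archive" "$root/live"
    for n in cert chain fullchain privkey; do
        echo "constructed placeholder" > "$root/archive/$d/${n}1.pem"
        ln -sf "../../archive/$d/${n}1.pem" "$root/live/$d/$n.pem"
    done
    chmod 600 "$root/archive/$d/privkey1.pem"
}
```

On a real host, source the script and call check_live_dir with the live directory of the domain; each failed check is reported on stderr.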
10. Install the Apache SSL module
[root@localhost /] yum install mod_ssl
Apache configuration
...
References
https://www.enteroa.com/2016/03/12/lets-encrypt-설치-및-운용centos/comment-page-1/
https://digitz.org/blog/lets-encrypt-ssl-centos-7-setup/
http://zephlee2.blogspot.kr/2016/06/haproxy-lets-encrypt.html