1. On CentOS, enable the EPEL repository
[root@centos webapp]# yum install epel-release
...
Updated:
epel-release.noarch 0:7-13
Complete!
2. Install Certbot (the certificate management package)
[root@centos /]# yum install python-certbot-nginx
This installs certbot and python2-certbot-nginx. Python 2 is the default on CentOS 7, Python 3 on CentOS 8.
3. Install the certificate (DNS validation)
[root@centos /]# certbot certonly -d blog.daonelab.com --manual --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for blog.daonelab.com
Performing the following challenges:
dns-01 challenge for blog.daonelab.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.blog.daonelab.com with the following value:
4wj4eavkjfFcgQ5lmbFaSGqTHWTmeuBojSlEPjESlU0
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
The certonly subcommand issues the certificate only and does nothing else (no conf modification etc.). The conf file has to be edited by hand later.
nslookup test from another console
[root@centos conf.d]# nslookup -q=TXT _acme-challenge.blog.daonelab.com
Server: 192.168.93.2
Address: 192.168.93.2#53
Non-authoritative answer:
_acme-challenge.blog.daonelab.com text = "4wj4eavkjfFcgQ5lmbFaSGqTHWTmeuBojSlEPjESlU0"
Authoritative answers can be found from:
daonelab.com nameserver = ns.anzinda.com.
daonelab.com nameserver = ns.daonelab.com.
ns.daonelab.com internet address = 220.122.147.73
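The nslookup above asks the local resolver (192.168.93.2), which may return a cached answer. As an added check, not part of the original post, the script below queries every authoritative nameserver of the zone directly with dig and compares the TXT value against the token certbot printed; the parent zone is assumed to be the host with its first label removed (daonelab.com here), which can be overridden with a third argument.

```shell
#!/bin/sh
# Added example: verify the _acme-challenge TXT record on all authoritative
# nameservers before pressing Enter in certbot. Let's Encrypt validates
# against the authoritative servers, not against your local resolver.

# Turn `dig +short TXT` output into bare values, one per line: strip the
# surrounding quotes and join multi-string records ("abc" "def" -> abcdef).
txt_values() {
    printf '%s\n' "$1" | sed -e 's/^"//' -e 's/"$//' -e 's/" "//g'
}

# Exit 0 when the expected token is one of the TXT values in the dig output.
txt_has_token() {
    txt_values "$1" | grep -qxF -- "$2"
}

# Usage: check_acme_txt _acme-challenge.blog.daonelab.com <token> [zone]
# Exit 0 only when at least one nameserver was found and all of them serve
# the expected token.
check_acme_txt() {
    name=$1; expected=$2
    host=${name#_acme-challenge.}    # host being validated (blog.daonelab.com)
    zone=${3:-${host#*.}}            # assumed parent zone (daonelab.com)
    ok=0; fail=0
    for ns in $(dig +short NS "$zone"); do
        out=$(dig +short TXT "$name" "@$ns")
        if txt_has_token "$out" "$expected"; then
            echo "OK   $ns serves the expected token"; ok=$((ok + 1))
        else
            echo "MISS $ns: got '${out:-<no answer>}'"; fail=$((fail + 1))
        fi
    done
    [ "$ok" -gt 0 ] && [ "$fail" -eq 0 ]
}
```

Source the file and call check_acme_txt with the record name and the token certbot displayed; a non-zero exit means at least one authoritative server does not serve it yet, so pressing Enter would fail the challenge.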
Once the test is complete, press Enter in the installation console!
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges
Subscribe to the EFF mailing list (email: anzinda76@nate.com).
Starting new HTTPS connection (1): supporters.eff.org
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/blog.daonelab.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/blog.daonelab.com/privkey.pem
Your certificate will expire on 2021-07-17. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
[root@centos /]#
Check the success message and the certificate
[root@centos blog.daonelab.com]# pwd
/etc/letsencrypt/live/blog.daonelab.com
[root@centos blog.daonelab.com]# ls -al
total 4
drwxr-xr-x 2 root root 88 Apr 18 14:48 .
drwx------ 3 root root 43 Apr 18 14:48 ..
lrwxrwxrwx 1 root root 41 Apr 18 14:48 cert.pem -> ../../archive/blog.daonelab.com/cert1.pem
lrwxrwxrwx 1 root root 42 Apr 18 14:48 chain.pem -> ../../archive/blog.daonelab.com/chain1.pem
lrwxrwxrwx 1 root root 46 Apr 18 14:48 fullchain.pem -> ../../archive/blog.daonelab.com/fullchain1.pem
lrwxrwxrwx 1 root root 44 Apr 18 14:48 privkey.pem -> ../../archive/blog.daonelab.com/privkey1.pem
-rw-r--r-- 1 root root 692 Apr 18 14:48 README
4. Nginx configuration
# https://uwsgi-docs.readthedocs.io/en/latest/tutorials/Django_and_nginx.html?highlight=charset#configure-nginx-for-your-site
# https://docs.nginx.com/nginx/admin-guide/web-server/app-gateway-uwsgi-django/
upstream django {
    server unix:/tmp/uwsgi_blog.daonelab.com.sock;
}

server {
    listen 8000;
    server_name localhost;

    location / {
        # redirect using return 301
        # $host <- Host header of the request (falls back to server_name)
        # $request_uri <- the URI below the host, including the query string
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name localhost;
    charset utf-8;
    root /home/webapp/blog.daonelab.com;

    # "ssl on;" is not needed (and is deprecated) when "listen 443 ssl;" is used
    ssl_certificate /etc/letsencrypt/live/blog.daonelab.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.daonelab.com/privkey.pem;

    # max upload size
    client_max_body_size 100M;

    #access_log /var/log/nginx/blog.daonelab.com_access.log;
    #error_log /var/log/nginx/blog.daonelab.com_error.log;

    # the location path must begin with "/" or it never matches
    location = /favicon.ico { access_log off; log_not_found off; }

    location / {
        uwsgi_pass django;
        include /etc/nginx/uwsgi_params;
    }

    location /static {
        alias /home/webapp/blog.daonelab.com_static;
        access_log off;
        expires 1M;
        add_header Cache-Control "public";
    }
}
Configured so that access over the existing HTTP port 8000 is also redirected to HTTPS.
The certificate is free for 90 days and must be renewed every 90 days.
5. Restart Nginx
[root@centos ~]# systemctl stop nginx.service
[root@centos ~]# systemctl start nginx.service
6. SSL security grade test
https://www.ssllabs.com/ssltest/analyze.html
7. Certificate auto-renewal schedule
https://blog.daonelab.com/post/33/1752/