Reference: Summary of four up-to-date ways to issue a Let's Encrypt SSL certificate

1. On CentOS, enable the EPEL repository

[root@centOS7 webapp]# yum install epel-release
...
Updated:
  epel-release.noarch 0:7-13  

Complete!

2. Install Certbot (the certificate management package)

[root@centOS7 /]# yum install python-certbot-nginx

This installs certbot and python2-certbot-nginx. On CentOS 7 Python 2 is the default; on CentOS 8 it is Python 3.

3. Check that the domain is specified in server_name in the nginx conf file

[root@centOS7 /]# vi /etc/nginx/conf.d/default.conf

---------------------------------------------------------------
server {

    server_name blog.daonelab.com;

---------------------------------------------------------------

4. Update the modules below

/bin/pip3.6 uninstall requests
yum reinstall python-requests

/bin/pip3.6 uninstall six
yum reinstall python-six

/bin/pip3.6 uninstall urllib3
yum reinstall python-urllib3

5. Install the certificate with Certbot

[root@centOS7 bin]# certbot certonly -d blog.daonelab.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator nginx, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): anzinda76@nate.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
TypeError: __str__ returned non-string (type Error)
Please see the logfiles in /var/log/letsencrypt for more details.

The error keeps occurring!!

Following the error, update the openssl-related modules:

[root@centOS7 bin]# yum install ca-certificates openssl

Then set it up in manual mode:

[root@centOS7 bin]# certbot certonly --manual -d blog.daonelab.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for blog.daonelab.com
Performing the following challenges:
http-01 challenge for blog.daonelab.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

QsrQ15NhlvIUSz_-loXzxCjGCMPgJxf8jvl6I9O3Nvo.gmvilRRmx9uSOWy5NWVVHJhdvyqI5IN23uPOWp2bF78

And make it available on your web server at this URL:

http://blog.daonelab.com/.well-known/acme-challenge/QsrQ15NhlvIUSz_-loXzxCjGCMPgJxf8jvl6I9O3Nvo

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

As shown below, create a virtual directory in IIS, write the string into the file at the path given above, and once that is ready,

(I am running Linux in a virtual machine on a Windows server for testing purposes.)

press Enter!!

Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges
Subscribe to the EFF mailing list (email: anzinda76@nate.com).
Starting new HTTPS connection (1): supporters.eff.org
An unexpected error occurred:
TypeError: __str__ returned non-string (type Error)
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/blog.daonelab.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/blog.daonelab.com/privkey.pem
   Your certificate will expire on 2022-04-19. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Well, a few errors appear, but it does not matter.

[root@centOS7 /]# cd /etc/letsencrypt/live/blog.daonelab.com/
[root@centOS7 blog.daonelab.com]# ls
cert.pem  chain.pem  fullchain.pem  privkey.pem  README
[root@centOS7 blog.daonelab.com]#

You can confirm that the certificate has been generated.

Restart nginx and check that the site comes up!!

Note that by default port 443 on the Windows server is configured to be held by the Windows server itself, so disable that and add an additional HTTPS policy.
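Two things worth checking around the manual http-01 flow above: that the challenge file is served byte-for-byte as certbot printed it before you press Enter, and, once the files in /etc/letsencrypt/live exist, how long the certificate remains valid. The following POSIX shell script is an added example and not part of the original post; it assumes curl, cmp and openssl are installed, and the sample domain and token values are the ones shown in the certbot output.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for a Certbot
# manual http-01 challenge and an expiry check on the issued certificate.
# Assumes curl, cmp and openssl are installed; sample values are from the post.

# Build the URL where the CA will look for the challenge file.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# The key authorization is "<token>.<thumbprint>", both base64url, and the token
# part must equal the last path segment of the URL (i.e. the file name).
key_authz_well_formed() {
    authz=$1; token=$2
    printf '%s' "$authz" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$' || return 1
    [ "${authz%%.*}" = "$token" ]
}

# Byte-exact comparison of a saved challenge body ($1) with the expected key
# authorization ($2). A trailing newline, CRLF or BOM added by an editor is
# enough for the CA to reject the challenge, so compare bytes, not trimmed text.
challenge_body_matches() {
    printf '%s' "$2" | cmp -s - "$1"
}

# Fetch the challenge URL the way the CA does (plain HTTP) and check the body.
challenge_reachable() {
    tmp=$(mktemp) || return 1
    curl -fsS --max-time 10 -o "$tmp" "$1" && challenge_body_matches "$tmp" "$2"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Returns 0 while the certificate in FILE ($1, e.g. fullchain.pem) is still
# valid for at least DAYS ($2) more days; handy as a renewal monitoring check.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Usage: sh acme-check.sh DOMAIN TOKEN KEY_AUTHZ   (does nothing without arguments)
if [ $# -eq 3 ]; then
    url=$(challenge_url "$1" "$2")
    key_authz_well_formed "$3" "$2" || { echo "malformed key authorization"; exit 1; }
    challenge_reachable "$url" "$3" || { echo "FAIL: $url does not serve the expected body"; exit 1; }
    echo "OK: $url serves the expected body; safe to press Enter in certbot"
    cert=/etc/letsencrypt/live/$1/fullchain.pem
    [ -f "$cert" ] && cert_valid_for_days "$cert" 30 && echo "OK: $cert valid for 30+ days"
fi
```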