[CentOS7] Let’s Encrypt Wildcard Setup

site : https://letsencrypt.org/

site: https://certbot.eff.org/docs/install.html

With Let’s Encrypt you have to issue a certificate for every subdomain. If you own test.com,

you end up creating and managing separate certificates for www.test.com / blog.test.com / work.test.com and so on.

With a wildcard certificate, a single issuance covers all of them.

Note: follow the wildcard setup described below.

With an ordinary self-hosted named setup the validation cannot be automated; automatic issuance needs a DNS provider that offers an API key.

https://developerinsider.co/how-to-create-and-auto-renew-lets-encrypt-wildcard-certificate/

  • Delete the existing certificates
[root@CentOS7 certbot]# ./certbot-auto delete --cert-name web.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate web.com.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@CentOS7 certbot]# ./certbot-auto delete --cert-name www.web.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate www.web.com.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@CentOS7 certbot]#

  • Create the wildcard certificate
[root@CentOS7 certbot]# ./certbot-auto certonly --manual -d "*.web.com" -d web.com  --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for web.com
dns-01 challenge for web.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mha

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mhb

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. web.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.web.com

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: web.com
   Type:   None
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.web.com
[root@CentOS7 certbot]#

  • named work (the mha and mhb values from the prompts above must be entered in the DNS zone file as TXT records)
[root@CentOS7 certbot]# vi /var/named/web.com
$TTL 3H
@       IN SOA  @ ns.web.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
                        IN      NS      ns.web.com.
                        IN      MX 10   mail.web.com.
web.com.             IN      A       200.200.200.200
                        IN      A       200.200.200.200
mail                    IN      A       200.200.200.200
ns                      IN      A       200.200.200.200
ns1                     IN      A       200.200.200.201
www                     IN      A       200.200.200.200
_acme-challenge.web.com.        IN      TXT     -----------------------------------------mha
_acme-challenge.web.com.        IN      TXT     -----------------------------------------mhb


[root@CentOS7 certbot]# systemctl restart named
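The first certbot run above failed with NXDOMAIN because Enter was pressed before the TXT records were live. The pre-flight check below is an added example, not part of the original post: it asks the authoritative name server directly with dig (package bind-utils on CentOS 7) and only reports success once every value certbot asked for is served. The record name, the name server ns.web.com and the two placeholder values are assumptions standing in for the redacted mha/mhb strings.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the _acme-challenge TXT
# records are really served before pressing Enter in certbot --manual.

# Print the TXT strings served for record NAME by name server NS, one per
# line, with the surrounding quotes removed. Requires dig (bind-utils).
txt_values() {
    # $1 = record name, $2 = name server to query
    dig +short TXT "$1" @"$2" | sed 's/^"//; s/"$//'
}

# Compare an observed list (stdin, one value per line) with the expected
# values given as arguments. Prints every missing value; exit status 1 if any
# is missing, 0 when all are present. Pure function, so it runs offline.
missing_values() {
    observed=$(cat)
    rc=0
    for want in "$@"; do
        # -F: fixed string, -x: whole line; "--" protects values starting with "-"
        if ! printf '%s\n' "$observed" | grep -qxF -- "$want"; then
            printf 'missing: %s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# Poll the authoritative server until every expected value is visible or the
# attempt limit is reached. Arguments: NAME NS VALUE...
wait_for_acme_txt() {
    name=$1; ns=$2; shift 2
    attempt=0
    while [ "$attempt" -lt 12 ]; do
        if txt_values "$name" "$ns" | missing_values "$@" >/dev/null; then
            echo "all $# TXT value(s) visible at $ns for $name"
            return 0
        fi
        attempt=$((attempt + 1))
        sleep 5
    done
    echo "gave up after $attempt attempts; records still missing at $ns" >&2
    return 1
}

# Usage with constructed placeholder values (the real ones are the strings
# certbot prints in its "deploy a DNS TXT record" prompt):
#   wait_for_acme_txt _acme-challenge.web.com ns.web.com \
#       'PLACEHOLDER-VALUE-FOR-WILDCARD' 'PLACEHOLDER-VALUE-FOR-APEX'
```

Query every server listed in the zone's NS records, not a public resolver: Let's Encrypt validates against the authoritative servers, and a cached NXDOMAIN at 8.8.8.8 says nothing about them. If the zone has secondaries, the SOA serial (still 0 in the file above) also has to be incremented before they will transfer the new records.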



[root@CentOS7 certbot]# ./certbot-auto certonly --manual -d "*.web.com" -d web.com  --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for web.com
dns-01 challenge for web.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mha

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mhb

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/web.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/web.com/privkey.pem
   Your cert will expire on 2019-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@CentOS7 certbot]# vi /var/named/web.com
[root@CentOS7 certbot]# systemctl restart named
[root@CentOS7 certbot]# nslookup -q=txt _acme-challenge.web.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
_acme-challenge.web.com      text = "-----------------------------------------mha"
_acme-challenge.web.com      text = "-----------------------------------------mhb"

Authoritative answers can be found from:

[root@CentOS7 certbot]#
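What the issued certificate actually covers is worth checking before pointing more vhosts at it. The wildcard *.web.com matches exactly one label, so it covers blog.web.com and www.web.com but not the apex web.com (which is why the command above also passes -d web.com) and not a deeper name such as dev.blog.web.com. The check below is an added example, not from the original post; it reads the SAN list with the OpenSSL 1.0.2 tools shipped on CentOS 7 and applies the browser matching rule. The live path is the one certbot printed above; the hostnames in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify which hostnames a
# certificate's Subject Alternative Name list really covers.

# Print the SAN line of a PEM certificate, e.g. "DNS:*.web.com, DNS:web.com".
# Uses -text rather than -ext so it works with OpenSSL 1.0.2 on CentOS 7.
cert_san_list() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# Return 0 when hostname $1 is matched by the single SAN entry $2 under the
# rule browsers apply (RFC 6125): "*" stands for exactly one whole label.
name_matches() {
    host=$1; san=$2
    case $san in
        \*.*)
            suffix=${san#\*.}
            [ "${host#*.}" = "$suffix" ] &&
            [ "${host%%.*}" != "$host" ] &&   # host must contain a dot
            [ -n "${host%%.*}" ]              # and a non-empty first label
            ;;
        *)  [ "$host" = "$san" ] ;;
    esac
}

# Return 0 when hostname $1 is covered by the comma-separated SAN list $2.
# Runs in a subshell so the IFS change does not leak to the caller.
san_covers() (
    host=$1
    IFS=','
    for entry in $2; do
        san=${entry#"${entry%%[! ]*}"}   # strip leading spaces
        san=${san#DNS:}
        name_matches "$host" "$san" && return 0
    done
    return 1
)

# Convenience wrapper for a certificate on disk: cert_covers PEM HOSTNAME
cert_covers() {
    san_covers "$2" "$(cert_san_list "$1")"
}

# Usage (constructed hostnames):
#   cert_covers /etc/letsencrypt/live/web.com/fullchain.pem blog.web.com && echo covered
#   cert_covers /etc/letsencrypt/live/web.com/fullchain.pem dev.blog.web.com || echo "not covered"
```

The same function shows why the non-wildcard certificates in the second half of this page cannot serve blog.web.com: a SAN list of DNS:web.com, DNS:www.web.com matches only those two names.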

  • Change the nginx configuration.
[root@CentOS7 certbot]# vi /etc/nginx/sites-enabled/web_com.conf
server {
    listen       443;
    server_name  www.web.com web.com;
    root   /var/www/html;
    index  index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        autoindex on;
    }

    access_log  /var/www/html/web.com/logs/access.log;
    error_log  /var/www/html/web.com/logs/error.log warn;
    ssl         on;
    ssl_certificate /etc/letsencrypt/live/web.com/fullchain.pem; 
    ssl_certificate_key /etc/letsencrypt/live/web.com/privkey.pem;
    ssl_session_timeout  5m;
}

  • Test blog.web.com.
[root@CentOS7 certbot]# cd /etc/nginx/sites-enabled/
[root@CentOS7 sites-enabled]# cp web_com.conf web_blog.conf
[root@CentOS7 sites-enabled]# vi web_blog.conf
server {

    listen       80;
    server_name  blog.web.com;
    root   /var/www/html/blog.web.com/public_html;
    index  index.php index.html index.htm;
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }
}
server {
    listen       443;
    server_name  blog.web.com;
    root   /var/www/html/blog.web.com/public_html;
    index  index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        autoindex on;
    }

    access_log  /var/www/html/blog.web.com/logs/access.log;
    error_log  /var/www/html/blog.web.com/logs/error.log warn;
    ssl         on;
    ssl_certificate /etc/letsencrypt/live/web.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/web.com/privkey.pem;
    ssl_session_timeout  5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
[root@CentOS7 ~]# mkdir -p /var/www/html/blog.web.com/{public_html,logs}
[root@CentOS7 ~]# chown -R nginx:nginx /var/www/html/blog.web.com/
[root@CentOS7 ~]# systemctl restart nginx
[root@CentOS7 ~]# vi /var/www/html/blog.web.com/public_html/index.php
<?php phpinfo(); ?>

  • Web test: test both https and http.

[CentOS7] Let’s Encrypt setup and apache/nginx configuration

Apache packages required before installing certbot

# yum -y update
# yum -y install httpd mod_ssl epel-release yum-utils

certbot reference page: https://certbot.eff.org/lets-encrypt/centosrhel7-apache.html

The web.com domain shown in the screenshots is an arbitrarily chosen domain.

Official site: https://letsencrypt.org  

certbot-auto site: https://certbot.eff.org/docs/install.html

  • Download certbot-auto

[root@CentOS7 ~]# mkdir /usr/local/certbot
[root@CentOS7 ~]# cd /usr/local/certbot
[root@CentOS7 certbot]# wget https://dl.eff.org/certbot-auto
[root@CentOS7 certbot]# chmod a+x ./certbot-auto
[root@CentOS7 certbot]# ./certbot-auto --help
Usage: certbot-auto [OPTIONS]
A self-updating wrapper script for the Certbot ACME client. When run, updates
to both this script and certbot will be downloaded and installed. After
ensuring you have the latest versions installed, certbot will be invoked with
all arguments you have provided.

Help for certbot itself cannot be provided until it is installed.

  --debug                                   attempt experimental installation
  -h, --help                                print this help
  -n, --non-interactive, --noninteractive   run without asking for user input
  --no-bootstrap                            do not install OS dependencies
  --no-self-upgrade                         do not download updates
  --os-packages-only                        install OS dependencies and exit
  --install-only                            install certbot, upgrade if needed, and exit
  -v, --verbose                             provide more output
  -q, --quiet                               provide only update/error output;
                                            implies --non-interactive

All arguments are accepted and forwarded to the Certbot client when run.
[root@CentOS7 certbot]#

  • Run certbot-auto
  • certbot-auto installs the packages it needs automatically.
  • Press y to complete the installation.
[root@CentOS7 certbot]# ./certbot-auto
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
yum is hashed (/usr/bin/yum)
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: centos.mirror.cdnetworks.com
 * epel: mirror.premi.st
 * extras: data.aonenetworks.kr
 * remi-php71: ftp.riken.jp
 * remi-safe: ftp.riken.jp
 * updates: data.aonenetworks.kr
Package gcc-4.8.5-36.el7.x86_64 already installed and latest version
Package augeas-libs-1.4.0-6.el7_6.1.x86_64 already installed and latest version
Package 1:openssl-1.0.2k-16.el7.x86_64 already installed and latest version
Package redhat-rpm-config-9.1.0-87.el7.centos.noarch already installed and latest version
Package ca-certificates-2018.2.22-70.0.el7_5.noarch already installed and latest version
Resolving Dependencies
--> Running transaction check
... (output omitted) ...
Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): webtest@gamil.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.web.com
2: web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for web.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Failed redirect for web.com
Unable to set enhancement redirect for web.com
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

IMPORTANT NOTES:
 - We were unable to set up enhancement redirect for your server,
   however, we successfully installed your certificate.
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/web.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/web.com/privkey.pem
   Your cert will expire on 2019-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
[root@CentOS7 certbot]#

  • After certbot has issued the certificate, check the settings in ssl.conf.
[root@CentOS7 ~]# vi /etc/httpd/conf.d/ssl.conf

<VirtualHost *:443>
ServerName web.com
ServerAlias www.web.com
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCACertificateFile /etc/pki/tls/certs/webca.crt

 <Files ~ "\.(cgi|shtml|phtml|php3?)$">
     SSLOptions +StdEnvVars
  </Files>
  <Directory "/var/www/cgi-bin">
     SSLOptions +StdEnvVars
  </Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
ErrorLog logs/example.com-ssl_error_log
TransferLog logs/example.com-ssl_access_log
LogLevel warn
CustomLog logs/example.com-ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLCertificateFile /etc/letsencrypt/live/web.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/web.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/web.com/chain.pem
</VirtualHost>

  • Run a web access test.
  • https://web.com works; www.web.com needs a separate certificate.
  • To cover every subdomain, a wildcard certificate is needed.
  • Wildcard certificates are covered separately.

  • Create the certificate for www.web.com.
[root@CentOS7 certbot]# ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: web.com
2: www.web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.web.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf.d/httpd-vhosts.conf to ssl vhost in /etc/httpd/conf.d/ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.web.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.web.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.web.com/privkey.pem
   Your cert will expire on 2019-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@CentOS7 certbot]#

  • Restart the apache daemon.
[root@CentOS7 certbot]# systemctl restart httpd

  • Check the web site.

  • Nginx setup
[root@CentOS7 ~]# cd /usr/local/certbot/
[root@CentOS7 certbot]# ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: web.com
2: www.web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/web.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/web_com.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/web_com.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://web.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/web.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/web.com/privkey.pem
   Your cert will expire on 2019-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@CentOS7 certbot]#

  • Web test: connect to https://web.com

  • Create the https://www.web.com certificate
[root@CentOS7 certbot]# ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: web.com
2: www.web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.web.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/web_com.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/web_com.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.web.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.web.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.web.com/privkey.pem
   Your cert will expire on 2019-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@CentOS7 certbot]#

  • Notes on creating certificates
Create it as ./certbot-auto -d web.com -d www.web.com so that browsing to http://www.web.com does not produce an https error, and
./certbot-auto --nginx lets you specify the web server.

  • Web test: connect to https://www.web.com

  • Add automatic renewal of the Let’s Encrypt certificate
[root@CentOS7 ~]# vi /etc/crontab
# run once at 01:00 on the 1st of each month (a * in the minute field would fire every minute of that hour)
0 1 1 * * root /usr/local/certbot/certbot-auto renew >> /var/log/le-renew.log

Test automatic renewal
[root@CentOS7 ~]# /usr/local/certbot/certbot-auto renew >> /var/log/le-renew.log
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal
Cert not yet due for renewal
[root@CentOS7 ~]#
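The renew run above only covers the two certificates obtained with the apache and nginx plugins. The wildcard certificate from the first half of the page was obtained with --manual and no hooks, and certbot refuses to renew such a certificate unattended: it needs a --manual-auth-hook that can publish the _acme-challenge TXT record by itself, which is the point made in the note at the top about needing an API. The script below is an added example, not from the original post, of such a hook for the self-hosted named used on this page: certbot calls it with CERTBOT_DOMAIN and CERTBOT_VALIDATION in the environment and the script sends the record to named with nsupdate. It assumes things the page does not show: named accepts dynamic updates for the zone with the TSIG key in /etc/named/acme.key, the zone name is web.com, and the script is installed as /usr/local/certbot/acme-hook.sh.

```shell
#!/bin/sh
# Added example (not from the original post): --manual-auth-hook and
# --manual-cleanup-hook in one file, publishing the dns-01 challenge on the
# local named through nsupdate so that "certbot-auto renew" can run from cron.
# Assumptions: named allows dynamic updates for $ACME_ZONE with the TSIG key
# in $ACME_TSIG_KEY (not configured anywhere on the original page).

ACME_ZONE=${ACME_ZONE:-web.com}
ACME_NS=${ACME_NS:-127.0.0.1}
ACME_TSIG_KEY=${ACME_TSIG_KEY:-/etc/named/acme.key}

# Build the nsupdate batch that adds or deletes the challenge record.
# $1 = add|delete, $2 = CERTBOT_DOMAIN, $3 = CERTBOT_VALIDATION
# Pure function: it only prints the batch, so it can be inspected and tested.
nsupdate_batch() {
    action=$1; domain=$2; validation=$3
    case $action in
        add|delete) ;;
        *) echo "nsupdate_batch: action must be add or delete" >&2; return 2 ;;
    esac
    printf 'server %s\n' "$ACME_NS"
    printf 'zone %s.\n' "$ACME_ZONE"
    # certbot sets CERTBOT_DOMAIN to the base name for both "*.web.com" and
    # "web.com", so both challenges land under _acme-challenge.web.com.
    printf 'update %s _acme-challenge.%s. 60 TXT "%s"\n' "$action" "$domain" "$validation"
    printf 'send\n'
}

# Send the batch to named, authenticated with the TSIG key.
publish_challenge() {
    nsupdate_batch add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$ACME_TSIG_KEY"
}
remove_challenge() {
    nsupdate_batch delete "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$ACME_TSIG_KEY"
}

# Dispatch on the argument certbot was told to pass, so one file serves as
# both hooks; with no argument, print the one-time command that registers them.
case ${1:-} in
    auth)    publish_challenge; sleep 20 ;;   # short wait before the CA queries
    cleanup) remove_challenge ;;
    *) cat <<'EOF'
Register the hooks once; certbot stores them in /etc/letsencrypt/renewal and
"certbot-auto renew" reuses them. --deploy-hook reloads nginx only when a
certificate was actually renewed.
  ./certbot-auto certonly --manual -d "*.web.com" -d web.com \
      --preferred-challenges dns-01 \
      --server https://acme-v02.api.letsencrypt.org/directory \
      --manual-auth-hook    "/usr/local/certbot/acme-hook.sh auth" \
      --manual-cleanup-hook "/usr/local/certbot/acme-hook.sh cleanup" \
      --deploy-hook "systemctl reload nginx"
EOF
    ;;
esac
```

Keep the TSIG key readable by root only: whoever holds it can rewrite the zone, which is exactly the capability an attacker needs to obtain certificates for these names. The cleanup hook matters for the same reason, so that stale challenge records do not accumulate in the zone.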