[CentOS7] Let's Encrypt Wildcard Setup
site: https://letsencrypt.org/
site: https://certbot.eff.org/docs/install.html
With Let's Encrypt you normally issue one certificate per host name. If you own test.com, you end up issuing and tracking separate certificates for www.test.com, blog.test.com, work.test.com and so on.
A wildcard certificate for *.test.com covers every one of those direct subdomains in a single issuance.
Two caveats: the wildcard does not match the bare name test.com (which is why the certonly command below lists the apex as a second -d name), and it does not match names with more than one label in front of it, such as a.b.test.com.
Reference: the steps below follow the guide linked here.
Wildcard names are only issued through the dns-01 challenge, so certbot has to publish a TXT record under _acme-challenge.<domain>. With a plain named (BIND) setup like the one below the record is added by hand, so the interactive issuance works but "certbot-auto renew" cannot run unattended. For unattended renewal use a DNS provider whose API certbot has a plugin for (the "Obtain API Key" step in the guide), BIND dynamic updates with a TSIG key (the certbot-dns-rfc2136 plugin), or a --manual-auth-hook script that edits the zone.
https://developerinsider.co/how-to-create-and-auto-renew-lets-encrypt-wildcard-certificate/
- Delete the existing certificates
[root@CentOS7 certbot]# ./certbot-auto delete --cert-name web.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate web.com.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@CentOS7 certbot]# ./certbot-auto delete --cert-name www.web.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate www.web.com.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@CentOS7 certbot]#
- Create the wildcard certificate
The first run below fails on purpose to show what happens when Enter is pressed before the TXT records exist: certbot prints two challenge values (one for *.web.com, one for web.com, both under the same name _acme-challenge.web.com), Let's Encrypt looks the name up on the authoritative servers and gets NXDOMAIN. Create the records while certbot is waiting at "Press Enter" and verify them first; a rerun after a failure can hand out new challenge values, and the records must carry the values of the run you are about to confirm.
[root@CentOS7 certbot]# ./certbot-auto certonly --manual -d "*.web.com" -d web.com --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for web.com
dns-01 challenge for web.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mha

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mhb

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. web.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.web.com

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: web.com
   Type:   None
   Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.web.com
[root@CentOS7 certbot]#
- named work (the mha and mhb values printed by certbot go into the DNS zone file as TXT records)
[root@CentOS7 certbot]# vi /var/named/web.com
$TTL 3H
@       IN SOA  @ ns.web.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN NS   ns.web.com.
        IN MX   10 mail.web.com.
web.com.        IN A    200.200.200.200
                IN A    200.200.200.200
mail            IN A    200.200.200.200
ns              IN A    200.200.200.200
ns1             IN A    200.200.200.201
www             IN A    200.200.200.200
_acme-challenge.web.com.        IN TXT  "-----------------------------------------mha"
_acme-challenge.web.com.        IN TXT  "-----------------------------------------mhb"
[root@CentOS7 certbot]# systemctl restart named
Both records share the name _acme-challenge.web.com; one answers the challenge for *.web.com, the other for web.com, so keep both until the run completes. Put the values in quotes: a challenge value is 43 characters of base64url and may begin with "-" or "_", and quoted data is the unambiguous TXT form. On a single authoritative server, as here, a restart is enough; if the zone has secondaries, raise the serial before reloading, otherwise they never pick the records up. Before pressing Enter, check the records where Let's Encrypt will look, on the authoritative server itself: dig @ns.web.com TXT _acme-challenge.web.com
[root@CentOS7 certbot]# ./certbot-auto certonly --manual -d "*.web.com" -d web.com --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for web.com
dns-01 challenge for web.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mha

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mhb

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/web.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/web.com/privkey.pem
   Your cert will expire on 2019-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Note that "certbot-auto renew" will not renew this particular certificate: it was obtained with the manual authenticator and no auth hook, and certbot refuses to run the manual plugin non-interactively without --manual-auth-hook. Either rerun the certonly command above with fresh TXT values before 2019-05-06, or reissue with a hook script or DNS plugin so renewal can be scheduled.
The zone file is then edited once more and named restarted; the TXT records are only needed during validation. The lookup afterwards goes through 8.8.8.8, which answers from its cache (for up to the record TTL, 3H in this zone), so it shows what a public resolver sees, not necessarily what is currently in the zone; query the authoritative server directly for that.
[root@CentOS7 certbot]# vi /var/named/web.com
[root@CentOS7 certbot]# systemctl restart named
[root@CentOS7 certbot]# nslookup -q=txt _acme-challenge.web.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
_acme-challenge.web.com text = "-----------------------------------------mha"
_acme-challenge.web.com text = "-----------------------------------------mhb"

Authoritative answers can be found from:
[root@CentOS7 certbot]#
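The interactive "Press Enter" flow above is what keeps "certbot-auto renew" from running on its own with a self-hosted named. The script below is an added example, not code from the original post or from certbot: a pair of manual-mode hooks that append the TXT records to the BIND zone file on this host, bump the SOA serial, reload named and wait until the authoritative server answers, then remove the records again after validation. Everything about the layout is an assumption marked in the comments: the zone file lives at /var/named/<domain> as in the post, the serial sits on a line ending in "; serial", rndc is configured, and the script is installed as /usr/local/bin/acme-bind-hook.sh (a hypothetical name). The certbot environment variables CERTBOT_DOMAIN and CERTBOT_VALIDATION are real; for a wildcard request the domain passed is the base name, which is why the transcript shows "dns-01 challenge for web.com" twice.

```shell
#!/bin/sh
# Added example, not code from the original post: certbot manual-mode hooks
# that write the dns-01 TXT records into a BIND (named) zone file on this
# host and reload named, so the "Press Enter" steps happen unattended and
# "certbot-auto renew" can run from cron.
#
# Assumptions (hypothetical; adjust to your layout):
#   - the zone file for <domain> is $ZONE_DIR/<domain>, e.g. /var/named/web.com
#   - the SOA serial is on its own line ending in "; serial", as in the post
#   - rndc is set up so "rndc reload <zone>" works
# certbot passes CERTBOT_DOMAIN (web.com for both *.web.com and web.com, since a
# wildcard authorization is for the base name) and CERTBOT_VALIDATION (the TXT
# value) in the environment of each hook call.
#
# usage:
#   ./certbot-auto certonly --manual --preferred-challenges dns-01 \
#     --manual-auth-hook    "/usr/local/bin/acme-bind-hook.sh add" \
#     --manual-cleanup-hook "/usr/local/bin/acme-bind-hook.sh remove" \
#     -d "*.web.com" -d web.com

ZONE_DIR="${ZONE_DIR:-/var/named}"
AUTH_NS="${AUTH_NS:-127.0.0.1}"   # authoritative server to poll after reload

# The exact zone-file line managed here; quoting the value is the safe TXT form.
txt_line() {  # $1 domain, $2 value
    printf '_acme-challenge.%s. IN TXT "%s"\n' "$1" "$2"
}

add_txt_record() {  # $1 zonefile, $2 domain, $3 value
    txt_line "$2" "$3" >> "$1"
}

# Removes only the exact line for this value, so the sibling challenge record
# (wildcard + apex give two records with the same name) is left alone.
remove_txt_record() {  # $1 zonefile, $2 domain, $3 value
    grep -vxF "$(txt_line "$2" "$3")" "$1" > "$1.tmp" || true
    mv "$1.tmp" "$1"
}

# Secondaries only transfer a zone whose serial increased; bump it on every change.
bump_serial() {  # $1 zonefile
    awk '/; *serial/ { sub(/[0-9]+/, $1 + 1) } { print }' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

# Validate, reload, then wait until the authoritative server returns the value.
# Let's Encrypt queries the authoritative servers, so that is what is polled here.
publish_and_wait() {  # $1 domain, $2 value
    named-checkzone "$1" "$ZONE_DIR/$1" > /dev/null || { echo "zone check failed" >&2; exit 1; }
    rndc reload "$1"
    i=0
    while [ "$i" -lt 30 ]; do
        dig +short TXT "_acme-challenge.$1" "@$AUTH_NS" | grep -qF "\"$2\"" && return 0
        i=$((i + 1)); sleep 2
    done
    echo "TXT record for $1 not visible on $AUTH_NS after 60s" >&2
    exit 1
}

main() {
    domain="$CERTBOT_DOMAIN"; value="$CERTBOT_VALIDATION"; zonefile="$ZONE_DIR/$domain"
    case "$1" in
        add)    add_txt_record "$zonefile" "$domain" "$value"
                bump_serial "$zonefile"
                publish_and_wait "$domain" "$value" ;;
        remove) remove_txt_record "$zonefile" "$domain" "$value"
                bump_serial "$zonefile"
                rndc reload "$domain" ;;
        *)      echo "usage: $0 add|remove (invoked by certbot as a manual hook)" >&2; exit 2 ;;
    esac
}

# Dispatch only when an action is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

certbot calls the auth hook once per challenge, so for "*.web.com" plus "web.com" the add branch runs twice and leaves two TXT lines with the same name, exactly like the hand-edited zone above; the cleanup hook then strips each line by its full content rather than by name. Polling the authoritative server rather than a public resolver avoids the cached NXDOMAIN a resolver may hold from an earlier failed attempt.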
- Change the nginx configuration
The certificate directory is named after the first -d argument, web.com, so every vhost for any *.web.com name points at the same /etc/letsencrypt/live/web.com/ files. (The original post had a typo, live/wweb.com, in the key path; it is corrected here.) The deprecated "ssl on;" directive is replaced by "listen 443 ssl;", which is the form current nginx expects.
[root@CentOS7 certbot]# vi /etc/nginx/sites-enabled/web_com.conf
server {
    listen 443 ssl;
    server_name www.web.com web.com;
    root /var/www/html;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
        autoindex on;    # directory listings expose file names; turn off once the site is live
    }

    access_log /var/www/html/web.com/logs/access.log;
    error_log /var/www/html/web.com/logs/error.log warn;

    ssl_certificate /etc/letsencrypt/live/web.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/web.com/privkey.pem;
    ssl_session_timeout 5m;
    # remaining directives omitted in the original post; web_blog.conf below is a copy of this file
}
- Test blog.web.com
The blog vhost is a copy of the main one with only the server_name, root and log paths changed; the certificate lines stay identical because the wildcard covers blog.web.com. Run "nginx -t" before restarting so a typo in the copied file does not take the main site down. The port 80 server block serves the blog in plain HTTP with no redirect, which is fine for the test below but on a live site should be reduced to a redirect to https.
[root@CentOS7 certbot]# cd /etc/nginx/sites-enabled/
[root@CentOS7 sites-enabled]# cp web_com.conf web_blog.conf
[root@CentOS7 sites-enabled]# vi web_blog.conf
server {
    listen 80;
    server_name blog.web.com;
    root /var/www/html/blog.web.com/public_html;
    index index.php index.html index.htm;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

server {
    listen 443 ssl;    # replaces the deprecated "ssl on;"
    server_name blog.web.com;
    root /var/www/html/blog.web.com/public_html;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
        autoindex on;    # directory listings expose file names; turn off once the site is live
    }

    access_log /var/www/html/blog.web.com/logs/access.log;
    error_log /var/www/html/blog.web.com/logs/error.log warn;

    # the same wildcard certificate serves every *.web.com vhost
    ssl_certificate /etc/letsencrypt/live/web.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/web.com/privkey.pem;
    ssl_session_timeout 5m;
    # the original allowed TLSv1 and TLSv1.1; both are deprecated (RFC 8996) and no current
    # client needs them. CentOS 7's OpenSSL 1.0.2 cannot negotiate TLSv1.3, so 1.2 is the ceiling.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
[root@CentOS7 ~]# mkdir -p /var/www/html/blog.web.com/{public_html,logs}
[root@CentOS7 ~]# chown -R nginx:nginx /var/www/html/blog.web.com/
[root@CentOS7 ~]# systemctl restart nginx
[root@CentOS7 ~]# vi /var/www/html/blog.web.com/public_html/index.php
<?php phpinfo(); ?>
The phpinfo() page is only a smoke test: it discloses the PHP version, file system paths, loaded modules and environment variables to anyone who can reach the site, so delete it as soon as the test is done.
- Web test: open both https://blog.web.com/ and http://blog.web.com/ and check that the browser accepts the certificate for the new subdomain without any change to the certificate files.
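A browser check only tells you about the one name you typed. The script below is an added example, not code from the original post, for checking the deployed certificate against every host name nginx serves and against the 30-day renewal window certbot uses: it pulls the DNS names out of the subjectAltName extension with openssl and applies the one-label wildcard rule from RFC 6125, which is what makes "*.web.com" cover blog.web.com but neither web.com (hence the extra "-d web.com" at issuance) nor a.b.web.com. The certificate path and host names are the ones from the post; the script name check-cert.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post: verify that a deployed
# Let's Encrypt certificate covers every name nginx serves and is not due
# for renewal. Wildcard matching follows RFC 6125: "*.web.com" matches
# exactly one label, so it covers blog.web.com but not web.com or a.b.web.com.
#
# usage (paths and names as in the post, script name hypothetical):
#   ./check-cert.sh /etc/letsencrypt/live/web.com/fullchain.pem web.com www.web.com blog.web.com

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# san_matches SAN HOST -> exit 0 if SAN covers HOST
san_matches() {
    san=$(lower "$1"); host=$(lower "$2")
    case "$san" in
        '*.'*)
            suffix=${san#\*.}      # web.com
            label=${host%%.*}      # blog
            rest=${host#*.}        # web.com
            # exactly one non-empty label in front of the suffix
            [ -n "$label" ] && [ "$label" != "$host" ] && [ "$rest" = "$suffix" ]
            ;;
        *)  [ "$san" = "$host" ] ;;
    esac
}

# covered HOST SAN... -> exit 0 if any SAN covers HOST
covered() {
    host=$1; shift
    for san in "$@"; do
        san_matches "$san" "$host" && return 0
    done
    return 1
}

# cert_sans CERT -> the DNS names in the subjectAltName extension, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -text \
      | sed -n '/Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# check_cert CERT HOST... -> exit 0 if every HOST is covered and >30 days remain
check_cert() {
    cert=$1; shift
    sans=$(cert_sans "$cert")
    status=0
    for host in "$@"; do
        # $sans is deliberately unquoted: one SAN per word
        if covered "$host" $sans; then
            echo "ok   $host"
        else
            echo "MISS $host (certificate names: $(printf '%s ' $sans))"; status=1
        fi
    done
    # -checkend exits non-zero when the certificate expires inside the window;
    # certbot renews at 30 days, so anything closer means renewal is not happening
    if ! openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) > /dev/null; then
        echo "WARN $cert expires within 30 days: $(openssl x509 -in "$cert" -noout -enddate)"; status=1
    fi
    return $status
}

# Run the check only when called with a certificate and at least one host name.
if [ "$#" -ge 2 ]; then check_cert "$@"; fi
```

Run it from cron after each renewal or from the post-hook; a MISS for a two-level name such as dev.blog.web.com is the signal that a second wildcard (*.blog.web.com) or an explicit name has to be added at issuance, and a WARN is the early sign that the manual-mode certificate above has not been reissued.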