[CentOS7] Let’s Encrypt Wildcard Setup


site: https://letsencrypt.org/

site: https://certbot.eff.org/docs/install.html

With Let’s Encrypt you normally have to issue a certificate for every subdomain. If you own test.com,

you end up issuing and managing separate certificates for www.test.com / blog.test.com / work.test.com and so on.

With a wildcard certificate (*.test.com) a single issuance covers all of those hosts. Note that a wildcard matches exactly one label: it covers blog.test.com but not a.blog.test.com, and it does not cover the bare test.com unless you request that name as well (which is why the certbot command below passes both -d "*.web.com" and -d web.com).

Note: follow the steps below for the Let’s Encrypt wildcard setup.

Wildcard certificates are only issued through the dns-01 challenge, so the ACME client has to publish a TXT record under _acme-challenge.<domain> for every issuance and renewal. With a self-hosted named (BIND) zone, as in this post, certbot's manual plugin leaves you editing the zone file by hand each time; unattended renewal needs either a DNS provider that offers an API key (for one of certbot's DNS plugins) or a zone that accepts dynamic updates (RFC 2136 with nsupdate and a TSIG key), which certbot can drive through --manual-auth-hook / --manual-cleanup-hook scripts.

https://developerinsider.co/how-to-create-and-auto-renew-lets-encrypt-wildcard-certificate/
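As an added example (not part of the original post, and not certbot's own code), the following hook script automates the dns-01 step for a self-hosted named without a third-party DNS API: certbot runs it before and after each challenge, and the script pushes the TXT record into the zone with nsupdate over RFC 2136, then waits until the authoritative server actually serves it. Everything it relies on is an assumption: a TSIG key file at /etc/named/acme-key.conf, an update-policy in named.conf granting that key TXT updates on _acme-challenge.web.com, named answering on 127.0.0.1, and the hook path /usr/local/bin/acme-hook.sh.

```shell
#!/bin/sh
# Added example, not from the original post: certbot manual auth/cleanup hook
# that publishes the dns-01 TXT record into a self-hosted named (BIND) zone
# with nsupdate (RFC 2136 dynamic update) instead of editing /var/named/web.com
# by hand, so "certbot-auto renew" can run unattended.
#
# Assumptions (none of this is in the post):
#   - named.conf grants a TSIG key TXT updates on the challenge name, e.g.
#       include "/etc/named/acme-key.conf";   # made with: tsig-keygen acme-key
#       zone "web.com" IN { type master; file "web.com";
#           update-policy { grant acme-key name _acme-challenge.web.com TXT; }; };
#   - named answers on ACME_DNS_SERVER (127.0.0.1 by default).
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks; the
# first argument ("add" or "delete") tells the script which hook it is.

ACME_TSIG_KEY="${ACME_TSIG_KEY:-/etc/named/acme-key.conf}"
ACME_DNS_SERVER="${ACME_DNS_SERVER:-127.0.0.1}"
ACME_TTL=60

# CERTBOT_DOMAIN may arrive as "web.com" or "*.web.com"; both validate at the
# same owner name, so strip a leading "*." before building it.
challenge_name() {
    case "$1" in
        \*.*) printf '_acme-challenge.%s' "${1#??}" ;;
        *)    printf '_acme-challenge.%s' "$1" ;;
    esac
}

# Print the nsupdate batch for one challenge. "add" never deletes first: the
# wildcard and apex challenges must coexist as two TXT records under one name.
build_nsupdate_batch() {
    action="$1"; name="$(challenge_name "$2")"; token="$3"
    printf 'server %s\n' "$ACME_DNS_SERVER"
    if [ "$action" = add ]; then
        printf 'update add %s. %s IN TXT "%s"\n' "$name" "$ACME_TTL" "$token"
    else
        printf 'update delete %s. IN TXT "%s"\n' "$name" "$token"
    fi
    printf 'send\n'
}

# Do not return to certbot until the record is really served: the CA queries
# the authoritative servers directly, so that is what we check.
wait_for_txt() {
    name="$(challenge_name "$1")"; token="$2"; tries=0
    while [ "$tries" -lt 15 ]; do
        if dig +short @"$ACME_DNS_SERVER" "$name" TXT | grep -Fq "\"$token\""; then
            return 0
        fi
        tries=$((tries + 1)); sleep 2
    done
    echo "$name with token $token not visible on $ACME_DNS_SERVER" >&2
    return 1
}

run_hook() {
    build_nsupdate_batch "$1" "$2" "$3" | nsupdate -k "$ACME_TSIG_KEY" || return 1
    if [ "$1" = add ]; then wait_for_txt "$2" "$3"; fi
}

# Only act when certbot is calling us; sourcing the file just defines functions.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    run_hook "${1:-add}" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
fi

# Usage (the hook path is an assumption):
#   ./certbot-auto certonly --manual --preferred-challenges dns-01 \
#       --manual-auth-hook    '/usr/local/bin/acme-hook.sh add' \
#       --manual-cleanup-hook '/usr/local/bin/acme-hook.sh delete' \
#       -d '*.web.com' -d web.com \
#       --server https://acme-v02.api.letsencrypt.org/directory
```

certbot records the hook commands in the certificate's renewal configuration, so a later "certbot-auto renew" reuses them without prompting. Keep the TSIG key readable only by root and scope the update-policy to the _acme-challenge name: a key that may rewrite the whole zone turns a compromised web host into a DNS takeover.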

 

 

  • Delete the existing per-host certificates
[root@CentOS7 certbot]# ./certbot-auto delete --cert-name web.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate web.com.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@CentOS7 certbot]# ./certbot-auto delete --cert-name www.web.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate www.web.com.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@CentOS7 certbot]#

 

  • Create the wildcard certificate (first attempt: the TXT records are not published yet, so the dns-01 validation fails with NXDOMAIN)
[root@CentOS7 certbot]# ./certbot-auto certonly --manual -d "*.web.com" -d web.com  --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for web.com
dns-01 challenge for web.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mha

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mhb

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. web.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.web.com

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: web.com
   Type:   None
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.web.com
[root@CentOS7 certbot]#

 

  • named work: put the two values certbot printed (…mha and …mhb) into the DNS zone file as TXT records under _acme-challenge.web.com. Both the *.web.com and the web.com challenge use that same name, so the zone must carry both records at once.

[root@CentOS7 certbot]# vi /var/named/web.com
$TTL 3H
@       IN SOA  @ ns.web.com. (
                                        1       ; serial (increment on every edit; secondaries ignore a change without a higher serial)
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
                        IN      NS      ns.web.com.
                        IN      MX 10   mail.web.com.
web.com.             IN      A       200.200.200.200
                        IN      A       200.200.200.200
mail                    IN      A       200.200.200.200
ns                      IN      A       200.200.200.200
ns1                     IN      A       200.200.200.201
www                     IN      A       200.200.200.200
; one TXT record per challenge, value quoted; both *.web.com and web.com validate at this name
_acme-challenge.web.com.        IN      TXT     "-----------------------------------------mha"
_acme-challenge.web.com.        IN      TXT     "-----------------------------------------mhb"


[root@CentOS7 certbot]# systemctl restart named
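As an added example (these are not the post's own commands), here is a small script that performs the zone edit above in a repeatable way and verifies it before you press Enter in certbot: it appends the TXT records with the values quoted, increments the SOA serial (the post's zone leaves it at 0, so secondaries would never learn about the change), runs named-checkzone before reloading so a typo cannot take the whole domain down, reloads only that zone with rndc instead of restarting named, and checks the records on the local authoritative server rather than through 8.8.8.8, where the NXDOMAIN from the failed first attempt may still be negatively cached. The zone path and name are the post's; rndc being set up (the CentOS 7 bind package configures it) is an assumption; the tokens are whatever certbot prints.

```shell
#!/bin/sh
# Added example, not from the original post: do the zone edit above in a
# repeatable way and verify it before pressing Enter in certbot. The zone path
# and name are the post's; rndc being configured is an assumption; the tokens
# passed in are the two values certbot printed ("...mha" and "...mhb" in the post).

ZONE_FILE="${ZONE_FILE:-/var/named/web.com}"
ZONE="${ZONE:-web.com}"

# The post's zone keeps "0 ; serial". Secondaries (and AXFR-based checks) only
# pick up a change when the serial grows, so bump it on every edit.
current_serial() {
    awk '/; *serial/ { print $1; exit }' "$1"
}

bump_serial() {
    awk '/; *serial/ && !seen { sub(/[0-9]+/, $1 + 1); seen = 1 } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# One TXT record per token, value quoted: both challenges share the owner name
# _acme-challenge.<zone>, and two TXT RRs under one name are valid DNS.
add_acme_txt() {
    file="$1"; zone="$2"; shift 2
    for token in "$@"; do
        printf '_acme-challenge.%s.\t60\tIN\tTXT\t"%s"\n' "$zone" "$token" >> "$file"
    done
}

# Take the challenge records out again once the certificate is issued; they
# are single-use and only advertise that you run ACME against this zone.
remove_acme_txt() {
    grep -v '^_acme-challenge\.' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

publish_and_verify() {
    add_acme_txt "$ZONE_FILE" "$ZONE" "$@"
    bump_serial "$ZONE_FILE"
    # Refuse to load a zone that does not parse: a typo here would take the
    # whole domain down, not just the challenge.
    named-checkzone "$ZONE" "$ZONE_FILE" || return 1
    # Reload just this zone instead of "systemctl restart named".
    rndc reload "$ZONE" || return 1
    # Query the authoritative server itself, not 8.8.8.8: after the failed
    # first attempt a public resolver may still hold the NXDOMAIN in its
    # negative cache, while the CA asks the authoritative servers directly.
    for token in "$@"; do
        dig +short @127.0.0.1 "_acme-challenge.$ZONE" TXT | grep -Fq "\"$token\"" || {
            echo "token $token is not served for _acme-challenge.$ZONE" >&2
            return 1
        }
    done
}

# Usage: sh acme-zone.sh <token-for-wildcard> <token-for-apex>
if [ $# -ge 1 ]; then
    publish_and_verify "$@"
fi
```

After certbot reports success, run remove_acme_txt on the zone file, bump the serial again and reload, so stale challenge tokens do not linger in the zone.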



[root@CentOS7 certbot]# ./certbot-auto certonly --manual -d "*.web.com" -d web.com  --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for web.com
dns-01 challenge for web.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mha

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mhb

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/web.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/web.com/privkey.pem
   Your cert will expire on 2019-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@CentOS7 certbot]# vi /var/named/web.com
[root@CentOS7 certbot]# systemctl restart named
[root@CentOS7 certbot]# nslookup -q=txt _acme-challenge.web.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
_acme-challenge.web.com      text = "-----------------------------------------mha"
_acme-challenge.web.com      text = "-----------------------------------------mhb"

Authoritative answers can be found from:

[root@CentOS7 certbot]#


 

  • Update the nginx configuration. The wildcard certificate in /etc/letsencrypt/live/web.com covers web.com and every *.web.com host, so each server block points at the same two files.
[root@CentOS7 certbot]# vi /etc/nginx/sites-enabled/web_com.conf
server {
    listen       443 ssl;        # enables TLS on the socket; replaces the deprecated "ssl on;"
    server_name  www.web.com web.com;
    root   /var/www/html;
    index  index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        autoindex on;            # directory listing; leave it off unless you mean to expose it
    }

    access_log  /var/www/html/web.com/logs/access.log;
    error_log  /var/www/html/web.com/logs/error.log warn;
    ssl_certificate /etc/letsencrypt/live/web.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/web.com/privkey.pem;
    ssl_session_timeout  5m;
}

 

  • Test blog.web.com (the index.php below calls phpinfo(), which discloses the server configuration; remove it once the test passes).
[root@CentOS7 certbot]# cd /etc/nginx/sites-enabled/
[root@CentOS7 sites-enabled]# cp web_com.conf web_blog.conf
[root@CentOS7 sites-enabled]# vi web_blog.conf
server {

    listen       80;
    server_name  blog.web.com;
    root   /var/www/html/blog.web.com/public_html;
    index  index.php index.html index.htm;
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }
}
server {
    listen       443 ssl;        # replaces the deprecated "ssl on;"
    server_name  blog.web.com;
    root   /var/www/html/blog.web.com/public_html;
    index  index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        autoindex on;            # directory listing; leave it off unless you mean to expose it
    }

    access_log  /var/www/html/blog.web.com/logs/access.log;
    error_log  /var/www/html/blog.web.com/logs/error.log warn;
    ssl_certificate /etc/letsencrypt/live/web.com/fullchain.pem;      # same wildcard cert as web.com
    ssl_certificate_key /etc/letsencrypt/live/web.com/privkey.pem;
    ssl_session_timeout  5m;
    ssl_protocols TLSv1.2 TLSv1.3;   # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.3 takes effect only when nginx is built against OpenSSL 1.1.1+
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
[root@CentOS7 ~]# mkdir -p /var/www/html/blog.web.com/{public_html,logs}
[root@CentOS7 ~]# chown -R nginx:nginx /var/www/html/blog.web.com/
[root@CentOS7 ~]# systemctl restart nginx
[root@CentOS7 ~]# vi /var/www/html/blog.web.com/public_html/index.php
<?php phpinfo(); ?>
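As an added example (not part of the original post), the script below checks which hostnames a certificate's subjectAltName list actually covers before you point a new server block at it. It applies the rule browsers use (RFC 6125): "*.web.com" matches exactly one label, so it covers blog.web.com but not a.b.web.com, and not the bare web.com, which is why the post's certbot command asks for web.com as a second name. The certificate path is the post's; the SAN string "DNS:*.web.com, DNS:web.com" used for the offline check is constructed to mirror the post's request.

```shell
#!/bin/sh
# Added example, not from the original post: check which hostnames a
# certificate's subjectAltName list really covers before pointing a new server
# block such as blog.web.com at it. The rule is the one browsers apply
# (RFC 6125): "*.web.com" matches exactly one label, so it covers blog.web.com
# but not a.b.web.com and not the bare web.com. The certificate path in the
# usage line is the post's.

# Does one SAN entry ("*.web.com" or "web.com") cover host $2?
san_entry_matches() {
    san="$1"; host="$2"
    case "$san" in
        \*.*)
            suffix="${san#??}"                 # "*.web.com" -> "web.com"
            label="${host%".$suffix"}"         # "blog.web.com" -> "blog"
            # host must end in ".<suffix>" with exactly one non-empty label before it
            [ "$label" != "$host" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ]
            ;;
        *)
            [ "$san" = "$host" ]
            ;;
    esac
}

# Does a SAN list in the form openssl prints ("DNS:*.web.com, DNS:web.com")
# cover the host? Non-DNS entries (IP:, email:) are skipped.
san_list_covers() {
    host="$2"
    found="$(printf '%s\n' "$1" | tr ',' '\n' | while read -r raw; do
        case "$raw" in
            DNS:*) if san_entry_matches "${raw#DNS:}" "$host"; then echo yes; break; fi ;;
        esac
    done)"
    [ "$found" = yes ]
}

# Pull the SAN line out of a PEM certificate; works with the OpenSSL 1.0.2
# shipped on CentOS 7 as well as newer releases.
cert_san_list() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

cert_covers() {
    san_list_covers "$(cert_san_list "$1")" "$2"
}

# Usage: sh check-san.sh /etc/letsencrypt/live/web.com/fullchain.pem blog.web.com
if [ $# -eq 2 ]; then
    if cert_covers "$1" "$2"; then
        echo "$2 is covered by $1"
    else
        echo "$2 is NOT covered by $1" >&2; exit 1
    fi
fi
```

Run it against fullchain.pem for every server_name you add; a name the check rejects (for example a second-level host such as dev.blog.web.com) needs its own certificate or its own wildcard entry, and nginx will happily serve the mismatched certificate without complaint until a browser refuses it.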

 

  • Web test: check both https and http.