Let's install SSL for free.
Are certificate prices reasonable? Maybe, maybe not. Some companies try to charge even more with price tiers that add more features, but a lot of them are basically gimmicks.
Reference: https://www.quora.com/Why-does-an-SSL-certificate-cost-money
Description (from Namu Wiki):
Let's Encrypt is a non-profit organization that issues TLS certificates to users free of charge. Many companies, including the Mozilla Foundation, Facebook and Google, are registered as sponsors.
An issued certificate is valid for three months and can be kept in use indefinitely by renewing it before it expires. Besides the short validity period, a drawback is that only DV (domain-validated) certificates can be issued.
Test installation server: ubuntu server 16.02
1. sudo apt-get install git
    sudo apt-get install git
1.1 If yum install git fails with an error on CentOS 5.9 (no longer supported; gave up)
    echo "http://vault.centos.org/5.9/os/x86_64/" > /var/cache/yum/base/mirrorlist.txt
    echo "http://vault.centos.org/5.9/extras/x86_64/" > /var/cache/yum/extras/mirrorlist.txt
    echo "http://vault.centos.org/5.9/updates/x86_64/" > /var/cache/yum/updates/mirrorlist.txt
    [root@localhost]# yum install git
    Loaded plugins: fastestmirror, security
    Loading mirror speeds from cached hostfile
    base                | 1.1 kB     00:00
    base/primary        | 1.3 MB     00:00
    base                             3667/3667
    extras              | 2.1 kB     00:00
    extras/primary_db   | 173 kB     00:00
    updates             | 1.9 kB     00:00
    updates/primary_db  | 1.0 MB     00:01
    Setting up Install Process
    No package git available.
    Nothing to do
    sudo yum-builddep git          # from yum-utils; installs git's build dependencies
    wget http://kernel.org/pub/software/scm/git/git-1.8.2.3.tar.gz
    tar -xzf git-1.8.2.3.tar.gz    # the archive is .tar.gz, so -z rather than -j
    cd git-1.8.2.3
    make                           # optionally "make configure && ./configure" first
    sudo make install
2. sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
    sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
3. cd /opt/letsencrypt
    cd /opt/letsencrypt
4.0 Stop apache2
    service apache2 stop
4. sudo -H ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
    sudo -H ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
5. ... the installation proceeds ...
    Installing Python packages...
    Installation succeeded.
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to
    cancel): mail@yahoo.co.kr

    -------------------------------------------------------------------------------
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
    in order to register with the ACME server at
    https://acme-v01.api.letsencrypt.org/directory
    -------------------------------------------------------------------------------
    (A)gree/(C)ancel: A

    -------------------------------------------------------------------------------
    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let's Encrypt project and the non-profit
    organization that develops Certbot? We'd like to send you email about EFF and
    our work to encrypt the web, protect its users and defend digital rights.
    -------------------------------------------------------------------------------
    (Y)es/(N)o: Y
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for images.auctionpro.co.kr
    Waiting for verification...
    Cleaning up challenges

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/images.auctionpro.co.kr/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/images.auctionpro.co.kr/privkey.pem
       Your cert will expire on 2017-12-04. To obtain a new or tweaked
       version of this certificate in the future, simply run letsencrypt-auto
       again. To non-interactively renew *all* of your certificates, run
       "letsencrypt-auto renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a secure
       backup of this folder now. This configuration directory will also
       contain certificates and private keys obtained by Certbot so making
       regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
5.1 Email verification
6. Verify
    sudo ls /etc/letsencrypt/live
    sudo ls /etc/letsencrypt/live/example.com
    cert.pem        (used)
    chain.pem
    fullchain.pem   (used)
    privkey.pem
7. Because the certificate must be renewed every 90 days, set up cron to renew it automatically once a month. This produced an error, so it was replaced by 7.1.
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for reservationbook.kr
    Cleaning up challenges
    Problem binding to port 80: Could not bind to IPv4 or IPv6.
    echo '@monthly root /opt/letsencrypt/letsencrypt-auto certonly --quiet --standalone --renew-by-default -d example.com -d www.example.com >> /var/log/letsencrypt/letsencrypt-auto-update.log' | sudo tee --append /etc/crontab
Or renew on the 17th of every month
    0 0 */10 * * certbot renew >> /logs/certbot-cron.log 2>&1
7.1 Stop apache2, then run the install command again, and the certificate is renewed.
    root@: cd /opt/letsencrypt
    root@: service apache2 stop
    root@:/opt/letsencrypt# sudo -H ./letsencrypt-auto certonly --standalone -d images.auctionpro.co.kr
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator standalone, Installer None
    Cert is due for renewal, auto-renewing...
    Renewing an existing certificate
    Performing the following challenges:
    tls-sni-01 challenge for images.auctionpro.co.kr
    Waiting for verification...
    Cleaning up challenges

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/images.auctionpro.co.kr/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/images.auctionpro.co.kr/privkey.pem
       Your cert will expire on 2018-03-02. To obtain a new or tweaked
       version of this certificate in the future, simply run letsencrypt-auto
       again. To non-interactively renew *all* of your certificates, run
       "letsencrypt-auto renew"
     - If you like Certbot, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    root@: service apache2 start
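The port-80 error in step 7 and the manual stop/renew/start in step 7.1 can be folded into one cron-safe script. This is an added example, not code from the original post: it assumes GNU date and openssl are installed, Apache is controlled with "service apache2", letsencrypt-auto sits at the path from step 2, and it uses certbot's --pre-hook/--post-hook options to stop and start Apache around the challenge.

```shell
#!/bin/bash
# Added example, not from the original post: a renewal wrapper that is safe
# to run from cron. Assumptions: letsencrypt-auto at the path used in the
# post, Apache controlled with "service apache2", GNU date and openssl.

LE_AUTO=/opt/letsencrypt/letsencrypt-auto
RENEW_BEFORE_DAYS=30            # renew once fewer than 30 of the 90 days remain

# Whole days until the certificate in $1 expires (negative once expired).
days_until_expiry() {
    local end_date now end
    end_date=$(openssl x509 -noout -enddate -in "$1") || return 1
    end_date=${end_date#notAfter=}          # e.g. "Dec  4 12:00:00 2017 GMT"
    now=$(date +%s)
    end=$(date -d "$end_date" +%s) || return 1
    echo $(( (end - now) / 86400 ))
}

# Exit status 0 when the certificate in $1 should be renewed now.
needs_renewal() {
    local days
    days=$(days_until_expiry "$1") || return 0   # unreadable cert: renew
    [ "$days" -le "$RENEW_BEFORE_DAYS" ]
}

# The standalone authenticator must bind port 80 itself, which is why the
# monthly cron job in step 7 failed with "Problem binding to port 80" while
# Apache was running. --pre-hook/--post-hook do what step 7.1 does by hand:
# stop Apache for the challenge and start it again afterwards.
renew_all() {
    "$LE_AUTO" renew --quiet \
        --pre-hook "service apache2 stop" \
        --post-hook "service apache2 start"
}

# Cron entry (runs as root, so no sudo is needed), e.g. in /etc/crontab:
#   0 3 * * * root /usr/local/sbin/le-renew.sh --run >> /var/log/letsencrypt/cron.log 2>&1
main() {
    local cert=/etc/letsencrypt/live/example.com/cert.pem
    echo "$(date) $cert: $(days_until_expiry "$cert") days left"
    if needs_renewal "$cert"; then
        renew_all
    fi
}

# Run the check only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```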
8. Apache configuration
    <VirtualHost *:443>
        SSLEngine On
        # "All" can still enable SSLv3 depending on the OpenSSL build;
        # "All -SSLv3" or the TLSv1.2-only line below is safer
        SSLProtocol All
        # SSLProtocol TLSv1.2
        # SSLProtocol SSLv2
        SSLCertificateFile /etc/letsencrypt/live/yoursite.co.kr/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/yoursite.co.kr/privkey.pem
        # SSLCACertificateFile /etc/letsencrypt/live/yoursite.co.kr/fullchain.pem
        ServerName yoursite.co.kr
        #ServerAlias .co.kr
        ServerAdmin root@localhost
        DocumentRoot /var/www/yoursite/wordpress
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

    <VirtualHost *:80>
        ServerName yoursite.co.kr
        #ServerAlias yoursite.co.kr
        ServerAdmin root@localhost
        DocumentRoot /var/www/yoursite/wordpress
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

    <Directory /var/www/yoursite/wordpress>
        Options FollowSymLinks
        #AddType application/x-httpd-php .php .jsp
        # the .htaccess rewrite in step 12 is only read with AllowOverride All (or FileInfo)
        AllowOverride None
        Order Deny,Allow
        Allow from all
        Require all granted
    </Directory>
9. Apply
    a2enmod ssl
    a2ensite example.com
    service apache2 restart
10. Test
    openssl s_client -CApath /etc/ssl/certs/ -connect example.com:443
11. http -> https (CentOS)
    httpd -M    # lists loaded modules; confirm rewrite_module is among them
12. .htaccess
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
13. If the following error appears when renewing after upgrading to Ubuntu 18.04
Reference: https://auctionpro.co.kr/?p=5643
    root@local:/opt/letsencrypt# sudo -H ./letsencrypt-auto certonly --standalone -d images.ihavenomoney.co.kr
    Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
    Traceback (most recent call last):
      File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
        from certbot.main import main
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 5, in <module>
        import logging.handlers
      File "/usr/lib/python2.7/logging/__init__.py", line 26, in <module>
        import sys, os, time, cStringIO, traceback, warnings, weakref, collections
      File "/usr/lib/python2.7/weakref.py", line 14, in <module>
        from _weakref import (
    ImportError: cannot import name _remove_dead_weakref