Overview
Let’s Encrypt SSL certificate
- Cost: free
- Certificate validity: 90 days
- Simple certificate issuance with the Certbot CLI
Prerequisites
- Ubuntu Server
- DNS service
Installing Nginx
- Nginx is installed by default from Ubuntu 18 onward.
- Check the nginx status with sudo systemctl status nginx.
- Check the NAT IP with curl ifconfig.me.
sansae@sansae-ubuntu:~$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2021-10-08 08:56:53 UTC; 2min 10s ago
     Docs: man:nginx(8)
 Main PID: 14681 (nginx)
    Tasks: 3 (limit: 9545)
   Memory: 6.1M
   CGroup: /system.slice/nginx.service
           ├─14681 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           ├─14682 nginx: worker process
           └─14683 nginx: worker process

Oct 08 08:56:52 sansae-ubuntu systemd[1]: Starting A high performance web server and a reverse proxy server...
Oct 08 08:56:53 sansae-ubuntu systemd[1]: Started A high performance web server and a reverse proxy server.
sansae@sansae-ubuntu:~$ curl localhost
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
sansae@sansae-ubuntu:~$ curl ifconfig.me
20.196.207.131
DNS record setup
Add an A record for cert.sansae.net in DNS and point it at the Ubuntu server's NAT IP (20.196.207.131).
Check that Nginx is being served on the added subdomain (cert.sansae.net).
Installing Certbot
sudo apt update
sudo apt-get install letsencrypt -y
sudo apt install certbot python3-certbot-nginx
Issuing the certificate
sudo certbot --nginx -d cert.sansae.net
Your certificate and chain have been saved at:
/etc/letsencrypt/live/cert.sansae.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/cert.sansae.net/privkey.pem
sansae@sansae-ubuntu:~$ sudo certbot --nginx -d cert.sansae.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): sooabia@gmail.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cert.sansae.net
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://cert.sansae.net

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=cert.sansae.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cert.sansae.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cert.sansae.net/privkey.pem
   Your cert will expire on 2022-01-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a secure
   backup of this folder now. This configuration directory will also
   contain certificates and private keys obtained by Certbot so making
   regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 - We were unable to subscribe you the EFF mailing list because your
   e-mail address appears to be invalid. You can try again later by
   visiting https://act.eff.org.

sansae@sansae-ubuntu:~$
PEM to PFX
openssl pkcs12 -export -out cert.sansae.net.pfx -inkey /etc/letsencrypt/live/cert.sansae.net/privkey.pem -in /etc/letsencrypt/live/cert.sansae.net/fullchain.pem
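The 90-day validity from the issuance step and the PEM-to-PFX export above are combined in the following helper script. It is an added example, not code from the original post; it assumes the Certbot paths printed above and GNU coreutils `date`, and the function names, the renewal window and the password-file path are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the paths Certbot printed
# above (/etc/letsencrypt/live/cert.sansae.net) and GNU coreutils `date`.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/cert.sansae.net}"
RENEW_WINDOW_DAYS=30   # renew when 30 days or fewer of the 90-day validity remain

# Whole days from epoch $1 (now) to epoch $2 (expiry); negative once expired.
days_until() {
  echo $(( ($2 - $1) / 86400 ))
}

# Exit 0 when $1 days remaining is within the renewal window $2.
renewal_due() {
  [ "$1" -le "${2:-$RENEW_WINDOW_DAYS}" ]
}

# Convert the "notAfter=Jan  6 08:56:53 2022 GMT" line printed by
# `openssl x509 -enddate` into an epoch timestamp.
end_line_to_epoch() {
  date -u -d "${1#notAfter=}" +%s
}

# Report days left for the live fullchain and renew (dry run first) if due.
check_and_renew() {
  cert="$LIVE_DIR/fullchain.pem"
  expiry=$(end_line_to_epoch "$(openssl x509 -in "$cert" -noout -enddate)")
  left=$(days_until "$(date -u +%s)" "$expiry")
  echo "$cert: $left days until expiry"
  if renewal_due "$left"; then
    certbot renew --dry-run && certbot renew
  fi
}

# Export the PEM pair to PKCS#12 without putting the export password on the
# command line (it would show in `ps` and shell history); the PFX contains the
# private key, so restrict its permissions and verify that it reads back.
pem_to_pfx() {
  out="$1"; passfile="$2"
  openssl pkcs12 -export -out "$out" \
    -inkey "$LIVE_DIR/privkey.pem" -in "$LIVE_DIR/fullchain.pem" \
    -passout "file:$passfile"
  chmod 600 "$out"
  openssl pkcs12 -in "$out" -info -noout -passin "file:$passfile"
}

# Usage (as root): check_and_renew; pem_to_pfx cert.sansae.net.pfx /root/pfx.pass
```

On Ubuntu the apt certbot package also installs a certbot.timer systemd unit that runs the same `certbot renew` on a schedule; `systemctl list-timers certbot.timer` shows whether it is active.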