Applying Letsencrypt SSL

푸른바람 C/H 2018.08.06 08:30

letsencrypt installation

With Apache the certificate is issued and configured automatically without stopping the server, but with Nginx the server has to be stopped, the certificate issued, and then started again.

sudo apt update -y && sudo apt install letsencrypt -y

Configuration

sudo systemctl stop nginx

sudo letsencrypt certonly --standalone -m username@domain.com -d domain.com -d www.domain.com
# the certificate files are created under /etc/letsencrypt/archive/domain.com/
# /etc/letsencrypt/live/domain.com/ holds symlinks to them; use this path in the web server config

Applying to Nginx

listen 443 ssl default_server;
listen [::]:443 ssl default_server;

# fullchain.pem = leaf certificate + intermediate chain; keep privkey.pem readable by root only
ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2, plus TLSv1.3 where the build supports it, is the current baseline
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         HIGH:!aNULL:!MD5;

Applying to Apache

<VirtualHost *:443>
    ....

    SSLEngine on
    # disables SSLv2/SSLv3 only; TLSv1 and TLSv1.1 stay enabled and are deprecated (RFC 8996)
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

    # prefer the server's cipher order over the client's
    SSLHonorCipherOrder on

    SSLCertificateFile "/etc/letsencrypt/live/funfarm.kr/cert.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/funfarm.kr/privkey.pem"
    # deprecated since Apache 2.4.8; pointing SSLCertificateFile at fullchain.pem covers the chain instead
    SSLCertificateChainFile "/etc/letsencrypt/live/funfarm.kr/chain.pem"
</VirtualHost>

letsencrypt renewal

sudo systemctl stop nginx
# renews the certificate once it is inside the renewal window
# if the renewal window has not been reached yet, nothing is renewed
sudo letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/domain.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/img.domain.com.conf
-------------------------------------------------------------------------------
Attempting to parse the version 0.26.1 renewal configuration file found at /etc/letsencrypt/renewal/img.gag1.net.conf with version 0.23.0 of Certbot. This might not work.
Cert not yet due for renewal

-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/domain.com/fullchain.pem expires on 2018-10-28 (skipped)
  /etc/letsencrypt/live/img.domain/fullchain.pem expires on 2018-10-28 (skipped)
No renewals were attempted.
-------------------------------------------------------------------------------

sudo systemctl start nginx

certbot installation

git clone https://github.com/certbot/certbot certbot

Configuration

sudo systemctl stop nginx
cd certbot
# -m takes the contact e-mail address used for expiry notices; --standalone matches the stopped-nginx flow above
./certbot-auto certonly --standalone -m username@domain.com -d domain.com -d www.domain.com -d blog.domain.com
sudo systemctl start nginx

certbot renewal

This is identical to letsencrypt.
Looking at the cloned source, there are both certbot-auto and letsencrypt-auto.
They behave exactly like the letsencrypt package installed above.

#./certbot-auto renew
./letsencrypt-auto renew
# same result as letsencrypt

Registering in crontab

0 5 * * 0 systemctl stop nginx; letsencrypt renew >> /var/log/letsencrypt/le-renew.log; systemctl start nginx;
#0 5 * * 0 systemctl stop nginx; /root/certbot/certbot-auto renew >> /var/log/letsencrypt/le-renew.log; systemctl start nginx;

0 5 * * 0 systemctl stop apache2; letsencrypt renew >> /var/log/letsencrypt/le-renew.log; systemctl start apache2;

Renews every Sunday at 5 AM.
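The cron lines above stop the web server on every weekly run, even when certbot reports "Cert not yet due for renewal". As an added example that is not part of the original post, the script below hands the stop/start to certbot's --pre-hook and --post-hook (which certbot runs only when a renewal is actually attempted) and then checks how many days of validity the live certificate has left, so a renewal that silently fails becomes a non-zero exit that cron mail or monitoring can catch. The domain, paths, MIN_DAYS, the le-renew.sh name and the nginx/apache2 choice are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own code): renew with only the downtime a renewal
# needs, then verify the live certificate's remaining validity so a silent renewal
# failure is noticed. Assumes certbot's --pre-hook/--post-hook, openssl, and the
# paths/names below, which are assumptions.
set -eu
DOMAIN="${DOMAIN:-domain.com}"            # placeholder name, as in the post
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"
WEB="${WEB:-nginx}"                       # nginx or apache2
MIN_DAYS=14                               # fail if fewer days of validity remain

# Days since 1970-01-01 for a YYYY-MM-DD date, in POSIX arithmetic (no GNU date -d).
days_from_civil() {
  y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
  m=${m#0}; d=${d#0}                      # "08" would otherwise be read as octal
  [ "$m" -le 2 ] && y=$((y - 1))
  era=$((y / 400)); yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}
days_between() { echo $(( $(days_from_civil "$2") - $(days_from_civil "$1") )); }

# "notAfter=Oct 28 12:00:00 2018 GMT" (from openssl x509 -enddate) -> "2018-10-28"
enddate_to_civil() {
  v=${1#notAfter=}; set -- $v
  case $1 in
    Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;;  May) m=5;;  Jun) m=6;;
    Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
    *) return 1;;
  esac
  printf '%04d-%02d-%02d\n' "$4" "$m" "$2"
}
days_left() {   # $1 = certificate file, $2 = today as YYYY-MM-DD
  days_between "$2" "$(enddate_to_civil "$(openssl x509 -enddate -noout -in "$1")")"
}
main() {
  # The hooks run only when a certificate is actually due, so the web server
  # stays up on the weeks certbot reports "Cert not yet due for renewal".
  letsencrypt renew --pre-hook "systemctl stop $WEB" --post-hook "systemctl start $WEB"
  left=$(days_left "$LIVE_DIR/fullchain.pem" "$(date +%Y-%m-%d)")
  if [ "$left" -lt "$MIN_DAYS" ]; then
    echo "WARNING: $DOMAIN certificate expires in $left days; renewal did not happen" >&2
    exit 1
  fi
  echo "$DOMAIN certificate is valid for $left more days"
}
if [ "${1:-}" = run ]; then main; fi     # cron: 0 5 * * 0 /root/le-renew.sh run
```

Run it from the root crontab in place of the stop/renew/start one-liner; the date helpers are plain POSIX sh so the check works on a minimal system without GNU coreutils.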
