
Applying Let's Encrypt SSL

C/H 2018. 8. 6. 08:30

Installing letsencrypt

With Apache the certificate can be issued and configured automatically without stopping the server, but with Nginx the server has to be stopped, the certificate issued, and Nginx started again.

sudo apt update -y && sudo apt install letsencrypt -y

Adding dhparam.pem

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Configuration

sudo systemctl stop nginx

sudo letsencrypt certonly --standalone -m username@domain.com -d domain.com -d www.domain.com
# the certificate files are created under /etc/letsencrypt/archive/domain.com/
# /etc/letsencrypt/live/domain.com/ holds symlinks to the current versions

Applying to Nginx

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name _;

        return 301 https://domain.com$request_uri;
}
server {
        listen 443 ssl;
        server_name www.domain.com;
        ssl_stapling on;
        ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
        resolver 1.1.1.1 1.0.0.1;

        return 301 https://domain.com$request_uri;
}
server {
	listen 443 ssl default_server;
	listen [::]:443 ssl default_server;

	ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
	# TLSv1 and TLSv1.1 are deprecated; keep only TLSv1.2 unless legacy clients require them
	ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers         HIGH:!aNULL:!MD5;

	...
}
server {
	listen 443 ssl http2 default_server;
	server_name domain.com;
	root /home/username/www/;

	# HSTS for one year; includeSubDomains extends it to every subdomain of domain.com
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
	add_header X-Frame-Options DENY;

	ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
	# resolver 8.8.8.8 8.8.4.4;
	resolver 1.1.1.1 1.0.0.1;
	# TLSv1 and TLSv1.1 are deprecated; keep only TLSv1.2 unless legacy clients require them
	ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

	ssl_prefer_server_ciphers on;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;

	...
}

Applying to Apache

<VirtualHost *:443>
    ....

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

    SSLHonorCipherOrder on

    SSLCertificateFile "/etc/letsencrypt/live/funfarm.kr/cert.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/funfarm.kr/privkey.pem"
    SSLCertificateChainFile "/etc/letsencrypt/live/funfarm.kr/chain.pem"
</VirtualHost>

Renewing with letsencrypt

sudo systemctl stop nginx
# renews certificates that are inside the renewal window
# certificates not yet inside the window are left alone
sudo letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/domain.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/img.domain.com.conf
-------------------------------------------------------------------------------
Attempting to parse the version 0.26.1 renewal configuration file found at /etc/letsencrypt/renewal/domain.com.conf with version 0.23.0 of Certbot. This might not work.
Cert not yet due for renewal

-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/domain.com/fullchain.pem expires on 2018-10-28 (skipped)
  /etc/letsencrypt/live/img.domain/fullchain.pem expires on 2018-10-28 (skipped)
No renewals were attempted.
-------------------------------------------------------------------------------

sudo systemctl start nginx

certbot installation

git clone https://github.com/certbot/certbot certbot

Configuration

sudo systemctl stop nginx
cd certbot
./certbot-auto certonly -m username@domain.com -d domain.com -d www.domain.com -d blog.domain.com
sudo systemctl start nginx

Renewing with certbot

This is the same as with letsencrypt.
The cloned source contains both certbot-auto and letsencrypt-auto.
They work the same way as the letsencrypt package installed above.

#./certbot-auto renew
./letsencrypt-auto renew
# same output as letsencrypt renew

Registering a crontab entry

0 5 * * 0 systemctl stop nginx; letsencrypt renew >> /var/log/letsencrypt/le-renew.log; systemctl start nginx;
#0 5 * * 0 systemctl stop nginx; /root/certbot/certbot-auto renew >> /var/log/letsencrypt/le-renew.log; systemctl start nginx;

0 5 * * 0 systemctl stop apache2; letsencrypt renew >> /var/log/letsencrypt/le-renew.log; systemctl start apache2;

Renew every Sunday at 5 AM.
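As an added example that is not part of the original post, the following POSIX shell script parses the summary that letsencrypt renew prints (the "expires on YYYY-MM-DD" lines shown above) and reports which certificates fall inside certbot's 30-day renewal window; the sample output and the "today" date are constructed, and the 30-day threshold is certbot's default renewal point.

```shell
#!/bin/sh
# Added example, not part of the original post: parse the summary that
# "letsencrypt renew" prints ("... expires on YYYY-MM-DD (skipped)") and
# report how many days each certificate has left. certbot only renews a
# certificate when fewer than 30 days remain, so anything above that is
# expected to be skipped. "today" is passed in explicitly so the check is
# reproducible; the renew output below is constructed sample text.
RENEW_WINDOW_DAYS=30

# Days since 1970-01-01 for a YYYY-MM-DD date (proleptic Gregorian, pure
# shell arithmetic, so no dependency on GNU date).
days_from_civil() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}                 # avoid octal parsing of 08, 09
    # count from March so that the leap day is the last day of the year
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$((y / 400))
    yoe=$((y - era * 400))
    mp=$(( (m + 9) % 12 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# Read renew output on stdin; print "<path> <days-left> <due|ok>" per cert.
check_renewal_window() {
    today=$(days_from_civil "$1")
    while IFS= read -r line; do
        case "$line" in
            *" expires on "*)
                set -- $line           # path expires on DATE (skipped)
                left=$(( $(days_from_civil "$4") - today ))
                state=ok
                [ "$left" -lt "$RENEW_WINDOW_DAYS" ] && state=due
                echo "$1 $left $state"
                ;;
        esac
    done
}

# Constructed sample of the summary block that "letsencrypt renew" prints.
SAMPLE_RENEW_OUTPUT='The following certs are not due for renewal yet:
  /etc/letsencrypt/live/domain.com/fullchain.pem expires on 2018-10-28 (skipped)
  /etc/letsencrypt/live/img.domain.com/fullchain.pem expires on 2018-10-28 (skipped)
No renewals were attempted.'

# On the day of the post (2018-08-06) both certs have 83 days left: "ok".
printf '%s\n' "$SAMPLE_RENEW_OUTPUT" | check_renewal_window 2018-08-06
```

For the weekly cron entry, certbot's --pre-hook "systemctl stop nginx" and --post-hook "systemctl start nginx" options run those commands only when a certificate is actually renewed, which avoids stopping Nginx every Sunday regardless of whether anything was due.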
