{"id":310,"date":"2018-10-30T16:01:00","date_gmt":"2018-10-30T07:01:00","guid":{"rendered":"https:\/\/trret.com\/?p=310"},"modified":"2025-03-05T12:58:37","modified_gmt":"2025-03-05T03:58:37","slug":"lets-encrypt-%eb%ac%b4%eb%a3%8c-ssl-%ec%9d%b8%ec%a6%9d%ec%84%9c","status":"publish","type":"post","link":"https:\/\/trret.com\/?p=310","title":{"rendered":"Let’s Encrypt - \ubb34\ub8cc SSL \uc778\uc99d\uc11c"},"content":{"rendered":"\n

\uc11c\ubc84 \ud658\uacbd
OS: CentOS7 Apache 2.4.6<\/strong><\/p>\n\n\n\n

#yum install epel-release
# yum install python-certbot-apache<\/p>\n\n\n\n

\uc778\uc99d\uc11c \uc2e0\uaddc\ucd94\uac00<\/strong><\/p>\n\n\n\n

# certbot --apache -d example.co.kr -d www.example.co.kr #\uc11c\ube0c\ub3c4\uba54\uc778 \uc788\ub2e4\uba74 \uc774\ud6c4\uc5d0 \uacc4\uc18d \ucd94\uac00<\/p>\n\n\n\n

\uc778\uc99d\uc11c \uac31\uc2e0<\/strong><\/p>\n\n\n\n

certbot renew<\/p>\n\n\n\n

\uc790\ub3d9 \uc778\uc99d\uc11c \uc5c5\ub370\uc774\ud2b8<\/strong><\/p>\n\n\n\n

# crontab -e<\/p>\n\n\n\n

\/\/30\uc77c\ub9c8\ub2e4 \uc0c8\ubcbd 4\uc2dc 0\ubd84\uc5d0 \uba85\ub839\uc5b4\uac00 \uc2e4\ud589\ub429\ub2c8\ub2e4.<\/p>\n\n\n\n

0 4 *\/30 * * certbot renew<\/p>\n\n\n\n

\uc774\ubbf8 \ub4f1\ub85d\ub41c \ub3c4\uba54\uc778\uc5d0 \uc11c\ube0c\ub3c4\uba54\uc778 \ucd94\uac00\ud558\uc5ec \uc778\uc99d\uc11c \uac31\uc2e0<\/strong><\/p>\n\n\n\n

certbot --cert-name aaa.com<\/a> -d aaa.com<\/a> -d www.aaa.com<\/a> -d ko.aaa.com<\/a><\/p>\n\n\n\n

\uc774\ubbf8 \ub4f1\ub85d\ub41c \ub3c4\uba54\uc778\uc5d0\uc11c \uc11c\ube0c\ub3c4\uba54\uc778 \ud558\ub098 \uc0ad\uc81c<\/strong>(ko.aaa.com\uc0ad\uc81c\ud560 \ub54c)<\/p>\n\n\n\n

certbot --cert-name aaa.com<\/a> -d aaa.com<\/a> -d www.aaa.com<\/a><\/p>\n\n\n\n

\ub3c4\uba54\uc778 \uc778\uc99d\uc11c \uc0ad\uc81c<\/strong>(\uc11c\ube0c\ub3c4\uba54\uc778 \ud3ec\ud568)<\/p>\n\n\n\n

certbot delete<\/p>\n\n\n\n

————————————————————--<\/p>\n\n\n\n

\uc11c\ubc84 \ud658\uacbd
OS<\/strong>: Ubuntu 16.04 Nginx 1.11.4<\/strong><\/p>\n\n\n\n

\uc778\uc99d\uc11c \uc124\uce58<\/strong><\/p>\n\n\n\n

$ cd \/root   # \/root \ub514\ub809\ud1a0\ub9ac\ub85c \uc774\ub3d9\ud574 \uc791\uc5c5 \uc2dc\uc791
$ apt-get update   # \ucd5c\uc2e0 \uc5c5\ub370\uc774\ud2b8\uac00 \uc788\ub294 \uc9c0 \ud559\uc778
$ apt-get install git # git \uc124\uce58
$ git clone https:\/\/github.com\/certbot\/certbot  # certbot \uc124\uce58<\/p>\n\n\n\n

$ cd certbot  # \/certbot \ub514\ub809\ud1a0\ub9ac\ub85c \uc774\ub3d9\ud574 \uc791\uc5c5 \uc2dc\uc791<\/p>\n\n\n\n

$ service nginx stop   # 80\ud3ec\ud2b8\ub97c \uc0ac\uc6a9\ud558\uc9c0 \uc54a\ud1a0\ub85d nginx\ub97c \uc911\ub2e8\uc2dc\ud0b4<\/p>\n\n\n\n

$ .\/certbot-auto certonly # \uc778\uc99d \uc808\ucc28 \uc9c4\ud589, \uc870\uae08 \uc2dc\uac04\uc774 \uac78\ub9bd\ub2c8\ub2e4.<\/p>\n\n\n\n

\uc778\uc99d \uc808\ucc28 \uc0c1\uc138- <\/strong>\uc5f0\ub77d\ubc1b\uc544\ubcfc \uba54\uc77c \uc801\uae30, standalone \uc120\ud0dd, \ub3c4\uba54\uc778\uc744 \uc804\ubd80 \uae30\ub85d. www\ub3c4 \ubcc4\ub3c4\ub85c \uae30\ub85d. \ucef4\ub9c8\ub85c \uad6c\ubd84.$ service nginx start # \uc791\uc5c5\uc774 \ub05d\ub098\uba74 \ub2e4\uc2dc nginx\ub97c \uac00\ub3d9\uc2dc\ud0b4<\/p>\n\n\n\n

$ cd \/etc\/nginx\/sites-available \uc5d0 \ub2e4\uc74c\ud30c\uc77c\uc0dd\uc131<\/p>\n\n\n\n

server {\n    listen       80;\n    server_name  yourdomain.com<\/a> www.yourdomain.com<\/a><\/u>;\n    return 301 https:\/\/$host$request_uri;\n}\n\nserver {\n\n    listen 443 ssl http2;\n    server_name yourdomain.com<\/a>;\n<\/u>    root   \/home\/ubuntu\/yourdomain<\/u>;\n\n    add_header Strict-Transport-Security \"max-age=31536000; includeSubdomains\";\n    add_header X-Frame-Options DENY;\n\n    ssl on;\n    ssl_certificate \/etc\/letsencrypt\/live\/yourdomain.com<\/u>\/fullchain.pem;\n    ssl_certificate_key \/etc\/letsencrypt\/live\/yourdomain.com<\/u>\/privkey.pem;\n\n\n    #OCSP Stapling(\uc778\uc99d\uc11c\uac00 \uc720\ud6a8\ud558\ub2e4\ub294 \uc99d\uba85\uc744 \ubbf8\ub9ac \ubc1b\uc544\ub450\uc5b4\uc11c \uc0ac\uc774\ud2b8\uc5d0 \ucc98\uc74c \ubc29\ubb38\ud560 \ub54c \uc811\uc18d \uc18d\ub3c4\ub97c \ub192\uc5ec\uc8fc\ub294 \ubc29\ubc95dla)\n\n    ssl_dhparam \/etc\/nginx\/ssl\/yourdomain.com.pem<\/u>;\n    ssl_stapling on;\n    ssl_stapling_verify on;\n    ssl_trusted_certificate \/etc\/letsencrypt\/live\/yourdomain.com<\/u>\/fullchain.pem; \n    resolver 8.8.8.8 8.8.4.4;\n\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n\n    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';\n\n\n    ssl_prefer_server_ciphers on;\n    ssl_session_timeout 1d;\n    ssl_session_cache shared:SSL:10m;\n\n    access_log \/var\/log\/nginx\/yourdomain.com<\/u>.access.log;\n    error_log \/var\/log\/nginx\/yourdomain.com<\/u>.error.log warn;\n\n\n   location \/ {\n       try_files $uri $uri\/ \/index.php?$args;\n       index index.php index.html index.htm;\n    }\n\n\n    # Block dot file (.htaccess .htpasswd .svn .git .env and so on.)\n    location ~ \/. {\n        deny all;\n    }\n\n    location = \/favicon.ico {\n        log_not_found off;\n        access_log off;\n    }\n\n    location = \/robots.txt {\n        allow all;\n        log_not_found off;\n        access_log off;\n    }\n\n    location ~* \/(?:uploads|files|data)\/.*.php$ {\n        deny all;\n    }\n\n    # Add trailing slash to *\/wp-admin requests.\n    rewrite \/wp-admin$ $scheme:\/\/$host$uri\/ permanent;\n\n    location ~* ^.+.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {\n        access_log off;\n        log_not_found off;\n        expires max;\n    }\n\n    location ~ [^\/].php(\/|$) {\n        fastcgi_split_path_info ^(.+?.php)(\/.*)$;\n        if (!-f $document_root$fastcgi_script_name) {\n            return 404;\n        }\n\n        fastcgi_pass unix:\/run\/php\/php7.0-fpm.sock<\/u>;\n        fastcgi_index index.php;\n        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;\n        include fastcgi_params;\n\n    }\n\n    # pagespeed on;\n    # pagespeed FileCachePath \/var\/ngx_pagespeed_cache;\n\n    # pagespeed RewriteLevel CoreFilters;\n    # pagespeed EnableFilters defer_javascript;\n\n    # Ensure requests for pagespeed optimized resources go to the pagespeed handler\n    # and no extraneous headers get set.\n    # location ~ \".pagespeed.([a-z].)?[a-z]{2}.[^.]{10}.[^.]+\" {\n    #  add_header \"\" \"\";\n    # }\n    # location ~ \"^\/pagespeed_static\/\" { }\n    # location ~ \"^\/ngx_pagespeed_beacon$\" { }\n}<\/code><\/pre>\n\n\n\n
DH Param \uc0dd\uc131, \uc801\uc6a9 - <\/strong>\uc554\ud638\ud654 \uc131\ub2a5\uc744 \ud5a5\uc0c1<\/p>\n\n\n\n
$ mkdir \/etc\/nginx\/ssl
$ cd \/etc\/nginx\/ssl
$ openssl dhparam -out dhparams.pem 4096  # \uc2dc\uac04\uc774 \ub9ce\uc774 \uc18c\uc694.
$ openssl rand 48 > session_ticket.key  # \uc138\uc158 \ud2f0\ucf13\ud0a4\ub3c4 \uc0dd\uc131. \uc774\ub294 \uc2dc\uac04\uc774 \uac70\uc758 \uac78\ub9ac\uc9c0 \uc54a\ub294\ub2e4.<\/p>\n\n\n\n
\uc778\uc99d\uc11c \uc0c1\ud0dc\ubcf4\uae30<\/strong><\/p>\n\n\n\n
$ certbot certificates<\/p>\n\n\n\n
\uc778\uc99d\uc11c \uc218\ub3d9\uac31\uc2e0<\/strong><\/p>\n\n\n\n
$ certbot renew<\/p>\n\n\n\n
crontab\uc5d0 \uc778\uc99d\uc11c \uac31\uc2e0 \uba85\ub839 \ub4f1\ub85d\ud558\uae30<\/strong><\/p>\n\n\n\n
0  4    1 *\/3 * root \/root\/certbot\/certbot renew >> \/var\/log\/letsencrypt\/le-renew.log<\/strong><\/p>\n\n\n\n
\u203b cron\uc744 3\uac1c\uc6d4\uc5d0 \ud55c\ubc88\uc529 \uc0c8\ubcbd 4\uc2dc\uc5d0 \uac31\uc2e0\uc744 \ud655\uc778\ud558\ub77c\ub294 \uba85\ub839<\/p>\n\n\n\n
crontab\uc5d0 \uc778\uc99d\uc11c \uac31\uc2e0 \uba85\ub839 \ub4f1\ub85d\ud558\uae30 - sudo\uc77c\ub54c<\/strong><\/p>\n\n\n\n
0  4    1 *\/3 * root \/root\/certbot\/certbot renew --pre-hook “sudo service nginx stop” --post-hook “sudo service nginx start” 
<\/strong>
\ub9ac\ub274\uc5bc\uc2dc\uc5d0 nginx \uaed0\ub2e4\ucf1c\uae30<\/strong><\/p>\n\n\n\n
$ vim \/etc\/letsencrypt\/renewal\/ example.co.kr.conf<\/p>\n\n\n\n
[renewalparams]
pre_hook = service nginx stop
post_hook = service nginx start
\ucd94\uac00<\/p>\n\n\n\n
\uc778\uc99d\uc11c\uc5d0 \ub3c4\uba54\uc778 \ucd94\uac00<\/strong><\/p>\n\n\n\n
# service nginx stop<\/p>\n\n\n\n
# certbot certonly<\/p>\n\n\n\n
\uc778\uc99d \uc808\ucc28 \uc0c1\uc138 - <\/strong>standalone \uc120\ud0dd, \ub3c4\uba54\uc778\uc744 \uae30\ub85d. www\ub3c4 \ubcc4\ub3c4\ub85c \uae30\ub85d. \ucef4\ub9c8\ub85c \uad6c\ubd84<\/p>\n\n\n\n
# service nginx start<\/p>\n\n\n\n
# certbot certificates<\/p>\n\n\n\n
\uc778\uc99d\uc11c\uc5d0 \uc11c\ube0c\ub3c4\uba54\uc778 \ucd94\uac00<\/strong><\/p>\n\n\n\n
# service nginx stop<\/p>\n\n\n\n
# certbot certonly<\/p>\n\n\n\n
\uc778\uc99d \uc808\ucc28 \uc0c1\uc138 - <\/strong>standalone \uc120\ud0dd, \uba54\uc778\ub3c4\uba54\uc778\uc744 \ud3ec\ud568\ud558\uc5ec \uc804\ubd80 \uae30\ub85d. www\ub3c4 \ubcc4\ub3c4\ub85c \uae30\ub85d. \ucef4\ub9c8\ub85c \uad6c\ubd84 - \ucd94\uac00\ub85c \ud558\ub294 \uac70\uae30 \ub54c\ubb38\uc5d0 Expand \uc120\ud0dd<\/p>\n\n\n\n
# service nginx start<\/p>\n\n\n\n
# certbot certificates<\/p>\n\n\n\n
\uc778\uc99d\uc11c \uc0ad\uc81c<\/strong><\/p>\n\n\n\n
certbot delete --cert-name example.co.kr<\/p>\n\n\n\n
<\/a> <\/a><\/p>\n\n\n\n
\n\n\n\n
 \uc11c\ubc84 \ud658\uacbd
OS: Rocky8 Apache 2.4.37<\/strong> <\/p>\n\n\n\n
<\/p>\n\n\n\n
1. \ud328\ud0a4\uc9c0 \ub2e4\uc6b4\ub85c\ub4dc<\/strong><\/p>\n\n\n\n
# yum -y install epel-release mod_ssl<\/p>\n\n\n\n
# yum -y install certbot python3-certbot-apache<\/p>\n\n\n\n
<\/p>\n\n\n\n
2. \ubc1c\uae09<\/strong><\/p>\n\n\n\n
# certbot --apache -d \ub3c4\uba54\uc778 -d www.\ub3c4\uba54\uc778<\/p>\n\n\n\n
<\/p>\n\n\n\n
3. \uc790\ub3d9 \uac31\uc2e0 \uc124\uc815<\/strong><\/p>\n\n\n\n
\ubc1c\uae09\ub41c \uc778\uc99d\uc11c \uc720\ud6a8\uae30\uac04\uc740 3\uac1c\uc6d4\uc774\uba70, \ub9cc\ub8cc 1\uac1c\uc6d4 \uc804\ubd80\ud130 \uac31\uc2e0\uc774 \uac00\ub2a5\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
\uc790\ub3d9\uc73c\ub85c \ubc1c\uae09\ubc1b\uc544\uc9c8 \uc218 \uc788\uac8c crontab \uc5d0 \ub4f1\ub85d\ud574 \uc90d\ub2c8\ub2e4. (1\ub2ec\uc5d0 \ud55c\ubc88\uc529 \uc0c8\ubcbd 4\uc2dc\uc5d0 \uac31\uc2e0)<\/p>\n\n\n\n
# crontab -e<\/p>\n\n\n\n
 0  4  *\/30  *  *  root \/usr\/sbin\/certbot renew<\/p>\n\n\n\n
 # service crond restart<\/p>\n","protected":false},"excerpt":{"rendered":"
\uc11c\ubc84 \ud658\uacbdOS: CentOS7 Apache 2.4.6 #yum install epel-release# yum install python-certbot-apache \uc778\uc99d\uc11c \uc2e0\uaddc\ucd94\uac00 # certbot --apache -d example.co.kr -d www.example.co.kr #\uc11c\ube0c\ub3c4\uba54\uc778 \uc788\ub2e4\uba74 \uc774\ud6c4\uc5d0 \uacc4\uc18d \ucd94\uac00 \uc778\uc99d\uc11c \uac31\uc2e0 certbot renew \uc790\ub3d9 \uc778\uc99d\uc11c \uc5c5\ub370\uc774\ud2b8 # crontab -e \/\/30\uc77c\ub9c8\ub2e4 \uc0c8\ubcbd 4\uc2dc 0\ubd84\uc5d0 \uba85\ub839\uc5b4\uac00 \uc2e4\ud589\ub429\ub2c8\ub2e4. 0 4 *\/30 * * certbot renew \uc774\ubbf8 \ub4f1\ub85d\ub41c \ub354 \uc77d\uae30<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[28],"tags":[],"_links":{"self":[{"href":"https:\/\/trret.com\/index.php?rest_route=\/wp\/v2\/posts\/310"}],"collection":[{"href":"https:\/\/trret.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trret.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trret.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/trret.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=310"}],"version-history":[{"count":7,"href":"https:\/\/trret.com\/index.php?rest_route=\/wp\/v2\/posts\/310\/revisions"}],"predecessor-version":[{"id":381,"href":"https:\/\/trret.com\/index.php?rest_route=\/wp\/v2\/posts\/310\/revisions\/381"}],"wp:attachment":[{"href":"https:\/\/trret.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=310"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trret.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=310"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trret.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=310"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}