Getting a Let's Encrypt wildcard SSL certificate with DNS validation

Checking the existing certificate

[root@www conf]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: chohi.ga-0001
    Domains: *.chohi.ga chohi.ga
    Expiry Date: 2018-11-13 04:13:35+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/chohi.ga-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/chohi.ga-0001/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

## Delete the existing certificate lineage (only once nothing in httpd still references its paths)
# certbot delete  --cert-name chohi.ga-0001

Installing certbot-auto

certbot-auto has since been deprecated by the Certbot project; on a current system install certbot from your distribution's packages or the snap instead. Whatever the source, do not run a downloaded installer as root without verifying it: EFF published a detached PGP signature (certbot-auto.asc) next to the script for exactly that purpose.

## Download certbot-auto
[root@www temp]# wget https://dl.eff.org/certbot-auto
--2018-08-15 11:41:37--  https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)... 151.101.0.201, 151.101.64.201, 151.101.128.201, ...
Connecting to dl.eff.org (dl.eff.org)|151.101.0.201|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 62299 (61K) [application/octet-stream]
Saving to: ‘certbot-auto’

100%[==========================================================================================>] 62,299      --.-K/s   in 0.1s    

2018-08-15 11:41:38 (441 KB/s) - ‘certbot-auto’ saved [62299/62299]


## Make it executable
[root@www temp]# chmod +x certbot-auto 

Obtaining the certificate

./certbot-auto certonly --manual -d "*.<domain>" -d <domain> --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Wildcard names are issued only through ACMEv2 (hence the acme-v02 directory URL) and only via the dns-01 challenge, which is why both options are required. Quote the wildcard so the shell does not expand it as a glob. Running certbot-auto helpfully installs the packages it depends on before starting.

[root@www temp]# ./certbot-auto certonly --manual -d "*.chohi.ga" -d chohi.ga  --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /bin/yum
/usr/bin/yum
yum is hashed (/bin/yum)
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                                                                         | 4.9 kB  00:00:00     
 * base: mirror.navercorp.com
 * epel: ftp.jaist.ac.jp
 * extras: mirror.navercorp.com
 * updates: mirror.navercorp.com
base                                                                                                         

...

Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for chohi.ga
dns-01 challenge for chohi.ga

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.chohi.ga with the following value:

K74FykR-HXsjhF8L_PRxKaVfnpX4U4OiPmy5blCbkas

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.chohi.ga with the following value:

l9cWMIZUb9zkhB9UR3oMyiHqWDO4HdWnKSg0_OrqpxE

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. chohi.ga (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.chohi.ga

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: chohi.ga
   Type:   None
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.chohi.ga

The run fails with the NXDOMAIN error shown above: at the moment Let's Encrypt queried _acme-challenge.chohi.ga the name did not exist, meaning the TXT records had not been published (or had not yet reached the authoritative name servers) when Enter was pressed. Note that both challenges ask for a record under the same name, because the wildcard *.chohi.ga and the bare chohi.ga share _acme-challenge.chohi.ga: two TXT records must coexist there, and the second must not replace the first.

In my case I added the TXT records as follows.

Checking the DNS TXT records

# nslookup -q=txt _acme-challenge.chohi.ga
Server:    kns.kornet.net
Address:  168.126.63.1

Non-authoritative answer:
_acme-challenge.chohi.ga        text =      "NnzdPW7AT3LrTQVCEAxXd6XSSSfNf7uXTip1DgH-Is0"
_acme-challenge.chohi.ga        text =       "l9cWMIZUb9zkhB9UR3oMyiHqWDO4HdWnKSg0_OrqpxE"

Running certbot-auto again, the certificate is issued normally. (The nslookup above went through a recursive resolver, kns.kornet.net, hence "non-authoritative answer". Let's Encrypt resolves the name itself, so the answer that counts is the one the zone's authoritative name servers give; querying them directly also avoids a cached NXDOMAIN left over from an attempt made before the record existed.)

[root@www temp]# ./certbot-auto certonly --manual -d *.chohi.ga -d chohi.ga  --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Attempting to parse the version 0.27.0.dev0 renewal configuration file found at /etc/letsencrypt/renewal/duksfarm.ga.conf with version 0.26.1 of Certbot. This might not work.
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for chohi.ga
dns-01 challenge for chohi.ga

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.chohi.ga with the following value:

l9cWMIZUb9zkhB9UR3oMyiHqWDO4HdWnKSg0_OrqpxE

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.chohi.ga with the following value:

NnzdPW7AT3LrTQVCEAxXd6XSSSfNf7uXTip1DgH-Is0

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/chohi.ga-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/chohi.ga-0001/privkey.pem
   Your cert will expire on 2018-11-13. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
    

Restarting httpd

Point ssl.conf at the new files (SSLCertificateFile to fullchain.pem and SSLCertificateKeyFile to privkey.pem; Apache older than 2.4.8 additionally needs SSLCertificateChainFile pointing at chain.pem) and restart httpd. Run apachectl configtest first, otherwise a mistyped path leaves the server down after the restart.

[root@www conf.d]# service httpd restart
Redirecting to /bin/systemctl restart httpd.service
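The ssl.conf fragment the step above refers to, together with a pre-flight check a practitioner would run before touching httpd. This is an added example, not configuration or code from the original post: the VirtualHost around the two directives is illustrative, the certificate paths are the ones certbot printed above, and the check assumes openssl and apachectl are on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: the ssl.conf directives that point
# Apache at the files certbot wrote, plus a pre-flight check before httpd is
# restarted. Assumes Apache 2.4.8+ (fullchain.pem carries the intermediate; older
# versions additionally need SSLCertificateChainFile chain.pem) and `openssl`.
set -eu

# Constructed ssl.conf fragment; the paths are the ones certbot printed above,
# the VirtualHost around them is illustrative.
SSL_CONF='<VirtualHost *:443>
    ServerName chohi.ga
    ServerAlias *.chohi.ga
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/chohi.ga-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/chohi.ga-0001/privkey.pem
</VirtualHost>'

# Value of one directive in a config text ($1 text, $2 directive); trailing
# comments are skipped and the first occurrence wins.
conf_value() {
  printf '%s\n' "$1" \
    | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p" \
    | head -n 1
}

# A certificate and a private key belong together when their public keys match
# (works for RSA and ECDSA alike, unlike comparing RSA moduli).
cert_key_match() {
  [ -r "$1" ] && [ -r "$2" ] || { echo "cannot read $1 or $2" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Pre-flight for a real ssl.conf: paths resolve, key matches cert, the SAN list
# really contains a wildcard, the config parses; then reload rather than restart
# so open connections survive. Usage: preflight_and_reload /etc/httpd/conf.d/ssl.conf
preflight_and_reload() {
  conf_text=$(cat "$1")
  cert=$(conf_value "$conf_text" SSLCertificateFile)
  key=$(conf_value "$conf_text" SSLCertificateKeyFile)
  cert_key_match "$cert" "$key" || { echo "key does not match certificate" >&2; return 1; }
  openssl x509 -in "$cert" -noout -text | grep -q 'DNS:\*\.' \
    || { echo "certificate has no wildcard SAN" >&2; return 1; }
  apachectl configtest
  systemctl reload httpd
}
```

The public-key comparison catches the most common deployment mistake after a reissue: a config that points at a fresh fullchain.pem but an old privkey.pem from another lineage, which httpd rejects only at restart.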

Checking the wildcard certificate

Until now every added (sub)domain meant obtaining another certificate; with a wildcard, adding a domain is a lot more convenient.

Let's Encrypt certificates are free, and yet wildcard certificates are supported.

Renewing the certificate

The certificate is valid for 90 days, so it has to be renewed every three months. Registering certbot renew in crontab runs the renewal at the scheduled time; it only renews certificates within 30 days of expiry, so running it daily is harmless, but it does not restart httpd on its own (add --deploy-hook for that). Whether the wildcard certificate renews this way I will find out in three months.

0 3 * * * certbot renew #runs daily at 03:00

[root@www conf]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/chohi.ga-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  /etc/letsencrypt/live/chohi.ga-0001/fullchain.pem expires on 2018-11-13 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

## Rehearse renewal against the staging endpoint (the real certificate is not changed)
certbot renew --dry-run

--dry-run does not force a renewal. Renewing before the 30-day window requires --force-renewal, and every forced issuance counts against Let's Encrypt's rate limits.

Naver, the well-known Korean portal, is not using a wildcard SSL certificate yet either.

Added 2019-02-06

A wildcard SSL certificate obtained this way does not renew automatically: certbot renew runs non-interactively, and the manual authenticator has no way to prompt for the TXT records, so the renewal fails.

Every three months the procedure above has to be repeated and the HTTP server restarted.

The reason is the two TXT records of type _acme-challenge that must be placed in DNS. After entering the first one, confirm with "nslookup -q=txt _acme-challenge.<domain>" that the DNS change is visible before continuing.

With Google Domains it takes about 10 minutes for the update to appear.

The second _acme-challenge record likewise has to be confirmed in DNS before continuing.

Renewing the certificate ends up taking almost 30 minutes...
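Two places in this post call for the same small tool: the "verify the record is deployed" step before pressing Enter in the manual flow, and the renewal problem described in this addendum. The script below is an added example (not code from the original post and not part of certbot) that serves both. Run by hand with the check argument it polls the zone's authoritative name servers for the token certbot displayed; installed as certbot's --manual-auth-hook and --manual-cleanup-hook it publishes and removes the TXT records itself, so certbot renew can run unattended from cron. The environment variables and certbot flags used are the real ones; the script name and path (/usr/local/bin/acme-dns-hook.sh), the ZONE_STATE file that stands in for a DNS provider's API, and the sample dig answer are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post. Three modes in one script:
#   check   - run by hand before pressing Enter in the --manual flow above:
#             waits until every authoritative name server serves the token
#             certbot displayed (the recursive resolver nslookup used can
#             hand back a cached NXDOMAIN long after the record exists).
#   auth    - certbot --manual-auth-hook: publishes the TXT record and waits.
#   cleanup - certbot --manual-cleanup-hook: removes that record again.
# CERTBOT_DOMAIN, CERTBOT_VALIDATION and CERTBOT_REMAINING_CHALLENGES are the
# variables certbot's manual plugin exports to hooks. The provider API differs
# per DNS host, so publish_txt/remove_txt are a stand-in that keeps records in
# a local file (ZONE_STATE); replace them with your provider's call.
# Assumes `dig` (bind-utils / dnsutils) for the live lookups.
set -eu

ZONE_STATE=${ZONE_STATE:-/tmp/acme-txt-records.txt}   # stand-in zone, "name value" per line
# Constructed `dig +short TXT` answer shaped like the nslookup result above (offline demo only).
SAMPLE_ANSWER='"NnzdPW7AT3LrTQVCEAxXd6XSSSfNf7uXTip1DgH-Is0"
"l9cWMIZUb9zkhB9UR3oMyiHqWDO4HdWnKSg0_OrqpxE"'

# "*.chohi.ga" and "chohi.ga" share one owner name, so two TXT records must coexist there.
acme_name() {
  printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Does a `dig +short TXT` answer contain the token? dig quotes each record and
# may split a long one into quoted chunks, so quotes and spaces are dropped
# before comparing whole lines (an ACME token contains neither).
txt_answer_has_token() {
  printf '%s\n' "$1" | tr -d '" ' | grep -Fx -- "$2" >/dev/null
}

# Query the authoritative servers directly (bypassing resolver caches) until
# all of them return the token, or give up. $1 name, $2 token, $3 zone, $4 tries.
wait_for_txt() {
  name=$1; token=$2; zone=$3; tries=${4:-60}
  servers=$(dig +short NS "$zone")
  [ -n "$servers" ] || { echo "no NS records for $zone" >&2; return 2; }
  while [ "$tries" -gt 0 ]; do
    missing=
    for ns in $servers; do
      txt_answer_has_token "$(dig +short TXT "$name" "@$ns")" "$token" || { missing=$ns; break; }
    done
    [ -n "$missing" ] || { echo "$name -> $token is live on all authoritative servers"; return 0; }
    echo "waiting: $missing does not serve $token yet" >&2
    tries=$((tries - 1)); sleep 10
  done
  return 1
}

# Stand-in for the provider API. Adds without replacing: a naive "set TXT"
# call would overwrite the first challenge's record with the second one.
publish_txt() {
  touch "$ZONE_STATE"
  grep -Fxq -- "$1 $2" "$ZONE_STATE" || printf '%s %s\n' "$1" "$2" >>"$ZONE_STATE"
}

# Remove exactly one name/value pair, leaving the other challenge's record.
remove_txt() {
  [ -f "$ZONE_STATE" ] || return 0
  grep -Fxv -- "$1 $2" "$ZONE_STATE" >"$ZONE_STATE.tmp" || true
  mv "$ZONE_STATE.tmp" "$ZONE_STATE"
}

txt_values() {   # values currently published under a name, one per line
  [ -f "$ZONE_STATE" ] || return 0
  awk -v n="$1" '$1 == n { print $2 }' "$ZONE_STATE"
}

auth_hook() {
  name=$(acme_name "$CERTBOT_DOMAIN")
  publish_txt "$name" "$CERTBOT_VALIDATION"
  # certbot runs the hook once per challenge and validates only after the last
  # one, so wait once, for every value published, when no challenges remain.
  if [ "${CERTBOT_REMAINING_CHALLENGES:-0}" -eq 0 ]; then
    for v in $(txt_values "$name"); do
      wait_for_txt "$name" "$v" "${CERTBOT_DOMAIN#\*.}"
    done
  fi
}

cleanup_hook() {
  remove_txt "$(acme_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
}

case "${1:-}" in
  auth)    auth_hook ;;
  cleanup) cleanup_hook ;;
  check)   wait_for_txt "$(acme_name "$2")" "$3" "${2#\*.}" ;;
esac
# Manual flow: ./acme-dns-hook.sh check '*.chohi.ga' l9cWMIZUb9zkhB9UR3oMyiHqWDO4HdWnKSg0_OrqpxE
# Unattended renewal: the hooks below are saved in the renewal conf, so `certbot renew`
# reuses them (certbot 0.x also needs --manual-public-ip-logging-ok to skip the IP prompt):
#   certbot-auto certonly --manual --preferred-challenges dns-01 \
#     --manual-auth-hook '/usr/local/bin/acme-dns-hook.sh auth' \
#     --manual-cleanup-hook '/usr/local/bin/acme-dns-hook.sh cleanup' \
#     --deploy-hook 'systemctl reload httpd' -d '*.chohi.ga' -d chohi.ga \
#     --server https://acme-v02.api.letsencrypt.org/directory
```

Waiting only when CERTBOT_REMAINING_CHALLENGES reaches 0 matters because the wildcard and the bare domain each produce a challenge: certbot calls the hook twice for the same owner name and validates both only after the second call, which is also why publish_txt appends rather than replaces. The ten-minute propagation delay observed with Google Domains is exactly what the poll absorbs, and --deploy-hook takes care of the httpd reload the manual procedure does by hand.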

Still, it is free, so I use it gratefully.

For a secure site, thirty minutes is well worth investing.

About the Author: chohi
