Installing a free web server certificate with Let's Encrypt

First, install Certbot. The steps below use the certbot-auto wrapper script and run it from the directory it was downloaded to.

Add the following to the Apache configuration. The certificate paths are the ones certbot writes under /etc/letsencrypt/live/; fullchain.pem already contains the intermediate certificate, which is why SSLCertificateChainFile stays commented out. The SSLProtocol and SSLCipherSuite lines are the Mozilla "intermediate" profile of the time; on a current Apache also disable TLS 1.0 and 1.1 (SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1) and drop the 3DES entry (DES-CBC3-SHA) from the cipher list.

<VirtualHost *:443>
DocumentRoot /var/www/path
ServerName youwant.domain.com
# Baseline setting to Include for SSL sites
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
SSLOptions +StrictRequire
SSLCertificateFile /etc/letsencrypt/live/youwant.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/youwant.domain.com/privkey.pem
#SSLCertificateChainFile /etc/letsencrypt/live/youwant.domain.com/chain.pem
# Add vhost name (%v) to log entries:
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
CustomLog logs/https-access_log vhost_combined
#LogLevel warn
ErrorLog logs/https-error_log
# Always ensure Cookies have "Secure" set (JAH 2012/1)
Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
</VirtualHost>

Issue the certificate in manual mode (certonly: certbot only obtains the files and does not touch the Apache configuration). It prints a challenge token and waits at "Press Enter to Continue" until the verification file from the next step is in place:

$ ./certbot-auto certonly --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): youwant.domain.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for youwant.domain.com
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
-------------------------------------------------------------------------------
Make sure your web server displays the following content at
http://youwant.domain.com/.well-known/acme-challenge/IESnm11KVXoRkHn1YcM_xD-QTxD3eGpY-vxTu5kk5eQ before continuing:
IESnm11KVXoRkHn1YcM_xD-QTxD3eGpY-vxTu5kk5eQ.sFUXG1alFRAzJg6bqtUY6137CK5FJ5YfE1BI3u-KdEU
If you don't have HTTP server configured, you can run the following
command on the target server (as root):
mkdir -p /tmp/certbot/public_html/.well-known/acme-challenge
cd /tmp/certbot/public_html
printf "%s" IESnm11KVXoRkHn1YcM_xD-QTxD3eGpY-vxTu5kk5eQ.sFUXG1alFRAzJg6bqtUY6137CK5FJ5YfE1BI3u-KdEU > .well-known/acme-challenge/IESnm11KVXoRkHn1YcM_xD-QTxD3eGpY-vxTu5kk5eQ
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/youwant.domain.com/fullchain.pem. Your cert
   will expire on 2017-05-17. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

Create the domain-ownership verification file under the DocumentRoot (/var/www/path in the vhost above) while certbot is waiting, then press Enter. Let's Encrypt fetches the path over plain HTTP, so the port-80 side of the site must serve it (a redirect to https is accepted), and the file must contain the key authorization exactly, with no trailing newline, which is why printf "%s" is used rather than echo:

$ cd /var/www/path
$ mkdir -p .well-known/acme-challenge
$ printf "%s" IESnm11KVXoRkHn1YcM_xD-QTxD3eGpY-vxTu5kk5eQ.sFUXG1alFRAzJg6bqtUY6137CK5FJ5YfE1BI3u-KdEU > .well-known/acme-challenge/IESnm11KVXoRkHn1YcM_xD-QTxD3eGpY-vxTu5kk5eQ

Restart (or gracefully reload, e.g. apachectl graceful) the web server so that it picks up the new certificate and key.
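The manual http-01 step is where this procedure usually goes wrong: the file has to be served over plain HTTP on port 80 (the vhost above only listens on 443), at exactly that path, with exactly the key authorization as its content. The shell script below is an added example, not code from the original post or from certbot: it stages the file, validates it the way the CA reads it, fetches it the way the CA does, and after issuance checks that fullchain.pem matches privkey.pem and how long the certificate stays valid. The function names, the throwaway webroot and the token/thumbprint values are constructed for illustration; the real token and key authorization are the ones certbot prints, and the real webroot is /var/www/path from the vhost.

```shell
#!/bin/sh
# Added example, not code from the original post or from certbot.
# Stages an http-01 challenge file the way certbot's manual mode asks for,
# checks it before you press Enter, and checks the issued files afterwards.
# Function names, the temporary webroot and the token/thumbprint values are
# constructed for illustration; certbot prints the real token and key
# authorization, and the real webroot is the vhost's DocumentRoot.

# Write the key authorization to <webroot>/.well-known/acme-challenge/<token>.
# printf "%s" (no trailing newline) is deliberate: the CA compares bytes.
write_challenge() {
    webroot=$1; token=$2; keyauth=$3
    mkdir -p "$webroot/.well-known/acme-challenge" || return 1
    printf "%s" "$keyauth" > "$webroot/.well-known/acme-challenge/$token"
}

# Validate a staged file the way the CA reads it (RFC 8555, section 8.3):
# exactly <token>.<account-key-thumbprint>, both parts base64url
# (A-Z a-z 0-9 - _, no padding), and nothing else, not even a newline.
check_challenge() {
    webroot=$1; token=$2
    f="$webroot/.well-known/acme-challenge/$token"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    body=$(cat "$f"; printf x); body=${body%x}   # keeps a trailing newline, if any
    case "$token" in
        ""|*[!A-Za-z0-9_-]*) echo "token is not base64url" >&2; return 1 ;;
    esac
    case "$body" in
        "$token".*) ;;
        *) echo "content does not start with '<token>.'" >&2; return 1 ;;
    esac
    thumb=${body#"$token".}
    case "$thumb" in
        ""|*[!A-Za-z0-9_-]*) echo "thumbprint part is not clean base64url (trailing newline?)" >&2; return 1 ;;
    esac
    return 0
}

# Fetch the challenge the way the CA will: plain http://, port 80 (a redirect
# to https is tolerated, a 404 from an https-only vhost is not), and compare it
# byte for byte with the staged file. Needs curl and the real DNS/server.
verify_live() {
    domain=$1; webroot=$2; token=$3
    expected=$(cat "$webroot/.well-known/acme-challenge/$token"; printf x)
    got=$(curl -fsSL "http://$domain/.well-known/acme-challenge/$token"; printf x)
    [ "$got" = "$expected" ]
}

# After issuance: the leaf certificate (first block of fullchain.pem) must carry
# the public key of privkey.pem, otherwise Apache refuses the vhost. Both
# commands print the SubjectPublicKeyInfo as PEM, so the strings can be compared.
cert_matches_key() {
    pub_cert=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    pub_key=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$pub_cert" = "$pub_key" ]
}

# True if the certificate is still valid $2 days from now (Let's Encrypt
# certificates last 90 days, and certbot renews inside the last 30).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demo with constructed values in a throwaway webroot.
demo_root=$(mktemp -d)
demo_token=aBcD1234-_xyz
write_challenge "$demo_root" "$demo_token" "$demo_token.ThUmBpRiNt-0987_abc"
check_challenge "$demo_root" "$demo_token" && echo "staged challenge looks right"
rm -rf "$demo_root"

# On the real server, with the token certbot printed, before pressing Enter:
#   verify_live youwant.domain.com /var/www/path "$token"
# and after issuance:
#   cert_matches_key /etc/letsencrypt/live/youwant.domain.com/fullchain.pem \
#                    /etc/letsencrypt/live/youwant.domain.com/privkey.pem
#   valid_for_days   /etc/letsencrypt/live/youwant.domain.com/fullchain.pem 30
```

Run it on the server before pressing Enter; if verify_live fails while check_challenge passes, the problem is the :80 vhost (or the redirect to https), not the :443 vhost shown above.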

Done!

P.S.:
Let's Encrypt certificates expire after 90 days, so add the renewal run to cron. It is safe to run often, because renew only replaces certificates that are within 30 days of expiry. The schedule and the path to certbot-auto below are examples; cron does not run from the download directory, so give the full path:

0 3,15 * * * /path/to/certbot-auto renew --quiet

Two caveats for this post's setup. First, a certificate obtained with --manual cannot be renewed unattended like this, because renew has no way to place the new challenge file: either re-issue it with the webroot authenticator (certonly --webroot -w /var/www/path -d youwant.domain.com), after which renew writes the challenge into the DocumentRoot itself, or give certbot a --manual-auth-hook script that does so. Second, Apache keeps the old certificate in memory until it is reloaded, so add --post-hook "apachectl graceful" (or a --deploy-hook, which runs only when a certificate was actually renewed) to the renew command.