[CentOS] 17. Apache 기준, SSL/TLS 구성 (도메인 등록(Duck DNS) + SSL 인증서 발급(Let’s Encrypt))
카테고리: CENTOS
01) 도메인 등록(Duck DNS) + SSL 인증서 발급(Let’s Encrypt)
■ Duck DNS에서 도메인 등록
Duck DNS는 Amazon의 Dynamic DNS(DDNS) 서비스으로 Duck DNS는 무료로 제공되며, 누구나 사용할 수 있다.
1) 원하는 계정으로 로그인(예제에서는 구글 계정으로함)
2) 도메인 항목에 원하는 도메인을 넣고 “add domain”을 클릭하면 등록되며, 외부 IP 주소를 입력하고 업데이트
■ SSL 인증서 발급
Let’s Encrypt라는 비영리 기관을 통해 무료로 TLS인증서를 발급받을수 있으며, 인증서의 만료 날짜는 90일이다.
1) Let’s Encrypt에서 인증서를 가져오는 도구인 Certbot Client를 설치
$ dnf -y install epel-release; dnf -y install certbot
2) 인증서 발급
- “[1]” 명령은 Apache 또는 Nginx 등과 같은 웹 서버가 실행 중이어야 하며, 실행 중이지 않은 경우에 사용하려면 “[2]” 명령
# [1]
$ certbot certonly --webroot -w /var/www/html -d chsrv3.duckdns.org
# [2]
$ certbot certonly --standalone -d chsrv3.duckdns.org
# [1] 명령 사용
$ certbot certonly --webroot -w /var/www/html -d chsrv3.duckdns.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): root@test3.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Requesting a certificate for chsrv3.duckdns.org
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/chsrv3.duckdns.org/fullchain.pem
Key is saved at: /etc/letsencrypt/live/chsrv3.duckdns.org/privkey.pem
This certificate expires on 2024-01-22.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3) SSL/TLS 설정을 활성화
$ dnf -y install mod_ssl
$ vi /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/letsencrypt/live/chsrv3.duckdns.org/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/chsrv3.duckdns.org/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/chsrv3.duckdns.org/chain.pem
$ systemctl restart httpd
4) HTTPS로 리디렉션하도록 HTTP 연결을 설정하려면 RewriteRule을 각 호스트 설정으로 설정
$ vi /etc/httpd/conf.d/vhost.conf
<VirtualHost *:80>
DocumentRoot /var/www/html
ServerName chsrv3.duckdns.org
# 추가
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
$ systemctl restart httpd
# 방화벽 허용
$ firewall-cmd --add-service=https
$ firewall-cmd --runtime-to-permanent
5) 결과 확인
댓글 남기기