
[Letsencrypt] Issuing a Free SSL Certificate

by STUDY SOOHYUN 2022. 7. 14.

🤔 SSL Certification ?

→ A certificate, verified by a trusted third party, that enables encrypted communication over SSL between the user's web browser and the website's web server.

⚙️ SSL

SSL (Secure Sockets Layer)

A protocol for encrypted communication between a web browser and a server.

🧷 Letsencrypt HomePage

 

 

Let's Encrypt - 무료 SSL/TLS μΈμ¦μ„œ

 

letsencrypt.org

 

⚙️ Letsencrypt Install & Setting [ Ubuntu : 18.04 ]

📌 Package Update

root@soohyun:/# apt-get update

 

πŸ“Œ Letsencrypt Package Install

root@soohyun:/# apt-get install letsencrypt

 

πŸ“Œ Letsencrypt Certification Issued

root@soohyun:/# letsencrypt certonly --webroot-path=/var/www/html -d soohyun.im

Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?

1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): tossinvest@naver.com [enter the email address you will use]


Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory

(A)gree/(C)ancel: A

Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: Y

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for soohyun.im
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/soohyun.im/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/soohyun.im/privkey.pem
Your cert will expire on 2022-03-18. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew all of your certificates, run "certbot renew"

Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.

If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

📌 KEY Confirm

root@soohyun:/# cd /etc/letsencrypt/live/soohyun.im

root@soohyun:/etc/letsencrypt/live/soohyun.im# ls

README cert.pem chain.pem fullchain.pem privkey.pem

 

πŸ“Œ SSL File Setting

root@soohyun:/# cd /etc/apache2/sites-available/

root@soohyun:/etc/apache2/sites-available# ls -l

total 12
-rw-r--r-- 1 root root 1332 Apr 14 2020 000-default.conf
-rw-r--r-- 1 root root 6338 Apr 14 2020 default-ssl.conf

root@05d87cef2c9a:/etc/apache2/sites-available# vi default-ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/html
        ServerName soohyun.im
        ServerAlias soohyun.im

        # Enable/Disable SSL for this virtual host.
        SSLEngine on

        # A self-signed (snakeoil) certificate can be created by installing
        # the ssl-cert package. See
        # /usr/share/doc/apache2/README.Debian.gz for more info.
        # If both key and certificate are stored in the same file, only the
        # SSLCertificateFile directive is needed.

        # Certificate chain and private key issued by Let's Encrypt above.
        SSLCertificateFile    /etc/letsencrypt/live/soohyun.im/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/soohyun.im/privkey.pem

        # (rest of default-ssl.conf unchanged)
    </VirtualHost>
</IfModule>

:wq

📌 SSL File Apply

root@soohyun:/# a2ensite default-ssl.conf

 

πŸ“Œ Open SSL Install

root@soohyun:/# apt-get install openssl

root@soohyun:/# a2enmod ssl

 

πŸ“Œ Apache2 Restart

root@soohyun:/# service apache2 restart
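
A check worth running once the files above are in place, as an added example that is not part of the original post: it confirms that the certificate and private key referenced in default-ssl.conf belong together, that the certificate is not close to expiry, and that the key is readable only by its owner. The function name `check_cert_pair` and the 30-day default are assumptions; it relies on the `openssl` CLI and GNU `stat` as shipped with Ubuntu.

```bash
# Added example, not from the original post. check_cert_pair is a hypothetical
# helper name and the 30-day default threshold is an assumption.
# Usage: check_cert_pair <fullchain.pem> <privkey.pem> [min_days_left]
check_cert_pair() {
    local cert="$1" key="$2" min_days="${3:-30}" rc=0
    local cert_pub key_pub mode

    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "FAIL: cannot read $cert or $key"
        return 2
    fi

    # 1. The public key inside the leaf certificate (the first certificate in
    #    fullchain.pem) must equal the one derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "OK: certificate and private key match"
    else
        echo "FAIL: certificate and private key do not match"
        rc=1
    fi

    # 2. -checkend exits non-zero when the certificate expires within N seconds.
    if openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "OK: certificate is valid for more than $min_days days"
    else
        echo "FAIL: certificate expires within $min_days days"
        rc=1
    fi

    # 3. live/<domain>/privkey.pem is a symlink, so follow it (-L) and require
    #    that neither group nor others have any access to the key file.
    mode=$(stat -L -c '%a' "$key")
    case "$mode" in
        ?00) echo "OK: private key mode is $mode" ;;
        *)   echo "FAIL: private key mode $mode grants access beyond the owner"; rc=1 ;;
    esac

    return "$rc"
}

# On the server from this post the call would be:
# check_cert_pair /etc/letsencrypt/live/soohyun.im/fullchain.pem \
#                 /etc/letsencrypt/live/soohyun.im/privkey.pem
```

A non-zero return value makes the function usable from cron next to `certbot renew`, so a failed renewal is noticed before the certificate expires.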

 

 

🌍 HTTP → HTTPS Redirect [ Ubuntu : 18.04 ] / VER.01

 

πŸ“Œ File Setting

root@soohyun:/# cd /etc/apache2/sites-available/

root@soohyun:/etc/apache2/sites-available# ls -l
total 12
-rw-r--r-- 1 root root 1332 Apr 14 2020 000-default.conf
-rw-r--r-- 1 root root 6338 Apr 14 2020 default-ssl.conf

root@soohyun:/etc/apache2/sites-available# vi ./000-default.conf

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    # LogLevel info ssl:warn

    ErrorLog     ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Location />
        # Send every request on port 80 to the same path on the HTTPS site.
        RedirectMatch /(.*)$ https://soohyun.im/$1
    </Location>

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

</VirtualHost>

:wq

 

πŸ“Œ Apache2 Restart

root@soohyun:/# service apache2 restart

 

🌍 HTTP → HTTPS Redirect [ Ubuntu : 18.04 ] / VER.02

 

πŸ“Œ Rewrite Module Activate

root@soohyun:/# a2enmod rewrite

 

πŸ“Œ File Setting

root@soohyun:/# cd /etc/apache2/sites-available/

root@soohyun:/etc/apache2/sites-available# ls -l
total 12
-rw-r--r-- 1 root root 1332 Apr 14 2020 000-default.conf
-rw-r--r-- 1 root root 6338 Apr 14 2020 default-ssl.conf

root@soohyun:/etc/apache2/sites-available# vi ./000-default.conf

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    # ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

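    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        # Apache 2.2-style access control; on Apache 2.4 these two lines need
        # mod_access_compat, and the native form is "Require all granted".
        Order allow,deny
        Allow from all
    </Directory>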

    RewriteEngine On
    RewriteCond %{HTTPS} !on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

</VirtualHost>

:wq

 

πŸ“Œ Apache2 Restart

root@soohyun:/# service apache2 restart
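
Both redirect variants (VER.01 and VER.02) can be reviewed before the restart with a small linter, given here as an added example that is not part of the original post. It flags redirect targets built from `%{HTTP_HOST}` (the Host header sent by the client, which the last-resort default vhost accepts for any name), targets left wrapped in `<...>`, and redirects that are not permanent; the function name `lint_http_redirect` is hypothetical.

```bash
# Added example, not from the original post. lint_http_redirect is a
# hypothetical helper: it reads an Apache vhost file (or stdin), prints one
# finding per line and returns 1 if anything was flagged.
lint_http_redirect() {
    awk '
        function report(msg) { printf "line %d: %s: %s\n", NR, $1, msg; bad = 1 }
        /^[ \t]*#/ { next }                       # skip comment lines
        { d = tolower($1) }
        d == "rewriterule" {                      # RewriteRule pattern target [flags]
            target = $3
            perm = (tolower($4) ~ /r=(301|308|permanent)/)
        }
        d == "redirect" || d == "redirectmatch" { # Redirect[Match] [status] path URL
            target = $NF
            perm = (NF == 4 && tolower($2) ~ /^(301|308|permanent)$/)
        }
        d != "rewriterule" && d != "redirect" && d != "redirectmatch" { next }
        {
            if (index(target, "%{HTTP_HOST}"))
                report("target echoes the client-supplied Host header; use the fixed ServerName")
            if (substr(target, 1, 1) == "<")
                report("target is wrapped in <...>; Apache needs a bare URL")
            else if (index(target, "https://") != 1)
                report("target is not an https:// URL")
            if (!perm)
                report("temporary redirect (302); use 301 once HTTPS is confirmed working")
        }
        END { exit bad }
    ' "${1:--}"
}

# Constructed sample: the two redirect rules from this page, then a
# fixed-host permanent redirect that produces no findings.
lint_http_redirect <<'EOF' || true
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]
RedirectMatch /(.*)$ https://soohyun.im/$1
Redirect permanent / https://soohyun.im/
EOF
```

On the server, run it against the edited file, for example `lint_http_redirect /etc/apache2/sites-available/000-default.conf`.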