– 패키지 설치
[root@jyh-test ~]# dnf install epel-release curl mod_ssl
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 3:01:39 ago on Thu Nov 10 09:27:23 2022.
Package epel-release-8-18.el8.noarch is already installed.
Package curl-7.61.1-22.el8_6.4.x86_64 is already installed.
Dependencies resolved.
===================================================================================================================================================================================================================
Package Architecture Version Repository Size
===================================================================================================================================================================================================================
Installing:
mod_ssl x86_64 1:2.4.37-47.module+el8.6.0+985+b8ff6398.2 appstream 137 k
Transaction Summary
===================================================================================================================================================================================================================
Install 1 Package
Total download size: 137 k
Installed size: 266 k
Is this ok [y/N]: y
[root@jyh-test ~]# dnf install python3-certbot-apache
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 3:02:07 ago on Thu Nov 10 09:27:23 2022.
Dependencies resolved.
===================================================================================================================================================================================================================
Package Architecture Version Repository Size
===================================================================================================================================================================================================================
Installing:
python3-certbot-apache noarch 1.22.0-1.el8 epel 145 k
Installing dependencies:
augeas-libs x86_64 1.12.0-7.el8 baseos 436 k
python3-acme noarch 1.22.0-1.el8 epel 96 k
python3-augeas noarch 0.5.0-12.el8 appstream 30 k
python3-certbot noarch 1.22.0-1.el8 epel 426 k
python3-configargparse noarch 0.14.0-6.el8 epel 36 k
python3-distro noarch 1.4.0-2.module+el8.3.0+120+426d8baf appstream 36 k
python3-josepy noarch 1.9.0-1.el8 epel 103 k
python3-parsedatetime noarch 2.5-1.el8 epel 79 k
python3-pyOpenSSL noarch 19.0.0-1.el8 appstream 102 k
python3-pyrfc3339 noarch 1.1-1.el8 epel 19 k
python3-requests-toolbelt noarch 0.9.1-4.el8 epel 91 k
python3-zope-component noarch 4.3.0-8.el8 epel 313 k
python3-zope-event noarch 4.2.0-12.el8 epel 210 k
python3-zope-interface x86_64 4.6.0-1.el8 epel 158 k
Installing weak dependencies:
certbot noarch 1.22.0-1.el8 epel 54 k
python-josepy-doc noarch 1.9.0-1.el8 epel 23 k
Transaction Summary
===================================================================================================================================================================================================================
Install 17 Packages
Total download size: 2.3 M
Installed size: 8.6 M
Is this ok [y/N]: y
# apache를 사용할 경우 python3-certbot-apache를 설치하며, 현재는 nginx가 설치되어 있으므로 dnf install python3-certbot-nginx 로 설치.
[root@jyh-test ~]# dnf install python3-certbot-nginx
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 3:04:56 ago on Thu Nov 10 09:27:23 2022.
Dependencies resolved.
===================================================================================================================================================================================================================
Package Architecture Version Repository Size
===================================================================================================================================================================================================================
Installing:
python3-certbot-nginx noarch 1.22.0-1.el8 epel 85 k
Transaction Summary
===================================================================================================================================================================================================================
Install 1 Package
Total download size: 85 k
Installed size: 291 k
Is this ok [y/N]: y
– 발급
[root@jyh-test ~]# certbot --nginx -d {도메인} -d {도메인}
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): {메일주소}
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for {도메인} and {도메인}
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/{도메인}/fullchain.pem
Key is saved at: /etc/letsencrypt/live/{도메인}/privkey.pem
This certificate expires on 2023-02-08.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for {도메인} to /etc/nginx/nginx.conf
Successfully deployed certificate for {도메인} to /etc/nginx/nginx.conf
Congratulations! You have successfully enabled HTTPS on {도메인} and {도메인}
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
– 발급 현황 및 설정 확인
[root@jyh-test ~]# cat /etc/nginx/nginx.conf
..
..
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/{도메인}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/{도메인}/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
..
..
[root@jyh-test ~]# cat /etc/letsencrypt/options-ssl-nginx.conf
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
[root@jyh-test ~]# ll /etc/letsencrypt/live/{도메인}/
total 4
-rw-r--r-- 1 root root 692 Nov 10 12:35 README
lrwxrwxrwx 1 root root 35 Nov 10 12:35 cert.pem -> ../../archive/{도메인}/cert1.pem
lrwxrwxrwx 1 root root 36 Nov 10 12:35 chain.pem -> ../../archive/{도메인}/chain1.pem
lrwxrwxrwx 1 root root 40 Nov 10 12:35 fullchain.pem -> ../../archive/{도메인}/fullchain1.pem
lrwxrwxrwx 1 root root 38 Nov 10 12:35 privkey.pem -> ../../archive/{도메인}/privkey1.pem
– 갱신 관련
[root@jyh-test ~]# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/{도메인}.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for {도메인} and {도메인}
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/{도메인}/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# 실제 적용은 하지 않고 체크시.
[root@jyh-test ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/{도메인}.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/{도메인}/fullchain.pem expires on 2023-02-08 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# 갱신.
[root@jyh-test ~]# certbot renew --renew-hook "service nginx reload"
# 갱신 시 쉘 명령어 실행(--post-hook, --pre-hook, --deploy-hook 등 기타 옵션도 있음).
[root@jyh-test ~]# certbot renew --renew-hook "service nginx reload"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/{도메인}.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/{도메인}/fullchain.pem expires on 2023-02-08 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# 만료까지 여유가 많이 남아 있으면 갱신하지 않음(위 출력의 "not yet due for renewal").
– 갱신 만료 시간 확인
[root@jyh-test ~]# openssl x509 -dates -noout < /etc/letsencrypt/live/{도메인}/fullchain.pem
notBefore=Nov 10 02:33:10 2022 GMT
notAfter=Feb 8 02:33:09 2023 GMT
[root@jyh-test ~]# echo | openssl s_client -servername kr.object.iwinv.kr -connect kr.object.iwinv.kr:443 2>/dev/null | openssl x509 -noout -dates | cut -d= -f2
Sep 13 23:40:38 2022 GMT
Dec 12 23:40:37 2022 GMT
[root@jyh-test ~]# echo | openssl s_client -servername kr.object.iwinv.kr -connect kr.object.iwinv.kr:443 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2
Dec 12 23:40:37 2022 GMT
[root@jyh-test ~]# openssl x509 -checkend 100 -noout -in /etc/letsencrypt/live/{도메인}/fullchain.pem
Certificate will not expire
[root@jyh-test ~]# let expire_date=3600*24*100
[root@jyh-test ~]# openssl x509 -checkend $expire_date -noout -in /etc/letsencrypt/live/{도메인}/fullchain.pem
Certificate will expire
# -checkend의 값은 초 단위 기준.
– 갱신 자동화 생성
[root@jyh-test ~]# cat ssl_expire_check.sh
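#!/bin/bash
# ssl_expire_check.sh
#
# Purpose: when the local Let's Encrypt certificate is within 10 days of
# expiry, run `certbot renew` (reloading nginx via the hook), then verify the
# certificate that nginx actually serves and report the outcome to Telegram.
#
# Fix over the original: a failing `certbot renew` previously broke the
# `&&` chain, so `tag` was never set and NO notification was sent at all;
# now a certbot failure is reported explicitly.
#
# Placeholders ({도메인}, {id}, {봇주소}) are the page's own markers and
# must be replaced before use.
set -u

domain='{도메인}'
cert_file="/etc/letsencrypt/live/${domain}/fullchain.pem"
# -checkend takes seconds: 10 days
expire_date=$((3600 * 24 * 10))

chat_id='{id}'
# NOTE(review): the bot token is part of this URL, so it is visible in
# argv (ps) and in cron mail; a 0600 curl config file (`curl -K file`) keeps
# it out of the process list.
bot_url='https://api.telegram.org/{봇주소}/sendMessage'

#######################################
# Send a text message to the Telegram chat.
# Arguments: $1 - message text
# Returns:   curl's exit status
#######################################
notify() {
  curl -F "chat_id=${chat_id}" -F "text=$1" "$bot_url"
}

# Only the first certificate in fullchain.pem (the leaf) is examined.
check=$(openssl x509 -checkend "$expire_date" -noout -in "$cert_file")
if [ "$check" != "Certificate will expire" ]; then
  exit 0   # still valid for more than 10 days: nothing to do
fi

# --deploy-hook is the current name for this option; --renew-hook is kept
# as used on the page.
if ! certbot renew --renew-hook "service nginx reload"; then
  notify "${domain} ssl 갱신 실패 했습니다. 확인 ㄱㄱ."
  exit 1
fi

# Re-check what the server actually serves (not just the file on disk),
# so a missed nginx reload is also caught.
re_check=$(openssl s_client -servername "$domain" -connect "${domain}:443" \
  </dev/null 2>/dev/null | openssl x509 -checkend "$expire_date" -noout)
if [ "$re_check" == "Certificate will expire" ]; then
  notify "${domain} ssl 갱신 실패 했습니다. 확인 ㄱㄱ."
else
  notify "${domain} ssl 갱신 성공 했습니다.."
fi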
[root@jyh-test ~]# tail -n 1 /etc/crontab
1 5 * * 7 root bash /root/ssl_expire_check.sh