0. Installation environment

 

(1) Apache installation

Certbot's Apache plugin expects the stock Apache installation (httpd installed with yum).
It looks for mod_ssl's configuration file ssl.conf in its default location, so /etc/httpd/conf.d/ssl.conf must exist (on CentOS 7 the mod_ssl package installs it; ssl.conf is the SSL configuration file, not the certificate itself).
ssl.conf should also still contain only the default settings: Certbot edits that file itself when it deploys the certificate, and a hand-modified HTTPS vhost may not be picked up automatically.
Because the plugin relies on the stock CentOS 7.3 httpd.service layout, using it with anything other than the default installation (a source-built Apache, for example) is difficult.

 

(2) Domain registration

The domain Certbot issues for must already be registered in public DNS and resolve to this server, because Let's Encrypt validates the name from the outside.
e.g. a publicly registered name such as www.naver.com


Certbot installation

 

1. Open the Certbot page

Go to https://certbot.eff.org/ and open the instructions for your OS / web server.

 

2. Install Certbot

yum -y install epel-release    adds the EPEL repository (Certbot is packaged there, not in the base repositories)
yum -y install certbot-apache    installs Certbot together with its Apache plugin

 

3. Certificate issuance

Transcript of the original run. Two details in it are now historical: the tls-sni-01 challenge shown below has been retired by Let's Encrypt (it was disabled after a validation weakness was found in shared-hosting setups), so a current Certbot validates with http-01 and needs port 80 reachable from the internet, and the acme-v01 endpoint has been shut down in favour of the ACME v2 API. The sequence of prompts is otherwise the same.

[root@web03 conf.modules.d]# certbot --apache    // issue a certificate and configure Apache for it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):mymail@mail.com
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
 
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A  
 
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y  
Starting new HTTPS connection (1): supporters.eff.org
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel):web03.mydomain.com // domain name the certificate is issued for
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for web03.mydomain.com
 
We were unable to find a vhost with a ServerName or Address of web03.mydomain.com.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
-------------------------------------------------------------------------------
1: ssl.conf                       |                       | HTTPS | Enabled
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1 // config file (vhost) used for the challenge
Waiting for verification...
Cleaning up challenges
 
We were unable to find a vhost with a ServerName or Address of web03.mydomain.com.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
-------------------------------------------------------------------------------
1: ssl.conf                       |                       | HTTPS | Enabled
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1 // config file (vhost) the certificate is deployed to
Deploying Certificate for web03.mydomain.com to VirtualHost /etc/httpd/conf.d/ssl.conf
 
Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1 // access policy; 1 was chosen here, 2 (redirect all HTTP to HTTPS) is the safer choice
 
-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://web03.mydomain.com
 
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=web03.mydomain.com
-------------------------------------------------------------------------------
 
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/web03.mydomain.com/fullchain.pem. Your cert
   will expire on 2017-12-13. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
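The interactive session above as a script, an added example that is not part of the original post: it checks the section 0 prerequisites, issues with the same answers given as flags (e-mail, ToS agreement, domain), and checks the validity of the result. Assumptions: DOMAIN, EMAIL and the /etc/letsencrypt/live path are the transcript's placeholders; `--redirect` picks option 2 (Secure) rather than the 1 chosen above; `days_until_expiry` parses the `notAfter=` line that `openssl x509 -noout -enddate` prints.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: scripted equivalent of the interactive
# `certbot --apache` run, with pre-flight checks and a post-issuance validity check.
# Placeholders (assumed): DOMAIN, EMAIL and the /etc/letsencrypt/live path from the transcript.
set -eu

DOMAIN="${DOMAIN:-web03.mydomain.com}"
EMAIL="${EMAIL:-mymail@mail.com}"
LIVE_DIR="/etc/letsencrypt/live/${DOMAIN}"

# Section 0 prerequisites: mod_ssl's ssl.conf must be in place and the name must resolve,
# otherwise the plugin finds no HTTPS vhost and the ACME challenge cannot reach the host.
preflight() {
    [ -f /etc/httpd/conf.d/ssl.conf ] || { echo "missing /etc/httpd/conf.d/ssl.conf: yum -y install mod_ssl" >&2; return 1; }
    systemctl is-active --quiet httpd || { echo "httpd.service is not running" >&2; return 1; }
    getent hosts "$DOMAIN" >/dev/null || { echo "$DOMAIN does not resolve in DNS" >&2; return 1; }
}

# Same answers as the interactive session, given as flags. --redirect corresponds to
# option 2 (Secure); --no-eff-email answers N to the mailing-list prompt.
issue() {
    certbot --apache --non-interactive --agree-tos --no-eff-email \
        -m "$EMAIL" -d "$DOMAIN" --redirect
}

# Days from TODAY (YYYY-MM-DD) to the notAfter line that `openssl x509 -noout -enddate`
# prints ("notAfter=Dec 13 10:22:31 2017 GMT"). The date arithmetic is done in awk with the
# Julian-day-number formula so it works with any awk and does not need GNU date.
days_until_expiry() {
    awk -v na="$1" -v today="$2" '
    function jdn(y, m, d,    a, yy, mm) {
        a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
        return d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
    }
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) mon[names[i]] = i
        sub(/^notAfter=/, "", na)
        split(na, f, /[ \t]+/)        # f[1]=month f[2]=day f[3]=hh:mm:ss f[4]=year f[5]=GMT
        split(today, t, "-")
        print jdn(f[4] + 0, mon[f[1]], f[2] + 0) - jdn(t[1] + 0, t[2] + 0, t[3] + 0)
    }'
}

# Let's Encrypt certificates are valid for 90 days, so renewal is a separate, recurring
# step; --dry-run proves the Apache plugin can perform it unattended.
verify() {
    local left
    left=$(days_until_expiry "$(openssl x509 -noout -enddate -in "$LIVE_DIR/cert.pem")" "$(date -u +%Y-%m-%d)")
    echo "$DOMAIN: certificate valid for $left more days"
    [ "$left" -gt 30 ] || echo "warning: inside the 30-day renewal window" >&2
    certbot renew --dry-run
}

# Only touch the system when asked; running without arguments just defines the functions.
if [ "${1:-}" = "--issue" ]; then
    preflight
    issue
    verify
fi
```

Run it as `DOMAIN=web03.mydomain.com EMAIL=mymail@mail.com ./issue.sh --issue`; without `--issue` it only defines the functions, so `days_until_expiry` can be sourced into a monitoring job that alerts before the 30-day renewal window closes.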

 

4. ssl.conf configuration

The resulting ssl.conf, with the certificate paths Certbot wrote and the site-specific parts (document root, mod_jk mount) filled in:

Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>

#ErrorLog logs/ssl_error_log
#TransferLog logs/ssl_access_log

# Daily log rotation through rotatelogs instead of the single default log files
ErrorLog    "|/usr/sbin/rotatelogs logs/ssl_error_log.%Y%m%d 86400"
TransferLog "|/usr/sbin/rotatelogs logs/ssl_access_log.%Y%m%d 86400"

LogLevel warn

SSLEngine on
# The post originally kept the CentOS defaults of the time, "SSLProtocol ALL -SSLv2" and
# "SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL", which still
# allowed SSLv3, TLS 1.0/1.1 and RC4 and switched off DHE forward secrecy. TLS 1.2 is the
# newest version httpd 2.4.6 / OpenSSL 1.0.2 on CentOS 7 speak, so allow only that.
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on

# Certificate paths: replace web03.mydomain.com with your domain. Certbot writes these
# three lines itself when it deploys to this vhost; on httpd 2.4.8 or newer it points
# SSLCertificateFile at fullchain.pem instead and omits SSLCertificateChainFile.
# (Apache has no end-of-line comments, so notes like these must be on their own '#' lines.)
SSLCertificateFile /etc/letsencrypt/live/web03.mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/web03.mydomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/web03.mydomain.com/chain.pem

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>

# Project source path: replace with your own
DocumentRoot "/myProject_data/project/myProject"

<Directory "/myProject_data/project/myProject">
        Options FollowSymLinks
        # AllowOverride All lets .htaccess files inside the project tree change these
        # settings; tighten it if the application can write to its own tree.
        AllowOverride All
        Require all granted
        # Apache 2.2 equivalent of "Require all granted", kept for reference
#        Order allow,deny
#        Allow from all
</Directory>

BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

# Domain name: replace with your own. Certbot matches this vhost by ServerName, so setting
# it before running certbot avoids the "unable to find a vhost" prompt seen above.
ServerName web03.mydomain.com
# Forward /myProject/* to the Tomcat worker tomcat1 (mod_jk must be loaded and tomcat1
# defined in workers.properties); replace the path and worker name with your own.
JKMount /myProject/* tomcat1

</VirtualHost>
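An audit of an ssl.conf for the problems a reviewer would flag in the file above, as an added example that is not part of the original post. It reads any Apache config file passed to it (for example /etc/httpd/conf.d/ssl.conf) and reports: `//` annotations after a directive (Apache has no end-of-line comments, so `httpd -t` rejects them), an SSLProtocol that still permits SSLv3 or TLS 1.0/1.1, RC4/MEDIUM/LOW/EXP cipher tokens and `!kEDH` (which turns off DHE forward secrecy), a missing SSLHonorCipherOrder, and a private key under /etc/letsencrypt/live/ whose lineage name differs from ServerName. The two sample files are constructed: WEAK_CONF repeats the values the post's ssl.conf started from (the old CentOS mod_ssl defaults plus a `//` annotation), HARD_CONF a TLS 1.2-only replacement.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit an Apache ssl.conf for the issues a
# reviewer would flag in the configuration above. Portable awk only (no gawk extensions).
set -eu

# Print one finding per line for the config file given as $1.
audit_ssl_conf() {
    awk '
    BEGIN { honor = "missing"; servername = ""; lineage = "" }
    {
        line = $0; sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        # Apache has no end-of-line comments: "Directive value // note" is a syntax error.
        if (line ~ /[^ \t][ \t]+\/\//) print NR ": trailing // annotation; httpd -t will reject this line"
        d = tolower($1)
        if (d == "sslprotocol") {
            all = 0; ex3 = 0; ex10 = 0; ex11 = 0; legacy = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "all" || t == "+all") all = 1
                else if (t == "-sslv3") ex3 = 1
                else if (t == "-tlsv1") ex10 = 1
                else if (t == "-tlsv1.1") ex11 = 1
                else if (t ~ /^[+]?(sslv3|tlsv1|tlsv1[.]1)$/) legacy = 1
            }
            # "all" includes SSLv3/TLS 1.0/TLS 1.1 unless each one is removed explicitly.
            if (legacy || (all && !(ex3 && ex10 && ex11)))
                print NR ": SSLProtocol permits SSLv3/TLS 1.0/TLS 1.1; use: all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
        }
        if (d == "sslciphersuite") {
            n = split($2, c, ":")
            for (i = 1; i <= n; i++) {
                if (c[i] ~ /RC4/) print NR ": cipher token " c[i] " enables RC4"
                else if (c[i] ~ /^[+]?(MEDIUM|LOW|EXP)$/) print NR ": cipher token " c[i] " enables weak ciphers"
                else if (c[i] == "!kEDH" || c[i] == "!kEECDH") print NR ": cipher token " c[i] " disables forward secrecy"
            }
        }
        if (d == "sslhonorcipherorder") honor = tolower($2)
        if (d == "servername") servername = $2
        if (d == "sslcertificatekeyfile") {
            p = $2; gsub(/"/, "", p)
            # Certbot keeps each certificate under /etc/letsencrypt/live/<name>/ (22-char prefix);
            # <name> should be the vhost ServerName, otherwise the vhost serves the wrong certificate.
            if (match(p, /\/etc\/letsencrypt\/live\/[^\/]+\//)) lineage = substr(p, RSTART + 22, RLENGTH - 23)
        }
    }
    END {
        if (honor != "on") print "SSLHonorCipherOrder is " honor "; set it to on so the server, not the client, picks the cipher"
        if (lineage != "" && servername != "" && lineage != servername)
            print "private key belongs to the " lineage " lineage but ServerName is " servername
    }' "$1"
}

# Number of findings, for scripting (0 means the file passed every check).
finding_count() {
    audit_ssl_conf "$1" | awk 'END { print NR }'
}

# Constructed samples. WEAK_CONF repeats the values the post's ssl.conf started from (the old
# CentOS mod_ssl defaults plus a "//" annotation); HARD_CONF is a TLS 1.2-only replacement using
# AES-GCM ECDHE suites that exist in the OpenSSL 1.0.2 shipped with CentOS 7.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
SSLEngine on
SSLProtocol  ALL -SSLv2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL
SSLCertificateFile /etc/letsencrypt/live/web03.mydomain.com/cert.pem               //enter domain name
SSLCertificateKeyFile /etc/letsencrypt/live/web03.mydomain.com/privkey.pem
ServerName web03.mydomain.com
EOF
cat > "$HARD_CONF" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLCertificateFile /etc/letsencrypt/live/web03.mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/web03.mydomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/web03.mydomain.com/chain.pem
ServerName web03.mydomain.com
EOF

echo "== weak =="; audit_ssl_conf "$WEAK_CONF"
echo "== hardened: $(finding_count "$HARD_CONF") findings =="
```

Against WEAK_CONF it reports six findings (the protocol line, three cipher tokens, the `//` annotation and the missing SSLHonorCipherOrder); the hardened sample reports none. Run `audit_ssl_conf /etc/httpd/conf.d/ssl.conf` after Certbot has deployed, and again after each `certbot renew`, since the plugin rewrites that file.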

 

-End-

 

Related posts

 

-[Apache] How to renew a free SSL certificate with Certbot
