Installing Let's Encrypt on Amazon Linux 2023


This post explains how to set up a website on Amazon Linux 2023 so that it can be reached over HTTPS using a Let's Encrypt certificate.

For installing the WordPress web service on Amazon Linux 2023, see the post "Installing Apache HTTPD and WordPress on Amazon Linux 2023".

For installing Let's Encrypt on CentOS 7 (Linux 7), see the post "Creating a free SSL certificate (Let's Encrypt) with snap and registering it in the scheduler (cron)".

Installing Certbot

To make the /usr/bin/certbot command available, run the following commands in order.

$ sudo dnf install -y python3 augeas-libs pip
..(omitted)..
Complete!
$ sudo python3 -m venv /opt/certbot/
$ ls /opt/certbot
bin  include  lib  lib64  pyvenv.cfg
$ ls /opt/certbot/bin
Activate.ps1  activate  activate.csh  activate.fish  pip  pip3  pip3.9  python  python3  python3.9
$ sudo /opt/certbot/bin/pip install --upgrade pip
..(omitted)..
Successfully installed pip-23.1.2
$ sudo /opt/certbot/bin/pip install certbot
..(omitted)..
Successfully installed ConfigArgParse-1.5.3 PyOpenSS-23.1.1 acme-2.6.0 certbot-2.6.0 certifi-2023.5.7 cffi-1.15.1 charset-normalizer-3.1.0 configobj-5.0.8 cryptography-40.0.2 distro-1.8.0 idna-3.4 josepy-1.13.0 parsedatetime-2.6 pycparser-2.21

$ sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

Creating a CA-signed certificate

Stop the httpd server (the standalone authenticator used below needs port 80 free), then run the following commands in order to create the CA-signed certificate files privkey.pem, cert.pem and chain.pem.

$ sudo systemctl stop httpd
$ sudo certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): root@localhost
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
"https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf". You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): www.sample.com
Requesting a certificate for www.sample.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.sample.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/www.sample.com/privkey.pem
This certificate expires on 2023-08-18.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Configuring the certificate

Point the web server configuration file at the created certificate as shown below, then restart the httpd service.

$ sudo vi /etc/httpd/conf.d/ssl.conf
..(omitted)..
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/letsencrypt/live/www.sample.com/cert.pem
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/letsencrypt/live/www.sample.com/privkey.pem
##SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCertificateChainFile /etc/letsencrypt/live/www.sample.com/chain.pem
..(omitted)..
$ sudo systemctl restart httpd

Registering a weekly automatic run schedule

Amazon Linux 2023 does not come with the cron service installed. Install cron as shown below and register the command in crontab so that the certificate renewal command runs automatically.

$ sudo dnf install cronie-noanacron
$ sudo vi /etc/crontab
..(omitted)..
# *  *  *  *  * user-name  command to be executed
# Run every Tuesday at 01:30
30  1  *  *  2  root /usr/bin/certbot renew --post-hook "systemctl reload httpd" --no-self-upgrade # Apache
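
An added health check, not from the original post, for the files certbot writes under /etc/letsencrypt/live/www.sample.com (the sample domain used above): it confirms that cert.pem is not about to expire and that privkey.pem still matches it, so a broken ssl.conf is reported rather than loaded by "systemctl reload httpd". It assumes only the openssl command-line tool; the make_sample_live_dir helper is a constructed stand-in for a real live directory so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original post: a health check for the
# certificate files certbot wrote under /etc/letsencrypt/live/<domain>/.
# Run it from the same crontab ahead of "systemctl reload httpd" so that an
# expiring certificate or a key that no longer matches cert.pem is reported
# instead of being loaded into httpd. Assumes only the openssl CLI.

# Succeeds if the certificate in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeeds if the private key in $2 belongs to the certificate in $1
# (compares the public key derived from each side).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Checks one live directory; prints "ok" on success, a reason on stderr
# otherwise. $1 = live directory, $2 = minimum remaining days (default 14).
check_live_dir() {
    dir=$1
    min_days=${2:-14}
    if ! cert_valid_for_days "$dir/cert.pem" "$min_days"; then
        echo "$dir/cert.pem expires within $min_days days" >&2
        return 1
    fi
    if ! key_matches_cert "$dir/cert.pem" "$dir/privkey.pem"; then
        echo "$dir/privkey.pem does not match $dir/cert.pem" >&2
        return 1
    fi
    echo ok
}

# Constructed sample input: a throwaway self-signed certificate valid for
# $1 days (default 30), standing in for a real Let's Encrypt live directory
# so the check can be exercised offline.
make_sample_live_dir() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "${1:-30}" \
        -subj "/CN=www.sample.com" -keyout "$dir/privkey.pem" \
        -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir"
}

# Real use: check_live_dir /etc/letsencrypt/live/www.sample.com 14
```

Because the certificate was issued with --standalone, certbot renew reuses that authenticator and itself needs port 80 free at renewal time; this check only inspects the files on disk and does not replace that requirement.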
