Installing Let's Encrypt on Amazon Linux 2023


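This article explains how to use Let's Encrypt on Amazon Linux 2023 so that your website can be accessed over the https protocol.

For how to install the WordPress web service on Amazon Linux 2023, see the article "Installing Apache HTTPD and WordPress on Amazon Linux 2023".

For how to install Let's Encrypt on CentOS 7 (Linux 7), see the article "Creating a free SSL certificate (Let's Encrypt) using snap and registering it in the scheduler (cron)".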


Installing Certbot

To make the /usr/bin/certbot command available, run the following commands in order.

$ sudo dnf install -y python3 augeas-libs pip
...
Complete!
$ sudo python3 -m venv /opt/certbot/
$ ls /opt/certbot
bin  include  lib  lib64  pyvenv.cfg
$ ls /opt/certbot/bin
Activate.ps1  activate  activate.csh  activate.fish  pip  pip3  pip3.9  python  python3  python3.9
$ sudo /opt/certbot/bin/pip install --upgrade pip
....
Successfully installed pip-23.1.2
$ sudo /opt/certbot/bin/pip install certbot
...
Successfully installed ConfigArgParse-1.5.3 PyOpenSS-23.1.1 acme-2.6.0 certbot-2.6.0 certifi-2023.5.7 cffi-1.15.1 charset-normalizer-3.1.0 configobj-5.0.8 cryptography-40.0.2 distro-1.8.0 idna-3.4 josepy-1.13.0 parsedatetime-2.6 pycparser-2.21

$ sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

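Creating a CA-signed certificate

Stop the httpd server, then run the following commands in order to create the CA-signed certificate files privkey.pem, cert.pem, and chain.pem. httpd has to be stopped because certbot's --standalone mode starts its own temporary web server for domain validation, which needs port 80 to be free.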

$ sudo systemctl stop httpd
$ sudo certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): root@localhost
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at

You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): www.sample.com
Requesting a certificate for www.sample.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.sample.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/www.sample.com/privkey.pem
This certificate expires on 2023-08-18.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
 * Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Configuring the certificate

Set the created certificate files in the web server configuration file as follows, then restart the httpd service.

$ sudo vi /etc/httpd/conf.d/ssl.conf
....
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/letsencrypt/live/www.sample.com/cert.pem
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/letsencrypt/live/www.sample.com/privkey.pem
##SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCertificateChainFile /etc/letsencrypt/live/www.sample.com/chain.pem
.....

$ sudo systemctl restart httpd
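
The following check is an added example, not part of the original article: it confirms that the active (uncommented) directives in ssl.conf point at cert.pem, privkey.pem and chain.pem under the certbot live directory, and that the private key carries no group or other permission bits. The function names and the script name in the usage comment are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are
# hypothetical; GNU stat (as shipped on Amazon Linux 2023) is assumed.

# Print the value of the last active (uncommented) occurrence of a directive.
active_directive() {  # $1 = directive name, $2 = config file
    awk -v d="$1" '$1 == d { v = $2; gsub(/"/, "", v) }
                   END { if (v != "") print v }' "$2"
}

# Return 0 if ssl.conf is consistent with the certbot live directory,
# 1 otherwise. Findings are written to stderr.
check_ssl_conf() {  # $1 = config file, $2 = live directory
    conf=$1; live=$2; rc=0
    for pair in SSLCertificateFile:cert.pem \
                SSLCertificateKeyFile:privkey.pem \
                SSLCertificateChainFile:chain.pem; do
        name=${pair%%:*}
        want=$live/${pair#*:}
        got=$(active_directive "$name" "$conf")
        if [ "$got" != "$want" ]; then
            echo "FAIL $name is '${got:-unset}', expected '$want'" >&2
            rc=1
        elif [ ! -e "$got" ]; then
            echo "FAIL $name: $got does not exist" >&2
            rc=1
        fi
    done
    key=$live/privkey.pem
    if [ -e "$key" ]; then
        # -L follows the symlink certbot places in live/ to the real key file.
        mode=$(stat -L -c %a "$key")
        case $mode in
            *00) ;;  # owner-only, e.g. 600 or 400
            *) echo "FAIL $key has mode $mode, group/other bits set" >&2
               rc=1 ;;
        esac
    fi
    return "$rc"
}

# Usage: sh check_ssl_conf.sh /etc/httpd/conf.d/ssl.conf /etc/letsencrypt/live/www.sample.com
if [ "$#" -eq 2 ]; then
    check_ssl_conf "$1" "$2"
fi
```

Run it with sudo, because /etc/letsencrypt/live is readable only by root.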

Registering the schedule

The cron service is not installed on Amazon Linux 2023. Install cron as follows and register the command in crontab to automate running the certificate renewal command.

$ sudo dnf install cronie-noanacron
$ sudo vi /etc/crontab
...
# *  *  *  *  * user-name  command to be executed
# every tue 1:30
30  1  *  *  2  root /usr/bin/certbot renew --post-hook "systemctl reload httpd" --no-self-upgrade # Apache

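Comments

  1. Comment by 감삼다...:

    Thanks to you, I was able to set up https easily in an AWS Linux 2023 environment ㅠㅠㅠㅠㅠㅠㅠㅠ
    Thank you so much…. Even after reading the official Amazon documentation I was left wondering "what is this?", but following your steps it worked right away… Overwhelming thanks…!!!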
