Amazon Linux 2023에서 Let’s Encrypt를 설치하기 

이 글에서는 Amazon Linux 2023에서 Let’s Encrypt를 이용하여 홈페이지에 https프로토콜로 접속하는 설정 방법을 설명합니다.

Amazon Linux 2023에서 WordPress웹서비스를 설치하는 방법은 Amazon Linux 2023에 Apache HTTPD하고 WordPress를 설치 글을 참조하십시오.

또한 CentOS7(Linux7)에서 Let’s Encrypt를 설치하는 방법은 snap 사용 무료SSL증명서(Let’s Encrypt)작성 스케줄러(cron)에 등록하기 글을 참조하십시오.

certbot설치하기

/usr/bin/certbot명령을 사용하기 위해 다음과 같이 순차적으로 명령을 실행합니다.

$ sudo dnf install -y python3 augeas-libs pip
...
Complete!
$ sudo python3 -m venv /opt/certbot/
$ ls /opt/certbot
bin  include  lib  lib64  pyvenv.cfg
$ ls /opt/certbot/bin
Activate.ps1  activate  activate.csh  activate.fish  pip  pip3  pip3.9  python  python3  python3.9
$ sudo /opt/certbot/bin/pip install --upgrade pip
....
Successfully installed pip-23.1.2
$ sudo /opt/certbot/bin/pip install certbot
...
Successfully installed ConfigArgParse-1.5.3 PyOpenSS-23.1.1 acme-2.6.0 certbot-2.6.0 certifi-2023.5.7 cffi-1.15.1 charset-normalizer-3.1.0 configobj-5.0.8 cryptography-40.0.2 distro-1.8.0 idna-3.4 josepy-1.13.0 parsedatetime-2.6 pycparser-2.21

$ sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

CA가 서명한 인증서 작성

httpd서버를 정지하고 CA가 서명한 인증서 privkey.pem ,cert.pem,chain.pem를 만들기위해 다음과 같이 순차적으로 명령을 실행합니다.

$ sudo systemctl stop httpd
$ sudo certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): root@localhost
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf.
letsencrypt.org
 You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): www.sample.com
Requesting a certificate for www.sample.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.sample.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/www.sample.com/privkey.pem
This certificate expires on 2023-08-18.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

인증서 설정

작성되 인증서는 다음과 같이 웹서버 환경파일에 설정하고 httpd서비스를 재기동합니다.

$ sudo vi /etc/httpd/conf.d/ssl.conf
....
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/letsencrypt/live/www.sample.com/cert.pem
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/letsencrypt/live/www.sample.com/privkey.pem
##SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCertificateChainFile /etc/letsencrypt/live/www.sample.com/chain.pem
.....

$ sudo systemctl restart httpd

스케줄 등록

Amazon Linux 2023에서는 cron서비스가 설치되어있지 않습니다. 다음과 같이 cron을 설치한고 crontab에 명령을 등록하여 인증서 갱신 명령 실행을 자동화할 수 있습니다.

$ sudo dnf install cronie-noanacron

$ sudo vi /etc/crontab
...
# *  *  *  *  * user-name  command to be executed
# every tue 1:30
30  1  *  *  2  root /usr/bin/certbot renew --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd" # Apache