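This article explains how to configure a website on Amazon Linux 2023 for access over the https protocol using Let’s Encrypt.
For how to install the WordPress web service on Amazon Linux 2023, see the article "Installing Apache HTTPD and WordPress on Amazon Linux 2023".
For how to install Let’s Encrypt on CentOS7 (Linux7), see the article "Creating a free SSL certificate (Let’s Encrypt) using snap and registering it with the scheduler (cron)".
Installing certbot
To make the /usr/bin/certbot command available, run the following commands in order.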
$ sudo dnf install -y python3 augeas-libs pip
...
Complete!
$ sudo python3 -m venv /opt/certbot/
$ ls /opt/certbot
bin include lib lib64 pyvenv.cfg
$ ls /opt/certbot/bin
Activate.ps1 activate activate.csh activate.fish pip pip3 pip3.9 python python3 python3.9
$ sudo /opt/certbot/bin/pip install --upgrade pip
....
Successfully installed pip-23.1.2
$ sudo /opt/certbot/bin/pip install certbot
...
Successfully installed ConfigArgParse-1.5.3 PyOpenSS-23.1.1 acme-2.6.0 certbot-2.6.0 certifi-2023.5.7 cffi-1.15.1 charset-normalizer-3.1.0 configobj-5.0.8 cryptography-40.0.2 distro-1.8.0 idna-3.4 josepy-1.13.0 parsedatetime-2.6 pycparser-2.21
$ sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
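Creating a CA-signed certificate
Stop the httpd server and run the following commands in order to create the CA-signed certificate files privkey.pem, cert.pem, and chain.pem. In --standalone mode certbot starts its own temporary web server on port 80 for domain validation, which is why httpd has to be stopped first.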
$ sudo systemctl stop httpd
$ sudo certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): root@localhost
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): www.sample.com
Requesting a certificate for www.sample.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.sample.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/www.sample.com/privkey.pem
This certificate expires on 2023-08-18.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Configuring the certificate
Set the created certificate files in the web server configuration file as follows, then restart the httpd service.
$ sudo vi /etc/httpd/conf.d/ssl.conf
....
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/letsencrypt/live/www.sample.com/cert.pem
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/letsencrypt/live/www.sample.com/privkey.pem
##SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCertificateChainFile /etc/letsencrypt/live/www.sample.com/chain.pem
.....
$ sudo systemctl restart httpd
Registering the schedule
The cron service is not installed on Amazon Linux 2023. Install cron as follows and register the command in crontab to automate running the certificate renewal command.
$ sudo dnf install cronie-noanacron
$ sudo vi /etc/crontab
...
# * * * * * user-name command to be executed
# every tue 1:30
30 1 * * 2 root /usr/bin/certbot renew --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd" # Apache
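As an added example (not part of the original article): a shell check that reads the active SSLCertificateFile and SSLCertificateKeyFile directives from ssl.conf, confirms the private key belongs to the certificate, and fails when the certificate is close to expiry, which is how a cron renewal that has silently stopped working shows up. The function names, the file name check-cert.sh and the 30-day default are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Function names, the file
# name check-cert.sh and the 30-day default are assumptions.
# Run as root: privkey.pem is readable by root only.
# Usage: sh check-cert.sh /etc/httpd/conf.d/ssl.conf [min_days]

# Print the path of directive $2 in config $1. Fails unless exactly one
# uncommented occurrence exists (e.g. the localhost default left active).
active_path() {
    awk -v d="$2" '$1 == d { p = $2; n++ }
        END { if (n == 1) print p; else exit 1 }' "$1"
}

# Return 0 if private key $2 belongs to certificate $1 (RSA or ECDSA).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if certificate $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Audit the certificate and key that ssl.conf ($1) actually points at.
audit_ssl_conf() {
    conf=$1; min_days=${2:-30}
    cert=$(active_path "$conf" SSLCertificateFile) &&
    key=$(active_path "$conf" SSLCertificateKeyFile) ||
        { echo "FAIL: need exactly one active certificate and key directive"; return 1; }
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: $key does not match $cert"; return 1; }
    cert_valid_for_days "$cert" "$min_days" ||
        { echo "FAIL: $cert expires within $min_days days, check the cron job"; return 1; }
    echo "OK: $cert matches its key and is valid for $min_days+ days"
}

if [ $# -gt 0 ]; then audit_ssl_conf "$@"; fi
```

Let’s Encrypt certificates are valid for 90 days and certbot renews them when fewer than 30 days remain, so a failure at the 30-day threshold means at least one scheduled renewal did not succeed.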
Comment
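Thanks to you, I was able to set up https easily in an AWS Linux 2023 environment ㅠㅠㅠㅠㅠㅠㅠㅠ
Thank you so much…. Even after reading the official Amazon documentation I was thinking "what is this?", but it worked right away once I followed your steps… Overwhelming thanks…!!!
You are surely a genius.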