[Ubuntu] Issuing Certificates with Certbot


Chaehyeon Lee

Installing snapd (if snapd is not present)

As far as I know, recent versions of Ubuntu already have snapd installed.

# Install snap with apt
# Ubuntu
sudo apt install snapd
sudo reboot

Installing certbot (snap)

sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Installing the Cloudflare plugin

# Cloudflare DNS plugin
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflare

Adding the Cloudflare API token

mkdir -p ~/.secrets/certbot
vi ~/.secrets/certbot/cloudflare.ini
----------------------------------
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = IdgrE2pGEQxdq43kQPJ8*****************
----------------------------------
chmod 600 ~/.secrets/certbot/cloudflare.ini
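
An added example (not part of the original post): a shell check for the credentials file created above. It verifies that neither the file nor its directory is accessible to group/other and that a scoped API token, not the account-wide Global API Key, is configured. The function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: audit the Certbot Cloudflare credentials file.
# private_mode and audit_cf_credentials are hypothetical helper names,
# not part of certbot or the Cloudflare plugin.

# Succeeds when "ls -ld" shows no group/other permission bits on $1.
private_mode() {
    local mode
    mode=$(ls -ld -- "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Prints one finding per line; returns 0 only when there are no findings.
audit_cf_credentials() {
    local file=$1 dir findings=0
    dir=$(dirname -- "$file")

    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is missing or not a regular file"
        return 1
    fi
    if ! private_mode "$file"; then
        echo "FAIL: $file is accessible to group/other (want chmod 600)"
        findings=$((findings + 1))
    fi
    if ! private_mode "$dir"; then
        echo "FAIL: $dir is accessible to group/other (want chmod 700)"
        findings=$((findings + 1))
    fi
    # A scoped API token is expected; the Global API Key grants far more access.
    if ! grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*[^[:space:]]' "$file"; then
        echo "FAIL: no dns_cloudflare_api_token entry found"
        findings=$((findings + 1))
    fi
    if grep -Eq '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=' "$file"; then
        echo "FAIL: Global API Key (dns_cloudflare_api_key) present; use a scoped token"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Usage: audit_cf_credentials ~/.secrets/certbot/cloudflare.ini
```

With the steps above, the directory created by mkdir -p typically keeps the default 755 mode, so the directory check reports it until chmod 700 ~/.secrets/certbot is run.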

Registering a certificate for your domain

# Issue a certificate for *.4084.live
# (the wildcard is quoted so the shell does not glob-expand it)
sudo certbot certonly --dns-cloudflare \
--dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
-d '*.4084.live'

-----------------
ubuntu@dev-project-app:~$ sudo certbot certonly --dns-cloudflare \
> --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
> -d *.4084.live
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
<https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for *.4084.live
Waiting 10 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/4084.live/fullchain.pem
Key is saved at: /etc/letsencrypt/live/4084.live/privkey.pem
This certificate expires on 2022-02-26.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: <https://letsencrypt.org/donate>
* Donating to EFF: <https://eff.org/donate-le>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Paths of the generated certificate:
/etc/letsencrypt/live/4084.live/fullchain.pem
/etc/letsencrypt/live/4084.live/privkey.pem

Renewing the certificate

# Test the renewal (--dry-run)
sudo certbot renew --dry-run

# Actual renewal
sudo certbot renew

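Periodic renewal with crontab

(Runs every Sunday at 02:01)

Note: the Certbot output above reports that a scheduled task for automatic renewal has already been set up, so this cron entry is an additional schedule. Because it calls sudo, it only works from cron when sudo does not prompt for a password.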

crontab -e
-----------
# cert renewal
1 2 * * 0 sudo /usr/bin/certbot renew


https://devch.co.kr/2021/11/28/UBUNTU-Certbot-21-11-28/

Author

Chaehyeon Lee

Posted on

2021-11-28

Updated on

2021-12-05
