Let's Encrypt

Overview

  • Until now SSL certificates were a paid service, which was a considerable barrier to adopting SSL (HTTPS).
  • To remove this barrier, organizations such as Cisco, Chrome, and Facebook founded a certificate authority called Let's Encrypt and began issuing SSL certificates free of charge.

Issuing a certificate (using Docker)

  1. In the command below, be sure to replace *.yourdomain.com with your own domain.

    docker run -it --rm --name certbot \
      -v '/etc/letsencrypt:/etc/letsencrypt' \
      -v '/var/lib/letsencrypt:/var/lib/letsencrypt' \
      certbot/certbot certonly -d '*.yourdomain.com' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
    
  2. Once the container is running, the following prompts appear.

    2.1. Enter your email address

     Saving debug log to /var/log/letsencrypt/letsencrypt.log
     Plugins selected: Authenticator manual, Installer None
     Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel)
    

    2.2. Agree to the Terms of Service (A = agree, C = cancel)

     Please read the Terms of Service at
     https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at
     https://acme-v02.api.letsencrypt.org/directory
    
     (A)gree/(C)ancel:
    

    2.3. Asked whether you are willing to share your email address with the EFF (Y = yes, N = no)

     Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.
    
     (Y)es/(N)o:
    

    2.4. Notice that the IP address of the machine requesting the certificate may be publicly logged (Y = accept, N = decline)

     Obtaining a new certificate
     Performing the following challenges:
     dns-01 challenge for yourdomain.com
    
     NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.
    
     Are you OK with your IP being logged?
    
     (Y)es/(N)o:
    

    2.5. Note the TXT value to add to your domain's DNS (complete the steps below before pressing Enter)

    Register the value shown at [value to add to the TXT record] below as a TXT record for the name _acme-challenge.yourdomain.com. Use the dig command to confirm the record is actually being served, and only then press Enter.

    DNS changes take time to propagate, so allow some time before checking.

     Please deploy a DNS TXT record under the name
     _acme-challenge.yourdomain.com with the following value:
    
     [value to add to the TXT record]
    
     Before continuing, verify the record is deployed.
    
     Press Enter to Continue
    
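The dig check mentioned above, as an added example (not code from the original page): a small POSIX shell helper that confirms the exact value certbot printed is visible in the _acme-challenge TXT record before you press Enter. The sample dig output embedded at the end is constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the original page): verify that the dns-01 TXT
# record certbot asked for is really visible in DNS before pressing Enter.

# acme_txt_matches EXPECTED DIG_OUTPUT
# DIG_OUTPUT is the text printed by `dig +short TXT _acme-challenge.<domain>`,
# one quoted string per record. Returns 0 if EXPECTED is one of the records.
acme_txt_matches() {
  expected="$1"
  dig_output="$2"
  # dig +short wraps each TXT value in double quotes; strip them and require
  # an exact whole-line match, so a stale record from an earlier issuance
  # (or a value that merely contains the expected token) does not pass.
  printf '%s\n' "$dig_output" | tr -d '"' | grep -Fqx -- "$expected"
}

# check_acme_challenge DOMAIN EXPECTED [NAMESERVER]
# Queries live DNS. Pointing at one of the zone's authoritative servers
# (e.g. from `dig +short NS DOMAIN`) avoids being fooled by an answer cached
# at your local resolver, since Let's Encrypt validates against the
# authoritative data, not your cache.
check_acme_challenge() {
  domain="$1"
  expected="$2"
  server="${3:+@$3}"
  out=$(dig +short $server TXT "_acme-challenge.$domain" 2>/dev/null)
  if acme_txt_matches "$expected" "$out"; then
    echo "OK: _acme-challenge.$domain serves the expected value; safe to press Enter"
    return 0
  fi
  echo "NOT YET: record missing or stale; wait for propagation and retry"
  return 1
}

# Constructed sample of `dig +short` output (not real data): one stale value
# left over from a previous issuance plus the value certbot asked for now.
SAMPLE_DIG_OUTPUT='"stale-value-from-last-time"
"Abc123_expected-value"'
```

While certbot is waiting at "Press Enter to Continue", run `check_acme_challenge yourdomain.com '<value certbot printed>'` from a second terminal and press Enter only once it reports OK.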

    2.6. Once the challenge passes, the certificate is issued.

     Waiting for verification...
     Cleaning up challenges
    
     IMPORTANT NOTES:
      - Congratulations! Your certificate and chain have been saved at:
        /etc/letsencrypt/live/yourdomain.com/fullchain.pem
        Your key file has been saved at:
        /etc/letsencrypt/live/yourdomain.com/privkey.pem
        Your cert will expire on 2019-04-12. To obtain a new or tweaked
        version of this certificate in the future, simply run certbot
        again. To non-interactively renew *all* of your certificates, run
        "certbot renew"
      - If you like Certbot, please consider supporting our work by:
    
        Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
        Donating to EFF:                    https://eff.org/donate-le
    

Renewing the certificate

docker run -it --rm --name certbot \
  -v '/etc/letsencrypt:/etc/letsencrypt' \
  -v '/var/lib/letsencrypt:/var/lib/letsencrypt' \
  certbot/certbot renew --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

References