목표
- letsencrypt wildcard SSL 설정
환경
- CentOS7
- Nnginx 1.13.8
- DigitalOcean Droplet
예상 결과
- www.{domain}.com 및 {domain}.com 호출시 SSL 접속
Certbot으로 인증서 발급
command
sudo certbot certonly \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual \
--preferred-challenges dns \
-d *.{domain}.com \
-d {domain}.com \
- wildcard 도메인 뿐 아니라 서브도메인이 없는 경우가 필요하다면 함께 추가
Issuing
Please deploy a DNS TXT record under the name
_acme-challenge.{domain}.com with the following value:
{value}
Before continuing, verify the record is deployed.
- 위 값을 _acme-challenge 도메인의 DNS TXT 타입으로 등록
- DNS record가 등록되어야만 다음단계 진행 가능
성공시
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/{domain}.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/{domain}.com/privkey.pem
Your cert will expire on 2018-09-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
DNS Record 등록
- TXT
- _acme-challenge.thebudding.com => 위에서 제시한 값
- 확인방법
- CNAME
- wildcard 도메인을 redirect 하기 위함
- *.{domain}.com => {domain}.com
- NS / A
Nginx 설정
참고자료
- https://www.netmanias.com/ko/post/blog/5365/dns-network-protocol/three-types-of-dns-message-a-ns-and-cname
- https://levelup.gitconnected.com/how-to-get-certbot-wildcard-certificates-3d25618a81e0
- https://www.lesstif.com/pages/viewpage.action?pageId=27984443
- https://certbot.eff.org/lets-encrypt/centosrhel7-nginx
- https://blog.perfectacle.com/2017/10/05/letsencrypt-with-certbot-feat-aws/
