2018년 6월 30일 토요일

Wildcard SSL 설정

목표

  • letsencrypt wildcard SSL 설정

환경

  • CentOS7
  • Nnginx 1.13.8
  • DigitalOcean Droplet

예상 결과

  • www.{domain}.com 및 {domain}.com 호출시 SSL 접속


Certbot으로 인증서 발급

command

sudo certbot certonly \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual \
--preferred-challenges dns \
-d *.{domain}.com \
-d {domain}.com \

  • wildcard 도메인 뿐 아니라 서브도메인이 없는 경우가 필요하다면 함께 추가

Issuing

Please deploy a DNS TXT record under the name
_acme-challenge.{domain}.com with the following value:

{value}

Before continuing, verify the record is deployed.

  • 위 값을 _acme-challenge 도메인의 DNS TXT 타입으로 등록
  • DNS record가 등록되어야만 다음단계 진행 가능
    • DNS Record 등록 부분 확인

성공시

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/{domain}.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/{domain}.com/privkey.pem
   Your cert will expire on 2018-09-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


DNS Record 등록

  • TXT
    • _acme-challenge.thebudding.com => 위에서 제시한 값
    • 확인방법
      • nslookup -q=TXT {domain}
  • CNAME
    • wildcard 도메인을 redirect 하기 위함
    • *.{domain}.com => {domain}.com
  • NS / A


Nginx 설정

  • server {
    listen       80;
    server_name  ~.;
    return 301 https://$host$request_uri;
}

server {
    server_name  ~.;
    listen 443;
    
    ssl                  on;
    ssl_certificate      /etc/letsencrypt/live/{domain}/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/{domain}/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+ED';
    ssl_prefer_server_ciphers   on;

    location / {
     root   html;
     index  index.html index.htm;
  }
}

참고자료

  • https://www.netmanias.com/ko/post/blog/5365/dns-network-protocol/three-types-of-dns-message-a-ns-and-cname
  • https://levelup.gitconnected.com/how-to-get-certbot-wildcard-certificates-3d25618a81e0
  • https://www.lesstif.com/pages/viewpage.action?pageId=27984443
  • https://certbot.eff.org/lets-encrypt/centosrhel7-nginx
  • https://blog.perfectacle.com/2017/10/05/letsencrypt-with-certbot-feat-aws/




작성자: 시간:

댓글 없음:

댓글 쓰기

피드 구독하기: 댓글 (Atom)