I noticed that the free StartSSL certificate currently used on the web server is shown as a not-secure site in Google Chrome. This appears to be a result of Google now treating SHA-1 as insecure (see http://thehackernews.com/2017/02/sha1-collision-attack.html).
In Safari there is no problem.
In Google Chrome the site is marked as not secure.
So I switched to Let's Encrypt, another free SSL certificate. Let's Encrypt is currently in public beta.
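A way to confirm the problem described above on your own server: the Python script below is an added example (not code from the original post) that reads a PEM chain such as certbot's fullchain.pem and reports the signature algorithm of every certificate in it, flagging the SHA-1 variants that Chrome rejects. It decodes only the outer DER structure of each certificate with the standard library, so it needs no extra packages. The default path under /etc/letsencrypt/live and the fake_cert_pem helper, which builds a structurally valid but dummy certificate for offline testing, are my constructed assumptions.

```python
import base64
import re

# Signature-algorithm OIDs relevant here: the two SHA-1 variants Chrome rejects,
# plus the SHA-2 ones a current certificate should carry.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn DER OID contents into dotted form (the first byte packs the first two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Browsers evaluate the outer signatureAlgorithm, so that is what we read."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)      # skip tbsCertificate
    _, sig_alg, _ = _read_tlv(body, pos)   # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(sig_alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def scan_chain(pem_text):
    """One (index, oid, name, is_sha1) tuple per certificate in a PEM chain.
    certbot's fullchain.pem holds the leaf first, then the intermediates (no root)."""
    results = []
    for i, b64 in enumerate(_PEM_BLOCK.findall(pem_text)):
        oid = signature_algorithm_oid(base64.b64decode("".join(b64.split())))
        results.append((i, oid, SIG_ALG_NAMES.get(oid, "unknown"), oid in SHA1_OIDS))
    return results


def chain_uses_sha1(pem_text):
    """True if any certificate in the served chain is SHA-1 signed."""
    return any(r[3] for r in scan_chain(pem_text))


# Constructed test input (not a real certificate): an empty tbsCertificate, the
# given AlgorithmIdentifier and a dummy BIT STRING signature, wrapped in PEM.
def fake_cert_pem(oid_der):
    sig_alg = b"\x30" + bytes([len(oid_der) + 2]) + b"\x06" + bytes([len(oid_der)]) + oid_der
    body = b"\x30\x00" + sig_alg + b"\x03\x02\x00\xff"
    der = b"\x30" + bytes([len(body)]) + body
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()


SHA1_RSA_OID_DER = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID_DER = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    import sys
    # Assumed path: the live directory certbot created for this blog's host name.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/letsencrypt/live/blog.boxcorea.com/fullchain.pem"
    with open(path) as f:
        for idx, oid, name, sha1 in scan_chain(f.read()):
            print(f"cert {idx}: {name} ({oid}){'  <-- SHA-1, Chrome will flag this' if sha1 else ''}")
```

Run it against the old StartSSL chain and the new Let's Encrypt fullchain.pem to see the difference; the root is intentionally absent from fullchain.pem, which is fine because browsers do not evaluate a trusted root's self-signature.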
1. Installing Certbot and generating the certificate (automatic)
Go to https://certbot.eff.org, choose your web server and OS, and the installation instructions are shown.
Download certbot-auto and make it executable.
# wget https://dl.eff.org/certbot-auto
# chmod a+x certbot-auto
When you run certbot-auto, it installs the required packages and updates automatically.
# ./certbot-auto
Bootstrapping dependencies for Debian-based OSes...
Ign http://ports.ubuntu.com trusty InRelease
Ign http://ppa.launchpad.net trusty InRelease
Get:1 http://ports.ubuntu.com trusty-updates InRelease [65.9 kB]
Hit http://ppa.launchpad.net trusty Release.gpg
...
...
The following packages will be upgraded:
  libssl-dev libssl1.0.0 openssl
3 upgraded, 10 newly installed, 0 to remove and 49 not upgraded.
Need to get 26.2 MB of archives.
After this operation, 34.9 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
...
...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: boxcorea.com
2: blog.boxcorea.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):2
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):your@email.com

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for blog.boxcorea.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
Deploying Certificate to VirtualHost /etc/apache2/sites-available/blog.boxcorea.com.conf

Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://blog.boxcorea.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=blog.boxcorea.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/blog.boxcorea.com/fullchain.pem. Your cert will
   expire on 2017-05-26. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot-auto renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to snowffox@gmail.com.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a secure
   backup of this folder now. This configuration directory will also
   contain certificates and private keys obtained by Certbot so making
   regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
The installation completes automatically.
Now restart the Apache web server and you can confirm that the newly installed certificate is in use.
# service apache2 start
2. Renewing the certificate automatically
Whereas a StartSSL free certificate is valid for one year, a Let's Encrypt certificate is valid for three months (90 days). The certificate therefore has to be renewed before the 90 days are up.
Before renewing for real, you can test the renewal as shown below.
# ./certbot-auto renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/blog.boxcorea.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for blog.boxcorea.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/blog.boxcorea.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a secure
   backup of this folder now. This configuration directory will also
   contain certificates and private keys obtained by Certbot so making
   regular backups of this folder is ideal.
If the dry run shows no problems, register the command with cron or systemd. Running it twice a day is the recommended frequency: because the command does nothing until the certificate is due for renewal or has been revoked, it is safe to schedule it twice daily.
# crontab -e
0,10 0 * * * /root/certbot-auto renew --quiet --no-self-upgrade
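To see what the scheduled renewal is actually deciding, the added Python example below (my code, not the original post's) reproduces the check behind `certbot renew`: it takes a certificate's notAfter time in the format openssl and Python's ssl module print, computes the days remaining, and reports whether the certificate is still fine, due for renewal, or already expired. The 30-day threshold is certbot's default renew-before-expiry window, which is why a 90-day Let's Encrypt certificate gets renewed around day 60; the live_cert_status function fetches the certificate the server really presents so the result can be compared with what is on disk. The default host name is taken from this post and is an assumption for the usage example.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# certbot's default renew_before_expiry window: renew once 30 days or fewer remain.
RENEW_BEFORE_DAYS = 30


def _to_utc(when):
    """Accept None (now), a tz-aware datetime, or an openssl-style time string
    such as 'May 26 12:00:00 2017 GMT' and return an aware UTC datetime."""
    if when is None:
        return datetime.now(timezone.utc)
    if isinstance(when, str):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(when), tz=timezone.utc)
    return when


def renewal_status(not_after, now=None, renew_before_days=RENEW_BEFORE_DAYS):
    """Return (days_left, action) where action is OK, RENEW or EXPIRED.
    not_after uses the notAfter format produced by `openssl x509 -enddate`
    and by ssl.SSLSocket.getpeercert()."""
    expiry = _to_utc(not_after)
    days_left = round((expiry - _to_utc(now)) / timedelta(days=1), 1)
    if days_left <= 0:
        return days_left, "EXPIRED"
    if days_left <= renew_before_days:
        return days_left, "RENEW"
    return days_left, "OK"


def live_cert_status(host, port=443, timeout=5.0):
    """Connect with a verifying TLS context, read the certificate the server
    presents, and classify it. An untrusted chain raises ssl.SSLError, which is
    itself a useful signal that the deployed certificate is wrong."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    days_left, action = renewal_status(cert["notAfter"])
    return {"host": host, "notAfter": cert["notAfter"], "days_left": days_left, "action": action}


if __name__ == "__main__":
    import sys
    # Assumed default: the host this post configured; pass other names as arguments.
    for host in sys.argv[1:] or ["blog.boxcorea.com"]:
        print(live_cert_status(host))
```

With the expiry date certbot printed above (2017-05-26), the script reports OK until late April, RENEW from 30 days before expiry, and EXPIRED afterwards; if the cron job is working, a live check should never reach RENEW for more than a day or so.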