Let's Encrypt로 SSL 인증서 설치

Let's Encrypt로 SSL 인증서 설치

2022-10-03 last update

5 minutes reading centos7 nginx letsencrypt SSL 인증서

환경



CentOS7
Nginx
대상 도메인 xxx.com

certbot 설치


# yum -y install certbot python2-certbot-nginx

인증서 만들기


# certbot certonly --webroot -w /var/www/html/xxx.com -d xxx.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel):      [email protected]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Requesting a certificate for xxx.com
Performing the following challenges:
http-01 challenge for xxx.com
Using the webroot path /var/www/html/xxx.com for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xxx.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/xxx.com/privkey.pem
   Your certificate will expire on 2022-02-08. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

인증서가 만들어졌는지 확인


# ls -la /etc/letsencrypt/live/xxx.com/

그리고 Nginx의 conf에
ssl_certificate/etc/letsencrypt/live/xxx.com/fullchain.pem;
ssl_certificate_key/etc/letsencrypt/live/xxx.com/privkey.pem;
포함하여 재부팅