🛡 Installing a Let's Encrypt certificate on JBoss WildFly on Linux

Make sure you have the following PEM-encoded files:
  • cert.pem: the server certificate only
  • chain.pem: the root and intermediate certificates only, the Let's Encrypt chain
  • fullchain.pem: the previous two, cert.pem and chain.pem, combined
  • privkey.pem: the certificate's private key

  • Download the certbot-auto script

    Change to your home directory:

    cd /home/orestis

    Download certbot-auto from the internet as superuser:

    sudo wget https://dl.eff.org/certbot-auto

    Change the mode so the script is executable by everyone:

    sudo chmod a+x certbot-auto

    certbot should now be installed; next we ask it to create or renew the certificate.

    Stop any background service that is already listening on port 80 (the standalone authenticator needs it).
  • To renew an existing certificate: certbot-auto renew

  • Example:

    certbot-auto certonly --standalone --standalone-supported-challenges http-01 --agree-tos --rsa-key-size 4096 --renew-by-default --email [email protected] -d example.com -d www.example.com

    Real example:

    certbot-auto certonly --standalone --standalone-supported-challenges http-01 --agree-tos --rsa-key-size 4096 --renew-by-default --email [email protected] -d opendevops.dev -d www.opendevops.dev

    At the end, the command line shows the following:

    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
      /etc/letsencrypt/live/*/fullchain.pem. Your cert will expire
      on *. To obtain a new or tweaked version of this certificate
      in the future, simply run certbot-auto again. To
      non-interactively renew *all* of your certificates, run
      "certbot-auto renew"
    - If you like Certbot, please consider supporting our work by:
      Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
      Donating to EFF: https://eff.org/donate-le

    Note:

    When working in a Java environment, the Java KeyStore (JKS) is the official place to store private keys. Java desktop and web applications generally expect to obtain the keys they need from a JKS, which is easy to access from Java applications themselves; a JKS cannot be accessed from outside the Java environment.

    A PKCS#12 file (PFX), also written as .p12 or .pfx, is a file format that can hold a private key together with its certificates.

    The public and private keys have to be imported into the JBoss WildFly application server. Apache and Nginx, for example, take the public key and the private key as separate files, but WildFly, like Java in general, works from a keystore (.jks). The PEM files therefore have to be converted into a P12 file, a format that Java's keytool can read.

    Using the OpenSSL security toolkit:

    Example:

    openssl pkcs12 -export -in /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem -inkey /etc/letsencrypt/live/YOURDOMAIN/privkey.pem -out KEYSTORENAME.p12 -name KEYSTOREALIAS

    Real example:

    Replace YOURDOMAIN with the folder corresponding to the domain the key was generated for; it appears in the console output listed in the previous step.

    KEYSTORENAME becomes part of the generated file name (.p12), and KEYSTOREALIAS is the alias used in the JBoss WildFly XML part of the configuration.

    After pressing ENTER you are prompted to enter and confirm a new export password. This new password is used shortly afterwards when creating the keystore.

    Creating the Java keystore (.jks)

    Example:

    /usr/lib/jvm/jdk1.7.0_80/bin/keytool -importkeystore -deststorepass WILDFLY_NEW_STORE_PASS -destkeypass WILDFLY_NEW_KEY_PASS -destkeystore NEW_KEYSTORE_FILE.jks -srckeystore KEYSTORENAME.p12 -srcstoretype PKCS12 -srcstorepass PREVIOUSPASSWORD -alias KEYSTOREALIAS

    Real example:

    /usr/lib/jvm/jdk1.8.0_80/bin/keytool -importkeystore -deststorepass athens -destkeypass athens -destkeystore mycert.jks -srckeystore mycert.p12 -srcstoretype PKCS12 -srcstorepass athens -alias mycert

    As superuser, copy the mycert.jks file into the JBoss WildFly server configuration directory:

    sudo cp mycert.jks /opt/wildfly/standalone/configuration/

    WILDFLY_NEW_STORE_PASS: the keystore password.
    WILDFLY_NEW_KEY_PASS: the password of the key in the destination keystore (-destkeypass).
    NEW_KEYSTORE_FILE: the final .jks file name.

    Open the standalone.xml configuration file and enter the values following the example:

    Example:

    <server-identities>
       <ssl>
          <keystore path="NEW_KEYSTORE_FILE.jks" 
                    relative-to="jboss.server.config.dir" 
                    keystore-password="WILDFLY_NEW_STORE_PASS" 
                    alias="KEYSTOREALIAS" 
                    key-password="WILDFLY_NEW_KEY_PASS"/>
       </ssl>
    </server-identities>

    Real example:

    <server-identities>
       <ssl>
          <keystore path="mycert.jks" 
                    relative-to="jboss.server.config.dir" 
                    keystore-password="athens" 
                    alias="mycert" 
                    key-password="athens"/>
       </ssl>
    </server-identities>

    Finally, start the WildFly application server in run mode, bound to all interfaces:

    ./standalone.sh -b 0.0.0.0
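The certbot output above says renewal is just a matter of running certbot-auto again, but WildFly reads the .jks, not the PEM files, so the PKCS#12 and keytool conversion has to be repeated after every renewal. Added example, not from the original page: a certbot deploy-hook script that re-runs the two conversion commands non-interactively and replaces the keystore atomically with owner-only permissions; the WILDFLY_ALIAS, WILDFLY_STORE_PASS and WILDFLY_CONFIG_DIR variables, the "wildfly" service user and the "wildfly" systemd unit are assumptions.

```shell
#!/bin/sh
# certbot deploy hook: rebuild the WildFly keystore after a renewal.
# certbot exports RENEWED_LINEAGE=/etc/letsencrypt/live/<domain> when it
# runs deploy hooks (certbot-auto renew --deploy-hook /path/to/this/script).
# Assumed, not from the page: WILDFLY_ALIAS / WILDFLY_STORE_PASS /
# WILDFLY_CONFIG_DIR env vars, a "wildfly" user and a "wildfly" systemd unit.
set -eu

# Return 0 only if the four PEM files written by certbot exist in $1.
check_pem_files() {
    dir="$1"
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing $dir/$f" >&2
            return 1
        fi
    done
    return 0
}

# PEM -> PKCS#12 -> JKS: the same two commands as the manual procedure,
# but given the password on the command line so no prompt blocks the hook.
build_keystore() {
    lineage="$1"; alias="$2"; storepass="$3"; out="$4"
    check_pem_files "$lineage"
    p12="$(mktemp)"
    openssl pkcs12 -export \
        -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -name "$alias" -passout "pass:$storepass" -out "$p12"
    rm -f "$out.tmp"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$storepass" \
        -destkeystore "$out.tmp" -deststoretype JKS \
        -deststorepass "$storepass" -destkeypass "$storepass" -alias "$alias"
    rm -f "$p12"
    chmod 600 "$out.tmp"      # the JKS holds the private key: owner-only
    mv -f "$out.tmp" "$out"   # atomic swap, WildFly never sees a partial file
}

# Only act when invoked by certbot; otherwise the file just defines functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    alias="${WILDFLY_ALIAS:-mycert}"
    cfg="${WILDFLY_CONFIG_DIR:-/opt/wildfly/standalone/configuration}"
    build_keystore "$RENEWED_LINEAGE" "$alias" \
        "${WILDFLY_STORE_PASS:?keystore password not set}" "$cfg/$alias.jks"
    chown wildfly:wildfly "$cfg/$alias.jks"
    systemctl restart wildfly
fi
```

The password passed as `pass:` is briefly visible in the process list; openssl also accepts `-passout env:WILDFLY_STORE_PASS` if that matters on a shared host.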