Ubuntu 14.04 on AWS에서 SSL ( LetsEncrypt )
13148 단어 letsencryptSSLAWS
환경
우분투 14.04 LTS (이제)
이것을 AWS에서 실행 중입니다.
도메인 이름이 지정된 기존 웹 사이트가 Apache2에서 실행 중입니다.
보안 그룹 설정
TCP 443 포트를 엽니다.
설정
서버에 ssh로 로그인하고 루트 권한으로/etc/apache2를 구성합니다.
ubuntu@www:~$ sudo bash
root@www:/mnt/xvdf/home/ubuntu# cd /etc/apache2
root@www:/etc/apache2# ls
apache2.conf conf-enabled magic ports.conf
conf-available envvars mods-available sites-available
conf.d httpd.conf mods-enabled sites-enabled
어쨌든 이러한 ports.conf를 확인해 보겠습니다.
root@www:/etc/apache2# cat ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
mod_ssl.c가 필요합니다.
root@www:/etc/apache2# ls mods-enabled/
access_compat.load autoindex.conf mime.conf rewrite.load
alias.conf autoindex.load mime.load setenvif.conf
alias.load cgi.load mpm_prefork.conf setenvif.load
auth_basic.load deflate.conf mpm_prefork.load status.conf
authn_core.load deflate.load negotiation.conf status.load
authn_file.load dir.conf negotiation.load userdir.conf
authz_core.load dir.load php5.conf userdir.load
authz_groupfile.load env.load php5.load
authz_host.load filter.load reqtimeout.conf
authz_user.load include.load reqtimeout.load
root@www:/etc/apache2# ls mods-available/
access_compat.load dialup.load proxy_balancer.conf
actions.conf dir.conf proxy_balancer.load
actions.load dir.load proxy.conf
alias.conf disk_cache.conf proxy_connect.load
alias.load disk_cache.load proxy_express.load
allowmethods.load dump_io.load proxy_fcgi.load
asis.load echo.load proxy_fdpass.load
auth_basic.load env.load proxy_ftp.conf
auth_digest.load expires.load proxy_ftp.load
auth_form.load ext_filter.load proxy_html.load
authn_alias.load file_cache.load proxy_http.load
authn_anon.load filter.load proxy.load
authn_core.load headers.load proxy_scgi.load
authn_dbd.load heartbeat.load proxy_wstunnel.load
authn_dbm.load heartmonitor.load ratelimit.load
authn_default.load ident.load reflector.load
authn_file.load imagemap.load remoteip.load
authn_socache.load include.load reqtimeout.conf
authnz_ldap.load info.conf reqtimeout.load
authz_core.load info.load request.load
authz_dbd.load lbmethod_bybusyness.load rewrite.load
authz_dbm.load lbmethod_byrequests.load sed.load
authz_default.load lbmethod_bytraffic.load session_cookie.load
authz_groupfile.load lbmethod_heartbeat.load session_crypto.load
authz_host.load ldap.conf session_dbd.load
authz_owner.load ldap.load session.load
authz_user.load log_debug.load setenvif.conf
autoindex.conf log_forensic.load setenvif.load
autoindex.load lua.load slotmem_plain.load
buffer.load macro.load slotmem_shm.load
cache_disk.conf mem_cache.conf socache_dbm.load
cache_disk.load mem_cache.load socache_memcache.load
cache.load mime.conf socache_shmcb.load
cache_socache.load mime.load speling.load
cern_meta.load mime_magic.conf ssl.conf
cgid.conf mime_magic.load ssl.load
cgid.load mpm_event.conf status.conf
cgi.load mpm_event.load status.load
charset_lite.load mpm_prefork.conf substitute.load
data.load mpm_prefork.load suexec.load
dav_fs.conf mpm_worker.conf unique_id.load
dav_fs.load mpm_worker.load userdir.conf
dav.load negotiation.conf userdir.load
dav_lock.load negotiation.load usertrack.load
dbd.load php5.conf version.load
deflate.conf php5.load vhost_alias.load
deflate.load proxy_ajp.load xml2enc.load
ssl 모듈은 available로 설정되어 있으므로 활성화합니다.
root@www:/etc/apache2# a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
service apache2 restart
apache2를 다시 시작합니다.
root@www:/etc/apache2# a2enmod ssl2
ERROR: Module ssl2 does not exist!
root@www:/etc/apache2# service apache2 restart
* Restarting web server apache2 [fail]
* The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 43 of /etc/apache2/mods-enabled/ssl.conf:
SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
Action 'configtest' failed.
The Apache error log may have more information.
오류가 발생했습니다. 여기의 설정 파일은 태고의 옛부터부터 힘든 것이므로, 그것도 고쳐야 합니다. mod_socache_shmcb를 넣으려고하므로 그렇게합니다.
root@www:/etc/apache2# a2enmod socache_shmcb
Enabling module socache_shmcb.
To activate the new configuration, you need to run:
service apache2 restart
다시 apache2를 다시 시작.
root@www:/etc/apache2# a2enmod socache_shmcb
Enabling module socache_shmcb.
To activate the new configuration, you need to run:
service apache2 restart
root@www:/etc/apache2# service apache2 restart
* Restarting web server apache2 [fail]
* The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 49 of /etc/apache2/mods-enabled/ssl.conf:
Invalid command 'SSLMutex', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
The Apache error log may have more information.
이번에는/etc/apache2/mods-enabled/ssl.conf를 편집하고,
SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex
의 장소
Mutex default ssl-cache
합니다.
root@www:/etc/apache2# service apache2 restart
* Restarting web server apache2
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/ports.conf:8
[ OK ]
움직였습니다. 이제 https://를 사용하여 사이트에 액세스하면 인증서 오류가 발생합니다. 그래서 다음에 인증서를 설치합니다.
letsencrypt
16.04라면 apt-get으로 들어간다고 합니다만, 14.04라면
root@www:/etc/apache2# apt-get install letsencrypt python-letsencrypt-apache
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package letsencrypt
E: Unable to locate package python-letsencrypt-apache
없는 것 같기 때문에
# apt-get install software-properties-common
# add-apt-repository ppa:certbot/certbot
# apt-get update
# apt-get install python-certbot-apache
로 설치합니다.
실행합니다.
root@www:/etc/apache2# letsencrypt --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.example.net
2: www.example.com
3: www.example.org
4: www.nanbu.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 4
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.nanbu.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/nanbu-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/nanbu-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/nanbu-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.nanbu.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.nanbu.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.nanbu.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.nanbu.com/privkey.pem
Your cert will expire on 2019-03-02. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
root@www:/etc/apache2#
그 후, https://를 붙여 사이트에 액세스하면 무사히 열람할 수 있었습니다.
덤 ACM (AWS Certificate Manager)
무료로 사용할 수 있다는 것으로 시험해 보았습니다.
DNS 인증을 선택하고 인증서 발급 작업을 합니다.
잠시 다음과 같이되어 있기 때문에 기다립니다.
하룻밤이 지나면 다음과 같습니다.
이것을 서버에로드하고 구성할까요? 라고 생각했습니다만, 파일 출력은 할 수 없는 것 같고, ELB등에서 밖에 사용하는 방법이 있는 것 같습니다. ELB 도입해도 좋지만 더 평범한 설정을 하고 싶고, 표제의 방식으로 변경했습니다.
Reference
이 문제에 관하여(Ubuntu 14.04 on AWS에서 SSL ( LetsEncrypt )), 우리는 이곳에서 더 많은 자료를 발견하고 링크를 클릭하여 보았다
https://qiita.com/nanbuwks/items/39cde1d9f309c2c476fe
텍스트를 자유롭게 공유하거나 복사할 수 있습니다.하지만 이 문서의 URL은 참조 URL로 남겨 두십시오.
우수한 개발자 콘텐츠 발견에 전념
(Collection and Share based on the CC Protocol.)
TCP 443 포트를 엽니다.
설정
서버에 ssh로 로그인하고 루트 권한으로/etc/apache2를 구성합니다.
ubuntu@www:~$ sudo bash
root@www:/mnt/xvdf/home/ubuntu# cd /etc/apache2
root@www:/etc/apache2# ls
apache2.conf conf-enabled magic ports.conf
conf-available envvars mods-available sites-available
conf.d httpd.conf mods-enabled sites-enabled
어쨌든 이러한 ports.conf를 확인해 보겠습니다.
root@www:/etc/apache2# cat ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
mod_ssl.c가 필요합니다.
root@www:/etc/apache2# ls mods-enabled/
access_compat.load autoindex.conf mime.conf rewrite.load
alias.conf autoindex.load mime.load setenvif.conf
alias.load cgi.load mpm_prefork.conf setenvif.load
auth_basic.load deflate.conf mpm_prefork.load status.conf
authn_core.load deflate.load negotiation.conf status.load
authn_file.load dir.conf negotiation.load userdir.conf
authz_core.load dir.load php5.conf userdir.load
authz_groupfile.load env.load php5.load
authz_host.load filter.load reqtimeout.conf
authz_user.load include.load reqtimeout.load
root@www:/etc/apache2# ls mods-available/
access_compat.load dialup.load proxy_balancer.conf
actions.conf dir.conf proxy_balancer.load
actions.load dir.load proxy.conf
alias.conf disk_cache.conf proxy_connect.load
alias.load disk_cache.load proxy_express.load
allowmethods.load dump_io.load proxy_fcgi.load
asis.load echo.load proxy_fdpass.load
auth_basic.load env.load proxy_ftp.conf
auth_digest.load expires.load proxy_ftp.load
auth_form.load ext_filter.load proxy_html.load
authn_alias.load file_cache.load proxy_http.load
authn_anon.load filter.load proxy.load
authn_core.load headers.load proxy_scgi.load
authn_dbd.load heartbeat.load proxy_wstunnel.load
authn_dbm.load heartmonitor.load ratelimit.load
authn_default.load ident.load reflector.load
authn_file.load imagemap.load remoteip.load
authn_socache.load include.load reqtimeout.conf
authnz_ldap.load info.conf reqtimeout.load
authz_core.load info.load request.load
authz_dbd.load lbmethod_bybusyness.load rewrite.load
authz_dbm.load lbmethod_byrequests.load sed.load
authz_default.load lbmethod_bytraffic.load session_cookie.load
authz_groupfile.load lbmethod_heartbeat.load session_crypto.load
authz_host.load ldap.conf session_dbd.load
authz_owner.load ldap.load session.load
authz_user.load log_debug.load setenvif.conf
autoindex.conf log_forensic.load setenvif.load
autoindex.load lua.load slotmem_plain.load
buffer.load macro.load slotmem_shm.load
cache_disk.conf mem_cache.conf socache_dbm.load
cache_disk.load mem_cache.load socache_memcache.load
cache.load mime.conf socache_shmcb.load
cache_socache.load mime.load speling.load
cern_meta.load mime_magic.conf ssl.conf
cgid.conf mime_magic.load ssl.load
cgid.load mpm_event.conf status.conf
cgi.load mpm_event.load status.load
charset_lite.load mpm_prefork.conf substitute.load
data.load mpm_prefork.load suexec.load
dav_fs.conf mpm_worker.conf unique_id.load
dav_fs.load mpm_worker.load userdir.conf
dav.load negotiation.conf userdir.load
dav_lock.load negotiation.load usertrack.load
dbd.load php5.conf version.load
deflate.conf php5.load vhost_alias.load
deflate.load proxy_ajp.load xml2enc.load
ssl 모듈은 available로 설정되어 있으므로 활성화합니다.
root@www:/etc/apache2# a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
service apache2 restart
apache2를 다시 시작합니다.
root@www:/etc/apache2# a2enmod ssl2
ERROR: Module ssl2 does not exist!
root@www:/etc/apache2# service apache2 restart
* Restarting web server apache2 [fail]
* The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 43 of /etc/apache2/mods-enabled/ssl.conf:
SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
Action 'configtest' failed.
The Apache error log may have more information.
오류가 발생했습니다. 여기의 설정 파일은 태고의 옛부터부터 힘든 것이므로, 그것도 고쳐야 합니다. mod_socache_shmcb를 넣으려고하므로 그렇게합니다.
root@www:/etc/apache2# a2enmod socache_shmcb
Enabling module socache_shmcb.
To activate the new configuration, you need to run:
service apache2 restart
다시 apache2를 다시 시작.
root@www:/etc/apache2# a2enmod socache_shmcb
Enabling module socache_shmcb.
To activate the new configuration, you need to run:
service apache2 restart
root@www:/etc/apache2# service apache2 restart
* Restarting web server apache2 [fail]
* The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 49 of /etc/apache2/mods-enabled/ssl.conf:
Invalid command 'SSLMutex', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
The Apache error log may have more information.
이번에는/etc/apache2/mods-enabled/ssl.conf를 편집하고,
SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex
의 장소
Mutex default ssl-cache
합니다.
root@www:/etc/apache2# service apache2 restart
* Restarting web server apache2
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/ports.conf:8
[ OK ]
움직였습니다. 이제 https://를 사용하여 사이트에 액세스하면 인증서 오류가 발생합니다. 그래서 다음에 인증서를 설치합니다.
letsencrypt
16.04라면 apt-get으로 들어간다고 합니다만, 14.04라면
root@www:/etc/apache2# apt-get install letsencrypt python-letsencrypt-apache
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package letsencrypt
E: Unable to locate package python-letsencrypt-apache
없는 것 같기 때문에
# apt-get install software-properties-common
# add-apt-repository ppa:certbot/certbot
# apt-get update
# apt-get install python-certbot-apache
로 설치합니다.
실행합니다.
root@www:/etc/apache2# letsencrypt --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.example.net
2: www.example.com
3: www.example.org
4: www.nanbu.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 4
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.nanbu.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/nanbu-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/nanbu-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/nanbu-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.nanbu.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.nanbu.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.nanbu.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.nanbu.com/privkey.pem
Your cert will expire on 2019-03-02. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
root@www:/etc/apache2#
그 후, https://를 붙여 사이트에 액세스하면 무사히 열람할 수 있었습니다.
덤 ACM (AWS Certificate Manager)
무료로 사용할 수 있다는 것으로 시험해 보았습니다.
DNS 인증을 선택하고 인증서 발급 작업을 합니다.
잠시 다음과 같이되어 있기 때문에 기다립니다.
하룻밤이 지나면 다음과 같습니다.
이것을 서버에로드하고 구성할까요? 라고 생각했습니다만, 파일 출력은 할 수 없는 것 같고, ELB등에서 밖에 사용하는 방법이 있는 것 같습니다. ELB 도입해도 좋지만 더 평범한 설정을 하고 싶고, 표제의 방식으로 변경했습니다.
Reference
이 문제에 관하여(Ubuntu 14.04 on AWS에서 SSL ( LetsEncrypt )), 우리는 이곳에서 더 많은 자료를 발견하고 링크를 클릭하여 보았다
https://qiita.com/nanbuwks/items/39cde1d9f309c2c476fe
텍스트를 자유롭게 공유하거나 복사할 수 있습니다.하지만 이 문서의 URL은 참조 URL로 남겨 두십시오.
우수한 개발자 콘텐츠 발견에 전념
(Collection and Share based on the CC Protocol.)
ubuntu@www:~$ sudo bash
root@www:/mnt/xvdf/home/ubuntu# cd /etc/apache2
root@www:/etc/apache2# ls
apache2.conf conf-enabled magic ports.conf
conf-available envvars mods-available sites-available
conf.d httpd.conf mods-enabled sites-enabled
root@www:/etc/apache2# cat ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
root@www:/etc/apache2# ls mods-enabled/
access_compat.load autoindex.conf mime.conf rewrite.load
alias.conf autoindex.load mime.load setenvif.conf
alias.load cgi.load mpm_prefork.conf setenvif.load
auth_basic.load deflate.conf mpm_prefork.load status.conf
authn_core.load deflate.load negotiation.conf status.load
authn_file.load dir.conf negotiation.load userdir.conf
authz_core.load dir.load php5.conf userdir.load
authz_groupfile.load env.load php5.load
authz_host.load filter.load reqtimeout.conf
authz_user.load include.load reqtimeout.load
root@www:/etc/apache2# ls mods-available/
access_compat.load dialup.load proxy_balancer.conf
actions.conf dir.conf proxy_balancer.load
actions.load dir.load proxy.conf
alias.conf disk_cache.conf proxy_connect.load
alias.load disk_cache.load proxy_express.load
allowmethods.load dump_io.load proxy_fcgi.load
asis.load echo.load proxy_fdpass.load
auth_basic.load env.load proxy_ftp.conf
auth_digest.load expires.load proxy_ftp.load
auth_form.load ext_filter.load proxy_html.load
authn_alias.load file_cache.load proxy_http.load
authn_anon.load filter.load proxy.load
authn_core.load headers.load proxy_scgi.load
authn_dbd.load heartbeat.load proxy_wstunnel.load
authn_dbm.load heartmonitor.load ratelimit.load
authn_default.load ident.load reflector.load
authn_file.load imagemap.load remoteip.load
authn_socache.load include.load reqtimeout.conf
authnz_ldap.load info.conf reqtimeout.load
authz_core.load info.load request.load
authz_dbd.load lbmethod_bybusyness.load rewrite.load
authz_dbm.load lbmethod_byrequests.load sed.load
authz_default.load lbmethod_bytraffic.load session_cookie.load
authz_groupfile.load lbmethod_heartbeat.load session_crypto.load
authz_host.load ldap.conf session_dbd.load
authz_owner.load ldap.load session.load
authz_user.load log_debug.load setenvif.conf
autoindex.conf log_forensic.load setenvif.load
autoindex.load lua.load slotmem_plain.load
buffer.load macro.load slotmem_shm.load
cache_disk.conf mem_cache.conf socache_dbm.load
cache_disk.load mem_cache.load socache_memcache.load
cache.load mime.conf socache_shmcb.load
cache_socache.load mime.load speling.load
cern_meta.load mime_magic.conf ssl.conf
cgid.conf mime_magic.load ssl.load
cgid.load mpm_event.conf status.conf
cgi.load mpm_event.load status.load
charset_lite.load mpm_prefork.conf substitute.load
data.load mpm_prefork.load suexec.load
dav_fs.conf mpm_worker.conf unique_id.load
dav_fs.load mpm_worker.load userdir.conf
dav.load negotiation.conf userdir.load
dav_lock.load negotiation.load usertrack.load
dbd.load php5.conf version.load
deflate.conf php5.load vhost_alias.load
deflate.load proxy_ajp.load xml2enc.load
root@www:/etc/apache2# a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
service apache2 restart
root@www:/etc/apache2# a2enmod ssl2
ERROR: Module ssl2 does not exist!
root@www:/etc/apache2# service apache2 restart
* Restarting web server apache2 [fail]
* The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 43 of /etc/apache2/mods-enabled/ssl.conf:
SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
Action 'configtest' failed.
The Apache error log may have more information.
root@www:/etc/apache2# a2enmod socache_shmcb
Enabling module socache_shmcb.
To activate the new configuration, you need to run:
service apache2 restart
root@www:/etc/apache2# a2enmod socache_shmcb
Enabling module socache_shmcb.
To activate the new configuration, you need to run:
service apache2 restart
root@www:/etc/apache2# service apache2 restart
* Restarting web server apache2 [fail]
* The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 49 of /etc/apache2/mods-enabled/ssl.conf:
Invalid command 'SSLMutex', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
The Apache error log may have more information.
SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex
Mutex default ssl-cache
root@www:/etc/apache2# service apache2 restart
* Restarting web server apache2
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/ports.conf:8
[ OK ]
16.04라면 apt-get으로 들어간다고 합니다만, 14.04라면
root@www:/etc/apache2# apt-get install letsencrypt python-letsencrypt-apache
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package letsencrypt
E: Unable to locate package python-letsencrypt-apache
없는 것 같기 때문에
# apt-get install software-properties-common
# add-apt-repository ppa:certbot/certbot
# apt-get update
# apt-get install python-certbot-apache
로 설치합니다.
실행합니다.
root@www:/etc/apache2# letsencrypt --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.example.net
2: www.example.com
3: www.example.org
4: www.nanbu.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 4
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.nanbu.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/nanbu-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/nanbu-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/nanbu-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.nanbu.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.nanbu.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.nanbu.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.nanbu.com/privkey.pem
Your cert will expire on 2019-03-02. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
root@www:/etc/apache2#
그 후, https://를 붙여 사이트에 액세스하면 무사히 열람할 수 있었습니다.
덤 ACM (AWS Certificate Manager)
무료로 사용할 수 있다는 것으로 시험해 보았습니다.
DNS 인증을 선택하고 인증서 발급 작업을 합니다.
잠시 다음과 같이되어 있기 때문에 기다립니다.
하룻밤이 지나면 다음과 같습니다.
이것을 서버에로드하고 구성할까요? 라고 생각했습니다만, 파일 출력은 할 수 없는 것 같고, ELB등에서 밖에 사용하는 방법이 있는 것 같습니다. ELB 도입해도 좋지만 더 평범한 설정을 하고 싶고, 표제의 방식으로 변경했습니다.
Reference
이 문제에 관하여(Ubuntu 14.04 on AWS에서 SSL ( LetsEncrypt )), 우리는 이곳에서 더 많은 자료를 발견하고 링크를 클릭하여 보았다
https://qiita.com/nanbuwks/items/39cde1d9f309c2c476fe
텍스트를 자유롭게 공유하거나 복사할 수 있습니다.하지만 이 문서의 URL은 참조 URL로 남겨 두십시오.
우수한 개발자 콘텐츠 발견에 전념
(Collection and Share based on the CC Protocol.)
Reference
이 문제에 관하여(Ubuntu 14.04 on AWS에서 SSL ( LetsEncrypt )), 우리는 이곳에서 더 많은 자료를 발견하고 링크를 클릭하여 보았다 https://qiita.com/nanbuwks/items/39cde1d9f309c2c476fe텍스트를 자유롭게 공유하거나 복사할 수 있습니다.하지만 이 문서의 URL은 참조 URL로 남겨 두십시오.
우수한 개발자 콘텐츠 발견에 전념 (Collection and Share based on the CC Protocol.)