OKdevTV
LetsEncrypt SSL
Outdated see /mib/letsencrypt
- SSL ๋ฌด๋ฃ ์๋น์ค
- Secure Socket Layer
- ์ธ๊ณ์ ์ธ ๋ฃจํธ ์ธ์ฆ๊ธฐ๊ด์ด ๋๋ฉ์ธ์ ์์ ํ๋ค๊ณ ๋ณด์ฆํ๋ ์๋น์ค
- DigiCert, VeriSign, Thawte, ...
- ๊ณ ๋น์ฉ, ๋๋ฉ์ธ๊ฐ * 10, ๋๋ต 20๋ง์/1๋
- https://letsencrypt.org/
- https ํ๋กํ ์ฝ์ ๋ฌด๋ฃ๋ก ์๋น์ค
- ๋คํธ์ํฌ ํจํท์ ์ํธํ
- ์ค๊ฐ์ ํจํท์ ๊ฐ๋ก์ฑ์ ๋ณผ ์ ์์
- ๋ณด์์ฑ์ด ์ข์์ง
- 2016.01.02 ํ์ฌ ๋ฒ ํ ์๋น์ค ์ค
- 90์ผ๋ง๋ค ๊ฐฑ์ ์ด ํ์ํจ
ํ์์ฌํญ
- ๋๋ฉ์ธ (์ okdevtest.net)
- ์๋ฒ (์ digitalocean.com ์๋)
- CentOS 7.1(python 2.7 built-in)๋ก ์์ ์คํ
nginx ์ค์น
letencrypt ์ค์น
certbot ๊ฐ์ด๋ ์ด์ฉํ ์ค์น ๊ฐ์ด๋ ์ถ์ฒ
AWS Linux์ผ ๊ฒฝ์ฐ
curl -O https://dl.eff.org/certbot-auto
chmod +x certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo service nginx stop
sudo su -
certbot-auto certonly --standalone --debug -d okdevtest.net
dhparams.pem
cd /etc/letsencrypt/archive/okdevtest.net
openssl dhparam -out dhparams.pem 2048
์ธ์ฆ์ ํ์ธ
# ls /etc/letsencrypt/live/okdevtest.net/
cert.pem chain.pem fullchain.pem privkey.pem
90์ผ ๊ธฐํ ์๋ ์ฐ์ฅ
echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew" | sudo tee -a /etc/crontab > /dev/null
nginx ์ค์
vi /etc/nginx/nginx.conf
# ๋๋
vi /etc/nginx/conf.d/default.conf
WebSocket ์ถ๊ฐ
proxy_set_header Upgrade $http_upgrade; # ws
proxy_set_header Connection "upgrade"; # ws
- nginx.conf ๊ต์ฒด, domain ๋ณ๊ฒฝ ํ์
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.fedora.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
index index.html index.htm;
server {
listen 80;
listen [::]:80;
server_name okdevtest.net;
# return 301 https://$host$request_uri;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
sendfile off;
proxy_pass http://127.0.0.1:8080;
proxy_redirect default;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
proxy_max_temp_file_size 0;
}
# redirect server error pages to the static page /40x.html
#
error_page 404 /404.html;
location = /40x.html {
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
server {
listen 443 ssl;
server_name okdevtest.net;
# add Strict-Transport-Security to prevent man in the middle attacks
add_header Strict-Transport-Security "max-age=31536000";
ssl_certificate /etc/letsencrypt/live/okdevtest.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/okdevtest.net/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/okdevtest.net/fullchain.pem;
#ssl_dhparam /etc/letsencrypt/live/okdevtest.net/dhparams.pem;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
#charset koi8-r;
access_log /var/log/nginx/access.log main;
location / {
sendfile off;
proxy_pass http://127.0.0.1:9090;
proxy_redirect default;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
proxy_max_temp_file_size 0;
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
}
nginx ์ค์ ํ ์คํธ
sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
HTTP to HTTPS redirect
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 307 https://$host$request_uri;
}
update alert email
Hello,
Your certificate (or certificates) for the names listed below will expire in 20 days (on 31 Oct 16 03:55 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.
okdevtv.com
www.okdevtv.com
For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can't provide support by email.
nginx update expiry
service nginx stop && certbot-auto renew && service nginx start
- ๋ฌด์ค๋จ ๊ฐฑ์ ๊ฐ๋ฅ : http://www.phpschool.com/gnuboard4/bbs/board.php?bo_table=tipntech&wr_id=80590
- thanks to @shjxenoside
when stuck
- error "ImportError: No module named cryptography"
- solution
cd /opt/eff.org/certbot/venv/lib64/python2.7
rmdir site-packages
ln -s dist-packages site-packages
from: https://github.com/certbot/certbot/issues/2544#issuecomment-405954031
do it first
rm -rf ~/.local/share/letsencrypt
rm -rf /opt/eff.org/certbot/
certbot-auto renew --debug
unset PYTHON_INSTALL_LAYOUT
/opt/eff.org/certbot/venv/local/bin/pip install --upgrade certbot
certbot-auto renew --debug
service nginx stop
certbot-auto renew --debug
service nginx start
- such as zope.interface no module named interface
unset PYTHON_INSTALL_LAYOUT
/root/.local/share/letsencrypt/bin/pip install --upgrade certbot
/opt/eff.org/certbot/venv/local/bin/pip install --upgrade certbot
when stuck 2
from cryptography.hazmat.bindings.openssl.binding import Binding ImportError: No module named cryptography.hazmat.bindings.openssl.binding
solution 1
$ echo -e "import site\nsite.addsitedir('/opt/eff.org/certbot/venv/lib64/python2.7/dist-packages')" > /opt/eff.org/certbot/venv/lib64/python2.7/site-packages/sitecustomize.py
solution 2
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/cryptography /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/cryptography
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/cryptography-2.0.2.dist-info /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/cryptography-2.0.2.dist-info
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/cffi /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/cffi
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/cffi-1.10.0.dist-info /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/cffi-1.10.0.dist-info
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/_cffi_backend.so /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/_cffi_backend.so
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/.libs_cffi_backend /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/.libs_cffi_backend
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/zope.interface-4.1.3-py2.7-nspkg.pth /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope.interface-4.1.3-py2.7-nspkg.pth
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/zope.interface-4.1.3-py2.7.egg-info /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope.interface-4.1.3-py2.7.egg-info
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/zope/interface /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/interface
apache2.2.15 on CentOS 6.8
yum update -y
yum install git
yum install httpd
vi /etc/httpd/conf/httpd.conf
service httpd restart
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt/
yum install epel-release
yum install -y python-pip
pip install virtualenv
./letsencrypt-auto --apache -d www.okdevtest.net
wireshark ํจํท ํ ์คํธ
- http vs https
- http://www.wireshark.org
ํฌ๋กฌ https ๋๋ฉ์ธ ์บ์ฌ ์ญ์ ๋ฐฉ๋ฒ
- ์ฃผ์์ฐฝ์์
chrome://net-internals/#hsts์ ๋ ฅ - delete domain ์์ ๋๋ฉ์ธ ์ ๋ ฅ ํ delete ํ๋ฉด http๋ก ์ ์ ๊ฐ๋ฅ
์ฐธ๊ณ
- SSL Test
- for windows
- ์ค์น ๋์์
- Let's Encrypt๋ฅผ ์ ์ฉ์์ผ ๋ณด์๋ค
- Lets' Encrypt๋ก ๋ฌด๋ฃ๋ก HTTPS ์ง์ํ๊ธฐ - by Outsider
- https://danpalmer.me/blog/ssl-labs-grade-a
- https://www.gypthecat.com/how-to-install-a-ssl-certificate-on-nginx
- https://community.letsencrypt.org/t/getting-certbot-auto-to-include-the-x3-public-key/18472
- zope.interface issue
- ํด๋ํฐ์ผ๋ก 5๋ถ๋ง์ letsencrypt ์ ์ฉ
- ์๋ฌ ๋ฉ์์ง์ ์ฒ๋ฆฌ
-50% ํ ์ธ์ฟ ํฐ: 15108-f2af1e086101
