Wednesday, March 11, 2020

[Let's Encrypt] How to install a free SSL (wildcard) certificate on Tomcat on Ubuntu


Looking into free SSL certificates for Tomcat, I found that most are issued for only three months.
With Let's Encrypt, though, renewal can be automated with cron, so I went ahead with it.

Official site: https://letsencrypt.org/ko/


Test environment: Ubuntu 18.04


1. Install certbot


ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$ certbot
# certbot is not installed yet
Command 'certbot' not found, but can be installed with:

sudo apt install certbot

ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$ sudo apt-get update
Hit:1 http://ap-seoul-1-ad-1.clouds.archive.ubuntu.com/ubuntu bionic InRelease
Get:2 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Hit:3 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic InRelease
Get:4 http://ap-seoul-1-ad-1.clouds.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:5 http://ap-seoul-1-ad-1.clouds.archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Get:6 http://ap-seoul-1-ad-1.clouds.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages [871 kB]
Get:7 http://ap-seoul-1-ad-1.clouds.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages [1055 kB]
Get:8 http://ap-seoul-1-ad-1.clouds.archive.ubuntu.com/ubuntu bionic-updates/universe Translation-en [326 kB]
Fetched 2505 kB in 3s (798 kB/s)
Reading package lists... Done
ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$ sudo apt-get install software-properties-common
Reading package lists... Done
Building dependency tree
Reading state information... Done
software-properties-common is already the newest version (0.96.24.32.12).
The following package was automatically installed and is no longer required:
  grub-pc-bin
Use 'sudo apt autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 42 not upgraded.
ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$ sudo add-apt-repository ppa:certbot/certbot
 This is the PPA for packages prepared by Debian Let's Encrypt Team and backported for Ubuntu.

Note: Packages are only provided for currently supported Ubuntu releases.
 More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot
Press [ENTER] to continue or Ctrl-c to cancel adding it.

Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:2 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic InRelease
Hit:3 http://ap-seoul-1-ad-1.clouds.archive.ubuntu.com/ubuntu bionic InRelease
Hit:4 http://ap-seoul-1-ad-1.clouds.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:5 http://ap-seoul-1-ad-1.clouds.archive.ubuntu.com/ubuntu bionic-backports InRelease
Reading package lists... Done
ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$ sudo apt-get install certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  grub-pc-bin
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
  python3-acme python3-certbot python3-configargparse python3-future python3-icu python3-josepy python3-mock python3-ndg-httpsclient python3-parsedatetime python3-pbr python3-requests-toolbelt python3-rfc3339 python3-tz
  python3-zope.component python3-zope.event python3-zope.hookable
Suggested packages:
  python3-certbot-apache python3-certbot-nginx python-certbot-doc python-acme-doc python-future-doc python-mock-doc
The following NEW packages will be installed:
  certbot python3-acme python3-certbot python3-configargparse python3-future python3-icu python3-josepy python3-mock python3-ndg-httpsclient python3-parsedatetime python3-pbr python3-requests-toolbelt python3-rfc3339 python3-tz
  python3-zope.component python3-zope.event python3-zope.hookable
0 upgraded, 17 newly installed, 0 to remove and 42 not upgraded.
Need to get 1113 kB of archives.
After this operation, 5884 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://ap-seoul-1-ad-1.clouds.archive.ubuntu.com/ubuntu bionic/main amd64 python3-pbr all 3.1.1-3ubuntu3 [53.8 kB]
Get:2 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic/main amd64 python3-josepy all 1.1.0-2+ubuntu18.04.1+certbot+1 [27.8 kB]

  ...omitted...

Setting up python3-josepy (1.1.0-2+ubuntu18.04.1+certbot+1) ...
Setting up python3-tz (2018.3-2) ...
Setting up python3-parsedatetime (2.4-3+ubuntu18.04.1+certbot+3) ...
Setting up python3-rfc3339 (1.0-4) ...
Setting up python3-zope.component (4.3.0-1+ubuntu18.04.1+certbot+3) ...
Setting up python3-acme (0.31.0-2+ubuntu18.04.3+certbot+2) ...
Setting up python3-certbot (0.31.0-1+ubuntu18.04.1+certbot+1) ...
Setting up certbot (0.31.0-1+ubuntu18.04.1+certbot+1) ...
Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /lib/systemd/system/certbot.timer.
certbot.service is a disabled or a static unit, not starting it.
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$ certbot
# certbot installed successfully
The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
ubuntu@instance-1004lucifer:~$






2. Generate the certificate


ubuntu@instance-1004lucifer:~$ sudo certbot certonly --manual --preferred-challenges dns -d "1004lucifer.co.kr" -d "*.1004lucifer.co.kr"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for 1004lucifer.co.kr

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.1004lucifer.co.kr with the following value:

M7dc7nmfVKAXWdDZ5b2H1vIw8iAD82FKdfPGAi0YOCA

Before continuing, verify the record is deployed.
# At this point, add a TXT record for that name with the given value in DNS, wait a moment, then press Enter.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/1004lucifer.co.kr/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/1004lucifer.co.kr/privkey.pem
   Your cert will expire on 2020-06-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$ ll /etc/letsencrypt/
total 40
drwxr-xr-x  9 root root 4096 Mar 11 17:12 ./
drwxr-xr-x 97 root root 4096 Mar 11 19:57 ../
drwx------  3 root root 4096 Mar  9 20:16 accounts/
drwx------  3 root root 4096 Mar 10 13:47 archive/
-rw-r--r--  1 root root  121 Feb 10  2019 cli.ini
drwxr-xr-x  2 root root 4096 Mar 11 16:36 csr/
drwx------  2 root root 4096 Mar 11 16:36 keys/
drwx------  3 root root 4096 Mar 10 13:47 live/
drwxr-xr-x  2 root root 4096 Mar 11 16:36 renewal/
drwxr-xr-x  5 root root 4096 Mar  9 20:16 renewal-hooks/
ubuntu@instance-1004lucifer:~$
# Give users other than root read access to the certificate directory
ubuntu@instance-1004lucifer:~$ sudo chmod 755 /etc/letsencrypt/live/
ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$ ll /etc/letsencrypt/
total 40
drwxr-xr-x  9 root root 4096 Mar 11 17:12 ./
drwxr-xr-x 97 root root 4096 Mar 11 19:57 ../
drwx------  3 root root 4096 Mar  9 20:16 accounts/
drwx------  3 root root 4096 Mar 10 13:47 archive/
-rw-r--r--  1 root root  121 Feb 10  2019 cli.ini
drwxr-xr-x  2 root root 4096 Mar 11 16:36 csr/
drwx------  2 root root 4096 Mar 11 16:36 keys/
drwx--x--x  3  711 root 4096 Mar 10 13:47 live/
drwxr-xr-x  2 root root 4096 Mar 11 16:36 renewal/
drwxr-xr-x  5 root root 4096 Mar  9 20:16 renewal-hooks/
ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$ ll /etc/letsencrypt/live/1004lucifer.co.kr/
total 28
drwxr-xr-x 2 root root 4096 Mar 11 16:36 ./
drwxr-xr-x 3  755 root 4096 Mar 10 13:47 ../
-rw-r--r-- 1 root root  692 Mar 10 13:47 README
lrwxrwxrwx 1 root root   41 Mar 11 16:36 cert.pem -> ../../archive/1004lucifer.co.kr/cert2.pem
lrwxrwxrwx 1 root root   42 Mar 11 16:36 chain.pem -> ../../archive/1004lucifer.co.kr/chain2.pem
lrwxrwxrwx 1 root root   46 Mar 11 16:36 fullchain.pem -> ../../archive/1004lucifer.co.kr/fullchain2.pem
lrwxrwxrwx 1 root root   44 Mar 11 16:36 privkey.pem -> ../../archive/1004lucifer.co.kr/privkey2.pem

ubuntu@instance-1004lucifer:~$



I did the following in Cafe24.
(PS. At first the hostname input field was not shown; when I asked Cafe24, they said that on first registration you have to request it through the support board, and once it has been registered, the input field is shown from then on.)


3. Create the certificate for Tomcat


ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$ sudo bash
root@instance-1004lucifer:~#
root@instance-1004lucifer:~#
root@instance-1004lucifer:~# cd /etc/letsencrypt/live/1004lucifer.co.kr/
root@instance-1004lucifer:/etc/letsencrypt/live/1004lucifer.co.kr#
root@instance-1004lucifer:/etc/letsencrypt/live/1004lucifer.co.kr#
root@instance-1004lucifer:/etc/letsencrypt/live/1004lucifer.co.kr# openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert_and_key.p12 -CAfile chain.pem -caname root -passout pass:password -name root
root@instance-1004lucifer:/etc/letsencrypt/live/1004lucifer.co.kr#
root@instance-1004lucifer:/etc/letsencrypt/live/1004lucifer.co.kr# ll
total 20
drwxr-xr-x 2 root root 4096 Mar 11 21:42 ./
drwxr-xr-x 3  755 root 4096 Mar 10 13:47 ../
-rw-r--r-- 1 root root  692 Mar 10 13:47 README
lrwxrwxrwx 1 root root   41 Mar 11 16:36 cert.pem -> ../../archive/1004lucifer.co.kr/cert2.pem
-rw------- 1 root root 4294 Mar 11 21:42 cert_and_key.p12
lrwxrwxrwx 1 root root   42 Mar 11 16:36 chain.pem -> ../../archive/1004lucifer.co.kr/chain2.pem
lrwxrwxrwx 1 root root   46 Mar 11 16:36 fullchain.pem -> ../../archive/1004lucifer.co.kr/fullchain2.pem
lrwxrwxrwx 1 root root   44 Mar 11 16:36 privkey.pem -> ../../archive/1004lucifer.co.kr/privkey2.pem
root@instance-1004lucifer:/etc/letsencrypt/live/1004lucifer.co.kr#
root@instance-1004lucifer:/etc/letsencrypt/live/1004lucifer.co.kr#
root@instance-1004lucifer:/etc/letsencrypt/live/1004lucifer.co.kr# keytool -delete -alias root -keystore keyStore.jks -importkeystore -srcstorepass password -destkeystore keyStore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -storepass password
Importing keystore cert_and_key.p12 to keyStore.jks...
Entry for alias root successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keyStore.jks -destkeystore keyStore.jks -deststoretype pkcs12".
root@instance-1004lucifer:/etc/letsencrypt/live/1004lucifer.co.kr#
root@instance-1004lucifer:/etc/letsencrypt/live/1004lucifer.co.kr#
root@instance-1004lucifer:/etc/letsencrypt/live/1004lucifer.co.kr# ll
total 24
drwxr-xr-x 2 root root 4096 Mar 11 21:42 ./
drwxr-xr-x 3  755 root 4096 Mar 10 13:47 ../
-rw-r--r-- 1 root root  692 Mar 10 13:47 README
lrwxrwxrwx 1 root root   41 Mar 11 16:36 cert.pem -> ../../archive/1004lucifer.co.kr/cert2.pem
-rw------- 1 root root 4294 Mar 11 21:42 cert_and_key.p12
lrwxrwxrwx 1 root root   42 Mar 11 16:36 chain.pem -> ../../archive/1004lucifer.co.kr/chain2.pem
lrwxrwxrwx 1 root root   46 Mar 11 16:36 fullchain.pem -> ../../archive/1004lucifer.co.kr/fullchain2.pem
-rw-r--r-- 1 root root 3932 Mar 11 21:42 keyStore.jks
lrwxrwxrwx 1 root root   44 Mar 11 16:36 privkey.pem -> ../../archive/1004lucifer.co.kr/privkey2.pem
root@instance-1004lucifer:/etc/letsencrypt/live/1004lucifer.co.kr#






4. Configure Tomcat to use the certificate


ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$ cat apps/apache-tomcat-8.5.51/conf/server.xml
<?xml version="1.0" encoding="UTF-8"?>

    ...omitted...

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
        <Certificate certificateKeystoreFile="/etc/letsencrypt/live/1004lucifer.co.kr/keyStore.jks"
                 certificateKeystorePassword="password"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

    ...omitted...

</Server>
ubuntu@instance-1004lucifer:~$


After completing the steps above, restart Tomcat and HTTPS connections should work.


After opening the site, you can confirm that the certificate is applied, as shown below.


5. Set up automatic certificate renewal

Let's Encrypt certificates have to be renewed every three months.
Since the certificate was issued from the Linux command line,
let's write a shell script that renews it automatically on a schedule.

I have not yet verified that the renewal actually works.
To be checked later.


ubuntu@instance-1004lucifer:~$
ubuntu@instance-1004lucifer:~$ sudo bash
root@instance-1004lucifer:~#
root@instance-1004lucifer:~#
root@instance-1004lucifer:~#
# Create the script.
root@instance-1004lucifer:~# cat > /etc/letsencrypt/live/1004lucifer.co.kr/extend.sh
#!/bin/bash

cd /etc/letsencrypt/live/1004lucifer.co.kr/

certbot renew --quiet

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert_and_key.p12 -CAfile chain.pem -caname root -passout pass:password -name root

keytool -delete -alias root -storepass password -keystore keyStore.jks

keytool -importkeystore -srcstorepass password -destkeystore keyStore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -storepass password

^C  (Ctrl + C)
root@instance-1004lucifer:~#
root@instance-1004lucifer:~#
root@instance-1004lucifer:~#
root@instance-1004lucifer:~# cat /etc/letsencrypt/live/1004lucifer.co.kr/extend.sh
#!/bin/bash

cd /etc/letsencrypt/live/1004lucifer.co.kr/

certbot renew --quiet

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert_and_key.p12 -CAfile chain.pem -caname root -passout pass:password -name root

keytool -delete -alias root -storepass password -keystore keyStore.jks


keytool -importkeystore -srcstorepass password -destkeystore keyStore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -storepass password

root@instance-1004lucifer:~#
root@instance-1004lucifer:~#
root@instance-1004lucifer:~#
# Register the script in cron.
root@instance-1004lucifer:~# crontab -e
crontab: installing new crontab
root@instance-1004lucifer:~#
root@instance-1004lucifer:~#
root@instance-1004lucifer:~# crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h  dom mon dow   command

# 1004lucifer
# LetsEncrypt SSL
0 0 1 * * /etc/letsencrypt/live/1004lucifer.co.kr/extend.sh
root@instance-1004lucifer:~#
root@instance-1004lucifer:~#
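The extend.sh script above re-exports the keystore on every run and still needs a separate Tomcat restart. As an added example (not from the original post, nor from certbot or Tomcat), the same PKCS12-to-JKS conversion from section 3 can be done in a certbot deploy hook, which certbot only runs after a renewal actually succeeds; it assumes the keystore directory, Tomcat group, password file and systemd unit named in the comments, and it assumes the renewal itself succeeds, which for a certificate issued with --manual means `certbot renew` (which runs non-interactively) needs a --manual-auth-hook that updates the DNS TXT record.

```shell
#!/bin/sh
# Constructed example, not from the original post: a certbot deploy hook that
# rebuilds the Tomcat keystore only when a certificate was actually renewed.
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/tomcat-keystore.sh
# (certbot runs scripts in that directory after each successful renewal, with
# RENEWED_LINEAGE set to the lineage directory, e.g. /etc/letsencrypt/live/<domain>).
set -eu

LE_LIVE_DIR="${LE_LIVE_DIR:-/etc/letsencrypt/live}"
KEYSTORE_DIR="${KEYSTORE_DIR:-/etc/tomcat/ssl}"         # assumed; root-owned directory
TOMCAT_GROUP="${TOMCAT_GROUP:-tomcat}"                   # assumed group Tomcat runs as
PASS_FILE="${PASS_FILE:-/etc/tomcat/ssl/keystore.pass}" # assumed; mode 0640, one line: keystore password
TOMCAT_UNIT="${TOMCAT_UNIT:-tomcat}"                     # assumed systemd unit name

# Accept only a direct child of the live directory that holds a complete key pair,
# so a bad or hostile environment cannot point the hook at an arbitrary path.
lineage_is_valid() {
    lineage="${1%/}"
    name="${lineage##*/}"
    [ "${lineage%/*}" = "$LE_LIVE_DIR" ] || return 1
    case "$name" in ''|.|..|*[!A-Za-z0-9._-]*) return 1 ;; esac
    [ -f "$lineage/fullchain.pem" ] && [ -f "$lineage/privkey.pem" ]
}

rebuild_keystore() {
    lineage="${1%/}"
    lineage_is_valid "$lineage" || { echo "refusing lineage: $lineage" >&2; return 1; }
    p12="$KEYSTORE_DIR/${lineage##*/}.p12"
    jks="$KEYSTORE_DIR/${lineage##*/}.jks"
    umask 077   # new files stay private until chgrp/chmod below
    # Bundle key + leaf + chain. The password is read from a file, not argv, so it
    # is not exposed in `ps` output the way -passout pass:password is.
    openssl pkcs12 -export -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -name tomcat -out "$p12.tmp" -passout "file:$PASS_FILE"
    # Build the JKS from scratch so no stale entry can linger (one alias, one key pair).
    rm -f "$jks.tmp"
    keytool -importkeystore -noprompt -srckeystore "$p12.tmp" -srcstoretype PKCS12 \
        -srcstorepass:file "$PASS_FILE" -destkeystore "$jks.tmp" -deststoretype JKS \
        -deststorepass:file "$PASS_FILE"
    # Readable by root and the Tomcat group only, then swapped in atomically.
    chgrp "$TOMCAT_GROUP" "$p12.tmp" "$jks.tmp" && chmod 0640 "$p12.tmp" "$jks.tmp"
    mv -f "$p12.tmp" "$p12" && mv -f "$jks.tmp" "$jks"
    systemctl restart "$TOMCAT_UNIT"   # Tomcat reads the keystore at startup
}

# certbot exports RENEWED_LINEAGE when it invokes a deploy hook; do nothing otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    rebuild_keystore "$RENEWED_LINEAGE"
fi
```

With this hook in place, extend.sh shrinks to `certbot renew --quiet` (or the packaged certbot.timer does the job), and server.xml points certificateKeystoreFile at the new .jks path instead of a world-readable file under /etc/letsencrypt/live.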



Tags: Ubuntu, Tomcat, SSL, https, certificate, wildcard, create, install


References
 - https://hiseon.me/server/letsencrypt-wildcard-certificate/
 - https://partnerjun.tistory.com/60

