Hmm... I found out that the DNS authentication I posted about earlier cannot be automated with certbot renew.
https://blog.djjproject.com/643
So I switched to webroot authentication.
root@aml:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/djjproject.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 67, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 463, in __init__
self._check_symlinks()
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
"expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/djjproject.com/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/djjproject.com.conf is broken. Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No renewals were attempted.
Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/djjproject.com.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 renew failure(s), 1 parse failure(s)
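It may be failing because the files got broken during a migration along the way, but since DNS authentication also takes a long time to be reflected on the domain, I changed things as follows.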
root@aml:~# rm -rf /etc/letsencrypt/
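The traceback above comes from certbot's check that each file under live/<name>/ is a symlink into archive/<name>/. The following is an added example, not part of the original post, that reports which of those entries are plain files, dangling links or missing. The names check_lineage, make_demo_tree and example.test are assumptions for illustration, and the sample tree is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): report why certbot would
# reject a lineage directory such as /etc/letsencrypt/live/<name>.

# check_lineage LIVE_DIR: prints one status line per expected file and
# returns the number of entries that are not valid symlinks.
check_lineage() {
    live_dir=$1
    bad=0
    for name in cert.pem chain.pem fullchain.pem privkey.pem; do
        link="$live_dir/$name"
        if [ -L "$link" ] && [ -e "$link" ]; then
            echo "ok        $name -> $(readlink "$link")"
        elif [ -L "$link" ]; then
            echo "dangling  $name -> $(readlink "$link")"; bad=$((bad + 1))
        elif [ -e "$link" ]; then
            echo "regular   $name (not a symlink)"; bad=$((bad + 1))
        else
            echo "missing   $name"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# make_demo_tree DIR: constructed sample layout. cert.pem is a plain copy
# (as after cp without -a); chain.pem points at a file that does not exist.
make_demo_tree() {
    root=$1
    mkdir -p "$root/archive/example.test" "$root/live/example.test"
    for f in cert chain fullchain privkey; do
        echo "constructed placeholder" > "$root/archive/example.test/${f}1.pem"
    done
    cp "$root/archive/example.test/cert1.pem" "$root/live/example.test/cert.pem"
    ln -s ../../archive/example.test/chain9.pem "$root/live/example.test/chain.pem"
    ln -s ../../archive/example.test/fullchain1.pem "$root/live/example.test/fullchain.pem"
    ln -s ../../archive/example.test/privkey1.pem "$root/live/example.test/privkey.pem"
}

demo=$(mktemp -d)
make_demo_tree "$demo"
check_lineage "$demo/live/example.test" || echo "entries to repair: $?"
rm -rf "$demo"
```

Run against the real lineage directory, it only reads file metadata, so it can be used before deciding whether the directory has to be recreated.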
Hmm, I tried to register two names, the domain and the wildcard, but got an error.
root@aml:~# certbot certonly --webroot -w /var/www/html/main/ -d djjproject.com -d *.djjproject.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): djj9404@gmail.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
So for now I tried with just one.
root@aml:~# certbot certonly --webroot -w /var/www/html/main/ -d djjproject.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for djjproject.com
Using the webroot path /var/www/html/main for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/djjproject.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/djjproject.com/privkey.pem
Your cert will expire on 2020-09-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
root@aml:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/djjproject.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
/etc/letsencrypt/live/djjproject.com/fullchain.pem expires on 2020-09-01 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
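Since it worked as shown above, I went ahead and checked whether things work normally when accessed through the wildcard.
For now there doesn't seem to be any problem.
If a problem comes up later, I'll have to try again.
Thank you.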