[Linux + https] letsencrypt 인증서 갱신(renew) > Linux/Apm

 1. 기존 인증서 갱신(renew) - 권장 

[3줄 요약]

------------------

systemctl stop xampp 

/usr/bin/certbot renew

systemctl start xampp

------------------

----상세----------------------------------

/usr/bin/certbot renew --dry-run      //  --dry-run 옵션으로 인증시뮬레이션(실제 저장 없음)

----------------------------------

Attempting to renew cert (yesman.kr) from /etc/letsencrypt/renewal/yesman.kr.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.   //80 포트가 사용중에 있어 실패

All renewal attempts failed. The following certs could not be renewed:  /etc/letsencrypt/live/yesman.kr/fullchain.pem (failure)

-------------------------

systemctl stop xampp        //80포트를 사용중인 xampp 데몬중지 

/usr/bin/certbot renew --dry-run     //  -dry-run 옵션으로 인증 시뮬레이션, 아래처럼 성공적 결과보임.

** DRY RUN: simulating 'certbot renew' close to cert expiry

**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:

  /etc/letsencrypt/live/yesman.kr/fullchain.pem (success)

** DRY RUN: simulating 'certbot renew' close to cert expiry

**          (The test certificates above have not been saved.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

/usr/bin/certbot renew        //실제 갱신

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:

  /etc/letsencrypt/live/yesman.kr/fullchain.pem (success)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

systemctl start xampp        //80포트를 사용중인 xampp 데몬 시작 

 2. 매월(1,15일) 인증서 갱신시도 자동처리(cron) - 검증(정상갱신확인됨) 

certbotrenew.sh  스크립트 생성

------------------

#!/bin/sh

#START

systemctl stop xampp

/usr/bin/certbot renew

systemctl start xampp

#END

-----------------

chmod 100 certbotrenew.sh  실행권한줌 

cd /etc

nano crontab     //매월 1, 15일 새벽 04시 갱신(안전하게 월 2회 갱신시도, 인증만료일이 30일 넘게 남은 경우 자동 무시(거부)됨)

-----------------------------

00 4    1,15 * *   root    /home/sbhome/certbotrenew.sh >> /var/log/cron_certbotrenew.log 2>&1

-----------------------------

service cron restart 

[참고1] //2달 마다 1일 05:00시 실행(cron 옵션순서 : 분 시 일 월 요일 유저ID 실행스크립트)

00 5    1 1-12/2 *   root    /home/sbhome/certbotrenew.sh >> /var/log/cron_certbotrenew.log 2>&1

[참고2] letsencrypt 는 3개월마다 갱신되고, 가능 시점은 인증서 만료일 30일전 부터이므로, 아래 로그처럼 자동으로 무시됨.

※[갱신가능 기간설정 값(30일 이전부터)] /etc/letsencrypt/renewal  -> cat yesman.kr.conf -> # renew_before_expiry = 30 days

/var/log/cron_certbotrenew.log 

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Processing /etc/letsencrypt/renewal/yesman.kr.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:

  /etc/letsencrypt/live/yesman.kr/fullchain.pem expires on 2022-11-05 (skipped)

No renewals were attempted.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[참고3] 아파치 재시작 로그는 /opt/lampp/logs/error_log 에서 확인가능

[Thu Sep 01 05:00:01.561905 2022] AH00169: caught SIGTERM, shutting down 

[Thu Sep 01 05:00:03.948846 2022] AH00163: ...... resuming normal operations

  3. 인증서 삭제후 새로받는 방식  

cd /usr/bin  

certbot -auto delete

https://tecadmin.net/delete-lets-encrypt-certificates-using-certbot/ 

cd /etc/letsencrypt/renewal  <-   비워있음 

systemctl stop xampp   <- 80포트(xampp) 정지

sudo letsencrypt certonly --webroot-path=/opt/lampp/htdocs -d yesman.kr

How would you like to authenticate with the ACME CA?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: Spin up a temporary webserver (standalone)   <-- 여기 선택(자체 임시웹서버에 맡김)

2: Place files in webroot directory (webroot)  <- 설치 아파치서버를 이용하는 방법인데.. DNS문제 발생됨

[결과]

cd /etc/letsencrypt/renewal  <- yesman.kr.conf  생성인증서 renewal 설정정보파일 생성됨 

cd /etc/letsencrypt/archive/yesman.kr     <- 생성된 인증서파일들 확인됨.

drwxr-xr-x 2 root   root 4096  6월  6 23:12 .

drwxr-xr-x 3 sbwind root 4096  6월  6 23:12 ..

-rw-r--r-- 1 root   root 1822  6월  6 23:12 cert1.pem

-rw-r--r-- 1 root   root 3750  6월  6 23:12 chain1.pem

-rw-r--r-- 1 root   root 5572  6월  6 23:12 fullchain1.pem

-rw------- 1 root   root 1704  6월  6 23:12 privkey1.pem

systemctl start xampp <- 80포트(xampp) 시작

[참고] - 아래 미검증 -

(certbot commands)

https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-commands 

갱신에러 

https://lynmp.com/ko/article/sc811c9dc5l7 

https://blog.djjproject.com/658 

letsencrypt certonly --webroot --webroot-path=/var/www/abc.com -d abc.com 

https://extrememanual.net/27348 

webroot 를 수동으로 지정한다. 

$ sudo certbot renew -a webroot -w /somepath/some.domain.com/public_path --dry-run