Cloudera CDH/CDP 및 Hadoop EcoSystem, Semantic IoT등의 개발/운영 기술을 정리합니다. gooper@gooper.com로 문의 주세요.
아래와 같이 letsencrypt를 사용해도 되고 sudo certbot를 사용해도됨. 그리고 인증서 갱신후 반드시 sudo service apache2 reload를 수행하여 변경사항을 반영시켜주어야함.
1. 인증서 발급하기
letsencrypt certonly --webroot --webroot-path=/home/gooper/www -d gooper.com -d www.gooper.com
letsencrypt certonly --webroot --webroot-path=/home/gdime/www -d gdime.com -d www.gdime.com
2. 인증서 갱신시 이전 버전인 ACMEv1를 사용하는 경우 오류메세지
gooper@gsda4:~/$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gooper.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Attempting to renew cert (gooper.com) from /etc/letsencrypt/renewal/gooper.com.conf produced an unexpected error: urn:acme:error:serverInternal :: The server experienced an internal error :: ACMEv1 is deprecated and you can no longer get certificates from this endpoint. Please use the ACMEv2 endpoint, you may need to update your ACME client software to do so. Visit https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/27 for more information.. Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gdime.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Attempting to renew cert (gdime.com) from /etc/letsencrypt/renewal/gdime.com.conf produced an unexpected error: urn:acme:error:serverInternal :: The server experienced an internal error :: ACMEv1 is deprecated and you can no longer get certificates from this endpoint. Please use the ACMEv2 endpoint, you may need to update your ACME client software to do so. Visit https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/27 for more information.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gooper.com/fullchain.pem (failure)
/etc/letsencrypt/live/gdime.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gooper.com/fullchain.pem (failure)
/etc/letsencrypt/live/gdime.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)
*버전에 따른 오류가 발생하면 아래 파일의 server = https://acme-v01.api.letsencrypt.org/directory부분을 server = https://acme-v02.api.letsencrypt.org/directory로 바꿔준다.
(이전 버전의 renewal정보가 설정된 모습
renewal/gooper.com.conf :server = https://acme-v01.api.letsencrypt.org/directory
renewal/gdime.com.conf :server = https://acme-v01.api.letsencrypt.org/directory
)
3. 1개도메인만 버전 정보를 수정후 다시 renew를 수행한 메세지는 아래와 같음(1개는 정상 1개는 실패)
gooper@gsda4:/etc/letsencrypt$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gooper.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for gooper.com
http-01 challenge for www.gooper.com
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/gooper.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gdime.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Attempting to renew cert (gdime.com) from /etc/letsencrypt/renewal/gdime.com.conf produced an unexpected error: urn:acme:error:serverInternal :: The server experienced an internal error :: ACMEv1 is deprecated and you can no longer get certificates from this endpoint. Please use the ACMEv2 endpoint, you may need to update your ACME client software to do so. Visit https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/27 for more information.. Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/gdime.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs were successfully renewed:
/etc/letsencrypt/live/gooper.com/fullchain.pem (success)
The following certs could not be renewed:
/etc/letsencrypt/live/gdime.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)