[Ubuntu] Applying OpenSSL to Apache
We will apply SSL to Apache for security. Once SSL is applied, the browser can connect over https instead of http. Here we will apply OpenSSL to Apache.
If Apache is not yet installed on the Ubuntu server, install it via the link below.
■ Reference - about https
OpenSSL installation and certificate creation
1. Install OpenSSL
First, update the Ubuntu packages and check whether OpenSSL is installed.
[mgt@localserver: ~$] sudo apt-get update
[mgt@localserver: ~$] sudo openssl version
OpenSSL 1.0.2g  1 Mar 2016
If OpenSSL is installed, the version is shown as above. If it is not installed, run the command below to install it.
[mgt@localserver: ~$] sudo apt-get install openssl
2. Generate the private key
[mgt@localserver: ~$] sudo openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
....................+++
...............................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
139937575311000:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:823:You must type in 4 to 1023 characters
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
Run the key generation command and enter a passphrase of your choice for the private key. This creates server.key, the server's private key. (The "result too small" error above means the first passphrase typed was shorter than the 4-character minimum; openssl simply prompts again.)
Enter a passphrase of your choice for the private key.
3. Generate the CSR (Certificate Signing Request)
[mgt@localserver: ~$] sudo openssl req -new -days 365 -key server.key -out server.csr
Enter pass phrase for server.key:
Enter the passphrase of the private key created above. (The -days option has no effect on a CSR; the validity period is set when the certificate is signed in the certificate generation step below.)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KR
State or Province Name (full name) [Some-State]:Seoul
Locality Name (eg, city) []:Yeongdeungpo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:myspring
Organizational Unit Name (eg, section) []:myspring
Common Name (e.g. server FQDN or YOUR name) []:myspring.local
Email Address []:web@myspring.local
You are then asked for various pieces of information. Fill them in as appropriate for your own setup.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Next comes a prompt for additional attributes; press Enter twice to skip it.
Fill in the information appropriately, and press Enter to skip the additional attributes.
4. Remove the private key passphrase
If the private key has a passphrase, Apache asks for it every time it starts. For convenience, remove the passphrase from the private key. Removing the passphrase does not affect SSL itself; file permissions are then the only thing protecting the key, so keep it readable by root only.
# back up the existing private key
[mgt@localserver: ~$] sudo cp server.key server.key.origin
# remove the private key passphrase
[mgt@localserver: ~$] sudo openssl rsa -in server.key.origin -out server.key
Enter pass phrase for server.key.origin:
Once the passphrase has been removed, the output looks like the above.
5. Generate the certificate
Generate the certificate from the private key and the certificate signing request.
[mgt@localserver: ~$] sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=KR/ST=Seoul/L=Yeongdeungpo/O=myspring/OU=myspring/CN=myspring.local/emailAddress=web@myspring.local
Getting Private key
6. Check the generated certificate
[mgt@localserver: ~$] ls -l server*
-rw-r--r-- 1 root root 1070 Nov  9 15:55 server.csr
-rw-r--r-- 1 root root 1675 Nov  9 16:00 server.key
-rw-r--r-- 1 root root 1743 Nov  9 15:59 server.key.origin
# check the private key
[mgt@localserver: ~$] cat server.key | head -3
# check the certificate
[mgt@localserver: ~$] cat server.crt | head -3
Checking the private key and certificate
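As an added example (not part of the original post), the key, CSR and certificate steps above run non-interactively, plus the check a practitioner actually wants when verifying the result: that server.crt was issued for server.key. WORKDIR, the function names and the subjectAltName extension are my additions; the DN values are the ones typed in the post, and openssl on PATH is assumed.

```shell
#!/bin/sh
# Added example (not part of the original post): the key, CSR and certificate
# steps of the post run without prompts, followed by a real check that the
# certificate belongs to the key. WORKDIR, the function names and the SAN
# extension are assumptions; the DN values are the ones used in the post.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJ="/C=KR/ST=Seoul/L=Yeongdeungpo/O=myspring/OU=myspring"
SUBJ="$SUBJ/CN=myspring.local/emailAddress=web@myspring.local"

# Key generation and passphrase removal in one go: an unencrypted 2048-bit RSA
# key. Creating it under umask 077 gives the file mode 0600 from the start.
make_key() {
    ( umask 077; openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null )
}

# The CSR, with the DN given on the command line instead of at the prompts
make_csr() {
    openssl req -new -key "$WORKDIR/server.key" -subj "$SUBJ" \
        -out "$WORKDIR/server.csr" 2>/dev/null
}

# Self-signed certificate, valid 365 days as in the post. A subjectAltName is
# added because browsers match the host name against the SAN, not the CN, so a
# CN-only certificate fails the name check even once it is trusted.
make_cert() {
    printf 'subjectAltName=DNS:myspring.local\n' > "$WORKDIR/san.ext"
    openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
        -signkey "$WORKDIR/server.key" -extfile "$WORKDIR/san.ext" \
        -out "$WORKDIR/server.crt" 2>/dev/null
}

# The check step done properly: the RSA modulus in the key and in the
# certificate must be identical, and the certificate must verify as its own CA.
check_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$WORKDIR/server.key")
    crt_mod=$(openssl x509 -noout -modulus -in "$WORKDIR/server.crt")
    [ "$key_mod" = "$crt_mod" ] || return 1
    openssl verify -CAfile "$WORKDIR/server.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Subject of the generated certificate, for comparison with the post's output
cert_subject() {
    openssl x509 -noout -subject -in "$WORKDIR/server.crt"
}

make_key && make_csr && make_cert && check_cert && cert_subject
```

The generated files land in WORKDIR with the same names the post uses, so they can be copied into /etc/apache2/ssl as in the next section.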
Applying SSL to Apache
1. Create the SSL directory and copy the certificate
For ease of management, create a directory to hold the SSL certificate files.
[mgt@localserver: ~$] sudo mkdir /etc/apache2/ssl
Copy the certificate files into the newly created directory.
[mgt@localserver: ~$] sudo cp server.crt /etc/apache2/ssl/server.crt
[mgt@localserver: ~$] sudo cp server.csr /etc/apache2/ssl/server.csr
[mgt@localserver: ~$] sudo cp server.key /etc/apache2/ssl/server.key
Copied into the new directory
2. Enable the SSL module
Enable Apache's SSL module. A message asking you to restart Apache appears at this point; ignore it for now.
[mgt@localserver: ~$] sudo a2enmod ssl
Running the command produces the output above.
3. Edit /etc/apache2/ports.conf
Add the following to ports.conf. Ubuntu's stock ports.conf usually already contains a Listen 443 block inside an <IfModule ssl_module> section; check before adding, because a second Listen on the same port stops Apache from starting.
[mgt@localserver: ~$] sudo nano /etc/apache2/ports.conf
# add the following
<IfModule mod_ssl.c>
    Listen 443
</IfModule>
Content added to ports.conf
4. Copy default-ssl.conf
Copy default-ssl.conf and rename the copy board-ssl.conf. Choose a name for the copy that is easy for you to recognise (e.g. your domain name).
sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/board-ssl.conf
Move to the directory and confirm the copied file
5. Edit the copied file
Edit the file copied above.
[mgt@localserver: ~$] sudo nano /etc/apache2/sites-available/board-ssl.conf
# change these lines
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
The edited lines
Next, remove the comment marker (#) from the lines marked in the picture below.
6. Enable board-ssl
[mgt@localserver: ~$] sudo a2ensite board-ssl
board-ssl enabled
7. Firewall configuration
Change the firewall to allow connections to port 443, the SSL (HTTPS) port.
[mgt@localserver: ~$] sudo ufw allow 443/tcp
Rule added
Rule added (v6)
After configuring the firewall, check port 443.
[mgt@localserver: ~$] netstat -anp | grep LISTEN | grep 443
If port 443 is working normally, the output looks like the above. Note that Apache only starts listening on 443 after it has been restarted (step 8), so this check may show nothing until then.
8. Restart Apache
[mgt@localserver: ~$] sudo /etc/init.d/apache2 restart
[ ok ] Restarting apache2 (via systemctl): apache2.service.
9. Verify that SSL is applied
After restarting Apache, enter https://<server IP address> or https://127.0.0.1 (equivalent to https://localhost) in the browser.
The browser warns that the certificate cannot be trusted because it is self-signed, but the secure connection itself works normally.
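As an added example (not from the original post), a small shell script that checks the Apache-side result of the steps above: that ports.conf listens on 443, that the two SSLCertificate directives in board-ssl.conf point at existing files, and that the private key is not world-readable (the ls output in the first section shows server.key as -rw-r--r--). APACHE_DIR and SITE_CONF are assumed variable names defaulting to the post's paths; GNU stat (as on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the Apache
# side of the procedure. APACHE_DIR and SITE_CONF are assumed names that
# default to the paths used in the post; GNU stat (Ubuntu) is assumed.
set -u

APACHE_DIR="${APACHE_DIR:-/etc/apache2}"
SITE_CONF="${SITE_CONF:-$APACHE_DIR/sites-available/board-ssl.conf}"

# Value of an SSLCertificateFile / SSLCertificateKeyFile directive in the site
# config. Anchoring at line start skips the commented-out snakeoil entries that
# default-ssl.conf ships with.
conf_path() {   # $1 = directive name
    grep -E "^[[:space:]]*$1[[:space:]]" "$SITE_CONF" | awk '{print $2}' | head -1
}

# ports.conf must make Apache listen on 443 (the block added at step 3)
check_listen_443() {
    grep -Eq '^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?443([[:space:]]|$)' \
        "$APACHE_DIR/ports.conf"
}

# Both directives edited at step 5 must point at files that actually exist
check_cert_paths() {
    crt=$(conf_path SSLCertificateFile)
    key=$(conf_path SSLCertificateKeyFile)
    [ -n "$crt" ] && [ -f "$crt" ] && [ -n "$key" ] && [ -f "$key" ]
}

# The private key has no passphrase any more, so file permissions are all that
# protect it. The ls output in the post shows it as -rw-r--r-- (0644), which
# lets every local account read it; only 0600 or 0400 is accepted here.
check_key_perms() {
    key=$(conf_path SSLCertificateKeyFile)
    mode=$(stat -c '%a' "$key" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$key has mode $mode, expected 600 (fix: chmod 600 $key)" >&2
           return 1 ;;
    esac
}

run_checks() {
    check_listen_443 && check_cert_paths && check_key_perms
}
```

Run `run_checks` as root after step 8; a non-zero exit status identifies the first check that failed.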
■ Reference
Source: https://all-record.tistory.com/189?category=733055 [All the records of the world]