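You can consider a paid service to apply SSL to a secure server, but for a personal or development environment the free Let's Encrypt service is also a good choice. If you run your own server, you can install Let's Encrypt and apply it flexibly to multiple domains.
Because the service is free, Let's Encrypt certificates are valid for 3 months, and renewing every 2 months is recommended. A renewal reminder email is sent, so you can check it and then renew. If you run your own server, you can use the cron service to schedule an automatic renewal once a month for easier management.
The following describes how to issue and apply an SSL certificate with Let's Encrypt on Rocky Linux 9 with Apache.
1. Installing Certbot
Install the Certbot client, which is used to issue and manage Let's Encrypt certificates.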
# sudo dnf install -y epel-release
Last metadata expiration check: 2:33:51 ago on Fri May 2 12:13:47 2025.
Dependencies resolved.
===========================================================================================================
Package Architecture Version Repository Size
===========================================================================================================
Installing:
epel-release noarch 9-7.el9 extras 19 k
Transaction Summary
===========================================================================================================
Install 1 Package
Total download size: 19 k
Installed size: 26 k
Downloading Packages:
epel-release-9-7.el9.noarch.rpm 277 kB/s | 19 kB 00:00
-----------------------------------------------------------------------------------------------------------
Total 271 kB/s | 19 kB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : epel-release-9-7.el9.noarch 1/1
Running scriptlet: epel-release-9-7.el9.noarch 1/1
Many EPEL packages require the CodeReady Builder (CRB) repository.
It is recommended that you run /usr/bin/crb enable to enable the CRB repository.
Verifying : epel-release-9-7.el9.noarch 1/1
Installed:
epel-release-9-7.el9.noarch
Complete!
[root@dut ~]# sudo dnf update -y
Extra Packages for Enterprise Linux 9 - x86_64 8.2 MB/s | 23 MB 00:02
Extra Packages for Enterprise Linux 9 openh264 (From Cisco) - x86_64 1.8 kB/s | 2.5 kB 00:01
Dependencies resolved.
===========================================================================================================
Package Architecture Version Repository Size
===========================================================================================================
Upgrading:
epel-release noarch 9-10.el9 epel 19 k
Transaction Summary
===========================================================================================================
Upgrade 1 Package
Total download size: 19 k
Downloading Packages:
epel-release-9-10.el9.noarch.rpm 470 kB/s | 19 kB 00:00
-----------------------------------------------------------------------------------------------------------
Total 66 kB/s | 19 kB 00:00
Extra Packages for Enterprise Linux 9 - x86_64 1.6 MB/s | 1.6 kB 00:00
Importing GPG key 0x3228467C:
Userid : "Fedora (epel9) <epel@fedoraproject.org>"
Fingerprint: FF8A D134 4597 106E CE81 3B91 8A38 72BF 3228 467C
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Upgrading : epel-release-9-10.el9.noarch 1/2
Running scriptlet: epel-release-9-10.el9.noarch 1/2
Cleanup : epel-release-9-7.el9.noarch 2/2
Running scriptlet: epel-release-9-7.el9.noarch 2/2
Verifying : epel-release-9-10.el9.noarch 1/2
Verifying : epel-release-9-7.el9.noarch 2/2
Upgraded:
epel-release-9-10.el9.noarch
Complete!
# sudo dnf install -y certbot python3-certbot-apache
Last metadata expiration check: 0:00:35 ago on Fri May 2 14:48:18 2025.
Dependencies resolved.
===========================================================================================================
Package Architecture Version Repository Size
===========================================================================================================
Installing:
certbot noarch 3.1.0-1.el9 epel 49 k
python3-certbot-apache noarch 3.1.0-1.el9 epel 284 k
Installing dependencies:
augeas-libs x86_64 1.13.0-6.el9_4 appstream 404 k
fontawesome-fonts noarch 1:4.7.0-13.el9 appstream 204 k
mod_ssl x86_64 1:2.4.62-1.el9_5.2 appstream 109 k
python3-acme noarch 3.1.0-1.el9 epel 159 k
python3-augeas noarch 0.5.0-25.el9 appstream 27 k
python3-certbot noarch 3.1.0-1.el9 epel 683 k
python3-cffi x86_64 1.14.5-5.el9 baseos 241 k
python3-configargparse noarch 1.7-1.el9 epel 45 k
python3-cryptography x86_64 36.0.1-4.el9 baseos 1.2 M
python3-importlib-metadata noarch 4.12.0-2.el9 epel 43 k
python3-josepy noarch 1.14.0-1.el9 epel 59 k
python3-parsedatetime noarch 2.6-5.el9 epel 79 k
python3-ply noarch 3.11-14.el9.0.1 baseos 103 k
python3-pyOpenSSL noarch 21.0.0-1.el9 epel 90 k
python3-pycparser noarch 2.20-6.el9 baseos 124 k
python3-pyrfc3339 noarch 1.1-11.el9 epel 18 k
python3-zipp noarch 3.20.1-2.el9 epel 26 k
Installing weak dependencies:
python-josepy-doc noarch 1.14.0-1.el9 epel 14 k
Transaction Summary
===========================================================================================================
Install 20 Packages
Total download size: 3.9 M
Installed size: 15 M
Downloading Packages:
[MIRROR] python-josepy-doc-1.14.0-1.el9.noarch.rpm: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirror-icn.yuki.net.uk/fedora-epel/9/Everything/x86_64/Packages/p/python-josepy-doc-1.14.0-1.el9.noarch.rpm [SSL certificate problem: certificate has expired]
[MIRROR] python3-acme-3.1.0-1.el9.noarch.rpm: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirror-icn.yuki.net.uk/fedora-epel/9/Everything/x86_64/Packages/p/python3-acme-3.1.0-1.el9.noarch.rpm [SSL certificate problem: certificate has expired]
[MIRROR] certbot-3.1.0-1.el9.noarch.rpm: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirror-icn.yuki.net.uk/fedora-epel/9/Everything/x86_64/Packages/c/certbot-3.1.0-1.el9.noarch.rpm [SSL certificate problem: certificate has expired]
(1/20): python-josepy-doc-1.14.0-1.el9.noarch.rpm 53 kB/s | 14 kB 00:00
(2/20): certbot-3.1.0-1.el9.noarch.rpm 183 kB/s | 49 kB 00:00
(3/20): python3-acme-3.1.0-1.el9.noarch.rpm 574 kB/s | 159 kB 00:00
(4/20): python3-certbot-3.1.0-1.el9.noarch.rpm 1.9 MB/s | 683 kB 00:00
(5/20): python3-importlib-metadata-4.12.0-2.el9.noarch.rpm 623 kB/s | 43 kB 00:00
(6/20): python3-configargparse-1.7-1.el9.noarch.rpm 78 kB/s | 45 kB 00:00
(7/20): python3-certbot-apache-3.1.0-1.el9.noarch.rpm 318 kB/s | 284 kB 00:00
(8/20): python3-josepy-1.14.0-1.el9.noarch.rpm 84 kB/s | 59 kB 00:00
(9/20): python3-pyOpenSSL-21.0.0-1.el9.noarch.rpm 382 kB/s | 90 kB 00:00
(10/20): python3-parsedatetime-2.6-5.el9.noarch.rpm 140 kB/s | 79 kB 00:00
(11/20): python3-cryptography-36.0.1-4.el9.x86_64.rpm 5.3 MB/s | 1.2 MB 00:00
(12/20): python3-cffi-1.14.5-5.el9.x86_64.rpm 5.0 MB/s | 241 kB 00:00
(13/20): python3-ply-3.11-14.el9.0.1.noarch.rpm 3.4 MB/s | 103 kB 00:00
(14/20): python3-pycparser-2.20-6.el9.noarch.rpm 3.3 MB/s | 124 kB 00:00
(15/20): fontawesome-fonts-4.7.0-13.el9.noarch.rpm 3.4 MB/s | 204 kB 00:00
(16/20): augeas-libs-1.13.0-6.el9_4.x86_64.rpm 4.3 MB/s | 404 kB 00:00
(17/20): python3-augeas-0.5.0-25.el9.noarch.rpm 1.2 MB/s | 27 kB 00:00
(18/20): mod_ssl-2.4.62-1.el9_5.2.x86_64.rpm 2.6 MB/s | 109 kB 00:00
(19/20): python3-pyrfc3339-1.1-11.el9.noarch.rpm 29 kB/s | 18 kB 00:00
(20/20): python3-zipp-3.20.1-2.el9.noarch.rpm 37 kB/s | 26 kB 00:00
-----------------------------------------------------------------------------------------------------------
Total 1.6 MB/s | 3.9 MB 00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : python3-pyrfc3339-1.1-11.el9.noarch 1/20
Installing : mod_ssl-1:2.4.62-1.el9_5.2.x86_64 2/20
Installing : augeas-libs-1.13.0-6.el9_4.x86_64 3/20
Installing : python3-augeas-0.5.0-25.el9.noarch 4/20
Installing : fontawesome-fonts-1:4.7.0-13.el9.noarch 5/20
Installing : python3-ply-3.11-14.el9.0.1.noarch 6/20
Installing : python3-pycparser-2.20-6.el9.noarch 7/20
Installing : python3-cffi-1.14.5-5.el9.x86_64 8/20
Installing : python3-cryptography-36.0.1-4.el9.x86_64 9/20
Installing : python3-pyOpenSSL-21.0.0-1.el9.noarch 10/20
Installing : python3-zipp-3.20.1-2.el9.noarch 11/20
Installing : python3-importlib-metadata-4.12.0-2.el9.noarch 12/20
Installing : python3-parsedatetime-2.6-5.el9.noarch 13/20
Installing : python3-configargparse-1.7-1.el9.noarch 14/20
Installing : python-josepy-doc-1.14.0-1.el9.noarch 15/20
Installing : python3-josepy-1.14.0-1.el9.noarch 16/20
Installing : python3-acme-3.1.0-1.el9.noarch 17/20
Installing : python3-certbot-3.1.0-1.el9.noarch 18/20
Installing : certbot-3.1.0-1.el9.noarch 19/20
Running scriptlet: certbot-3.1.0-1.el9.noarch 19/20
Created symlink /etc/systemd/system/timers.target.wants/certbot-renew.timer → /usr/lib/systemd/system/certbot-renew.timer.
Certbot auto renewal timer is not started by default.
Run 'systemctl start certbot-renew.timer' to enable automatic renewals.
Installing : python3-certbot-apache-3.1.0-1.el9.noarch 20/20
Running scriptlet: python3-certbot-apache-3.1.0-1.el9.noarch 20/20
Verifying : certbot-3.1.0-1.el9.noarch 1/20
Verifying : python-josepy-doc-1.14.0-1.el9.noarch 2/20
Verifying : python3-acme-3.1.0-1.el9.noarch 3/20
Verifying : python3-certbot-3.1.0-1.el9.noarch 4/20
Verifying : python3-certbot-apache-3.1.0-1.el9.noarch 5/20
Verifying : python3-configargparse-1.7-1.el9.noarch 6/20
Verifying : python3-importlib-metadata-4.12.0-2.el9.noarch 7/20
Verifying : python3-josepy-1.14.0-1.el9.noarch 8/20
Verifying : python3-parsedatetime-2.6-5.el9.noarch 9/20
Verifying : python3-pyOpenSSL-21.0.0-1.el9.noarch 10/20
Verifying : python3-pyrfc3339-1.1-11.el9.noarch 11/20
Verifying : python3-zipp-3.20.1-2.el9.noarch 12/20
Verifying : python3-cryptography-36.0.1-4.el9.x86_64 13/20
Verifying : python3-cffi-1.14.5-5.el9.x86_64 14/20
Verifying : python3-ply-3.11-14.el9.0.1.noarch 15/20
Verifying : python3-pycparser-2.20-6.el9.noarch 16/20
Verifying : fontawesome-fonts-1:4.7.0-13.el9.noarch 17/20
Verifying : augeas-libs-1.13.0-6.el9_4.x86_64 18/20
Verifying : python3-augeas-0.5.0-25.el9.noarch 19/20
Verifying : mod_ssl-1:2.4.62-1.el9_5.2.x86_64 20/20
Installed:
augeas-libs-1.13.0-6.el9_4.x86_64 certbot-3.1.0-1.el9.noarch
fontawesome-fonts-1:4.7.0-13.el9.noarch mod_ssl-1:2.4.62-1.el9_5.2.x86_64
python-josepy-doc-1.14.0-1.el9.noarch python3-acme-3.1.0-1.el9.noarch
python3-augeas-0.5.0-25.el9.noarch python3-certbot-3.1.0-1.el9.noarch
python3-certbot-apache-3.1.0-1.el9.noarch python3-cffi-1.14.5-5.el9.x86_64
python3-configargparse-1.7-1.el9.noarch python3-cryptography-36.0.1-4.el9.x86_64
python3-importlib-metadata-4.12.0-2.el9.noarch python3-josepy-1.14.0-1.el9.noarch
python3-parsedatetime-2.6-5.el9.noarch python3-ply-3.11-14.el9.0.1.noarch
python3-pyOpenSSL-21.0.0-1.el9.noarch python3-pycparser-2.20-6.el9.noarch
python3-pyrfc3339-1.1-11.el9.noarch python3-zipp-3.20.1-2.el9.noarch
Complete!
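2. Checking the Apache web server configuration
For Certbot to detect the Apache configuration automatically and apply the SSL settings, the domain must already be configured on the web server. Check the virtual host configuration as shown below and modify it if necessary.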
sudo vi /etc/httpd/conf/httpd.conf
If there is a domain configuration file
sudo vi /etc/httpd/conf.d/dev.dut.kr.conf # if there is a per-domain configuration file
Check that a <VirtualHost *:80> block similar to the following exists and that DocumentRoot, ServerName, ServerAlias and so on are set correctly.
<VirtualHost *:80>
DocumentRoot /home/dev/public_html
ServerName dev.dut.kr
ServerAlias www.dev.dut.kr
</VirtualHost>
3. Issuing the Let's Encrypt certificate
Issue the SSL certificate with Certbot. With the --apache plugin, Certbot automatically updates the Apache configuration to apply SSL.
# sudo certbot --apache -d dev.dut.kr
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): etocat@naver.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Requesting a certificate for dev.dut.kr
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/dev.dut.kr/fullchain.pem
Key is saved at: /etc/letsencrypt/live/dev.dut.kr/privkey.pem
This certificate expires on 2025-07-31.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for dev.dut.kr to /etc/httpd/conf/httpd-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://dev.dut.kr
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
 * Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
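To issue a certificate for several domains or subdomains, add further -d options to specify them.
During issuance you must enter an email address and agree to the Let's Encrypt terms of service.
When issuance completes, a message similar to the output above is displayed.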
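The virtual host in step 2 declares ServerAlias www.dev.dut.kr, while the command in step 3 requests a certificate for dev.dut.kr only, and a certificate covers only the names passed with -d. The script below is an added example, not part of the original page: it reads a virtual host file, lists its names, and reports which ones the requested -d list leaves uncovered. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page).

# The virtual host from step 2 of the page, embedded as sample input.
sample_vhost() {
cat <<'EOF'
<VirtualHost *:80>
DocumentRoot /home/dev/public_html
ServerName dev.dut.kr
ServerAlias www.dev.dut.kr
</VirtualHost>
EOF
}

# vhost_names < conf ; prints every ServerName/ServerAlias value, one per line.
vhost_names() {
    awk '
        { sub(/#.*/, "") }                      # ignore comments
        tolower($1) == "servername"  { print tolower($2) }
        tolower($1) == "serveralias" { for (i = 2; i <= NF; i++) print tolower($i) }
    ' | sort -u
}

# uncovered_names "NAME NAME ..." < conf
# Prints vhost names missing from the list of names requested with -d.
uncovered_names() {
    requested=$1
    vhost_names | while read -r host; do
        covered=no
        for name in $requested; do
            if [ "$host" = "$name" ]; then covered=yes; fi
        done
        if [ "$covered" = no ]; then echo "$host"; fi
    done
}

# certbot_domain_args < conf ; prints "-d name -d name ..." for all vhost names.
certbot_domain_args() {
    vhost_names | awk '{ printf "%s-d %s", sep, $0; sep = " " } END { print "" }'
}

# The page requests only dev.dut.kr; this prints the name left without a certificate.
sample_vhost | uncovered_names "dev.dut.kr"
```

On a real host, feed the function the actual file, for example `uncovered_names "dev.dut.kr" < /etc/httpd/conf.d/dev.dut.kr.conf`.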
Notes
Check that the SSL module is enabled.
# sudo httpd -M | grep ssl
ssl_module (shared)
# sudo systemctl enable --now httpd
# sudo firewall-cmd --permanent --add-service=https
# sudo firewall-cmd --reload
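The installer output in step 1 states that the certbot-renew.timer is not started by default, so a renewal can silently stop happening. The script below is an added example, not part of the original page: it parses text in the layout printed by `certbot certificates` and flags any certificate with fewer than 30 days left, a threshold assumed from the page's "valid 3 months, renew every 2 months" schedule. The sample input is constructed, and the two `.example` names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page). The 30-day threshold is an
# assumption: a 90-day certificate renewed every 2 months never drops below it.
RENEW_THRESHOLD_DAYS=30

# Constructed sample in the layout printed by `certbot certificates`.
# expiring.example and expired.example are hypothetical entries.
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: dev.dut.kr
    Domains: dev.dut.kr
    Expiry Date: 2025-07-31 05:12:33+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/dev.dut.kr/fullchain.pem
  Certificate Name: expiring.example
    Domains: expiring.example
    Expiry Date: 2025-05-19 05:12:33+00:00 (VALID: 17 days)
  Certificate Name: expired.example
    Domains: expired.example
    Expiry Date: 2025-04-01 05:12:33+00:00 (INVALID: EXPIRED)
EOF
}

# check_expiry LIMIT < certbot-output ; prints "name status days" per cert.
check_expiry() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            # "INVALID" contains "VALID", so test for it first.
            if ($0 ~ /INVALID/) { print name, "INVALID", 0; next }
            days = $0
            sub(/.*VALID: /, "", days)       # keep text after the label
            if (days ~ /hour/) days = 0      # under one day is reported in hours
            sub(/ day.*/, "", days)          # drop " days)" or " day)"
            status = (days + 0 < limit + 0) ? "RENEW_OVERDUE" : "OK"
            print name, status, days + 0
        }'
}

# Succeeds only if every certificate is OK; suitable for cron or monitoring.
all_healthy() {
    ! check_expiry "$RENEW_THRESHOLD_DAYS" | grep -qv ' OK '
}

# On a real host: certbot certificates 2>/dev/null | check_expiry 30
sample_output | check_expiry "$RENEW_THRESHOLD_DAYS"
```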