
Linux

How to issue a Let's Encrypt certificate with the DNS-01 challenge from a Docker container and renew it automatically



Create a Cloudflare API Token

In the Cloudflare dashboard, create an API token with only the Zone:DNS:Edit permission, scoped to the single zone the certificate is for (here scbyun.com). That is all the certbot-dns-cloudflare plugin needs. Whoever holds this token can create any DNS record in that zone, which is enough to obtain certificates for every name under it, so do not use the account-wide legacy Global API Key and do not widen the token's scope beyond that zone.

Use the official Certbot DNS plugin image

The certbot/dns-cloudflare image bundles certbot with the Cloudflare DNS plugin. The commands below use the latest tag; on a production host pin a specific version tag instead, so that an image update cannot silently change how renewals behave.

Create the working directory

sudo mkdir -p /docker-container/certbot
cd /docker-container/certbot

1. Create the Cloudflare credentials file

Create the letsencrypt directory (the working directory above was created with sudo and is owned by root, so either run the following steps as root or chown the directory to your user first)

mkdir -p letsencrypt

Write the Cloudflare API Token into the plugin's ini file

cat > letsencrypt/cloudflare.ini << EOF
# Cloudflare API Token
dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN_HERE
EOF

Restrict the file permissions: the token is a live credential, and certbot itself warns when the credentials file is readable by group or world

chmod 600 letsencrypt/cloudflare.ini
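Before the first docker run it is worth checking that the credentials file is actually usable: a placeholder token or a world-readable file only shows up later as a failed challenge or a warning in the certbot log. The following preflight check is an added example, not part of the original post or of the certbot project. The placeholder string is the one from the heredoc above; the assumption that Cloudflare API tokens contain only letters, digits, '-' and '_' is mine, and the script and file names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): preflight check for the
# certbot-dns-cloudflare credentials file before the first docker run.
#
#   check_cf_credentials FILE   -> 0 if the file is usable, 1 otherwise
#
# Checks: file exists, no group/other permission bits, a
# dns_cloudflare_api_token entry is present, it is not the placeholder from
# the post's heredoc, and it contains no stray quotes/whitespace.

PLACEHOLDER="YOUR_CLOUDFLARE_API_TOKEN_HERE"

check_cf_credentials() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "ERROR: $f does not exist" >&2
        return 1
    fi
    # Columns 5-10 of 'ls -l' are the group and other bits ("rw-r--r--" -> "r--r--").
    # Anything other than "------" means another account on the host can read the token.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "ERROR: $f is readable by group/other ($(ls -ld "$f" | cut -c1-10)); run chmod 600 $f" >&2
        return 1
    fi
    # Value of the key the plugin reads: optional leading space, '=', optional space, rest of line.
    token=$(sed -n 's/^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1)
    if [ -z "$token" ]; then
        echo "ERROR: no dns_cloudflare_api_token entry in $f" >&2
        return 1
    fi
    if [ "$token" = "$PLACEHOLDER" ]; then
        echo "ERROR: $f still contains the placeholder token" >&2
        return 1
    fi
    # Assumption: Cloudflare API tokens use only [A-Za-z0-9_-]. The ini parser passes
    # quotes, trailing spaces and CR characters through to the API verbatim, so reject them.
    case "$token" in
        *[!A-Za-z0-9_-]*)
            echo "ERROR: token contains unexpected characters (quotes, whitespace or CRLF line endings?)" >&2
            return 1 ;;
    esac
    echo "OK: $f has mode 600 and a token is set"
    return 0
}

# Usage: sh check-cf-credentials.sh letsencrypt/cloudflare.ini
if [ -n "${1:-}" ]; then
    check_cf_credentials "$1"
fi
```

Run it as the same user that will run docker, since the permission check looks at the file as that user sees it; a non-zero exit means the first certbot run would fail or leak the token.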

2. Initial certificate issuance (a one-off docker run)

Test the issuance first (dry-run): this talks to the Let's Encrypt staging environment and saves nothing to disk, so a bad token or DNS setup costs no production rate limit

docker run -it --rm \
  --name certbot-initial \
  -v $(pwd)/letsencrypt:/etc/letsencrypt \
  certbot/dns-cloudflare:latest \
  certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 60 \
  -d scbyun.com \
  -d "*.scbyun.com" \
  --email your@gmail.com \
  --agree-tos \
  --non-interactive \
  --dry-run  # test mode: staging environment, nothing is written to live/

Issue the certificate

docker run -it --rm \
  --name certbot-initial \
  -v $(pwd)/letsencrypt:/etc/letsencrypt \
  certbot/dns-cloudflare:latest \
  certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 60 \
  -d scbyun.com \
  -d "*.scbyun.com" \
  --email your@gmail.com \
  --agree-tos \
  --non-interactive \
  --preferred-challenges dns-01

Output on success

Waiting 60 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/scbyun.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/scbyun.com/privkey.pem
This certificate expires on 2026-05-12.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Check the certificate files (live/ holds symlinks into archive/, where each renewal adds a new numbered set)

ls -l letsencrypt/live/scbyun.com
total 4
lrwxrwxrwx 1 root root  34 Feb 11 20:10 cert.pem -> ../../archive/scbyun.com/cert1.pem
lrwxrwxrwx 1 root root  35 Feb 11 20:10 chain.pem -> ../../archive/scbyun.com/chain1.pem
lrwxrwxrwx 1 root root  39 Feb 11 20:10 fullchain.pem -> ../../archive/scbyun.com/fullchain1.pem
lrwxrwxrwx 1 root root  37 Feb 11 20:10 privkey.pem -> ../../archive/scbyun.com/privkey1.pem
-rw-r--r-- 1 root root 692 Feb 11 20:10 README

3. docker-compose.yml for automatic renewal

The initial run stored the authenticator, the credentials path and the propagation delay in /etc/letsencrypt/renewal/scbyun.com.conf, so certbot renew would work without the plugin flags; they are repeated below for clarity. The image's entrypoint is certbot itself, so it is overridden with a shell loop. The loop sleeps whether or not the renewal attempt succeeded, so a persistent failure (revoked token, Cloudflare API outage) is retried every 12 hours rather than in a tight loop against Let's Encrypt, and it exits promptly on docker compose stop instead of waiting to be killed. --quiet is left out so the renewal result and the deploy hook's output show up in docker compose logs; the logging block caps what that can grow to.

cat > docker-compose.yml << 'EOF'
services:

  certbot:
    image: certbot/dns-cloudflare:latest
    container_name: certbot-renew
    restart: unless-stopped
    volumes:
      - ./letsencrypt:/etc/letsencrypt
    # The image's entrypoint is certbot; replace it with a renewal loop.
    # "$$" is how a literal "$" is written in a compose file.
    entrypoint: ["/bin/sh", "-c"]
    command:
      - |
        trap exit TERM
        while true; do
          certbot renew \
            --dns-cloudflare \
            --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
            --dns-cloudflare-propagation-seconds 60 \
            --deploy-hook 'echo "Certificate renewed: $$RENEWED_LINEAGE"'
          # Check every 12 hours (43200 s). Sleep even when renew failed, so a
          # persistent error is retried twice a day, not continuously.
          sleep 43200 & wait $${!}
        done
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"
EOF

Start the container (in the background)

docker compose up -d

Check the container status

docker compose ps

Follow the logs

docker compose logs -f
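The echo deploy hook in the compose file only logs; in practice the renewed files have to reach the service that terminates TLS. The script below is an added example of a deploy hook that does that, not part of the original post or of the certbot project. Certbot runs the deploy hook only after a successful renewal and exports RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS to it. The output directory /certs-out, the script path /etc/letsencrypt/deploy-hook.sh, the DEPLOY_OUT_DIR override and the renewed-at marker file are my assumptions: mount a host directory at /certs-out in docker-compose.yml, place the script under ./letsencrypt/, and change the hook to --deploy-hook 'sh /etc/letsencrypt/deploy-hook.sh'.

```shell
#!/bin/sh
# Added example (not part of the original post): a certbot --deploy-hook that
# installs the renewed certificate for another service.
#
#   install_renewed_cert LINEAGE_DIR OUT_DIR   -> 0 on success, 1 if a source file is missing
#
# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/scbyun.com) and
# RENEWED_DOMAINS when it runs the hook. /certs-out and the renewed-at marker
# are assumptions of this example.
set -u

install_renewed_cert() {
    lineage="$1"
    out="$2"
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$lineage/$f" ]; then
            echo "deploy-hook: $lineage/$f is missing or unreadable" >&2
            return 1
        fi
    done
    mkdir -p "$out"
    # live/*.pem are symlinks into archive/; cp without -P follows them and
    # copies the current files. Write under temporary names first, with a
    # restrictive umask, so a reader never sees a half-written key or a
    # fullchain.pem that does not belong to the privkey.pem next to it.
    (
        umask 077
        cp "$lineage/fullchain.pem" "$out/fullchain.pem.tmp" &&
        cp "$lineage/privkey.pem"   "$out/privkey.pem.tmp"
    ) || return 1
    chmod 644 "$out/fullchain.pem.tmp"   # the chain is public
    chmod 600 "$out/privkey.pem.tmp"     # the key is not
    # rename(2) within one directory is atomic, so each file flips in one step.
    mv "$out/fullchain.pem.tmp" "$out/fullchain.pem"
    mv "$out/privkey.pem.tmp"   "$out/privkey.pem"
    # Marker a consuming container or host job can watch to reload its listener.
    date -u +%Y-%m-%dT%H:%M:%SZ > "$out/renewed-at"
    return 0
}

# Entry point when certbot invokes this script: RENEWED_LINEAGE is set by certbot.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_renewed_cert "$RENEWED_LINEAGE" "${DEPLOY_OUT_DIR:-/certs-out}" \
        && echo "deploy-hook: installed certificate for ${RENEWED_DOMAINS:-?} from $RENEWED_LINEAGE"
fi
```

The hook runs inside the certbot container, so it must be POSIX sh (the image is Alpine based) and can only see paths mounted into that container; the service that uses the certificate has to watch renewed-at, or be signalled from the host, to pick up the new key pair.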

4. Management commands

Show certificate information

docker run --rm \
  -v $(pwd)/letsencrypt:/etc/letsencrypt \
  certbot/dns-cloudflare:latest \
  certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: scbyun.com
    Serial Number: 552ff06aa1188605d2a81b0b1a475fdbb6f
    Key Type: ECDSA
    Identifiers: scbyun.com *.scbyun.com
    Expiry Date: 2026-05-12 10:11:38+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/scbyun.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/scbyun.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Manual renewal. --force-renewal renews even though the certificate is not yet due; every forced run issues a new certificate and counts toward the Let's Encrypt duplicate-certificate limit (5 per week for the same set of names), so use it only when you really need a new certificate and test the renewal path with --dry-run otherwise

docker run --rm \
  -v $(pwd)/letsencrypt:/etc/letsencrypt \
  certbot/dns-cloudflare:latest \
  renew \
  --dns-cloudflare \
  --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
  --force-renewal

Revoke the certificate. This signs the request with the ACME account key stored under letsencrypt/accounts, so it must run against the same letsencrypt directory; --delete-after-revoke also removes the lineage so the renewal loop stops trying to renew it

docker run --rm \
  -v $(pwd)/letsencrypt:/etc/letsencrypt \
  certbot/dns-cloudflare:latest \
  revoke \
  --cert-path /etc/letsencrypt/live/scbyun.com/cert.pem \
  --delete-after-revoke

Back up the certificates. The archive contains the private keys, the ACME account key and cloudflare.ini with the API token, so treat it as a secret: create it with a restrictive umask, store it encrypted and off the host, and do not leave it in the working directory

tar -czf certbot-backup-$(date +%Y%m%d).tar.gz letsencrypt/
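The one-liner above creates the archive with the default umask (normally a world-readable file) and includes cloudflare.ini. The following function is an added example, not part of the original post, of a backup that keeps the same layout but fixes both points: the archive is created under umask 077 and the Cloudflare credentials file is excluded, on the assumption that the API token lives in a secret store and is re-created on restore rather than carried around with certificate backups. The destination directory and the helper names are mine.

```shell
#!/bin/sh
# Added example (not part of the original post): backup of the letsencrypt
# directory that does not leak the Cloudflare token and is not world-readable.
#
#   backup_letsencrypt SRC_DIR DEST_DIR [YYYYMMDD]  -> prints the archive path, 0 on success
#   backup_contains ARCHIVE NAME                    -> 0 if some member ends in /NAME
#
# The archive still holds privkey*.pem and accounts/ (the ACME account key),
# which is the point of the backup; encrypt it before it leaves the host.

backup_letsencrypt() {
    src="$1"
    dest="$2"
    stamp="${3:-$(date +%Y%m%d)}"
    if [ ! -d "$src" ]; then
        echo "backup: $src is not a directory" >&2
        return 1
    fi
    mkdir -p "$dest"
    archive="$dest/certbot-backup-$stamp.tar.gz"
    # Same member paths as the post's "tar -czf ... letsencrypt/": change into the
    # parent and archive the directory by name. The umask in the subshell makes
    # the archive mode 600 from the moment it is created, not after the fact.
    (
        umask 077
        tar -czf "$archive" --exclude='cloudflare.ini' \
            -C "$(dirname "$src")" "$(basename "$src")"
    ) || return 1
    chmod 600 "$archive"
    echo "$archive"
    return 0
}

backup_contains() {
    tar -tzf "$1" | grep -q "/$2\$"
}

# Usage: sh backup-letsencrypt.sh /docker-container/certbot/letsencrypt /root/certbot-backups
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    backup_letsencrypt "$1" "$2"
fi
```

On restore, unpack the archive, recreate cloudflare.ini from the secret store with mode 600, and run the certificates command above to confirm certbot still sees the lineage.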
