
IIS Server SSL Certification (Let's Encrypt)

홍사훈 · Comments: 0 · Views: 293


Run wacs.exe with administrator privileges:

 

A simple Windows ACMEv2 client (WACS)

 Software version 2.1.6.773 (RELEASE, PLUGGABLE)

 ACME server https://acme-v02.api.letsencrypt.org/

 IIS version 10.0

 Running with administrator credentials

 Scheduled task not configured yet

 Please report issues at https://github.com/win-acme/win-acme

 

 N: Create new certificate (simple for IIS)

 M: Create new certificate (full options)

 R: Run scheduled renewals (0 currently due)

 A: Manage renewals (0 total)

 O: More options...

 Q: Quit

Please choose from the menu: m 

 

 Running in mode: Interactive, Advanced

 

  Please specify how the list of domain names that will be included in the certificate should be determined. If you choose for one of the "all bindings" options, the list will automatically be updated for future renewals to reflect the bindings at that time.

 

 1: IIS

 2: Manual input

 3: CSR created by another program

 C: Abort

How shall we determine the domain(s) to include in the certificate?: 2 

 

* - * - * - * For a single subdomain * - * - * - *

 Enter comma-separated list of host names, starting with the common name: file.sahoon.com

 

 Target generated using plugin Manual: file.sahoon.com

 

Suggested friendly name '[Manual] file.sahoon.com', press <ENTER> to accept or type an alternative: <Enter>

 

  The ACME server will need to verify that you are the owner of the domain names that you are requesting the certificate for. This happens both during initial setup *and* for every future renewal. There are two main methods of doing so: answering specific http requests (http-01) or create specific dns records (dns-01). For wildcard domains the latter is the only option. Various additional plugins are available from https://github.com/win-acme/win-acme/.

 

 1: [http-01] Save verification files on (network) path

 2: [http-01] Serve verification files from memory

 3: [http-01] Upload verification files via FTP(S)

 4: [http-01] Upload verification files via SSH-FTP

 5: [http-01] Upload verification files via WebDav

 6: [dns-01] Create verification records manually (auto-renew not possible)

 7: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)

 8: [dns-01] Create verification records with your own script

 9: [tls-alpn-01] Answer TLS verification request from win-acme

 C: Abort

How would you like prove ownership for the domain(s) in the certificate?: 2 

  

* - * - * - * For all subdomains * - * - * - *

 Enter comma-separated list of host names, starting with the common name: *.sahoon.com

 

 Target generated using plugin Manual: *.sahoon.com

 

Suggested friendly name '[Manual] *.sahoon.com', press <ENTER> to accept or type an alternative: <Enter>

 

  The ACME server will need to verify that you are the owner of the domain names that you are requesting the certificate for. This happens both during initial setup *and* for every future renewal. There are two main methods of doing so: answering specific http requests (http-01) or create specific dns records (dns-01). For wildcard domains the latter is the only option. Various additional plugins are available from https://github.com/win-acme/win-acme/.

 

 1: [dns-01] Create verification records manually (auto-renew not possible)

 2: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)

 3: [dns-01] Create verification records with your own script

 <Enter>: Abort

How would you like prove ownership for the domain(s) in the certificate?: 1 

 * - * - * - * - * - * - *

  

  After ownership of the domain(s) has been proven, we will create a Certificate Signing Request (CSR) to obtain the actual certificate. The CSR determines properties of the certificate like which (type of) key to use. If you are not sure what to pick here, RSA is the safe default.

 

 1: Elliptic Curve key

 2: RSA key

What kind of private key should be used for the certificate?: 2 

 

  When we have the certificate, you can store in one or more ways to make it accessible to your applications. The Windows Certificate Store is the default location for IIS (unless you are managing a cluster of them).

 

 1: IIS Central Certificate Store (.pfx per domain)

 2: PEM encoded files (Apache, nginx, etc.)

 3: Windows Certificate Store

 4: No (additional) store steps

 C: Abort

How would you like to store the certificate?: 3

 

 1: IIS Central Certificate Store (.pfx per domain)

 2: PEM encoded files (Apache, nginx, etc.)

 3: No (additional) store steps

 C: Abort

Would you like to store it in another way too?: 3

 

  With the certificate saved to the store(s) of your choice, you may choose one or more steps to update your applications, e.g. to configure the new thumbprint, or to update bindings.

 

 1: Create or update https bindings in IIS

 2: Create or update ftps bindings in IIS

 3: Start external script or program

 4: No (additional) installation steps

Which installation step should run first?: 4 

 

 Cached order available but not used with the --force switch.

 Authorize identifier file.sahoon.com

 Authorizing file.sahoon.com using http-01 validation (SelfHosting)

 Authorization result: valid

 Requesting certificate [Manual] file.sahoon.com

 Store with CertificateStore...

 Installing certificate in the certificate store

 Adding certificate [Manual] file.sahoon.com @ 2023-11-11 19:46:37 to store WebHosting

 Installing with None...

 Adding Task Scheduler entry with the following settings

 - Name win-acme renew (acme-v02.api.letsencrypt.org)

 - Path C:\win-acme

 - Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"

 - Start at 09:00:00

 - Time limit 02:00:00

Do you want to specify the user the task will run as? (y/n*)  <Enter> 

 

 Adding renewal for [Manual] file.sahoon.com

 Next renewal scheduled at 2024-1-5 19:46:44

 

 N: Create new certificate (simple for IIS)

 M: Create new certificate (full options)

 R: Run scheduled renewals (0 currently due)

 A: Manage renewals (1 total)

 O: More options...

 Q: Quit

Please choose from the menu: 

 

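If the certificate was created successfully, the certificate files are saved in the C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org folder.

IIS usually finds the certificate automatically, but keep this location in mind in case you need to add it manually.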
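
Added example (not from the original post): a PowerShell check that the certificate landed in the WebHosting store and that the renewal task from the log exists, plus an optional manual https binding, since installation step 4 (none) was chosen in the session above. The site name `Default Web Site` and the `-Bind` switch are assumptions of this example.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell.
param(
    [string]$HostName = 'file.sahoon.com',      # host name used in the session above
    [string]$SiteName = 'Default Web Site',     # assumption: replace with your IIS site name
    [switch]$Bind                               # assumption: only change IIS when asked to
)
Import-Module WebAdministration

# 1. Newest certificate for the host in the store named in the log (WebHosting).
$cert = Get-ChildItem Cert:\LocalMachine\WebHosting |
    Where-Object { $_.DnsNameList.Unicode -contains $HostName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $HostName in LocalMachine\WebHosting" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
'{0} expires {1:yyyy-MM-dd} ({2} days left)' -f $cert.Thumbprint, $cert.NotAfter, $daysLeft

# 2. Renewal task, using the name printed by wacs.exe in the log.
$taskName = 'win-acme renew (acme-v02.api.letsencrypt.org)'
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) {
    "Renewal task state: $($task.State)"
} else {
    Write-Warning "Scheduled task '$taskName' not found; renewals will not run."
}

# 3. https binding: report it, or create it with SNI when -Bind is given.
$binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostName
if ($binding) {
    "Existing https binding: $($binding.bindingInformation)"
} elseif ($Bind) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 `
        -HostHeader $HostName -SslFlags 1
    $binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostName
    $binding.AddSslCertificate($cert.Thumbprint, 'WebHosting')
    "Bound $($cert.Thumbprint) to ${SiteName}: *:443:$HostName"
} else {
    Write-Warning "No https binding for $HostName on '$SiteName'; re-run with -Bind to add one."
}
```

With no installation step configured, win-acme does not update IIS bindings on renewal, so re-check the binding's thumbprint after each renewal.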
