
How to set up an SSL certificate with Let's Encrypt and Nginx on Ubuntu


Securing Nginx with Let's Encrypt is a very common and effective approach: Certbot obtains a free, publicly trusted certificate from Let's Encrypt, wires it into the Nginx configuration, and renews it automatically before the 90-day lifetime runs out.

Test environment

  • OS version
$ lsb_release -d
Description:    Ubuntu 22.04.2 LTS

1. Install Certbot

sudo apt update
sudo apt install certbot python3-certbot-nginx
$ sudo apt install certbot python3-certbot-nginx
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  python3-acme python3-certbot python3-configargparse python3-icu python3-josepy python3-parsedatetime python3-requests-toolbelt
  python3-rfc3339 python3-zope.component python3-zope.event python3-zope.hookable
Suggested packages:
  python-certbot-doc python3-certbot-apache python-acme-doc python-certbot-nginx-doc
The following NEW packages will be installed:
  certbot python3-acme python3-certbot python3-certbot-nginx python3-configargparse python3-icu python3-josepy python3-parsedatetime
  python3-requests-toolbelt python3-rfc3339 python3-zope.component python3-zope.event python3-zope.hookable
0 upgraded, 13 newly installed, 0 to remove and 81 not upgraded.
Need to get 993 kB of archives.
After this operation, 5,077 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y

Check that certbot.timer is active. The certbot package installs and enables this systemd timer, which runs certbot renew twice a day; the automatic renewal in step 6 relies on it.

sudo systemctl status certbot.timer
$ sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Mon 2023-11-13 10:39:08 KST; 39min ago
    Trigger: Mon 2023-11-13 19:17:51 KST; 7h left
   Triggers: ● certbot.service

Nov 13 10:39:08 node1 systemd[1]: Started Run certbot twice daily.

2. Install Nginx

sudo apt install nginx

3. Check the Nginx configuration

Look at the Nginx configuration (/etc/nginx/nginx.conf and what it includes from /etc/nginx/conf.d/ and /etc/nginx/sites-enabled/) and add a server block for the domain that answers plain HTTP on port 80. A server block without a listen directive listens on port 80 by default, which is what Certbot's nginx plugin needs: it finds the block by its server_name and later adds the port-443 block and the HTTP-to-HTTPS redirect itself, so no redirect has to be written by hand at this stage. The /.well-known/acme-challenge/ location is not used by the nginx plugin (it injects its own temporary challenge location during validation), but it is required for the webroot authenticator (certbot certonly --webroot), and it needs its own root directive: without one, Nginx serves that path from its compiled-in html directory rather than from the directory created by mkdir below. One more check: access_log refers to a log format named main, which Ubuntu's packaged nginx.conf does not define (the nginx.org package does); either add a log_format main ... line to the http block or drop the format name, otherwise nginx -t fails with "unknown log format".

sudo mkdir -pv /var/www/nginx/w3.sangchul.kr/html/.well-known/acme-challenge
sudo vim /etc/nginx/conf.d/w3.sangchul.kr.conf
server {
    server_name  w3.sangchul.kr;

    access_log  /var/log/nginx/w3.sangchul.kr-access.log  main;

    location / {
        root   /var/www/nginx/w3.sangchul.kr/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # serve ACME http-01 challenge tokens from the site's webroot;
    # without this root the location falls back to nginx's default html directory
    location ^~ /.well-known/acme-challenge/ {
        root   /var/www/nginx/w3.sangchul.kr/html;
        allow all;
        default_type "text/plain";
        try_files $uri =404;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny  all;
    }
}
sudo nginx -t
sudo systemctl reload nginx

4. Allow the HTTP and HTTPS ports in the firewall

Port 80 has to stay open after the switch to HTTPS: Let's Encrypt's http-01 validation connects to port 80 on every issuance and renewal, and the redirect to HTTPS is served from there as well.

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
$ sudo ufw status | egrep '^80|^443'
80,443/tcp                 ALLOW       211.55.16.0/24
443/tcp                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp (v6)               ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)

5. Issue the Let's Encrypt certificate

Request the certificate from Let's Encrypt. Certbot proves control of the domain with an http-01 challenge, so the name must resolve (A/AAAA record) to this host and port 80 must be reachable from the internet.

sudo certbot --nginx

This makes Certbot read the Nginx configuration, list the server_name values it finds and prompt for the ones to issue a certificate for; on the first run it also asks for a contact e-mail address and acceptance of the Let's Encrypt terms of service.

(or, naming the domain directly)

sudo certbot --nginx -d w3.sangchul.kr
$ sudo certbot --nginx -d w3.sangchul.kr
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for w3.sangchul.kr

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/w3.sangchul.kr/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/w3.sangchul.kr/privkey.pem
This certificate expires on 2024-02-11.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for w3.sangchul.kr to /etc/nginx/conf.d/w3.sangchul.kr.conf
Congratulations! You have successfully enabled HTTPS on https://w3.sangchul.kr

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
cat /etc/nginx/conf.d/w3.sangchul.kr.conf
$ cat /etc/nginx/conf.d/w3.sangchul.kr.conf 
server {
    server_name  w3.sangchul.kr;

    access_log  /var/log/nginx/w3.sangchul.kr-access.log  main;

    location / {
        root   /var/www/nginx/w3.sangchul.kr/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location ^~ /.well-known/acme-challenge/ {
        root   /var/www/nginx/w3.sangchul.kr/html;
        allow all;
        default_type "text/plain";
        try_files $uri =404;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny  all;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/w3.sangchul.kr/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/w3.sangchul.kr/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = w3.sangchul.kr) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name  w3.sangchul.kr;
    listen 80;
    return 404; # managed by Certbot
}

6. Automatic renewal

Let's Encrypt certificates are valid for 90 days, so renewal must be automatic. Nothing extra is needed on Ubuntu: the certbot.timer checked in step 1 runs certbot renew twice a day, certbot renew replaces any certificate with fewer than 30 days left, and because this certificate was installed with the nginx plugin, Certbot reloads Nginx after each renewal so the new certificate is actually served. Verify that the whole renewal path works with a dry run:

sudo certbot renew --dry-run

The dry run goes through a complete renewal against the Let's Encrypt staging environment, so it does not consume production rate limits, and it reports the same failures a real renewal would hit, for example port 80 blocked or a server block Certbot can no longer find. A failed dry run means the timer will silently fail too, so fix it now.
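
Added example, not from the original post: a shell check that turns the output of certbot certificates (the command is shown later on this page, in the deletion section) into a list of lineages that should already have been renewed. Certbot renews a certificate once fewer than 30 days remain and the timer runs twice a day, so anything below 29 days, or reported INVALID, means renewal has been failing. The sample output is constructed (the first entry is copied from this page, the other two are made up) and the hostnames are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): flag certificates that certbot.timer
# should already have renewed. Certbot renews at <30 days remaining and runs twice a
# day, so <29 days or INVALID means renewal is failing. Hostnames are assumptions.
set -eu

# Read `certbot certificates` output on stdin; print "<name> <days_left>" per lineage,
# with -1 when certbot reports it as INVALID (expired, or a staging test cert).
parse_certbot_certificates() {
    awk '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            days = -1
            if (match($0, /\(VALID: [0-9]+ day/)) {
                days = substr($0, RSTART + 8, RLENGTH - 12) + 0
            }
            print name, days
        }'
}

# Names of lineages with fewer than $1 days left (default 29), one per line.
certs_needing_attention() {
    parse_certbot_certificates | awk -v limit="${1:-29}" '$2 < limit { print $1 }'
}

# Live check for cron or a monitoring agent: non-zero exit if anything needs attention.
check_live() {
    systemctl is-active --quiet certbot.timer || echo "certbot.timer is not active" >&2
    stale=$(certbot certificates 2>/dev/null | certs_needing_attention 29)
    [ -z "$stale" ] || { printf 'renewal overdue: %s\n' $stale >&2; return 1; }
}

# Constructed sample: the first lineage is the one from this page, the other two are
# made up to show a stalled renewal and an expired certificate.
SAMPLE_CERTBOT_OUTPUT='Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: w3.sangchul.kr
    Serial Number: 4f7f7974e1519fcd8b51439cd36aee1f921
    Key Type: RSA
    Domains: w3.sangchul.kr
    Expiry Date: 2024-02-11 01:07:53+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/w3.sangchul.kr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/w3.sangchul.kr/privkey.pem
  Certificate Name: stale.example.test
    Key Type: ECDSA
    Domains: stale.example.test
    Expiry Date: 2023-11-25 09:12:00+00:00 (VALID: 12 days)
  Certificate Name: expired.example.test
    Key Type: ECDSA
    Domains: expired.example.test
    Expiry Date: 2023-10-01 00:00:00+00:00 (INVALID: EXPIRED)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -'

if [ "${CHECK_LIVE:-0}" = 1 ]; then
    check_live
else
    # offline demo on the sample: prints stale.example.test and expired.example.test
    printf '%s\n' "$SAMPLE_CERTBOT_OUTPUT" | certs_needing_attention 29
fi
```

Run it as CHECK_LIVE=1 sh certbot-check.sh from a cron entry or a monitoring agent; a non-zero exit means the timer has been failing for at least a day, which the dry run above would also have shown, but only at the moment you ran it.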
7. Restart Nginx

Apply the changes. Certbot already reloaded Nginx when it deployed the certificate, so this is only needed if you edited the configuration afterwards; systemctl reload nginx is enough and keeps open connections, whereas restart drops them.

sudo systemctl restart nginx

Nginx now serves encrypted traffic with the certificate issued by Let's Encrypt. Confirm it from outside the host: curl -I http://w3.sangchul.kr should answer 301 with a Location header pointing at https://, and curl -I https://w3.sangchul.kr should complete the TLS handshake without a certificate error.
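
The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that writes the port-80 server block with a properly rooted challenge location, proves locally that Nginx serves that path before any request goes to Let's Encrypt, obtains the certificate with Certbot's webroot authenticator instead of the nginx plugin used above (so Certbot never edits the Nginx configuration), and only then adds the port-443 block. The file names, the inline TLS settings, the HSTS header and the deploy hook are assumptions, not something the post prescribes; the script has to run as root.

```shell
#!/bin/sh
# Added example (not code from the original post). Serves the ACME challenge path from
# the webroot, checks locally that nginx really serves it, then obtains the certificate
# with certbot's webroot authenticator (the post uses the nginx plugin) and only after
# that writes the port-443 block. Paths, TLS settings, HSTS and the deploy hook are
# assumptions for Ubuntu's nginx package; run as root.
set -eu

# Port-80 block. Unlike the post's config, the challenge location carries its own
# `root`, so tokens written under $2/.well-known/acme-challenge/ are actually served.
# $3 = "redirect" (use once the certificate exists) sends everything else to HTTPS;
# the default serves the site over HTTP so nothing breaks before issuance.
render_http_vhost() {
    domain="$1"; webroot="$2"; mode="${3:-serve}"
    cat <<EOF
server {
    listen 80;
    server_name $domain;

    location ^~ /.well-known/acme-challenge/ {
        root $webroot;
        default_type "text/plain";
        try_files \$uri =404;
    }
EOF
    if [ "$mode" = redirect ]; then
        cat <<EOF

    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
    else
        cat <<EOF

    root $webroot;
    index index.html index.htm;
}
EOF
    fi
}

# Port-443 block. Written only after /etc/letsencrypt/live/$1/ exists, otherwise
# `nginx -t` fails on the missing files. The TLS directives are assumed values; the
# post's `include /etc/letsencrypt/options-ssl-nginx.conf` can replace them if the
# nginx plugin has installed that file.
render_https_vhost() {
    domain="$1"; webroot="$2"
    cat <<EOF

server {
    listen 443 ssl;
    server_name $domain;
    root $webroot;
    index index.html index.htm;

    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_tickets off;

    # browsers cache this for max-age seconds; enable only once every
    # subdomain is served over TLS
    add_header Strict-Transport-Security "max-age=63072000" always;
}
EOF
}

# Write a random token where http-01 is served and fetch it back through nginx on
# localhost with the real Host header. Catches a wrong root, a missing server block
# or a blocked port before Let's Encrypt does (failed validations are rate limited).
challenge_selftest() {
    domain="$1"; dir="$2/.well-known/acme-challenge"
    token=$(head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n')
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    got=$(curl -fsS -H "Host: $domain" "http://127.0.0.1/.well-known/acme-challenge/$token" || true)
    rm -f "$dir/$token"
    [ "$got" = "$token" ]
}

provision() {
    domain="$1"; webroot="$2"; email="$3"
    conf="/etc/nginx/conf.d/$domain.conf"
    render_http_vhost "$domain" "$webroot" > "$conf"
    nginx -t
    systemctl reload nginx
    challenge_selftest "$domain" "$webroot"
    # --deploy-hook is stored as renew_hook, so every later renewal reloads nginx too
    certbot certonly --webroot -w "$webroot" -d "$domain" \
        --non-interactive --agree-tos -m "$email" \
        --deploy-hook 'nginx -t && systemctl reload nginx'
    {
        render_http_vhost "$domain" "$webroot" redirect
        render_https_vhost "$domain" "$webroot"
    } > "$conf"
    nginx -t
    systemctl reload nginx
}

# PROVISION=1 sh le-nginx.sh w3.sangchul.kr /var/www/nginx/w3.sangchul.kr/html admin@example.test
if [ "${PROVISION:-0}" = 1 ]; then
    provision "$@"
fi
```

With the webroot authenticator nothing reloads Nginx on renewal by itself, which is why the deploy hook is passed at issuance time: Certbot records it in the lineage's renewal configuration and runs it after every successful renewal, so the timer from step 1 keeps working without the nginx plugin.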

How to delete a certificate registered with Certbot

1. List the certificates Certbot manages

sudo certbot certificates
$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: w3.sangchul.kr
    Serial Number: 4f7f7974e1519fcd8b51439cd36aee1f921
    Key Type: RSA
    Domains: w3.sangchul.kr
    Expiry Date: 2024-02-11 01:07:53+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/w3.sangchul.kr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/w3.sangchul.kr/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2. Delete the certificate with Certbot

Take the warning Certbot prints seriously: the Nginx server block still references /etc/letsencrypt/live/w3.sangchul.kr/, so from this point until step 3 is finished, nginx -t fails and any reload or restart takes the site down. The safer order is to remove the TLS settings from Nginx first (step 3), reload, and run certbot delete last.

sudo certbot delete --cert-name w3.sangchul.kr
$ sudo certbot delete --cert-name w3.sangchul.kr
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificate(s) are selected for deletion:

  * w3.sangchul.kr

WARNING: Before continuing, ensure that the listed certificates are not being
used by any installed server software (e.g. Apache, nginx, mail servers).
Deleting a certificate that is still being used will cause the server software
to stop working. See https://certbot.org/deleting-certs for information on
deleting certificates safely.

Are you sure you want to delete the above certificate(s)?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Deleted all files relating to certificate w3.sangchul.kr.

3. Remove the certificate settings from the web server configuration

The certificate is gone, so remove the SSL-related parts from the Nginx server block (for Apache, from the VirtualHost): the listen 443 ssl, ssl_certificate, ssl_certificate_key, include and ssl_dhparam lines marked "# managed by Certbot", plus the entire second server block Certbot added for the HTTP-to-HTTPS redirect (its if ($host = ...) lines carry no marker, so deleting only marked lines leaves a broken block). What remains should be the original port-80 block from step 3. certbot delete has already removed the lineage's live/, archive/ and renewal/ entries; the rm commands below are only for leftovers, for example when the directories were created by hand.

sudo vim /etc/nginx/conf.d/w3.sangchul.kr.conf
sudo rm -r /etc/letsencrypt/live/w3.sangchul.kr/
sudo rm -r /etc/letsencrypt/archive/w3.sangchul.kr/
sudo rm -f /etc/letsencrypt/renewal/w3.sangchul.kr.conf
$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

4. Restart the web server

sudo systemctl restart nginx

5. Remove the ufw firewall rules

Only do this if the host no longer serves any web traffic: dropping the port 80 rule also blocks the http-01 validation for every other certificate on the machine, and dropping port 443 takes any remaining HTTPS sites offline.

sudo ufw delete allow 80/tcp
sudo ufw delete allow 443/tcp
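
The deletion procedure above, as an added example that is not part of the original post: before certbot delete, grep the Nginx configuration for references to the lineage and refuse to continue while any remain, since Nginx cannot load a server block whose certificate files are gone. The configuration directory, the "managed by Certbot" marker text (which the nginx plugin writes) and the constructed sample server block in demo are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): only run `certbot delete` once no nginx
# configuration references the lineage, because nginx refuses to load a server block
# whose certificate files are missing and a later reload or restart takes the site down.
# The config directory and the "managed by Certbot" marker are assumptions.
set -eu

# Print every file under $2 (default /etc/nginx) that references lineage $1.
# Exit status 0 when at least one reference exists, 1 when the lineage is unused.
lineage_references() {
    grep -RlF -- "/etc/letsencrypt/live/$1/" "${2:-/etc/nginx}"
}

# Lines the nginx plugin added to a file, with line numbers. Removing these from the
# port-443 block restores a plain port-80 block; the separate redirect block certbot
# created must go entirely, since its `if ($host = ...)` lines carry no marker.
certbot_managed_lines() {
    grep -n 'managed by Certbot' "$1" || true
}

safe_delete() {
    name="$1"; confdir="${2:-/etc/nginx}"
    if refs=$(lineage_references "$name" "$confdir"); then
        echo "refusing to delete $name: still referenced by nginx configuration" >&2
        for f in $refs; do
            echo "  $f" >&2
            certbot_managed_lines "$f" | sed 's/^/    /' >&2
        done
        return 1
    fi
    nginx -t                              # the edited config must still parse
    systemctl reload nginx                # and be live before the files disappear
    certbot delete --cert-name "$name" --non-interactive
}

# Offline demo on a constructed server block (the shape certbot's nginx plugin writes);
# returns 0 when safe_delete correctly refuses.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/conf.d"
    cat > "$tmp/conf.d/w3.sangchul.kr.conf" <<'EOF'
server {
    server_name  w3.sangchul.kr;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/w3.sangchul.kr/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/w3.sangchul.kr/privkey.pem; # managed by Certbot
}
EOF
    if safe_delete w3.sangchul.kr "$tmp" 2>/dev/null; then
        rm -rf "$tmp"; return 1        # must not reach certbot while references exist
    fi
    rm -rf "$tmp"
}

if [ "${SAFE_DELETE:-0}" = 1 ]; then
    safe_delete "$@"
else
    demo && echo "demo: deletion correctly refused while nginx still references the lineage"
fi
```

Run it as SAFE_DELETE=1 sh certbot-safe-delete.sh w3.sangchul.kr after editing the vhost; the listing it prints on refusal is exactly the set of lines step 3 asks you to remove, and the order it enforces (edit, nginx -t, reload, then delete) is the reverse of the one on this page.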