728x90
우분투에 Nginx를 설치하고 Let's Encrypt를 사용하여 SSL 인증서를 설정하는 방법
Nginx 설치
우분투 패키지 관리자를 사용하여 Nginx를 설치합니다.
sudo apt-get update
sudo apt-get install -y curl gnupg2 ca-certificates lsb-release
sudo apt-get install -y ubuntu-keyring apt-transport-https
curl -s https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
| sudo tee /etc/apt/sources.list.d/nginx.list
sudo apt-get update
sudo apt-get install -y nginx
Certbot 설치
Let's Encrypt 인증서를 발급하기 위해 Certbot을 설치합니다.
sudo apt-get update
sudo apt-get install -y certbot python3-certbot-nginx
Let's Encrypt를 사용하기 위한 Nginx 구성
Nginx의 기본 구성 파일을 열고 도메인을 추가합니다.
sudo cp /etc/nginx/nginx.conf /etc/nginx/original/nginx.conf_$(date +"%Y%m%d-%H%M%S")
sudo cp /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/webserver1.conf
mkdir -pv /usr/share/nginx/html/.well-known/acme-challenge
vim /etc/nginx/conf.d/webserver1.conf
더보기
---
$ vim /etc/nginx/conf.d/webserver1.conf
server {
...
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
...
# acme-challenge
location ^~ /.well-known/acme-challenge/ {
allow all;
default_type "text/plain";
try_files $uri =404;
}
...
}
---
nginx -t
sudo systemctl reload nginx
SSL 인증서 발급 및 설정
Certbot을 사용하여 SSL 인증서를 발급하고 Nginx에 설정합니다.
sudo certbot --nginx -d t4gm.sangchul.kr
더보기
---
$ sudo certbot --nginx -d t4gm.sangchul.kr
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): t4gm@sangchul.kr
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for t4gm.sangchul.kr
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/t4gm.sangchul.kr/fullchain.pem
Key is saved at: /etc/letsencrypt/live/t4gm.sangchul.kr/privkey.pem
This certificate expires on 2024-08-01.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for t4gm.sangchul.kr to /etc/nginx/conf.d/t4gm.sangchul.kr.conf
Congratulations! You have successfully enabled HTTPS on https://t4gm.sangchul.kr
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---
Nginx 구성 파일 확인
cat /etc/nginx/conf.d/webserver1.conf
더보기
---
$ cat /etc/nginx/conf.d/webserver1.conf
server {
server_name t4gm.sangchul.kr;
access_log /var/log/nginx/t4gm.sangchul.kr-access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# acme-challenge
location ^~ /.well-known/acme-challenge/ {
allow all;
default_type "text/plain";
try_files $uri =404;
}
# nginx status
location /nginx_status {
# Nginx status 페이지 설정
stub_status;
access_log off;
allow 127.0.0.1;
allow 0.0.0.0/0;
deny all;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/t4gm.sangchul.kr/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/t4gm.sangchul.kr/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = t4gm.sangchul.kr) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name t4gm.sangchul.kr;
return 404; # managed by Certbot
}
---
SSL 인증서 확인
sudo certbot certificates
더보기
---
$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: t4gm.sangchul.kr
Serial Number: 3b6516a3b5c5bae696273aa0c094464bd2e
Key Type: ECDSA
Domains: t4gm.sangchul.kr
Expiry Date: 2024-08-01 02:55:26+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/t4gm.sangchul.kr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/t4gm.sangchul.kr/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---
인증서 자동 갱신 설정
자동 갱신을 설정하여 인증서의 유효기간이 만료되지 않도록 합니다.
sudo certbot renew --dry-run
우분투에 Nginx를 설치하고 Let's Encrypt를 사용하여 SSL 인증서를 설정하는 과정이 완료되었습니다. 웹 서버는 이제 HTTPS를 통해 안전하게 통신할 수 있습니다.
728x90
'리눅스' 카테고리의 다른 글
[draft] 우분투에 Apache2를 컴파일하여 설치하는 방법 (0) | 2024.05.09 |
---|---|
[draft] Nginx에서 Gzip 압축을 설정하는 방법 (0) | 2024.05.03 |
[draft] 샘플 데이터베이스와 테이블을 생성하는 방법 (0) | 2024.04.29 |
[draft] fping 명령어 (0) | 2024.04.25 |
Git 경고 메시지 "LF will be replaced by CRLF the next time Git touches it" 해결 방법 (0) | 2024.04.01 |