변군이글루 Blog (Development)
[draft] How to install Nginx on Ubuntu and set up an SSL certificate with Certbot
How to install Nginx on Ubuntu and set up an SSL certificate with Let's Encrypt
Installing Nginx
Install Nginx with apt from the official nginx.org package repository.
sudo apt-get update
sudo apt-get install -y curl gnupg2 ca-certificates lsb-release
sudo apt-get install -y ubuntu-keyring apt-transport-https
curl -s https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
| sudo tee /etc/apt/sources.list.d/nginx.list
sudo apt-get update
sudo apt-get install -y nginx
Installing Certbot
Install Certbot to obtain a Let's Encrypt certificate.
sudo apt-get update
sudo apt-get install -y certbot python3-certbot-nginx
Configuring Nginx for Let's Encrypt
Back up the main Nginx configuration, then open the server configuration file and add the domain.
sudo mkdir -p /etc/nginx/original
sudo cp /etc/nginx/nginx.conf /etc/nginx/original/nginx.conf_$(date +"%Y%m%d-%H%M%S")
sudo cp /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/webserver1.conf
sudo mkdir -pv /usr/share/nginx/html/.well-known/acme-challenge
sudo vim /etc/nginx/conf.d/webserver1.conf
---
$ sudo vim /etc/nginx/conf.d/webserver1.conf
server {
    ...
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
    ...
    # acme-challenge
    location ^~ /.well-known/acme-challenge/ {
        # root is set here because the root inside "location /" is not inherited
        root /usr/share/nginx/html;
        allow all;
        default_type "text/plain";
        try_files $uri =404;
    }
    ...
}
---
sudo nginx -t
sudo systemctl reload nginx
Issuing and installing the SSL certificate
Use Certbot to issue the SSL certificate and configure it in Nginx.
sudo certbot --nginx -d t4gm.sangchul.kr
---
$ sudo certbot --nginx -d t4gm.sangchul.kr
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): t4gm@sangchul.kr
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for t4gm.sangchul.kr
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/t4gm.sangchul.kr/fullchain.pem
Key is saved at: /etc/letsencrypt/live/t4gm.sangchul.kr/privkey.pem
This certificate expires on 2024-08-01.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for t4gm.sangchul.kr to /etc/nginx/conf.d/t4gm.sangchul.kr.conf
Congratulations! You have successfully enabled HTTPS on https://t4gm.sangchul.kr
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---
Checking the Nginx configuration file
cat /etc/nginx/conf.d/webserver1.conf
---
$ cat /etc/nginx/conf.d/webserver1.conf
server {
    server_name t4gm.sangchul.kr;
    access_log /var/log/nginx/t4gm.sangchul.kr-access.log main;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root html;
    #    fastcgi_pass 127.0.0.1:9000;
    #    fastcgi_index index.php;
    #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    #    include fastcgi_params;
    #}

    # acme-challenge
    location ^~ /.well-known/acme-challenge/ {
        # root is set here because the root inside "location /" is not inherited
        root /usr/share/nginx/html;
        allow all;
        default_type "text/plain";
        try_files $uri =404;
    }

    # nginx status
    location /nginx_status {
        # Nginx status page settings (readable from localhost only)
        stub_status;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/t4gm.sangchul.kr/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/t4gm.sangchul.kr/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = t4gm.sangchul.kr) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name t4gm.sangchul.kr;
    return 404; # managed by Certbot
}
---
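nginx checks `allow` and `deny` rules in order and stops at the first match, so the `/nginx_status` block stays private only while no catch-all `allow` sits ahead of `deny all`. The following lint for that pattern is an added example, not part of the original post; the function name `audit_allow_deny` and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an nginx config for a catch-all "allow" placed ahead of
# "deny all" inside a location block. SAMPLE_CONF is constructed for the demo.

SAMPLE_CONF='server {
    location /nginx_status {
        stub_status;
        allow 127.0.0.1;
        allow 0.0.0.0/0;   # matches every IPv4 client
        deny all;
    }
    location /metrics {
        allow 10.0.0.0/8;
        deny all;
    }
}'

# audit_allow_deny: reads nginx config on stdin, prints one finding per
# offending location, and returns 1 if anything was found.
audit_allow_deny() {
    awk '
        { sub(/#.*/, "") }                          # drop comments
        /location[ \t].*\{/ {                       # entering a location block
            loc = $0
            sub(/^[ \t]*location[ \t]+/, "", loc); sub(/[ \t]*\{.*$/, "", loc)
            broad = ""
        }
        /allow[ \t]+(all|0\.0\.0\.0\/0|::\/0)[ \t]*;/ {
            broad = $0                              # remember the catch-all rule
            sub(/^.*allow[ \t]+/, "", broad); sub(/[ \t]*;.*$/, "", broad)
        }
        /deny[ \t]+all[ \t]*;/ && broad != "" {
            printf "%s: allow %s precedes deny all\n", loc, broad
            found = 1
        }
        /\}/ { broad = "" }                         # leaving the block
        END { exit (found ? 1 : 0) }
    '
}

# Demo on the constructed sample; against a live server use:
#   sudo nginx -T 2>/dev/null | audit_allow_deny
printf '%s\n' "$SAMPLE_CONF" | audit_allow_deny || echo "review the locations listed above"
```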
Checking the SSL certificate
sudo certbot certificates
---
$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: t4gm.sangchul.kr
Serial Number: 3b6516a3b5c5bae696273aa0c094464bd2e
Key Type: ECDSA
Domains: t4gm.sangchul.kr
Expiry Date: 2024-08-01 02:55:26+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/t4gm.sangchul.kr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/t4gm.sangchul.kr/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---
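Setting up automatic certificate renewal
Set up automatic renewal so that the certificate does not expire. Certbot reported above that it registered a scheduled renewal task; a dry run tests the renewal process without replacing the certificate.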
sudo certbot renew --dry-run
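A dry run only shows that renewal can work; a periodic check of the remaining lifetime catches a renewal task that has silently stopped. The following is an added example, not part of the original post: it parses the text printed by `certbot certificates`, and the function name `check_expiry` and the second sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: report certificates that are near expiry, based on the text
# that `certbot certificates` prints. The first entry of SAMPLE_OUTPUT repeats
# the listing shown earlier on this page; the second entry is constructed.

SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: t4gm.sangchul.kr
    Key Type: ECDSA
    Domains: t4gm.sangchul.kr
    Expiry Date: 2024-08-01 02:55:26+00:00 (VALID: 89 days)
  Certificate Name: old.example.com
    Key Type: ECDSA
    Domains: old.example.com
    Expiry Date: 2024-01-15 10:00:00+00:00 (INVALID: EXPIRED)'

# check_expiry MIN_DAYS: reads `certbot certificates` output on stdin, prints
# "name: status" for every certificate with fewer than MIN_DAYS left or with
# any status other than "VALID: N days", and returns 1 if it printed anything.
check_expiry() {
    awk -v min="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            status = $0                              # keep the "(...)" part only
            sub(/^[^(]*\(/, "", status); sub(/\).*$/, "", status)
            if (status ~ /^VALID: [0-9]+ days?$/) {
                split(status, part, " ")
                if (part[2] + 0 >= min + 0) next     # enough lifetime left
            }
            printf "%s: %s\n", name, status
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Demo on the sample; on the server itself run:
#   sudo certbot certificates 2>/dev/null | check_expiry 30
printf '%s\n' "$SAMPLE_OUTPUT" | check_expiry 30 || echo "renewal needs attention"
```

The non-zero return status lets a cron job or monitoring probe raise an alert when any certificate is listed.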
This completes the installation of Nginx on Ubuntu and the setup of an SSL certificate with Let's Encrypt. The web server can now communicate securely over HTTPS.