Nginx + certbot 으로 SSL 세팅 (Amazon Linux 2023)

Nginx + certbot 으로 SSL 세팅 (Amazon Linux 2023)

- 서브 도메인 사용하려면 먼저 서브 도메인 세팅이 필요

cafe24 : 도메인 > DNS관리 > 호스트IP(A 레코드) 관리 > A 레코드 추가 > 서브도메인명/퍼블릭아이피 입력

AWS Route 53 : 호스팅 > 도메인 선택 > A 레코드 추가

 

1. EC2 내 nginx 설치 및 ssl 세팅 작업

## nginx 설치
# root 접속
$ sudo su

# nginx 설치
$ yum install nginx

# nginx 구동
$ systemctl start nginx

# nginx 상태 확인
$ systemctl status nginx

# nginx config 폴더 위치 이동
$ cd /etc/nginx/conf.d/

# 세팅 할 도메인 config 초기 세팅 (도메인명 conf) 무조건 있어야함 ssl 세팅 전에
$ vi xxx.xxx.co.kr.conf

----------------------------------------------------------------------
#내부 프록싱할 주소
upstream umsapi {
        server 127.0.0.1:8080;
}

server {
        
        #요청 받는 도메인
        server_name xxx.xxx.co.kr;

        location / {
                rewrite ^/(.*)$ /$1 break;
                proxy_pass http://127.0.0.1:3000/;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }


        #특정 패턴의 URI 로 들어올경우 위에서 설정한 umsapi upstream으로 프록싱
        location /api/ {
                rewrite ^/api/(.*)$ /api/$1 break;
                proxy_pass http://127.0.0.1:8080/;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }


}

----------------------------------------------------------------------

## certbot을 이용한 ssl 세팅 (도메인 등록이 선행되어야 함)
# 파이선 환경 pip 설치
$ sudo dnf install -y python3 augeas-libs pip

# 가상환경 설정 (nginx에서 https 세팅 활성화 위함)
$ sudo python3 -m venv /opt/certbot/

# 설치 위치 파일 확인
$ ls /opt/certbot
$ ls /opt/certbot/bin

# pip 설치
$ sudo /opt/certbot/bin/pip install --upgrade pip

# certbot 설치
$ sudo /opt/certbot/bin/pip install certbot

# certbot-nginx 설치
$ sudo /opt/certbot/bin/pip install certbot certbot-nginx

# certbot 명령어 등록 작업 (/usr/bin/certbot not find 여도 됨)
$ sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

# 인증서를 자동으로 nginx에 자동으로 등록 및 구성되도록 https ssl 인증서 등록 작업
$ certbot certificates
or 
$ sudo certbot --nginx -d xxx.xxx.co.kr

----------------------------------------------------------------------
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): dev@xxx.co.kr #자기 이메일 쓰기

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: xxx.xxx.co.kr
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for ums.uniwear.kr

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: xxx.xxx.co.kr
  Type:   unauthorized
  Detail: xxx: Invalid response from http://xxx.xxx.co.kr/.well-known/acme-challenge/1t18: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
----------------------------------------------------------------------

# 현재 인증서 목록 확인
certbot certificates

# 엔진엑스 설정 반영을 위한 재구동
service nginx restart

 

2. 인증서가 만료되었을 경우 

certbot renew

# 결과 내용
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/xxx.xxx.co.kr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for ums.uniwear.kr
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/xxx.xxx.co.kr/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

3. 인증서 재발급 스케줄러 EC2 세팅

# CronTab 설치
$ sudo yum install cronie -y
$ sudo systemctl enable crond.service
$ sudo systemctl start crond.service
$ sudo systemctl status crond | grep Active
 Active: active (running) since ago
 
 
 # 스케줄러 등록
 # 스케줄러 조회
$ crontab -l
no crontab for root
 # 스케줄러 수정
$ crontab -e

# 추가 매월 0시 0분에 인증서 재발급 후 엔진엑스 재구동 스크립트
0 0 1 * * /usr/bin/certbot renew --renew-hook="sudo systemctl restart nginx.service"
  
 # 스케줄러 등록확인
 $ crontab -l
0 0 1 * * /usr/bin/certbot renew --renew-hook="sudo systemctl restart nginx.service"

 

 

끗!@#!#%!#$%!@#$!