Applying SSL to Nginx on Ubuntu 18.04
Use a free SSL certificate from Let's Encrypt to enable SSL on Nginx.
Installing Certbot
sudo add-apt-repository ppa:certbot/certbot
sudo apt install python-certbot-nginx
Checking the nginx configuration
sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/skyer9.pe.kr
sudo vi /etc/nginx/sites-available/skyer9.pe.kr
server {
    listen 80;
    listen [::]:80;

    root /var/www/skyer9.pe.kr/html;
    index index.html index.htm index.nginx-debian.html index.php;

    server_name skyer9.pe.kr www.skyer9.pe.kr m.skyer9.pe.kr;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }
}
sudo ln -s /etc/nginx/sites-available/skyer9.pe.kr /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
Obtaining the SSL certificate
sudo certbot --nginx -d skyer9.pe.kr -d www.skyer9.pe.kr -d m.skyer9.pe.kr
......
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): test@gmail.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
......
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
......
Certbot has added the SSL settings to the site configuration automatically.
vi /etc/nginx/sites-enabled/skyer9.pe.kr
sudo nginx -t
sudo systemctl reload nginx
You can confirm in a browser that the site is reachable at https://www.skyer9.pe.kr.
Automatic SSL renewal
The command below simulates a certificate renewal.
sudo certbot renew --dry-run
Register the actual certificate renewal in crontab with the commands below.
sudo crontab -e
# ┌───────────── min (0 - 59)
# │ ┌────────────── hour (0 - 23)
# │ │ ┌─────────────── day of month (1 - 31)
# │ │ │ ┌──────────────── month (1 - 12)
# │ │ │ │ ┌───────────────── day of week (0 - 6) (0 to 6 are Sunday to
# │ │ │ │ │ Saturday, or use names; 7 is also Sunday)
# │ │ │ │ │
# │ │ │ │ │
# * * * * * command to execute
30 4 13 * * /usr/bin/certbot renew --renew-hook="sudo systemctl reload nginx"
The command below shows the remaining validity period of the certificate.
sudo certbot certificates
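The crontab entry above fires once a month, so the following simulation (an added example, not part of the original post, written in Python like Certbot itself) checks that schedule against a certificate's lifetime. It assumes 90-day Let's Encrypt certificates and Certbot's default behaviour of renewing only when fewer than 30 days remain; the issue dates and the `failed_runs` parameter are constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumptions (not stated on the page): Let's Encrypt certificates are valid
# for 90 days and `certbot renew` only acts once fewer than 30 days remain.
LIFETIME = timedelta(days=90)
RENEW_WINDOW = timedelta(days=30)

def cron_runs(after):
    """Yield firings of the page's schedule '30 4 13 * *' later than `after`."""
    year, month = after.year, after.month
    while True:
        run = datetime(year, month, 13, 4, 30)
        if run > after:
            yield run
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)

def first_renewal(issued, failed_runs=0):
    """Return (renewal time, validity left at that moment) for a certificate
    issued at `issued`. The first `failed_runs` due runs fail (hypothetical
    outage). A negative margin means an expired certificate was being served."""
    expiry = issued + LIFETIME
    for run in cron_runs(issued):
        if expiry - run >= RENEW_WINDOW:
            continue                      # certbot: not yet due for renewal
        if failed_runs > 0:
            failed_runs -= 1              # this attempt failed, wait a month
            continue
        return run, expiry - run

def lapsing_issue_days(year):
    """Issue dates (noon, constructed) in `year` whose certificate expires
    before the monthly job renews it, even when every run succeeds."""
    day, bad = datetime(year, 1, 1, 12), []
    while day.year == year:
        if first_renewal(day)[1] < timedelta(0):
            bad.append(day.date())
        day += timedelta(days=1)
    return bad

if __name__ == "__main__":
    for issued in (datetime(2019, 1, 1, 12), datetime(2019, 1, 14, 12)):
        when, margin = first_renewal(issued)
        print(f"issued {issued:%Y-%m-%d}: renewed {when:%Y-%m-%d}, margin {margin}")
    print("lapses with no failures:", lapsing_issue_days(2019))
```

Certificates issued on the dates it lists stay expired for about 16 hours before the monthly job renews them, and a single failed run turns a one-day margin into weeks of expiry. Scheduling the same `certbot renew` command daily removes the gap, because it does nothing until a certificate enters the renewal window.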