certbot \uc124\uce58<\/h2>\nsudo apt install -y certbot python3-certbot-nginx<\/code><\/pre>\nNginx \uc124\uc815 (80\ud3ec\ud2b8)<\/h2>\nsudo vi \/etc\/nginx\/sites-available\/example.com\n--------------\nserver {\n listen 80; # IPv4 \uc5f0\uacb0\uc744 \uc218\uc2e0\n listen [::]:80; # IPv6 \uc5f0\uacb0\uc744 \uc218\uc2e0\n\n root \/var\/www\/html;\n\n server_name example.com www.example.com;\n}<\/code><\/pre>\n# \ud14c\uc2a4\ud2b8\nsudo nginx -t\nnginx: the configuration file \/etc\/nginx\/nginx.conf syntax is ok\nnginx: configuration file \/etc\/nginx\/nginx.conf test is successful\n\n## \uc7ac\uc2dc\uc791\nsudo service nginx restart<\/code><\/pre>\n\uc778\uc99d\uc11c \ubc1c\uae09\ubc1b\uae30 (https)<\/h2>\n# sudo certbot --nginx -d example.com -d www.example.com\nsudo certbot --nginx -d example.com<\/code><\/pre>\n\uc544\ub798\uc640 \uac19\uc740 \uba54\uc2dc\uc9c0\uac00 \ub098\uc624\uba74 \uc131\uacf5\uc785\ub2c8\ub2e4.<\/p>\n
Congratulations! You have successfully enabled https:\/\/example.com and https:\/\/www.example.com \n\n-------------------------------------------------------------------------------------\nIMPORTANT NOTES:\n\nCongratulations! Your certificate and chain have been saved at:\n\/etc\/letsencrypt\/live\/example.com\/fullchain.pem \nYour key file has been saved at:\n\/etc\/letsencrypt\/live\/example.com\/\/privkey.pem\nYour cert will expire on 2017-12-12.<\/code><\/pre>\nsudo vi \/etc\/nginx\/sites-available\/example.com<\/code><\/pre>\nserver {\n listen 80; # IPv4 \uc5f0\uacb0\uc744 \uc218\uc2e0\n listen [::]:80; # IPv6 \uc5f0\uacb0\uc744 \uc218\uc2e0\n\n root \/var\/www\/html;\n\n server_name example.com www.example.com;\n\n listen 443 ssl; # managed by Certbot\n\n # RSA certificate\n ssl_certificate \/etc\/letsencrypt\/live\/example.com\/fullchain.pem; # managed by Certbot\n ssl_certificate_key \/etc\/letsencrypt\/live\/example.com\/privkey.pem; # managed by Certbot\n\n include \/etc\/letsencrypt\/options-ssl-nginx.conf; # managed by Certbot\n\n # http \ud1b5\uc2e0\uc744 https \ub85c \ub9ac\ub2e4\uc774\ub809\ud2b8\n if ($scheme != "https") {\n return 301 https:\/\/$host$request_uri;\n } # managed by Certbot\n}<\/code><\/pre>\n\uc778\uc99d\uc11c \uc790\ub3d9\uac31\uc2e0<\/h2>\n
\uc0c8\ub85c \ubc1c\uae09\ubc1b\uc740 \uc778\uc99d\uc11c\ub294 90\uc77c\uc758 \uc720\ud6a8\uae30\uac04\ub9cc \uac00\uc9d1\ub2c8\ub2e4.<\/p>\n
\uc778\uc99d\uc11c\uac00 \ub9cc\ub8cc\ub418\uc9c0 \uc54a\uc73c\ub824\uba74 \uc778\uc99d\uc11c\ub97c \uac31\uc2e0\ud574\uc8fc\uc5b4\uc57c \ud569\ub2c8\ub2e4.<\/p>\n
# \ub8e8\ud2b8\ub85c \uc774\ub3d9\nsudo su -\n\ncrontab -e<\/code><\/pre>\n\uc77c\ubc18\uc801\uc73c\ub85c \uccab\ubc88\uc9f8 \uba85\ub839\uc774 \uc791\ub3d9\ud569\ub2c8\ub2e4.
\n\ud558\uc9c0\ub9cc \uc624\ub958\uac00 \ubc1c\uc0dd\uc2dc --nginx<\/code> \uc635\uc158\uc744 \ucd94\uac00\ud574\uc11c nginx \uc784\uc744 \uba85\uc2dc\ud574 \uc90d\ub2c8\ub2e4.<\/p>\n30 4 * * 0 \/usr\/bin\/certbot renew --renew-hook="systemctl reload nginx"\n# \uc218\ub3d9 \uac31\uc2e0\n# 30 4 * * 0 \/usr\/bin\/certbot --nginx renew --renew-hook="systemctl reload nginx"<\/code><\/pre>\nWildcard \uc778\uc99d\uc11c \ubc1c\uae09\ubc1b\uae30<\/h2>\n
Let’s Encrypt \uc5d0\uc11c\ub294 *.example.com \uacfc \uac19\uc774 \uc640\uc77c\ub4dc\uce74\ub4dc \uc778\uc99d\uc11c\ub3c4 \ubc1c\uae09\ud574 \uc90d\ub2c8\ub2e4.<\/p>\n
\uc778\uc99d\uc11c \uc0c1\ud0dc \ud655\uc778<\/h3>\nsudo certbot certificates\nSaving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nFound the following certs:\n Certificate Name: test1.example.com\n Domains: test1.example.com\n Expiry Date: 2025-06-02 01:38:23+00:00 (VALID: 89 days)\n Certificate Path: \/etc\/letsencrypt\/live\/test1.example.com\/fullchain.pem\n Private Key Path: \/etc\/letsencrypt\/live\/test1.example.com\/privkey.pem\n Certificate Name: example.com\n Domains: *.example.com example.com\n Expiry Date: 2022-10-27 05:30:32+00:00 (INVALID: EXPIRED)\n Certificate Path: \/etc\/letsencrypt\/live\/example.com\/fullchain.pem\n Private Key Path: \/etc\/letsencrypt\/live\/example.com\/privkey.pem\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<\/code><\/pre>\n\uae30\uc874 \uc11c\ube0c\ub3c4\uba54\uc778 \uc778\uc99d\uc11c \uc0ad\uc81c \ud6c4 \uc640\uc77c\ub4dc \uc778\uc99d\uc11c \ubc1c\uae09<\/h3>\n# \uae30\uc874 \uc11c\ube0c\ub3c4\uba54\uc778 \uc778\uc99d\uc11c \uc0ad\uc81c\nsudo certbot delete --cert-name test1.example.com\n\n# Then, renew the wildcard certificate\nsudo certbot certonly --manual --preferred-challenges=dns --server https:\/\/acme-v02.api.letsencrypt.org\/directory --domain "*.example.com" --domain "example.com"<\/code><\/pre>\n\uc640\uc77c\ub4dc \uc778\uc99d\uc11c\ub97c \ubc1c\uae09\ubc1b\uae30 \uc704\ud574\uc11c\ub294 \ub3c4\uba54\uc778\uc758 \uc18c\uc720\uc790\uc784\uc744 \uc778\uc99d\ud574\uc57c \ud569\ub2c8\ub2e4.<\/p>\n
DNS \uc11c\ubc84\uc5d0 _acme-challenge.example.com \uac19\uc740 \uc11c\ube0c\ub3c4\uba54\uc778\uc744 \uc0dd\uc131\ud558\ub77c\ub294 \ubb38\uad6c\uac00 \ub098\uc624\uba74,
\n_acme-challenge \uc11c\ube0c\ub3c4\uba54\uc778\uc744 TXT \ud0c0\uc785\uc73c\ub85c \uc0dd\uc131\ud558\uace0 \uc544\ub798 \ubb38\uc790\uc5f4\uc744 \uc785\ub825\ud574 \uc90d\ub2c8\ub2e4.
\n\ub3c4\uba54\uc778 \uc815\ubcf4 \ubcc0\uacbd\uc774 \ubc18\uc601\ub418\uae30\ub97c \uae30\ub2e4\ub824(1~10 \ubd84, DNS \uc11c\ubc84\uc124\uc815\uc5d0\uc11c \uacb0\uc815\ub428) \uc5d4\ud130\ub97c \uc785\ub825\ud574 \uc8fc\uba74 \ub429\ub2c8\ub2e4.<\/p>\n
https:\/\/toolbox.googleapps.com\/apps\/dig\/#TXT\/_acme-challenge.example.com<\/a><\/p>\n\ubc18\ub4dc\uc2dc \ub3c4\uba54\uc778\uc815\ubcf4\uac00 \uc0dd\uc131\ub41c \uac83\uc744 \ud655\uc778\ud55c \ud6c4 \uc5d4\ud130\ub97c \uc785\ub825\ud558\uc138\uc694.<\/font><\/p>\nPlease deploy a DNS TXT record under the name\n_acme-challenge.example.com with the following value:\n\n3WLmAnTEXo8v7BXXXXXXXXXXXXXXXXXX\n\nBefore continuing, verify the record is deployed.<\/code><\/pre>\n\uc544\ub798 \uc0ac\uc9c4\uc740 AWS Route53 \uc744 \uc774\uc6a9\ud574 \uc11c\ube0c\ub3c4\uba54\uc778\uc744 \uc0dd\uc131\ud558\ub294 \ubc29\ubc95\uc785\ub2c8\ub2e4.<\/p>\n
![\"\"](\"https:\/\/www.skyer9.pe.kr\/wordpress\/wp-content\/uploads\/2025\/03\/2025-03-04-01.png\")
<\/a><\/p>\nWildcard \uc778\uc99d\uc11c \uc790\ub3d9\uac31\uc2e0 (AWS Route53)<\/h3>\n
Wildcard \uc778\uc99d\uc11c \uc790\ub3d9\uac31\uc2e0\uc740 \uc704 \ud06c\ub860\ud0ed\uc5d0 \ub4f1\ub85d\ud55c \uba85\ub839\uc73c\ub85c \uc790\ub3d9\uac31\uc2e0\uc774 \uc774\ub8e8\uc5b4\uc9c0\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4.<\/font><\/p>\n\ub9e4 \uac31\uc2e0\uc2dc\ub9c8\ub2e4 \ub3c4\uba54\uc778 \uc18c\uc720\uad8c \ud655\uc778\uc744 \uc704\ud55c \ub2e8\uacc4\ub97c \uac70\uccd0\uc57c \ud569\ub2c8\ub2e4.<\/p>\n
\uc544\ub798 \uc124\uba85\uc740 AWS Route53 \uc744 \uae30\uc900\uc73c\ub85c \uc124\uba85\ud569\ub2c8\ub2e4.<\/p>\n
\uac1c\uc694<\/h4>\n\n- AWS IAM \uc815\ucc45\uc0dd\uc131<\/li>\n
- AWS IAM \uacc4\uc815\uc0dd\uc131<\/li>\n
- \ub9ac\ub205\uc2a4 \uc778\uc99d\uc11c \uac31\uc2e0\uc6a9 \uc0c8 \uc720\uc800 \uc0dd\uc131<\/li>\n
- \ub9ac\ub205\uc2a4 \uc11c\ube44\uc2a4 \ub4f1\ub85d<\/li>\n<\/ul>\n
AWS IAM \uc815\ucc45\uc0dd\uc131<\/h4>\n
![\"\"](\"https:\/\/www.skyer9.pe.kr\/wordpress\/wp-content\/uploads\/2025\/03\/2025-03-04-02.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/www.skyer9.pe.kr\/wordpress\/wp-content\/uploads\/2025\/03\/2025-03-04-03.png\")
<\/a><\/p>\nJSON \uc744 \uc120\ud0dd\ud558\uace0 \uc544\ub798 \ub0b4\uc6a9\uc744 \uc785\ub825\ud574 \uc90d\ub2c8\ub2e4.<\/p>\n
![\"\"](\"https:\/\/www.skyer9.pe.kr\/wordpress\/wp-content\/uploads\/2025\/03\/2025-03-04-04.png\")
<\/a><\/p>\n{ \n "Version": "2012-10-17", \n "Id": "certbot-dns-route53 sample policy", \n "Statement": [ \n { \n "Effect": "Allow", \n "Action": [ \n "route53:ListHostedZones", \n "route53:GetChange" \n ], \n "Resource": [ \n "*" \n ] \n }, \n { \n "Effect" : "Allow", \n "Action" : [ \n "route53:ChangeResourceRecordSets" \n ], \n "Resource" : [ \n "arn:aws:route53:::hostedzone\/YOURHOSTEDZONEID" \n ] \n } \n ] \n} <\/code><\/pre>\n\ud654\uba74 \ub9e8 \uc544\ub798 \ub2e4\uc74c<\/code> \uc744 \ud074\ub9ad\ud569\ub2c8\ub2e4.
\n\uc815\ucc45 \uc774\ub984\uc744 \uc785\ub825\ud558\uace0 \uc815\ucc45\uc0dd\uc131 \ubc84\ud2bc\uc744 \ud074\ub9ad\ud569\ub2c8\ub2e4.<\/p>\nAWS IAM \uacc4\uc815\uc0dd\uc131<\/h4>\n
\uc67c\ucabd \uba54\ub274\uc5d0\uc11c \uc0ac\uc6a9\uc790<\/code>\ub97c \ud074\ub9ad\ud558\uace0 \uc0ac\uc6a9\uc790 \uc0dd\uc131<\/code> \ubc84\ud2bc\uc744 \ud074\ub9ad\ud569\ub2c8\ub2e4.
\n\uc0ac\uc6a9\uc790 \uc774\ub984\uc744 \uc785\ub825\ud558\uace0 \ub2e4\uc74c<\/code>\uc744 \ud074\ub9ad\ud569\ub2c8\ub2e4.
\n\uc815\ucc45 \uc9c1\uc811 \uc124\uc815<\/code>\uc744 \uc120\ud0dd\ud558\uace0 \uc704\uc5d0\uc11c \uc0dd\uc131\ud55c \uc815\ucc45\uc744 \uac80\uc0c9\ud574\uc11c \uc120\ud0dd\ud558\uace0 \ub2e4\uc74c<\/code>\uc744 \ud074\ub9ad\ud569\ub2c8\ub2e4.
\n\uc0ac\uc6a9\uc790 \uc0dd\uc131<\/code> \ubc84\ud2bc\uc744 \ud074\ub9ad\ud569\ub2c8\ub2e4.<\/p>\n\uc67c\ucabd \uba54\ub274\uc5d0\uc11c \uc0ac\uc6a9\uc790<\/code>\ub97c \ud074\ub9ad\ud558\uace0 \ubc29\uae08 \uc0dd\uc131\ud55c \uc0ac\uc6a9\uc790\ub97c \uac80\uc0c9\ud574\uc11c \uc870\ud68c\ud569\ub2c8\ub2e4.
\n\uc561\uc138\uc2a4 \ud0a4 \ub9cc\ub4e4\uae30<\/code> \ub97c \ud074\ub9ad\ud569\ub2c8\ub2e4.
\nCommand Line interface(CLI)<\/code> \ub97c \uc120\ud0dd\ud558\uace0 \ub2e4\uc74c\uc744 \ud074\ub9ad\ud569\ub2c8\ub2e4.
\n\uc5d1\uc138\uc2a4 \ud0a4<\/code>\uc640 \ube44\ubc00 \uc5d1\uc138\uc2a4\ud0a4<\/code>\ub97c \uba54\ubaa8\uc7a5\uc5d0 \ubcf5\uc0ac \ubd99\uc5ec\ub123\uae30\ud569\ub2c8\ub2e4.<\/p>\n\ub9ac\ub205\uc2a4 \uc778\uc99d\uc11c \uac31\uc2e0\uc6a9 \uc0c8 \uc720\uc800 \uc0dd\uc131<\/h4>\nsudo apt-get update\nsudo apt-get install python3-pip\npip3 install certbot-dns-route53<\/code><\/pre>\nrenewhttps<\/code> \uc720\uc800\ub97c \uc0dd\uc131\ud558\uace0 sudo \uad8c\ud55c\uc744 \ubd80\uc5ec\ud569\ub2c8\ub2e4.<\/p>\nsudo adduser renewhttps\nsudo usermod -aG sudo renewhttps\n\nsudo vi \/etc\/sudoers\n# \ub9e8 \uc544\ub798\uc5d0 \ub2e4\uc74c \ub77c\uc778\uc744 \ucd94\uac00\ud569\ub2c8\ub2e4.\nrenewhttps ALL=NOPASSWD: ALL<\/code><\/pre>\nrenewhttps \uc640 ALL \uc0ac\uc774\ub294 \ubc18\ub4dc\uc2dc \ud0ed\ubb38\uc790\ub85c \uc785\ub825\ud574\uc57c \ud569\ub2c8\ub2e4.<\/p>\n
\uc0c8\ub85c \uc0dd\uc131\ud55c \uacc4\uc815\uc73c\ub85c \ub85c\uadf8\uc778\ud569\ub2c8\ub2e4.<\/p>\n
sudo su - renewhttps\n\npip3 install awscli\n\naws configure\nAWS Access Key ID [None]: AKIA3V2XXXXXXXXXXXX\nAWS Secret Access Key [None]: VD2v1vcPmGiYyRWXXXXXXXXXXX\nDefault region name [None]: ap-northeast-2\nDefault output format [None]: json<\/code><\/pre>\nsudo certbot certonly --dns-route53 \\\n -d example.com \\\n -d *.example.com \\\n --preferred-challenges dns-01\n\n......\nWhat would you like to do?\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n1: Keep the existing certificate for now\n2: Renew & replace the cert (limit ~5 per 7 days)\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n......<\/code><\/pre>\n\uc9c0\uae08\uc740 \uac31\uc2e0\uc774 \ud544\uc694\ud558\uc9c0 \uc54a\uc73c\ubbc0\ub85c 1 \ubc88\uc744 \uc785\ub825\ud558\uace0 \uc5d4\ud130\ub97c \uc785\ub825\ud569\ub2c8\ub2e4.<\/p>\n
\ub9ac\ub205\uc2a4 \uc11c\ube44\uc2a4 \ub4f1\ub85d<\/h4>\n
\uc704 \uba85\ub839\uc744 \uc2e4\ud589\ud558\ub294 \uac83\uc73c\ub85c \uc778\uc99d\uc11c \uac31\uc2e0 \uc11c\ube44\uc2a4\uac00 \ub4f1\ub85d\ub429\ub2c8\ub2e4.<\/p>\n
sudo systemctl status certbot.timer<\/code><\/pre>\n\ud558\uc9c0\ub9cc \uc11c\ube44\uc2a4\uac00 \uc2e4\ud589\uc911\uc774 \uc544\ub2c8\uba74 \uc544\ub798 \uba85\ub839\uc73c\ub85c \uc11c\ube44\uc2a4\ub97c \ub4f1\ub85d\ud574 \uc90d\ub2c8\ub2e4.<\/p>\n
sudo systemctl enable certbot.timer\nsudo systemctl start certbot.timer<\/code><\/pre>\n\ubcf8\ub798\uc758 \uacc4\uc815\uc73c\ub85c \ub3cc\uc544\uc640 \uae30\uc874\uc5d0 \ub4f1\ub85d\ub418\uc5b4 \uc788\ub358 \ud06c\ub860\ud0ed \uba85\ub839\uc744 \uc81c\uac70\ud574 \uc90d\ub2c8\ub2e4.<\/p>\n
exit\ncrontab -e<\/code><\/pre>\n\uc778\uc99d\uc11c \uac31\uc2e0 \ud6c4 nginx \uc7ac\uc2dc\uc791\uc774 \ud544\uc694\ud569\ub2c8\ub2e4.
\n\uc544\ub798 \uba85\ub839\uc73c\ub85c certbot \uc774 \uc790\ub3d9\uc73c\ub85c nginx \ub97c \uc7ac\uc2dc\uc791\ud569\ub2c8\ub2e4.<\/p>\n
sudo mkdir -p \/etc\/letsencrypt\/renewal-hooks\/post\/\n\nsudo vi \/etc\/letsencrypt\/renewal-hooks\/post\/reload-nginx.sh\n#!\/bin\/bash\nsystemctl reload nginx\n\nsudo chmod +x \/etc\/letsencrypt\/renewal-hooks\/post\/reload-nginx.sh<\/code><\/pre>\n\uc8fc\uc694 \uba85\ub839\uc5b4<\/h4>\n# \uac31\uc2e0 \ub85c\uadf8 \ud655\uc778\nsudo tail -200 \/var\/log\/letsencrypt\/letsencrypt.log\n\n# \ud604\uc7ac \uc778\uc99d\uc11c \uc0c1\ud0dc \ud655\uc778\nsudo certbot certificates\n\n# \uac15\uc81c \uac31\uc2e0\nsudo certbot renew --force-renewal<\/code><\/pre>\nWildcard \uc778\uc99d\uc11c \uc790\ub3d9\uac31\uc2e0 (AWS Route53 \uc774\uc678)<\/h3>\n
DNS \ud638\ucd9c API \ub97c \uc81c\uacf5\ud558\uc9c0 \uc54a\ub294 \ud638\uc2a4\ud305\uc5c5\uccb4\uc5d0 \ub3c4\uba54\uc778\uc744 \uad00\ub9ac\ud558\uace0 \uc788\ub2e4\uba74 \uc790\ub3d9\uac31\uc2e0\uc740 \ubd88\uac00\ub2a5\ud569\ub2c8\ub2e4.<\/p>\n
\uc544\ub798\uc5d0\ub294 DNS \ud638\ucd9c API \ub97c \uc81c\uacf5\ud558\ub294 \uc5c5\uccb4\uc640 \ud50c\ub7ec\uadf8\uc778\ubaa9\ub85d\uc785\ub2c8\ub2e4.<\/p>\n
sudo apt install -y certbot python3-certbot-nginx<\/code><\/pre>\nNginx \uc124\uc815 (80\ud3ec\ud2b8)<\/h2>\nsudo vi \/etc\/nginx\/sites-available\/example.com\n--------------\nserver {\n listen 80; # IPv4 \uc5f0\uacb0\uc744 \uc218\uc2e0\n listen [::]:80; # IPv6 \uc5f0\uacb0\uc744 \uc218\uc2e0\n\n root \/var\/www\/html;\n\n server_name example.com www.example.com;\n}<\/code><\/pre>\n# \ud14c\uc2a4\ud2b8\nsudo nginx -t\nnginx: the configuration file \/etc\/nginx\/nginx.conf syntax is ok\nnginx: configuration file \/etc\/nginx\/nginx.conf test is successful\n\n## \uc7ac\uc2dc\uc791\nsudo service nginx restart<\/code><\/pre>\n\uc778\uc99d\uc11c \ubc1c\uae09\ubc1b\uae30 (https)<\/h2>\n# sudo certbot --nginx -d example.com -d www.example.com\nsudo certbot --nginx -d example.com<\/code><\/pre>\n\uc544\ub798\uc640 \uac19\uc740 \uba54\uc2dc\uc9c0\uac00 \ub098\uc624\uba74 \uc131\uacf5\uc785\ub2c8\ub2e4.<\/p>\n
Congratulations! You have successfully enabled https:\/\/example.com and https:\/\/www.example.com \n\n-------------------------------------------------------------------------------------\nIMPORTANT NOTES:\n\nCongratulations! Your certificate and chain have been saved at:\n\/etc\/letsencrypt\/live\/example.com\/fullchain.pem \nYour key file has been saved at:\n\/etc\/letsencrypt\/live\/example.com\/\/privkey.pem\nYour cert will expire on 2017-12-12.<\/code><\/pre>\nsudo vi \/etc\/nginx\/sites-available\/example.com<\/code><\/pre>\nserver {\n listen 80; # IPv4 \uc5f0\uacb0\uc744 \uc218\uc2e0\n listen [::]:80; # IPv6 \uc5f0\uacb0\uc744 \uc218\uc2e0\n\n root \/var\/www\/html;\n\n server_name example.com www.example.com;\n\n listen 443 ssl; # managed by Certbot\n\n # RSA certificate\n ssl_certificate \/etc\/letsencrypt\/live\/example.com\/fullchain.pem; # managed by Certbot\n ssl_certificate_key \/etc\/letsencrypt\/live\/example.com\/privkey.pem; # managed by Certbot\n\n include \/etc\/letsencrypt\/options-ssl-nginx.conf; # managed by Certbot\n\n # http \ud1b5\uc2e0\uc744 https \ub85c \ub9ac\ub2e4\uc774\ub809\ud2b8\n if ($scheme != "https") {\n return 301 https:\/\/$host$request_uri;\n } # managed by Certbot\n}<\/code><\/pre>\n\uc778\uc99d\uc11c \uc790\ub3d9\uac31\uc2e0<\/h2>\n
\uc0c8\ub85c \ubc1c\uae09\ubc1b\uc740 \uc778\uc99d\uc11c\ub294 90\uc77c\uc758 \uc720\ud6a8\uae30\uac04\ub9cc \uac00\uc9d1\ub2c8\ub2e4.<\/p>\n
\uc778\uc99d\uc11c\uac00 \ub9cc\ub8cc\ub418\uc9c0 \uc54a\uc73c\ub824\uba74 \uc778\uc99d\uc11c\ub97c \uac31\uc2e0\ud574\uc8fc\uc5b4\uc57c \ud569\ub2c8\ub2e4.<\/p>\n
# \ub8e8\ud2b8\ub85c \uc774\ub3d9\nsudo su -\n\ncrontab -e<\/code><\/pre>\n\uc77c\ubc18\uc801\uc73c\ub85c \uccab\ubc88\uc9f8 \uba85\ub839\uc774 \uc791\ub3d9\ud569\ub2c8\ub2e4.
\n\ud558\uc9c0\ub9cc \uc624\ub958\uac00 \ubc1c\uc0dd\uc2dc --nginx<\/code> \uc635\uc158\uc744 \ucd94\uac00\ud574\uc11c nginx \uc784\uc744 \uba85\uc2dc\ud574 \uc90d\ub2c8\ub2e4.<\/p>\n30 4 * * 0 \/usr\/bin\/certbot renew --renew-hook="systemctl reload nginx"\n# \uc218\ub3d9 \uac31\uc2e0\n# 30 4 * * 0 \/usr\/bin\/certbot --nginx renew --renew-hook="systemctl reload nginx"<\/code><\/pre>\nWildcard \uc778\uc99d\uc11c \ubc1c\uae09\ubc1b\uae30<\/h2>\n
Let’s Encrypt \uc5d0\uc11c\ub294 *.example.com \uacfc \uac19\uc774 \uc640\uc77c\ub4dc\uce74\ub4dc \uc778\uc99d\uc11c\ub3c4 \ubc1c\uae09\ud574 \uc90d\ub2c8\ub2e4.<\/p>\n
\uc778\uc99d\uc11c \uc0c1\ud0dc \ud655\uc778<\/h3>\nsudo certbot certificates\nSaving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nFound the following certs:\n Certificate Name: test1.example.com\n Domains: test1.example.com\n Expiry Date: 2025-06-02 01:38:23+00:00 (VALID: 89 days)\n Certificate Path: \/etc\/letsencrypt\/live\/test1.example.com\/fullchain.pem\n Private Key Path: \/etc\/letsencrypt\/live\/test1.example.com\/privkey.pem\n Certificate Name: example.com\n Domains: *.example.com example.com\n Expiry Date: 2022-10-27 05:30:32+00:00 (INVALID: EXPIRED)\n Certificate Path: \/etc\/letsencrypt\/live\/example.com\/fullchain.pem\n Private Key Path: \/etc\/letsencrypt\/live\/example.com\/privkey.pem\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<\/code><\/pre>\n\uae30\uc874 \uc11c\ube0c\ub3c4\uba54\uc778 \uc778\uc99d\uc11c \uc0ad\uc81c \ud6c4 \uc640\uc77c\ub4dc \uc778\uc99d\uc11c \ubc1c\uae09<\/h3>\n# \uae30\uc874 \uc11c\ube0c\ub3c4\uba54\uc778 \uc778\uc99d\uc11c \uc0ad\uc81c\nsudo certbot delete --cert-name test1.example.com\n\n# Then, renew the wildcard certificate\nsudo certbot certonly --manual --preferred-challenges=dns --server https:\/\/acme-v02.api.letsencrypt.org\/directory --domain "*.example.com" --domain "example.com"<\/code><\/pre>\n\uc640\uc77c\ub4dc \uc778\uc99d\uc11c\ub97c \ubc1c\uae09\ubc1b\uae30 \uc704\ud574\uc11c\ub294 \ub3c4\uba54\uc778\uc758 \uc18c\uc720\uc790\uc784\uc744 \uc778\uc99d\ud574\uc57c \ud569\ub2c8\ub2e4.<\/p>\n
DNS \uc11c\ubc84\uc5d0 _acme-challenge.example.com \uac19\uc740 \uc11c\ube0c\ub3c4\uba54\uc778\uc744 \uc0dd\uc131\ud558\ub77c\ub294 \ubb38\uad6c\uac00 \ub098\uc624\uba74,
\n_acme-challenge \uc11c\ube0c\ub3c4\uba54\uc778\uc744 TXT \ud0c0\uc785\uc73c\ub85c \uc0dd\uc131\ud558\uace0 \uc544\ub798 \ubb38\uc790\uc5f4\uc744 \uc785\ub825\ud574 \uc90d\ub2c8\ub2e4.
\n\ub3c4\uba54\uc778 \uc815\ubcf4 \ubcc0\uacbd\uc774 \ubc18\uc601\ub418\uae30\ub97c \uae30\ub2e4\ub824(1~10 \ubd84, DNS \uc11c\ubc84\uc124\uc815\uc5d0\uc11c \uacb0\uc815\ub428) \uc5d4\ud130\ub97c \uc785\ub825\ud574 \uc8fc\uba74 \ub429\ub2c8\ub2e4.<\/p>\n
https:\/\/toolbox.googleapps.com\/apps\/dig\/#TXT\/_acme-challenge.example.com<\/a><\/p>\n\ubc18\ub4dc\uc2dc \ub3c4\uba54\uc778\uc815\ubcf4\uac00 \uc0dd\uc131\ub41c \uac83\uc744 \ud655\uc778\ud55c \ud6c4 \uc5d4\ud130\ub97c \uc785\ub825\ud558\uc138\uc694.<\/font><\/p>\nPlease deploy a DNS TXT record under the name\n_acme-challenge.example.com with the following value:\n\n3WLmAnTEXo8v7BXXXXXXXXXXXXXXXXXX\n\nBefore continuing, verify the record is deployed.<\/code><\/pre>\n\uc544\ub798 \uc0ac\uc9c4\uc740 AWS Route53 \uc744 \uc774\uc6a9\ud574 \uc11c\ube0c\ub3c4\uba54\uc778\uc744 \uc0dd\uc131\ud558\ub294 \ubc29\ubc95\uc785\ub2c8\ub2e4.<\/p>\n
<\/a><\/p>\nWildcard \uc778\uc99d\uc11c \uc790\ub3d9\uac31\uc2e0 (AWS Route53)<\/h3>\n
Wildcard \uc778\uc99d\uc11c \uc790\ub3d9\uac31\uc2e0\uc740 \uc704 \ud06c\ub860\ud0ed\uc5d0 \ub4f1\ub85d\ud55c \uba85\ub839\uc73c\ub85c \uc790\ub3d9\uac31\uc2e0\uc774 \uc774\ub8e8\uc5b4\uc9c0\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4.<\/font><\/p>\n\ub9e4 \uac31\uc2e0\uc2dc\ub9c8\ub2e4 \ub3c4\uba54\uc778 \uc18c\uc720\uad8c \ud655\uc778\uc744 \uc704\ud55c \ub2e8\uacc4\ub97c \uac70\uccd0\uc57c \ud569\ub2c8\ub2e4.<\/p>\n
\uc544\ub798 \uc124\uba85\uc740 AWS Route53 \uc744 \uae30\uc900\uc73c\ub85c \uc124\uba85\ud569\ub2c8\ub2e4.<\/p>\n
\uac1c\uc694<\/h4>\n\n- AWS IAM \uc815\ucc45\uc0dd\uc131<\/li>\n
- AWS IAM \uacc4\uc815\uc0dd\uc131<\/li>\n
- \ub9ac\ub205\uc2a4 \uc778\uc99d\uc11c \uac31\uc2e0\uc6a9 \uc0c8 \uc720\uc800 \uc0dd\uc131<\/li>\n
- \ub9ac\ub205\uc2a4 \uc11c\ube44\uc2a4 \ub4f1\ub85d<\/li>\n<\/ul>\n
AWS IAM \uc815\ucc45\uc0dd\uc131<\/h4>\n
<\/a><\/p>\n<\/a><\/p>\nJSON \uc744 \uc120\ud0dd\ud558\uace0 \uc544\ub798 \ub0b4\uc6a9\uc744 \uc785\ub825\ud574 \uc90d\ub2c8\ub2e4.<\/p>\n
<\/a><\/p>\n{ \n "Version": "2012-10-17", \n "Id": "certbot-dns-route53 sample policy", \n "Statement": [ \n { \n "Effect": "Allow", \n "Action": [ \n "route53:ListHostedZones", \n "route53:GetChange" \n ], \n "Resource": [ \n "*" \n ] \n }, \n { \n "Effect" : "Allow", \n "Action" : [ \n "route53:ChangeResourceRecordSets" \n ], \n "Resource" : [ \n "arn:aws:route53:::hostedzone\/YOURHOSTEDZONEID" \n ] \n } \n ] \n} <\/code><\/pre>\n\ud654\uba74 \ub9e8 \uc544\ub798 \ub2e4\uc74c<\/code> \uc744 \ud074\ub9ad\ud569\ub2c8\ub2e4.
\n\uc815\ucc45 \uc774\ub984\uc744 \uc785\ub825\ud558\uace0 \uc815\ucc45\uc0dd\uc131 \ubc84\ud2bc\uc744 \ud074\ub9ad\ud569\ub2c8\ub2e4.<\/p>\nAWS IAM \uacc4\uc815\uc0dd\uc131<\/h4>\n
\uc67c\ucabd \uba54\ub274\uc5d0\uc11c \uc0ac\uc6a9\uc790<\/code>\ub97c \ud074\ub9ad\ud558\uace0 \uc0ac\uc6a9\uc790 \uc0dd\uc131<\/code> \ubc84\ud2bc\uc744 \ud074\ub9ad\ud569\ub2c8\ub2e4.
\n\uc0ac\uc6a9\uc790 \uc774\ub984\uc744 \uc785\ub825\ud558\uace0 \ub2e4\uc74c<\/code>\uc744 \ud074\ub9ad\ud569\ub2c8\ub2e4.
\n\uc815\ucc45 \uc9c1\uc811 \uc124\uc815<\/code>\uc744 \uc120\ud0dd\ud558\uace0 \uc704\uc5d0\uc11c \uc0dd\uc131\ud55c \uc815\ucc45\uc744 \uac80\uc0c9\ud574\uc11c \uc120\ud0dd\ud558\uace0 \ub2e4\uc74c<\/code>\uc744 \ud074\ub9ad\ud569\ub2c8\ub2e4.
\n\uc0ac\uc6a9\uc790 \uc0dd\uc131<\/code> \ubc84\ud2bc\uc744 \ud074\ub9ad\ud569\ub2c8\ub2e4.<\/p>\n\uc67c\ucabd \uba54\ub274\uc5d0\uc11c \uc0ac\uc6a9\uc790<\/code>\ub97c \ud074\ub9ad\ud558\uace0 \ubc29\uae08 \uc0dd\uc131\ud55c \uc0ac\uc6a9\uc790\ub97c \uac80\uc0c9\ud574\uc11c \uc870\ud68c\ud569\ub2c8\ub2e4.
\n\uc561\uc138\uc2a4 \ud0a4 \ub9cc\ub4e4\uae30<\/code> \ub97c \ud074\ub9ad\ud569\ub2c8\ub2e4.
\nCommand Line interface(CLI)<\/code> \ub97c \uc120\ud0dd\ud558\uace0 \ub2e4\uc74c\uc744 \ud074\ub9ad\ud569\ub2c8\ub2e4.
\n\uc5d1\uc138\uc2a4 \ud0a4<\/code>\uc640 \ube44\ubc00 \uc5d1\uc138\uc2a4\ud0a4<\/code>\ub97c \uba54\ubaa8\uc7a5\uc5d0 \ubcf5\uc0ac \ubd99\uc5ec\ub123\uae30\ud569\ub2c8\ub2e4.<\/p>\n\ub9ac\ub205\uc2a4 \uc778\uc99d\uc11c \uac31\uc2e0\uc6a9 \uc0c8 \uc720\uc800 \uc0dd\uc131<\/h4>\nsudo apt-get update\nsudo apt-get install python3-pip\npip3 install certbot-dns-route53<\/code><\/pre>\nrenewhttps<\/code> \uc720\uc800\ub97c \uc0dd\uc131\ud558\uace0 sudo \uad8c\ud55c\uc744 \ubd80\uc5ec\ud569\ub2c8\ub2e4.<\/p>\nsudo adduser renewhttps\nsudo usermod -aG sudo renewhttps\n\nsudo vi \/etc\/sudoers\n# \ub9e8 \uc544\ub798\uc5d0 \ub2e4\uc74c \ub77c\uc778\uc744 \ucd94\uac00\ud569\ub2c8\ub2e4.\nrenewhttps ALL=NOPASSWD: ALL<\/code><\/pre>\nrenewhttps \uc640 ALL \uc0ac\uc774\ub294 \ubc18\ub4dc\uc2dc \ud0ed\ubb38\uc790\ub85c \uc785\ub825\ud574\uc57c \ud569\ub2c8\ub2e4.<\/p>\n
\uc0c8\ub85c \uc0dd\uc131\ud55c \uacc4\uc815\uc73c\ub85c \ub85c\uadf8\uc778\ud569\ub2c8\ub2e4.<\/p>\n
sudo su - renewhttps\n\npip3 install awscli\n\naws configure\nAWS Access Key ID [None]: AKIA3V2XXXXXXXXXXXX\nAWS Secret Access Key [None]: VD2v1vcPmGiYyRWXXXXXXXXXXX\nDefault region name [None]: ap-northeast-2\nDefault output format [None]: json<\/code><\/pre>\nsudo certbot certonly --dns-route53 \\\n -d example.com \\\n -d *.example.com \\\n --preferred-challenges dns-01\n\n......\nWhat would you like to do?\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n1: Keep the existing certificate for now\n2: Renew & replace the cert (limit ~5 per 7 days)\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n......<\/code><\/pre>\n\uc9c0\uae08\uc740 \uac31\uc2e0\uc774 \ud544\uc694\ud558\uc9c0 \uc54a\uc73c\ubbc0\ub85c 1 \ubc88\uc744 \uc785\ub825\ud558\uace0 \uc5d4\ud130\ub97c \uc785\ub825\ud569\ub2c8\ub2e4.<\/p>\n
\ub9ac\ub205\uc2a4 \uc11c\ube44\uc2a4 \ub4f1\ub85d<\/h4>\n
\uc704 \uba85\ub839\uc744 \uc2e4\ud589\ud558\ub294 \uac83\uc73c\ub85c \uc778\uc99d\uc11c \uac31\uc2e0 \uc11c\ube44\uc2a4\uac00 \ub4f1\ub85d\ub429\ub2c8\ub2e4.<\/p>\n
sudo systemctl status certbot.timer<\/code><\/pre>\n\ud558\uc9c0\ub9cc \uc11c\ube44\uc2a4\uac00 \uc2e4\ud589\uc911\uc774 \uc544\ub2c8\uba74 \uc544\ub798 \uba85\ub839\uc73c\ub85c \uc11c\ube44\uc2a4\ub97c \ub4f1\ub85d\ud574 \uc90d\ub2c8\ub2e4.<\/p>\n
sudo systemctl enable certbot.timer\nsudo systemctl start certbot.timer<\/code><\/pre>\n\ubcf8\ub798\uc758 \uacc4\uc815\uc73c\ub85c \ub3cc\uc544\uc640 \uae30\uc874\uc5d0 \ub4f1\ub85d\ub418\uc5b4 \uc788\ub358 \ud06c\ub860\ud0ed \uba85\ub839\uc744 \uc81c\uac70\ud574 \uc90d\ub2c8\ub2e4.<\/p>\n
exit\ncrontab -e<\/code><\/pre>\n\uc778\uc99d\uc11c \uac31\uc2e0 \ud6c4 nginx \uc7ac\uc2dc\uc791\uc774 \ud544\uc694\ud569\ub2c8\ub2e4.
\n\uc544\ub798 \uba85\ub839\uc73c\ub85c certbot \uc774 \uc790\ub3d9\uc73c\ub85c nginx \ub97c \uc7ac\uc2dc\uc791\ud569\ub2c8\ub2e4.<\/p>\n
sudo mkdir -p \/etc\/letsencrypt\/renewal-hooks\/post\/\n\nsudo vi \/etc\/letsencrypt\/renewal-hooks\/post\/reload-nginx.sh\n#!\/bin\/bash\nsystemctl reload nginx\n\nsudo chmod +x \/etc\/letsencrypt\/renewal-hooks\/post\/reload-nginx.sh<\/code><\/pre>\n\uc8fc\uc694 \uba85\ub839\uc5b4<\/h4>\n# \uac31\uc2e0 \ub85c\uadf8 \ud655\uc778\nsudo tail -200 \/var\/log\/letsencrypt\/letsencrypt.log\n\n# \ud604\uc7ac \uc778\uc99d\uc11c \uc0c1\ud0dc \ud655\uc778\nsudo certbot certificates\n\n# \uac15\uc81c \uac31\uc2e0\nsudo certbot renew --force-renewal<\/code><\/pre>\nWildcard \uc778\uc99d\uc11c \uc790\ub3d9\uac31\uc2e0 (AWS Route53 \uc774\uc678)<\/h3>\n
DNS \ud638\ucd9c API \ub97c \uc81c\uacf5\ud558\uc9c0 \uc54a\ub294 \ud638\uc2a4\ud305\uc5c5\uccb4\uc5d0 \ub3c4\uba54\uc778\uc744 \uad00\ub9ac\ud558\uace0 \uc788\ub2e4\uba74 \uc790\ub3d9\uac31\uc2e0\uc740 \ubd88\uac00\ub2a5\ud569\ub2c8\ub2e4.<\/p>\n
\uc544\ub798\uc5d0\ub294 DNS \ud638\ucd9c API \ub97c \uc81c\uacf5\ud558\ub294 \uc5c5\uccb4\uc640 \ud50c\ub7ec\uadf8\uc778\ubaa9\ub85d\uc785\ub2c8\ub2e4.<\/p>\n