# SSL 발급을 위한 디렉토리 생성
sudo mkdir -p /var/www/letsencrypt/.well-known/acme-challenge
# apt 업데이트
sudo apt update
# nginx 설치
sudo apt install nginx-core
# ubuntu 계정에 권한 및 파일 수정 권한을 부여
sudo touch /etc/nginx/snippets/letsencrypt.conf
sudo chown root:ubuntu /etc/nginx/snippets/letsencrypt.conf
sudo chmod 775 /etc/nginx/snippets/letsencrypt.conf
# /etc/nginx/snippets/letsencrypt.conf 열기
sudo vi /etc/nginx/snippets/letsencrypt.conf
# /etc/nginx/snippets/letsencrypt.conf 파일에 아래 텍스트 입력 후 저장
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/letsencrypt;
}
# /etc/nginx/sites-available/default 파일 수정
sudo vi /etc/nginx/sites-available/default
# server_name _; # _를 xxxx.com으로 변경, xxxx는 구매한 도매인
# server_name xxxx.com; 추가
# include /etc/nginx/snippets/letsencrypt.conf; 추가
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _; # _를 example.com 처럼 바꿈
include /etc/nginx/snippets/letsencrypt.conf;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
# nginx 적용
sudo nginx -t
# nginx 다시시작
sudo service nginx restart
# snap core 설치
sudo snap install core; sudo snap refresh core
# certbot 구버전 제거
sudo apt remove certbot
# snap으로 certbot 신버전 설치
sudo snap install --classic certbot
# /snap/bin/certbot -> /usr/bin/certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
# ssl 인증서 받기
sudo certbot certonly --webroot --agree-tos --no-eff-email --email example@example.com -w /var/www/letsencrypt -d example.com -d www.example.com
// example@example.com을 자신의 이메일로 바꾸고, example.com을 자신의 도메인으로 바꾼다
# 인증서 위치 확인 *
sudo ls /etc/letsencrypt/live/
# 인증서 확인 *
sudo ls -al /etc/letsencrypt/live/example.com // 자신의 도메인을 example.com처럼 입력한다
# 자동 업데이트 테스트 *
sudo certbot renew --dry-run
# pem 파일 확인 *
sudo ls -al /etc/letsencrypt/live/example.com
# 인증서 적용
sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096
# /etc/nginx/snippets/ssl.conf를 열기
sudo vi /etc/nginx/snippets/ssl.conf
# /etc/nginx/snippets/ssl.conf에 밑에 코드 복사 후 저장
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
# /etc/nginx/snippets/ssl.conf 접근 권한 막기
sudo chmod 644 /etc/nginx/snippets/ssl.conf
# /etc/nginx/sites-available/default 열기
sudo vi /etc/nginx/sites-available/default
# /etc/nginx/sites-available/default에 밑에 내용 복사 후 저장. example.com은 자신의 도메인으로 바꾼다
# Default HTTPS server configuration
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
include /etc/nginx/snippets/ssl.conf;
root /var/www/html;
index index.php index.html index.htm index.nginx-debian.html;
location / {
#try_files $uri $uri/ =404;
#if (!-e $request_filename) {
# rewrite ^.*$ /index.php last;
#}
proxy_pass http://localhost:8080;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_read_timeout 300;
}
location ~ /\.ht {
deny all;
}
}
# HTTPS www. server configuration
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
include /etc/nginx/snippets/ssl.conf;
location / {
return 301 https://example.com$request_uri;
}
}
# Default server configuration
server {
listen 80;
listen [::]:80 default_server;
server_name example.com;
include /etc/nginx/snippets/letsencrypt.conf;
location / {
return 301 https://example.com$request_uri;
}
}
# HTTP - CNAME Connect www.example.com to example.com
server {
listen 80;
listen [::]:80;
server_name www.example.com;
include /etc/nginx/snippets/letsencrypt.conf;
location / {
return 301 https://www.example.com$request_uri;
}
}
sudo nginx -t
sudo service nginx restart
# 갱신 방법
sudo certbot renew --dry-run
# 갱신 방법 2
sudo certbot certonly --webroot --agree-tos --no-eff-email --email 이메일주소 -w /var/www/letsencrypt -d 도메인주소 -d www.도메인주소
# 자동 갱신
```bash
cd /bin
sudo vim letsencrypt.sh
```
```bash
#!/bin/sh
sudo service nginx stop
sudo certbot renew > ~/server/certbot/le_renew.log
sudo fuser -k 80/tcp
sudo service nginx start
```
```bash
sudo chmod +x letsencrypt.sh
```
```bash
sudo crontab -e
```
```bash
30 4 * * 0 letsencrypt.sh
```
```bash
sudo service cron start
출처 : https://techhans.tistory.com/41
출처 : https://devbono.com/https-%EC%82%AC%EC%9A%A9%ED%95%98%EA%B8%B0lets-encrypt-%EC%9D%B8%EC%A6%9D%EC%84%9C-%EC%82%AC%EC%9A%A9/