[CentOS] 18. Nginx 기준, SSL/TLS 구성 (도메인 등록(Duck DNS) + SSL 인증서 발급(Let’s Encrypt))
카테고리: CENTOS
01) 도메인 등록(Duck DNS) + SSL 인증서 발급(Let’s Encrypt)
■ Duck DNS에서 도메인 등록
Duck DNS는 Amazon의 Dynamic DNS(DDNS) 서비스으로 Duck DNS는 무료로 제공되며, 누구나 사용할 수 있다.
1) 원하는 계정으로 로그인(예제에서는 구글 계정으로함)
2) 도메인 항목에 원하는 도메인을 넣고 “add domain”을 클릭하면 등록되며, 외부 IP 주소를 입력하고 업데이트
■ SSL 인증서 발급
Let’s Encrypt라는 비영리 기관을 통해 무료로 TLS인증서를 발급받을수 있으며, 인증서의 만료 날짜는 90일이다.
1) Let’s Encrypt에서 인증서를 가져오는 도구인 Certbot Client를 설치
$ dnf -y install epel-release; dnf -y install certbot
2) 인증서 발급
- “[1]” 명령은 Apache 또는 Nginx 등과 같은 웹 서버가 실행 중이어야 하며, 실행 중이지 않은 경우에 사용하려면 “[2]” 명령
# [1]
$ certbot certonly --webroot -w /usr/share/nginx/html -d chsrv4.duckdns.org
# [2]
$ certbot certonly --standalone -d chsrv4.duckdns.org
# [1] 명령 사용
$ certbot certonly --webroot -w /usr/share/nginx/html -d chsrv4.duckdns.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): root@test3.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Requesting a certificate for chsrv4.duckdns.org
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/chsrv4.duckdns.org/fullchain.pem
Key is saved at: /etc/letsencrypt/live/chsrv4.duckdns.org/privkey.pem
This certificate expires on 2024-01-22.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3) SSL/TLS 설정을 활성화
# create new
$ vi /etc/nginx/conf.d/ssl.conf
# 서버 이름과 인증서 경로를 변경
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name chsrv4.duckdns.org;
root /usr/share/nginx/html;
ssl_certificate "/etc/letsencrypt/live/chsrv4.duckdns.org/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/chsrv4.duckdns.org/privkey.pem";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers PROFILE=SYSTEM;
ssl_prefer_server_ciphers on;
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
$ systemctl restart nginx
4) HTTP 연결이 HTTPS로 리디렉션되도록 설정
$ vi /etc/nginx/nginx.conf
server {
listen 80;
listen [::]:80;
# 추가
return 301 https://$host$request_uri;
server_name chsrv4.duckdns.org;
root /usr/share/nginx/html;
$ systemctl restart nginx
$ firewall-cmd --add-service=https
$ firewall-cmd --runtime-to-permanent
5) 결과 확인
댓글 남기기