
[VPS Hostinger] Issuing a Let's Encrypt SSL certificate and setting up Certbot auto-renewal

hyeseo 2024. 1. 2. 17:30

 

Issuing a Let's Encrypt SSL certificate and setting up Certbot auto-renewal in a VPS environment (applied after the project has been deployed)

 

Prerequisites

  • Open port 443 in the Hostinger firewall. Port 80 must be reachable as well: the Let's Encrypt HTTP-01 validation that the standalone issuance below relies on connects to port 80.
  • [Screenshot: the port 443 firewall rule]

 

1. Create the Docker volumes


Create the Docker volumes that will hold the issued certificate and Certbot's configuration and state, so they survive container restarts and can be shared with Nginx.

# volume for /etc/letsencrypt (certificates, private keys, renewal configs)
docker volume create certbot_etc

# volume for /var/lib/letsencrypt (Certbot working state)
docker volume create certbot_var

 

2. Issue the certificate


Stop the running Nginx container: Certbot's standalone mode has to bind port 80 itself, and Nginx is already listening on it.

docker stop nginx

 

Run the Certbot container and issue the certificate

# production server
# -p 80:80 publishes the port that the Let's Encrypt HTTP-01 validation connects to
docker run -it --rm --name certbot-container \
  -v certbot_etc:/etc/letsencrypt \
  -v certbot_var:/var/lib/letsencrypt \
  -p 80:80 certbot/certbot certonly --standalone -d domain.com -d www.domain.com

 

 

Issuance prompts and the success log

# Enter an e-mail address (used for expiry and security notices)
If you really want to skip this, you can run the client with
--register-unsafely-without-email but you will then be unable to receive notice
about impending expiration or revocation of your certificates or problems with
your Certbot installation that will lead to failure to renew.

Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel):

# Agree to the Terms of Service
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:

# Whether to share your e-mail address with the EFF (optional; answering N does not affect issuance)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

# Issuance succeeded
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/****.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/****.com/privkey.pem
This certificate expires on 2024-01-08.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

3. app.conf, ssl.conf, docker-compose.yml


app.conf

events {
    worker_connections 1024;
}

http {

    server {
        listen 80;
        listen [::]:80;
        server_name ****.com;
        server_tokens off;

        # HTTP-01 challenge files. Nginx serves them from /var/www/certbot, so
        # webroot renewals only work if that path is a volume shared with the
        # certbot container; with --standalone it is never populated.
        location /.well-known/acme-challenge/ {
             allow all;
             root /var/www/certbot;
        }

        location / {
            return 301 https://$host$request_uri;
        }
    }


    server {
        server_tokens off;
        server_name domain.com;

        # ssl
        include /etc/nginx/ssl.conf;

        location / {
            root /usr/share/nginx/html;
            index index.html;
            try_files $uri $uri/ /index.html;

        }

        if ($host !~* ^(****.com)$) {
            return 444;
        }

        location /api/ {
            proxy_pass http://django-dev:8001;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_redirect off;
        }

        location /static/ {
            alias /app/****/client/static/;
        }

        location /media/ {
            alias /app/****/media/;
        }
    }

    include /etc/nginx/mime.types;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
}

 

 

ssl.conf

# Enable SSL
listen 443 ssl;
listen [::]:443 ssl;

# Specify the path to your SSL certificate
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;

# Specify the path to your SSL certificate key
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

# Enable modern SSL/TLS protocols and ciphers
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers '***SHA256';

# Enable OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# Enable HSTS (HTTP Strict Transport Security)
add_header Strict-Transport-Security "max-age=31536000" always;

 

docker-compose.yml: add the certbot service

version: '3'

services:
  certbot:
    image: certbot/certbot
    container_name: certbot
    restart: unless-stopped
    volumes:
      - certbot_etc:/etc/letsencrypt
      - certbot_var:/var/lib/letsencrypt
    # Runs `certbot renew` every 12 hours; it only renews certificates that are
    # inside their renew_before_expiry window. `$$` escapes `$` for Compose so
    # the shell receives `$!` (the PID of the backgrounded sleep).
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    networks:
      - dev_network

The certbot_etc and certbot_var volumes created in step 1 must be declared at the top level of the compose file as `external: true`; otherwise Compose creates new project-prefixed volumes that do not contain the certificate.

Two things to check before relying on this loop. `certbot renew` reuses the authenticator recorded in the renewal conf, and the certificate above was issued with `--standalone`, so each renewal tries to bind port 80 inside the certbot container. That port is not published here and Nginx already holds it on the host, so the Let's Encrypt validation request reaches Nginx (which has nothing under /var/www/certbot) rather than Certbot, and the renewal fails. Confirm with `docker exec certbot certbot renew --dry-run`. To renew without stopping Nginx, mount a volume at /var/www/certbot in both the nginx and certbot services and renew with `certbot renew --webroot -w /var/www/certbot`, which is what the /.well-known/acme-challenge/ location in app.conf is there for. Nginx also reads the certificate files only at startup, so reload it after each renewal (for example `docker exec nginx nginx -s reload`); otherwise the renewed certificate sits on the volume unused until the next restart.

 

4. Move ssl-dhparams.pem


ssl.conf references /etc/letsencrypt/ssl-dhparams.pem, but Certbot ships that file only inside its own source tree in the image. Move it onto the certbot_etc volume so it persists and the nginx container can read it. The nginx service must mount the same certbot_etc volume at /etc/letsencrypt (read-only is enough) for the certificate and dhparam paths in ssl.conf to resolve.

Enter the Certbot container (as root)

docker exec -u 0 -it certbot /bin/sh

 

Move ssl-dhparams.pem onto the volume

mv /opt/certbot/src/certbot/certbot/ssl-dhparams.pem /etc/letsencrypt/ssl-dhparams.pem

 

5. Verify the auto-renewal settings


Read the renewal configuration file Certbot wrote for the domain to confirm the renewal settings.

cat /etc/letsencrypt/renewal/stage-clear.com.conf

 

[Screenshot: contents of the renewal configuration file]

renew_before_expiry = 30 days: the certificate is renewed automatically from 30 days before its expiry date. Certbot writes this line as a comment when the default applies; an uncommented line overrides it. The [renewalparams] section below it records the authenticator used at issuance, which is what `certbot renew` reuses.
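To see what the 12-hourly loop will actually do with this file, the following added example (not Certbot's code and not part of the original post) parses a renewal conf in the layout Certbot writes, applies the renew_before_expiry rule to an expiry date, and flags the standalone authenticator that needs port 80 inside the renewing container. The conf text, the dates and the hostname example.com are constructed placeholders.

```python
"""Decide when `certbot renew` will actually renew a certificate.

Added example: parses a renewal conf in the layout Certbot writes under
/etc/letsencrypt/renewal/<domain>.conf and applies renew_before_expiry.
The conf text, dates and hostname below are constructed placeholders.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in Certbot's layout. Certbot writes the default window as a
# comment; an uncommented `renew_before_expiry = ...` line overrides it.
SAMPLE_RENEWAL_CONF = """\
# renew_before_expiry = 30 days
version = 2.7.4
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
"""

DEFAULT_RENEW_BEFORE = timedelta(days=30)
_UNITS = {"hour": "hours", "day": "days", "week": "weeks"}


def parse_duration(text):
    """Turn '30 days', '10 day', '2 weeks' or '36 hours' into a timedelta."""
    m = re.fullmatch(r"\s*(\d+)\s*(hour|day|week)s?\s*", text)
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def parse_renewal_conf(text):
    """Return {section: {key: value}}; the header lines before any [section]
    are stored under 'paths'. Comment lines are skipped, so a commented-out
    renew_before_expiry correctly falls back to the default."""
    sections = {"paths": {}}
    current = sections["paths"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def renew_before_expiry(conf):
    """The renewal window: explicit header setting, else Certbot's 30 days."""
    value = conf["paths"].get("renew_before_expiry")
    return parse_duration(value) if value else DEFAULT_RENEW_BEFORE


def _to_utc(value):
    """Accept a datetime or an ISO date string such as the 'Expiry Date'
    printed by `certbot certificates` (e.g. '2024-04-01 12:00:00+00:00')."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)


def renewal_due(not_after, now, conf):
    """True once `now` lies inside the window before `not_after`; that is when
    the 12-hourly `certbot renew` loop will attempt the renewal."""
    return _to_utc(now) >= _to_utc(not_after) - renew_before_expiry(conf)


def renewal_needs_port_80(conf):
    """Standalone renewals bind port 80 inside the certbot container, so the
    ACME validation only reaches them if that port is published and free."""
    return conf.get("renewalparams", {}).get("authenticator") == "standalone"


if __name__ == "__main__":
    conf = parse_renewal_conf(SAMPLE_RENEWAL_CONF)
    not_after = "2024-04-01 00:00:00+00:00"   # constructed; see `certbot certificates`
    now = "2024-03-05 00:00:00+00:00"         # constructed
    print("renew window opens:", _to_utc(not_after) - renew_before_expiry(conf))
    print("renewal due now:", renewal_due(not_after, now, conf))
    print("needs port 80 reachable in the certbot container:", renewal_needs_port_80(conf))
```

On the VPS, take the real expiry from `docker exec certbot certbot certificates` and pass it as `not_after`; the definitive test of the loop itself is still `docker exec certbot certbot renew --dry-run`.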

 

 

6. Verify SSL in the browser


After the Jenkins deployment, open the site in a browser and check that the padlock is shown.

 

Success: the padlock is displayed.
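The padlock only says the chain validated today. The following added example (not the author's code) checks what ssl.conf and app.conf above are meant to guarantee: the host is in the certificate's SANs, expiry is more than 30 days away (so renewal is not silently failing), the negotiated protocol is TLS 1.2 or 1.3, the HSTS max-age is at least the configured year, and port 80 redirects to https. The evaluation functions are pure so they can be exercised offline on the constructed certificate dictionary; the hostname passed on the command line is a placeholder.

```python
"""Post-deployment TLS check that goes beyond the browser padlock.

Added example, not the author's code. The network part opens one HTTPS and
one HTTP connection; the evaluate_* functions are pure and are also run on a
constructed certificate dictionary so the script works offline.
"""
import http.client
import re
import ssl
import sys
from datetime import datetime, timezone

MIN_DAYS_LEFT = 30            # Certbot's renew_before_expiry default
MIN_HSTS_MAX_AGE = 31536000   # one year, as set in ssl.conf
OK_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def fetch_tls_facts(host, timeout=5.0):
    """Return (peer cert dict, negotiated protocol, HSTS header) from one
    HTTPS request. The default context verifies the chain, so a broken or
    expired certificate raises instead of being evaluated."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    conn.request("HEAD", "/", headers={"Host": host})
    resp = conn.getresponse()
    facts = (conn.sock.getpeercert(), conn.sock.version(),
             resp.getheader("Strict-Transport-Security"))
    conn.close()
    return facts


def fetch_http_redirect(host, timeout=5.0):
    """Return (status, Location) for a plain-HTTP request to port 80."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"))
    conn.close()
    return result


def evaluate_tls(host, cert, protocol, hsts, now):
    """Pure check; returns a list of findings (empty means all good).
    `cert` has the dict shape of SSLSocket.getpeercert(); `now` is an aware
    datetime or an ISO string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    sans = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if host not in sans:
        findings.append(f"{host} is not in the certificate SANs {sorted(sans)}")
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                       tz=timezone.utc)
    days_left = (not_after - now).days
    if days_left < MIN_DAYS_LEFT:
        findings.append(f"certificate expires in {days_left} days; auto-renewal should have run")
    if protocol not in OK_PROTOCOLS:
        findings.append(f"negotiated {protocol}; ssl.conf should allow only TLSv1.2/1.3")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too short: {hsts}")
    return findings


def evaluate_redirect(host, status, location):
    """The port-80 server block should answer every request with a 301 to https."""
    if status not in (301, 308) or not (location or "").startswith(f"https://{host}"):
        return [f"port 80 answered {status} with Location={location!r}, "
                f"expected 301 to https://{host}/"]
    return []


# Constructed sample in getpeercert() shape, used for the offline run.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    "notAfter": "Mar 31 12:00:00 2024 GMT",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # live check: python tlscheck.py domain.com
        host = sys.argv[1]
        cert, proto, hsts = fetch_tls_facts(host)
        status, location = fetch_http_redirect(host)
        findings = (evaluate_tls(host, cert, proto, hsts, datetime.now(timezone.utc))
                    + evaluate_redirect(host, status, location))
    else:                                       # offline run on constructed data
        findings = evaluate_tls("example.com", SAMPLE_CERT, "TLSv1.3",
                                "max-age=31536000", "2024-03-15T00:00:00+00:00")
    print("\n".join(findings) if findings else "all checks passed")
```

Run it once right after the deployment and again from cron a few weeks later: an "expires in N days" finding at that point is the earliest visible sign that the renewal container is not managing to renew.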