Store the related files under /home/ec2-user/certbot.
cd certbot
Build a server that answers requests for .well-known/acme-challenge
mkdir -p html/.well-known/acme-challenge
Create ~/certbot/src/ with mkdir and move into it
Create a default project with bun init
Add the Express module with bun install express
If you use node instead:
npm init -y
npm install express
vi well-known.js
In the code below, replace /home/<user ID> with your own path.
const express = require('express')
const app = express()
const port = 80
// Directory certbot writes the challenge files into (replace ec2-user with your own user ID)
const challengeDir = '/home/ec2-user/certbot/html/.well-known/acme-challenge'

app.get('/', (req, res) => {
  res.send('Hello World!')
})

// Serve the token file certbot placed under the webroot.
// Passing the directory as `root` keeps the lookup confined to that directory,
// and the callback turns an unknown token into a plain 404.
app.get('/.well-known/acme-challenge/:fileid', function (req, res) {
  res.sendFile(req.params.fileid, { root: challengeDir }, (err) => {
    if (err && !res.headersSent) res.status(404).end()
  })
})

app.listen(port, () => {
  console.log(`Example app listening on port ${port}`)
})
Start the server: port 80 can only be listened on when the process runs as root.
[ec2-user@ip-172-31-28-80 src]$ sudo /home/ec2-user/.bun/bin/bun run well-known.js &
[1] 3546
[ec2-user@ip-172-31-28-80 src]$ Example app listening on port 80
If you do not want to run it with sudo, grant the capability to the node or bun binary as below.
sudo setcap 'cap_net_bind_service=+ep' /home/daejeong/.nvm/versions/node/v20.17.0/bin/node
# if running with node
node well-known.js &
Point the aws.mdiwebma.com domain at the EC2 IP, then open aws.mdiwebma.com in a web browser and check that Hello World! is displayed.
If you want to use port 80 as ec2-user without sudo, add the capability to bun. After that a plain bun run starts the server as ec2-user without errors. See https://security-log.tistory.com/30
sudo setcap 'cap_net_bind_service=+ep' /home/ec2-user/.bun/bin/bun
Issue a new certificate with the Docker image
-v '<path under your user's home>': make sure this matches your user (ec2-user here)
-d <your domain>
sudo docker run -it --rm --name certbot -v '/etc/letsencrypt:/etc/letsencrypt' -v '/var/lib/letsencrypt:/var/lib/letsencrypt' -v '/home/ec2-user/certbot/html:/var/www/html' certbot/certbot certonly --webroot -w /var/www/html -d aws.mdiwebma.com
Captured run:
[ec2-user@ip-172-31-28-80 certbot]$ sudo docker run -it --rm --name certbot -v '/etc/letsencrypt:/etc/letsencrypt' -v '/var/lib/letsencrypt:/var/lib/letsencrypt' -v '/home/ec2-user/certbot/html:/var/www/html' certbot/certbot certonly --webroot -w /var/www/html -d aws.mdiwebma.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): blabla@gmail.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for aws.mdiwebma.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/aws.mdiwebma.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/aws.mdiwebma.com/privkey.pem
This certificate expires on 2024-08-15.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[ec2-user@ip-172-31-28-80 certbot]$ ls -al /etc/letsencrypt/live/aws.mdiwebma.com
ls: cannot access '/etc/letsencrypt/live/aws.mdiwebma.com': Permission denied
[ec2-user@ip-172-31-28-80 certbot]$ sudo ls -al /etc/letsencrypt/live/aws.mdiwebma.com
total 4
drwxr-xr-x. 2 root root 93 May 18 00:02 .
drwx------. 3 root root 44 May 18 00:02 ..
-rw-r--r--. 1 root root 692 May 18 00:02 README
lrwxrwxrwx. 1 root root 40 May 18 00:02 cert.pem -> ../../archive/aws.mdiwebma.com/cert1.pem
lrwxrwxrwx. 1 root root 41 May 18 00:02 chain.pem -> ../../archive/aws.mdiwebma.com/chain1.pem
lrwxrwxrwx. 1 root root 45 May 18 00:02 fullchain.pem -> ../../archive/aws.mdiwebma.com/fullchain1.pem
lrwxrwxrwx. 1 root root 43 May 18 00:02 privkey.pem -> ../../archive/aws.mdiwebma.com/privkey1.pem
fullchain.pem and privkey.pem are the files you need. As the listing above shows, /etc/letsencrypt/live is owned by root with mode drwx------, so whatever process loads the private key must either run as root or be given a copy with suitably restricted permissions.