Seize the day


Installing an SSL certificate with Certbot in Docker

Store the related files under /home/ec2-user/certbot.

cd certbot

Create a server that answers requests under .well-known/acme-challenge

mkdir -p html/.well-known/acme-challenge

Run mkdir ~/certbot/src/ and change into that directory

Create the base project with bun init
Add the express module with bun install express

If you use node instead:
npm init -y
npm install express

vi well-known.js
In the code, replace /home/<user ID> with your own user's home directory.

const express = require('express')
const app = express()
const port = 80

// Replace /home/ec2-user with your own home directory (/home/<user ID>).
// This is the webroot directory that certbot writes its challenge tokens into.
const ACME_DIR = '/home/ec2-user/certbot/html/.well-known/acme-challenge'

app.get('/', (req, res) => {
  res.send('Hello World!')
})

// Serve the ACME HTTP-01 challenge token that certbot placed in ACME_DIR.
// Passing the directory as `root` instead of concatenating strings lets
// Express reject any request that would escape it (".." segments get a 403).
app.get('/.well-known/acme-challenge/:fileid', (req, res) => {
  res.sendFile(req.params.fileid, { root: ACME_DIR })
})

app.listen(port, () => {
  console.log(`Example app listening on port ${port}`)
})

Starting the server: port 80 can only be listened on when the process runs as the root user.

[ec2-user@ip-172-31-28-80 src]$ sudo /home/ec2-user/.bun/bin/bun run well-known.js &
[1] 3546
[ec2-user@ip-172-31-28-80 src]$ Example app listening on port 80

If you would rather not use sudo, grant the capability to the node or bun executable path as shown below.

sudo setcap 'cap_net_bind_service=+ep' /home/daejeong/.nvm/versions/node/v20.17.0/bin/node

# If running with node instead
node well-known.js &


Point the aws.mdiwebma.com domain at the EC2 IP, open aws.mdiwebma.com in a web browser, and confirm that Hello World! is displayed.

If you want to use port 80 as ec2-user without sudo, add the capability to bun. After that, a plain bun run starts the server as ec2-user without errors. See https://security-log.tistory.com/30 for reference.

sudo setcap 'cap_net_bind_service=+ep' /home/ec2-user/.bun/bin/bun


Generating a new certificate with the Docker image

-v '<path under your user ID>': check that the user is ec2-user
-d <your domain>

sudo docker run -it --rm --name certbot -v '/etc/letsencrypt:/etc/letsencrypt' -v '/var/lib/letsencrypt:/var/lib/letsencrypt' -v '/home/ec2-user/certbot/html:/var/www/html' certbot/certbot certonly --webroot -w /var/www/html -d aws.mdiwebma.com

Captured run:

[ec2-user@ip-172-31-28-80 certbot]$ sudo docker run -it --rm --name certbot -v '/etc/letsencrypt:/etc/letsencrypt' -v '/var/lib/letsencrypt:/var/lib/letsencrypt' -v '/home/ec2-user/certbot/html:/var/www/html' certbot/certbot certonly --webroot -w /var/www/html -d aws.mdiwebma.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): blabla@gmail.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for aws.mdiwebma.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/aws.mdiwebma.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/aws.mdiwebma.com/privkey.pem
This certificate expires on 2024-08-15.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[ec2-user@ip-172-31-28-80 certbot]$ ls -al /etc/letsencrypt/live/aws.mdiwebma.com
ls: cannot access '/etc/letsencrypt/live/aws.mdiwebma.com': Permission denied
[ec2-user@ip-172-31-28-80 certbot]$ sudo ls -al /etc/letsencrypt/live/aws.mdiwebma.com
total 4
drwxr-xr-x. 2 root root  93 May 18 00:02 .
drwx------. 3 root root  44 May 18 00:02 ..
-rw-r--r--. 1 root root 692 May 18 00:02 README
lrwxrwxrwx. 1 root root  40 May 18 00:02 cert.pem -> ../../archive/aws.mdiwebma.com/cert1.pem
lrwxrwxrwx. 1 root root  41 May 18 00:02 chain.pem -> ../../archive/aws.mdiwebma.com/chain1.pem
lrwxrwxrwx. 1 root root  45 May 18 00:02 fullchain.pem -> ../../archive/aws.mdiwebma.com/fullchain1.pem
lrwxrwxrwx. 1 root root  43 May 18 00:02 privkey.pem -> ../../archive/aws.mdiwebma.com/privkey1.pem

fullchain.pem and privkey.pem are the files you need.


posted at

2024. 5. 18. 08:44
