Linux/Apm

[Linux] Apache to nginx => ssl

Author: sbLAB | Comments: 0 | Views: 1,100 | Posted: 23-06-18 00:09

[For the standard install + ssl + automatic ssl renewal setup, use the link below]

http://sebom.com/gb/bbs/board.php?bo_table=tech&wr_id=110 


Apache to nginx with ssl (letsencrypt)

※ The letsencrypt keys already in use on the existing Apache web server are copied as they are to the new nginx web server.

※ The new nginx web server is an nginx compiled and installed from source (not installed with apt install nginx).

※ Automatic certificate renewal keeps the existing method (stop web server / renew certificate / restart).

/etc/letsencrypt/renewal/mysite.kr.conf   <===  authenticator = standalone method



[Latest Let's Encrypt SSL certificate issuance methods]

https://happist.com/573990/%EC%B5%9C%EC%8B%A0-lets-encrypt-ssl-%EC%9D%B8%EC%A6%9D%EC%84%9C-%EB%B0%9C%EA%B8%89-%EB%B0%A9%EB%B2%95-3%EA%B0%80%EC%A7%80-%EC%A0%95%EB%A6%AC 


https://gist.github.com/woorim960/dda0bc85599f61a025bb8ac471dfaf7a 


https://twpower.github.io/44-set-free-https-by-using-letsencrypt


------------------------------------------

# apt update

# apt install certbot

# apt install python3-certbot-nginx      <- only when using the nginx web server authentication method (certbot --nginx)

---------------------


# ufw enable

# ufw app list

-------------
  Apache
  Apache Full
  Apache Secure
  CUPS
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
-------------


# ufw allow 'Nginx Full'  <-- # ufw allow 80  # ufw allow 443

# ufw status

------------
Nginx Full (v6)            ALLOW       Anywhere (v6)
------------


[Origin server] - on the Apache host, tar the letsencrypt directory and transfer it to the new server.

# cd /etc

# tar -cvf letsencrypt.tar letsencrypt


[New server] - extract on the nginx host

# cd /etc

# tar -xvf letsencrypt.tar
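
Before pointing nginx at the copied tree, it is worth checking that the transfer kept what certbot depends on. The functions below are an added example for this post, not commands from the original; they assume the standard certbot layout (live/<name>/*.pem symlinks into archive/<name>/), a Linux "stat -c" and an "openssl" binary on the new server, and they read LE_ROOT so the same checks can be run against a scratch copy.

```shell
#!/bin/sh
# Sanity checks for a /etc/letsencrypt tree copied between hosts with tar.
# Added example, not the post's own commands. Assumes the certbot layout
# (live/<name>/*.pem -> ../../archive/<name>/*N.pem), GNU/BusyBox "stat -c"
# and "openssl" on the new server.

LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"   # overridable so the checks can run on a test copy

# Every live/<name>/*.pem must still be a symlink that resolves. tar keeps
# symlinks, but extracting into the wrong directory leaves them dangling.
check_live_links() {
    name="$1"
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        p="$LE_ROOT/live/$name/$f"
        [ -L "$p" ] || { echo "not a symlink: $p" >&2; return 1; }
        [ -r "$p" ] || { echo "dangling symlink: $p" >&2; return 1; }
    done
}

# Private keys in archive/ must not be group- or world-readable. Root keeps
# modes when extracting; a tar unpacked as another user may not.
check_key_perms() {
    name="$1"
    for k in "$LE_ROOT/archive/$name"/privkey*.pem; do
        mode=$(stat -c '%a' "$k") || return 1
        case "$mode" in
            600|400) ;;
            *) echo "loose mode $mode on $k" >&2; return 1 ;;
        esac
    done
}

# The leaf certificate in fullchain.pem and privkey.pem must carry the same
# public key; otherwise nginx refuses to start with "key values mismatch".
check_key_matches_cert() {
    name="$1"
    cert_pub=$(openssl x509 -in "$LE_ROOT/live/$name/fullchain.pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$LE_ROOT/live/$name/privkey.pem" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the leaf certificate stays valid for at least $2 more days,
# i.e. the twice-monthly cron renewal still has time to run before expiry.
cert_valid_for_days() {
    name="$1"; days="$2"
    openssl x509 -in "$LE_ROOT/live/$name/fullchain.pem" -noout -checkend $((days * 86400))
}

# Usage: sh check_le_tree.sh mysite.kr
if [ -n "${1:-}" ]; then
    n="$1"
    check_live_links "$n" && check_key_perms "$n" && check_key_matches_cert "$n" \
        && cert_valid_for_days "$n" 30 && echo "OK: $n"
fi
```

Run it as root on the new server right after the tar -xvf step; a failure in check_live_links usually means the archive was unpacked somewhere other than /etc, and a failure in check_key_perms means the extraction did not run as root.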


Use the contents of the options-ssl-nginx.conf file at the link below:

https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf


nano /etc/letsencrypt/options-ssl-nginx.conf  <---  create the file (enter the text below exactly as shown)

-----------------------------------------------------------------
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
-----------------------------------------------------


# nano /usr/local/nginx/conf/nginx.conf

--------------------------------------------------------------
user  nginx;
worker_processes  auto;

pid     /usr/local/nginx/logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    #tcp_nopush     on;
    #gzip  on;

    server {
        listen       80;
        server_name  *.mysite.kr;

        # managed by Certbot ------------------------
        listen 443 ssl;

        # RSA certificate
        ssl_certificate /etc/letsencrypt/live/mysite.kr/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mysite.kr/privkey.pem;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        include /etc/letsencrypt/options-ssl-nginx.conf;

        # Redirect non-https traffic to https
        if ($scheme != "https") {
            return 301 https://$host$request_uri;     <-------------   $host$request_uri
        }
        #--------------------------------------------

        # Maximum upload size (e.g. uploading an SQL file in phpMyAdmin)
        client_max_body_size 120M;

        #charset koi8-r;
        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm index.php;
        }

        # redirect server error pages to the static page /epage/***.html
        error_page  404              /epage/404.html;
        error_page  403              /epage/403.html;
        error_page  500 502 503 504  /epage/50x.html;

        #*.php-fpm
        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi.conf;
            include fastcgi_params;
            fastcgi_index index.php;
            fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        }
    }
}
------------------------------------------------------------------

# systemctl restart nginx


# netstat -tnlp | grep 80

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1800/nginx: master

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1800/nginx: master


[Run certbot] - run without the renew option

# /usr/bin/certbot

Saving debug log to /var/log/letsencrypt/letsencrypt.log

/etc/letsencrypt/options-ssl-nginx.conf has been manually modified

updated file saved to /usr/lib/python3/dist-packages/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf. 

We recommend updating /etc/letsencrypt/options-ssl-nginx.conf for security purposes.


Please enter the domain name(s) you would like on your certificate (comma and/or space separated) (Enter 'c' to cancel): mysite.kr

Certificate not yet due for renewal


You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.

(ref: /etc/letsencrypt/renewal/mysite.kr.conf) ※ A certificate for the same domain that has not yet expired already exists; what do you want to do?


What would you like to do?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: Attempt to reinstall this existing certificate

2: Renew & replace the certificate (may be subject to CA rate limits) ※ renew anew

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Renewing an existing certificate for mysite.kr

Encountered exception during recovery: certbot.errors.MisconfigurationError: nginx restart failed:

nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Unknown error)   <== failed because port 80 is already in use

nginx: [emerg] still could not bind() 

nginx restart failed:

nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Unknown error)

nginx: [emerg] still could not bind() 


# systemctl stop nginx


# /usr/bin/certbot

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Please enter the domain name(s) you would like on your certificate (comma and/or

space separated) (Enter 'c' to cancel): mysite.kr

Certificate not yet due for renewal


You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.

(ref: /etc/letsencrypt/renewal/mysite.kr.conf)


What would you like to do?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: Attempt to reinstall this existing certificate

2: Renew & replace the certificate (may be subject to CA rate limits)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Renewing an existing certificate for mysite.kr


Successfully received certificate.

Certificate is saved at: /etc/letsencrypt/live/mysite.kr/fullchain.pem

Key is saved at:         /etc/letsencrypt/live/mysite.kr/privkey.pem

This certificate expires on 2023-09-15.

These files will be updated when the certificate renews.


Deploying certificate

Successfully deployed certificate for mysite.kr to /etc/nginx/sites-enabled/default

※ This means /etc/nginx/sites-enabled/default was filled with the automatically generated settings (nginx.conf was then configured by referring to that default file)

Your existing certificate has been successfully renewed, and the new certificate has been installed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


[Register automatic renewal]

nano /home/mywind/certbotrenew.sh  <- chmod 755 certbotrenew.sh

--------------------

systemctl stop nginx

/usr/bin/certbot renew

systemctl start nginx

---------------------
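
The three-line script above stops nginx on every run, including the many runs on which certbot renew finds nothing due, and if certbot dies between the stop and the start the site stays down. The script below is an added example, not the post's own; it assumes certbot at /usr/bin/certbot and a systemd unit named nginx (both as on this page) plus util-linux flock, and keeps the commands in variables so they can be swapped for stubs. certbot's --pre-hook and --post-hook run only when a certificate is actually due, so the standalone authenticator gets port 80 without nginx being stopped on the idle runs.

```shell
#!/bin/sh
# Hardened replacement for certbotrenew.sh. Added example, not the post's own
# script. Assumes /usr/bin/certbot, a systemd unit "nginx" and util-linux flock.

CERTBOT="${CERTBOT:-/usr/bin/certbot}"
NGINX_STOP="${NGINX_STOP:-systemctl stop nginx}"
NGINX_START="${NGINX_START:-systemctl start nginx}"
NGINX_IS_ACTIVE="${NGINX_IS_ACTIVE:-systemctl is-active --quiet nginx}"
LOCK="${LOCK:-/run/certbotrenew.lock}"

# The hooks fire only when at least one certificate is due for renewal, so
# nginx is left alone on runs where certbot has nothing to do.
build_renew_cmd() {
    printf '%s renew --pre-hook "%s" --post-hook "%s"\n' \
        "$CERTBOT" "$NGINX_STOP" "$NGINX_START"
}

# Belt and braces: whatever certbot's exit status, do not leave the site down.
ensure_nginx_running() {
    if sh -c "$NGINX_IS_ACTIVE"; then
        return 0
    fi
    echo "nginx is not running after the renewal attempt; starting it" >&2
    sh -c "$NGINX_START"
}

main() {
    # A non-blocking lock stops a manual run from overlapping the cron run.
    exec 9>"$LOCK"
    if ! flock -n 9; then
        echo "another renewal is already running" >&2
        return 1
    fi
    if sh -c "$(build_renew_cmd)"; then rc=0; else rc=$?; fi
    ensure_nginx_running
    return "$rc"
}

# Runs main only when executed under the script's own name, so the functions
# can also be sourced for testing.
case "${0##*/}" in
    certbotrenew.sh) main; exit $? ;;
esac
```

The same pre_hook / post_hook pair can instead be written into the [renewalparams] section of /etc/letsencrypt/renewal/mysite.kr.conf, or dropped as executables into /etc/letsencrypt/renewal-hooks/pre/ and /etc/letsencrypt/renewal-hooks/post/, in which case the crontab line can call plain certbot renew; the fallback in ensure_nginx_running still applies.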


[Automatic log clearing]

# cd /usr/local/nginx/logs

nano clear_logs.sh   <- chmod 755 clear_logs.sh 

-------------------

cat /dev/null > access.log

cat /dev/null > error.log

-------------------


[Register crontab]

# nano /etc/crontab

-------------------------

00 4    1,15 * *   root    /home/mywind/certbotrenew.sh >> /var/log/cron_certbotrenew.log 2>&1

00 6    1 * *   root    /usr/local/nginx/logs/clear_logs.sh

-------------------------


# service cron restart


# systemctl start nginx

Job for nginx.service failed because the control process exited with error code.

See "systemctl status nginx.service" and "journalctl -xeu nginx.service" for details.


# tail /usr/local/nginx/logs/error.log

[emerg] 5970#0: bind() to 0.0.0.0:80 failed (98: Address already in use)

[emerg] 5970#0: bind() to 0.0.0.0:443 failed (98: Address already in use)


# netstat -tnlp | grep 80 

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1800/nginx: master

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1800/nginx: master


※ Either terminate the process with kill -9 1800, or stop nginx with systemctl stop nginx and then run systemctl start nginx.

If it still does not work: # reboot
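
Before reaching for kill -9 or a reboot it helps to know exactly who holds the port. The netstat | grep 80 check above is a substring match (it also hits pid 1800 and port 8080, which is why both lines appeared), and it cannot tell whether the listener is the nginx that systemd manages or an nginx master started by hand from /usr/local/nginx/sbin, which systemctl stop will not touch. The functions below are an added example, not from the post; they assume Linux with iproute2 ss and systemd, and the unit name nginx from this page.

```shell
#!/bin/sh
# Exact-port listener check for "bind() ... Address already in use".
# Added example, not from the post. Assumes Linux, iproute2 "ss" and systemd.

# Print every pid=N in one line of "ss -p" output, one per line.
# Constructed input: 'LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1800,fd=6),("nginx",pid=1801,fd=6))'
ss_line_pids() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^pid=\([0-9][0-9]*\).*/\1/p'
}

# Pids holding a listening TCP socket on exactly this port (no substring hits).
listeners_on_port() {
    ss -H -ltnp "sport = :$1" | while IFS= read -r line; do
        ss_line_pids "$line"
    done | sort -u
}

# Classify the listener:
#   free     - nobody listens; nginx can start
#   managed  - systemd's MainPID for the unit holds the port; use systemctl restart
#   foreign  - a process systemd does not own holds it (hand-started or stale
#              master); "systemctl stop" cannot clear it, so stop it by pid
classify_listener() {
    pids="$1"; main_pid="${2:-0}"
    [ -z "$pids" ] && { echo free; return 0; }
    for p in $pids; do
        if [ "$main_pid" != 0 ] && [ "$p" = "$main_pid" ]; then
            echo managed; return 0
        fi
    done
    echo foreign
}

# Usage: port_status 80 nginx  ->  free | managed | foreign
port_status() {
    port="$1"; unit="${2:-nginx}"
    pids=$(listeners_on_port "$port")
    main_pid=$(systemctl show -p MainPID --value "$unit" 2>/dev/null || echo 0)
    classify_listener "$pids" "$main_pid"
}

case "${0##*/}" in
    port_status.sh) port_status "$@" ;;
esac
```

Run port_status 80 and port_status 443 after systemctl stop nginx: "foreign" with the pids from ss explains the bind() failure without guessing from the netstat output, and tells you which pid a plain kill (SIGTERM first, not -9) should go to.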



[Open issue]

Encountered exception during recovery: certbot.errors.MisconfigurationError: nginx restart failed:

nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Unknown error)



Copyright © sebom.com All rights reserved.