[WEB SERVER] Let’s Encrypt Multi DNS

# Create the TXT record
aws lightsail create-domain-entry --region us-east-1 \
  --domain-name example.com \
  --domain-entry '{
    "name": "_acme-challenge.example.com",
    "type": "TXT",
    "target": "\"test-value\""
  }'

# Delete the TXT record
aws lightsail delete-domain-entry --region us-east-1 \
  --domain-name example.com \
  --domain-entry '{
    "name": "_acme-challenge.example.com",
    "type": "TXT",
    "target": "\"test-value\""
  }'
ubuntu@ip-xxx-xx-xx-xx:/etc/letsencrypt$ sudo certbot certonly -a dns-multi \
>   --dns-multi-credentials /etc/letsencrypt/dns-multi-example.ini \
>   -d example.com -d '*.example.com' --non-interactive \
>   --agree-tos -m example@email.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example.com and *.example.com
Waiting 60 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2025-xx-xx.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Nginx server configuration

Set up the nginx server block in /etc/nginx/sites-available/example.conf.

Enable it and test:

sudo ln -s /etc/nginx/sites-available/example.conf /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx

Troubleshooting

1. Missing the file: ssl-dhparams.pem

If the nginx config test fails with the following error, generate the DH parameters file with openssl:

root@ip-172-xx-xx-xx:/etc/letsencrypt# nginx -t
2025/xx/xx xx:xx:xx [emerg] 159990#159990: BIO_new_file("/etc/letsencrypt/ssl-dhparams.pem") failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/ssl-dhparams.pem, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed
root@ip-172-xx-xx-xx:/etc/letsencrypt# sudo openssl dhparam -out ssl-dhparams.pem 2048


2. Missing the file: options-ssl-nginx.conf

ubuntu@ip-172-xx-xx-xx:/etc/nginx$ sudo nginx -t && sudo systemctl reload nginx
2025/09/24 10:50:21 [emerg] 159881#159881: open() "/etc/letsencrypt/options-ssl-nginx.conf" failed (2: 
No such file or directory) in /etc/nginx/sites-enabled/wp-predorable-com:18

Fetch the latest copy of the file from GitHub:

https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
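The server block the post refers to, together with a check for the two include files whose absence produces the nginx -t errors above, as an added example that is not code from the original post. It assumes certbot's default layout under /etc/letsencrypt; the web root /var/www/<domain> is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: print the nginx server block
# the post refers to, and check for the two certbot include files whose absence
# causes the nginx -t errors above. Assumes certbot's default layout under
# /etc/letsencrypt; the web root /var/www/<domain> is a placeholder.

# Emit a server block for DOMAIN; *.DOMAIN is covered by the wildcard cert.
render_server_block() {
    domain="$1"
    cat <<EOF
server {
    listen 80;
    server_name ${domain} *.${domain};
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name ${domain} *.${domain};

    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    root /var/www/${domain};
    index index.html;
}
EOF
}

# Print each include file missing under LE_DIR (default /etc/letsencrypt).
# Returns 0 when both are present, 1 otherwise; nginx -t fails without them.
# Fixes: "openssl dhparam -out ssl-dhparams.pem 2048" and the GitHub URL above.
check_le_includes() {
    le_dir="${1:-/etc/letsencrypt}"
    rc=0
    for f in options-ssl-nginx.conf ssl-dhparams.pem; do
        if [ ! -r "${le_dir}/${f}" ]; then
            echo "$f"
            rc=1
        fi
    done
    return "$rc"
}
```

Run `render_server_block example.com > /etc/nginx/sites-available/example.conf`, then `check_le_includes` before `nginx -t && systemctl reload nginx`.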

Certificate renewal

First, confirm with the --dry-run option that renewal completes without problems:

ubuntu@ip-xxx-xx-xx-xx:~$ sudo certbot renew --dry-run


Then perform the actual renewal:

ubuntu@ip-xxx-xx-xx-xx:~$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for example.com and *.example.com
Waiting 60 seconds for DNS changes to propagate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


If you are running an nginx or apache2 server, reload it so that it picks up the newly issued certificate.

The --deploy-hook option runs the given command when the certificate renewal succeeds.

ubuntu@ip-xxx-xx-xx-xx:~$ sudo certbot renew --force-renewal --deploy-hook "systemctl reload nginx"

If you use Apache instead, use:

sudo certbot renew --force-renewal --deploy-hook "systemctl reload apache2"
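A deploy hook that only reloads nginx after the renewed files exist and the configuration still passes nginx -t, as an added example that is not from the original post. Certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks; NGINX_BIN, RELOAD_CMD and DEPLOY_HOOK_LOG are assumptions made here so they can be overridden.

```shell
#!/bin/sh
# Added example, not code from the original post: a certbot deploy hook that
# reloads nginx only after the renewed certificate files exist and the nginx
# configuration still passes "nginx -t". Install it as
# /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh (certbot runs every
# executable there after a successful renewal) or pass its path to --deploy-hook.
# Certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS for deploy hooks; NGINX_BIN,
# RELOAD_CMD and DEPLOY_HOOK_LOG are assumptions made here so they can be overridden.

NGINX_BIN="${NGINX_BIN:-nginx}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"
LOG="${DEPLOY_HOOK_LOG:-/var/log/letsencrypt/deploy-hook.log}"

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOG"; }

# Reload nginx for the lineage directory in $1 (renewed domains in $2).
# Returns 0 after a reload, 1 if the renewed files are missing, 2 if nginx
# rejects its configuration, 3 if the reload command itself fails.
deploy_renewed_cert() {
    lineage="$1"
    domains="$2"
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "${lineage}/${f}" ]; then
            log "ERROR ${lineage}/${f} missing for ${domains}; not reloading"
            return 1
        fi
    done
    # A broken config must not take the running server down: test before reloading.
    if ! "$NGINX_BIN" -t >/dev/null 2>&1; then
        log "ERROR nginx -t failed after renewing ${domains}; not reloading"
        return 2
    fi
    # RELOAD_CMD is split into words on purpose (e.g. "systemctl reload nginx").
    if ! $RELOAD_CMD; then
        log "ERROR reload failed after renewing ${domains}"
        return 3
    fi
    log "INFO reloaded nginx for ${domains} (${lineage})"
    return 0
}

# When certbot invokes the hook it exports the lineage; do nothing otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_renewed_cert "$RENEWED_LINEAGE" "${RENEWED_DOMAINS:-unknown}"
fi
```

Deploy hooks fire only for lineages that actually renewed, so this fits the scheduled `certbot renew`; --force-renewal reissues the certificate on every run and counts against Let's Encrypt's duplicate-certificate rate limit, so keep it for testing.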


Checking the renewed certificate

ubuntu@ip-xxx-xx-xx-xx:~$ sudo certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: example.com
    Serial Number: xxxx
    Key Type: ECDSA
    Identifiers: example.com *.example.com
    Expiry Date: 20xx-xx-xx 00:00:00+00:00 (VALID: xx days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
