인프런 커뮤니티 질문&답변

maliethy님의 프로필 이미지
maliethy

작성한 질문수

[리뉴얼] React로 NodeBird SNS 만들기

https 발급 시 snap과 nginx를 통해서 letsencrypt를 설치하기 질문입니다

해결된 질문

작성

·

347

0

제로초님 블로그에서 snap과 nginx를 통해서 letsencrypt를 설치하기를 따라하던 중 

백서버에서 먼저 도메인주소를 api.ymillonga.xyz 로 https를 발급받았습니다.

그리고 프론트서버에서도 ymillonga.xyz라는 도메인주소로 발급받으려 했더니 api.ymillonga.xyz가 이미 발급된 상태이더군요..

처음부터 와일드카드로 발급받아야했던 것 같은데 혹시 이런 경우 다시 초기화할 수 있는 방법이 있나요?

아니면 nginx의 /etc/nginx/nginx.conf 설정파일에서 server_name을 블로그와 같이 ymillonga.xyz, api.ymillonga.xyz수정하면 자동으로 해결되는 문제인가요?

 1. letsencrypt설치 후 직접 수정한 /etc/nginx/nginx.conf 설정파일 상태

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

 ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;

  server {
                server_name ymillonga.xyz www.ymillonga.xyz;
                return 301 https://ymillonga.xyz$request_uri;
        }
        server {
                server_name api.nodebird.com;
                return 301 https://$host$request_uri;
        }
        server {
                listen 443 ssl;
                server_name ymillonga.xyz;
                ssl_certificate /etc/letsencrypt/live/api.ymillonga.xyz/fullchain.pem; # managed by Certbot       
                ssl_certificate_key /etc/letsencrypt/live/api.ymillonga.xyz/privkey.pem; # managed by Certbot     
                include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
                ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
                location / {
                        proxy_set_header Host $host;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header X-Forwarded-Proto $scheme;
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection "upgrade";
                        proxy_set_header X-Real-IP $remote_addr;
 proxy_pass http://127.0.0.1:3050;
                        proxy_redirect off;

               }
       }
       server {
                listen 443 ssl;
                server_name api.ymillonga.xyz;
                ssl_certificate /etc/letsencrypt/live/api.ymillonga.xyz/fullchain.pem; # managed by Certbot       
                ssl_certificate_key /etc/letsencrypt/live/api.ymillonga.xyz/privkey.pem; # managed by Certbot     
               include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
                ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
                location / {
                        proxy_set_header Host $host;
                        proxy_set_header X-Forwarded-Proto $scheme;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection "upgrade";
                        proxy_pass http://127.0.0.1:3051;
                        proxy_redirect off;
                }
        }
}

2. 프론트 서버 sudo certbot --nginx 입력 시 옵션 창

ubuntu@ip-172-31-44-138:~/ymillonga-sns/front$ sudo certbot -

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: api.ymillonga.xyz

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate numbers separated by commas and/or spa

input

blank to select all options shown (Enter 'c' to cancel): 1

Cert not yet due for renewal

You have an existing certificate that has exactly the same doficate name you requested and isn't close to expiry.

(ref: /etc/letsencrypt/renewal/api.ymillonga.xyz.conf)

What would you like to do?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: Attempt to reinstall this existing certificate

2: Renew & replace the cert (may be subject to CA rate limits

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' t

Renewing an existing certificate for api.ymillonga.xyz

Deploying Certificate to VirtualHost /etc/nginx/sites-enabled

Traffic on port 80 already redirecting to ssl in /etc/nginx/sefault

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Your existing certificate has been successfully renewed, and icate

has been installed.

#mail {

#       # See sample authentication script at:

9. To obtain a new or tweaked        

   version of this certificate in the future, simply run certbot again     

   with the "certonly" option. To non-interactively renew *all* of

   your certificates, run "certbot renew"

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate      

   Donating to EFF:                    https://eff.org/donate-le

3. 설정파일 수정 후 서버 재시작 상태

프론트서버 상태

ubuntu@ip-172-31-44-138:~/ymillonga-sns/front$ sudo lsof -i tcp:3050

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

node    9977 root   18u  IPv6 153759      0t0  TCP *:gds-db (LISTEN)

ubuntu@ip-172-31-44-138:~/ymillonga-sns/front$ sudo lsof -i tcp:80

COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

nginx   10070     root    8u  IPv4 154727      0t0  TCP *:http (LISTEN)

nginx   10070     root    9u  IPv6 154728      0t0  TCP *:http (LISTEN)

nginx   10075 www-data    8u  IPv4 154727      0t0  TCP *:http (LISTEN)

nginx   10075 www-data    9u  IPv6 154728      0t0  TCP *:http 

백서버 상태

ubuntu@ip-172-31-44-138:~/ymillonga-sns/back$  sudo lsof -i tcp:80

COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

nginx   10070     root    8u  IPv4 154727      0t0  TCP *:http (LISTEN)  

nginx   10070     root    9u  IPv6 154728      0t0  TCP *:http (LISTEN)  

nginx   10075 www-data    8u  IPv4 154727      0t0  TCP *:http (LISTEN)  

nginx   10075 www-data    9u  IPv6 154728      0t0  TCP *:http (LISTEN)  

ubuntu@ip-172-31-44-138:~/ymillonga-sns/back$ sudo lsof -i tcp:3051      

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

node    9928 root   20u  IPv6 153760      0t0  TCP *:3051 (LISTEN) 

답변 2

1

제로초(조현영)님의 프로필 이미지
제로초(조현영)
지식공유자

프론트서버랑 백서버가 따로 있으면 와일드카드가 아니라 둘 다 따로 발급받는게 맞습니다.

프론트는 api 없이 백은 api 있이요.

0

maliethy님의 프로필 이미지
maliethy
질문자

git pull했더니 프론트 서버에 설치했던 nginx 파일이 사라져서 새로 설치하고 letsencrypt 발급하니

프론트서버에서 따로 발급이 되네요~

항상 감사합니다

좋은 주말되세요~

maliethy님의 프로필 이미지
maliethy

작성한 질문수

질문하기