Last active June 16, 2021 03:37
Let's Encrypt SSL Single Instance PHP Elastic Beanstalk .ebextensions
#Do not include this file until your production certificate is working
#This config Forcing ssl will prevent lets encrypt from verifying your domain
Type: AWS::EC2::SecurityGroupIngress
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
#For this to work you need to update environment variables via EB console for LETSENCRYPT_DOMAIN and LETSENCRYPT_EMAIL.
#see 20_install_certificate for the workflow of getting a staging certificate, then a production certificate.
#based on
#update on 20191012 --need to set ServerName and ServerAlias to fix error "server certificate does NOT include an ID which matches the server name"
# be careful about where the www prefix appears, for servername you need to have it WITHOUT www. i had it in my EB console variable
# so i had to just manually put it in as the ServerName on line 33 and then with www on line 34, it might be easier to not use the console variables
mod24_ssl : []
mode: "000644"
owner: root
group: root
content: |
RewriteEngine On
<If "-n '%{HTTP:X-Forwarded-Proto}' && %{HTTP:X-Forwarded-Proto} != 'https'">
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
mode: "000644"
owner: root
group: root
content: |
LoadModule ssl_module modules/
Listen 443
<VirtualHost *:443>
<Proxy *>
Order deny,allow
Allow from all
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/ebcert/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/ebcert/privkey.pem"
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLSessionTickets Off
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
ProxyPass / http://localhost:80/ retry=0
ProxyPassReverse / http://localhost:80/
ProxyPreserveHost on
RequestHeader set X-Forwarded-Proto "https" early
mode: "000644"
owner: root
group: root
content: |
0 0 * * 0 root /opt/certbot/certbot-auto renew --webroot --webroot-path /var/www/html/ --pre-hook "killall httpd" --post-hook "sudo restart supervisord || sudo start supervisord" --force-renew --preferred-challenges http-01 >> /var/log/certificate_renew.log 2>&1
# creates a swapfile to avoid memory errors in small instances
command: "sudo swapoff /tmp/swapfile_certbot ; sudo rm /tmp/swapfile_certbot ; sudo fallocate -l 1G /tmp/swapfile_certbot && sudo chmod 600 /tmp/swapfile_certbot && sudo mkswap /tmp/swapfile_certbot && sudo swapon /tmp/swapfile_certbot"
# installs certbot
command: "mkdir -p /opt/certbot && wget -O /opt/certbot/certbot-auto && chmod a+x /opt/certbot/certbot-auto"
# issue the certificate if it does not exist
# after you have verified that the staging certificate is working, switch to the second version that is not staging with the --force-renewal so it doesnt keep your staging cert
# after the production cert is working you can switch to the third version that does not force the renewal.
command: "sudo /opt/certbot/certbot-auto certonly --debug --non-interactive --email ${LETSENCRYPT_EMAIL} --agree-tos --webroot --webroot-path /var/www/html/ --domains ${LETSENCRYPT_DOMAIN} --keep-until-expiring --preferred-challenges http-01 --staging"
#command: "sudo /opt/certbot/certbot-auto certonly --debug --non-interactive --email ${LETSENCRYPT_EMAIL} --agree-tos --webroot --webroot-path /var/www/html/ --domains ${LETSENCRYPT_DOMAIN} --keep-until-expiring --preferred-challenges http-01" --force-renewal
#command: "sudo /opt/certbot/certbot-auto certonly --debug --non-interactive --email ${LETSENCRYPT_EMAIL} --agree-tos --webroot --webroot-path /var/www/html/ --domains ${LETSENCRYPT_DOMAIN} --keep-until-expiring --preferred-challenges http-01"
# create a link so we can use '/etc/letsencrypt/live/ebcert/fullchain.pem'
# in the apache config file
command: "ln -sf /etc/letsencrypt/live/${LETSENCRYPT_DOMAIN} /etc/letsencrypt/live/ebcert"
# move the apache .conf file to the conf.d directory.
# Rename the default .conf file so it won't be used by Apache.
command: "mv /tmp/ssl.conf /etc/httpd/conf.d/ssl.conf && mv /etc/httpd/conf.d/wsgi.conf /etc/httpd/conf.d/wsgi.conf.bkp || true"
# clear the swap files created in 00_enable_swap
command: "sudo swapoff /tmp/swapfile_certbot && sudo rm /tmp/swapfile_certbot"
# kill all httpd processes so Apache will use the new configuration
command: "killall httpd ; sleep 3"
# Add renew cron job to renew the certificate
command: "mv /tmp/certificate_renew /etc/cron.d/certificate_renew"
tuanalumi commented Aug 1, 2018

For anyone having troubles:

  1. Update environment variable via EB console for LETSENCRYPT_DOMAIN and LETSENCRYPT_EMAIL. From original python version:

Note that the file is using these two environment variables. You must set them inside the Elastic Beanstalk console or through other means

  1. If you are using symfony or other framework that you have to change your webroot: update your webroot path to correct one. For symfony 3+: --webroot-path /var/www/html/public/

Hi all, I am getting two errors:

  1. Sorry, you must have a tty to run sudo
  2. If I remove 'sudo' I get: /bin/sh: swapoff: command not found

Can someone help me? Thanks!

In case someone runs into the same issue of getting back an unauthorized error:
make sure you can access the folder where the http-01-challenge file is stored by the browser. I had a laravel application running and hat to modify the --webroot-path (under 20_install_certificate) to /var/www/html/public so it could be accessed.

My browser gives the error "SEC_ERROR_UNKNOWN_ISSUER" when accessing the site.
I followed exactly the instructions of 8trackbattlecat and CodeZeno.


