Hendrikv1990/AWS_Single_LetsEncrypt.yaml

## AWS_Single_LetsEncrypt.yaml
# Dont forget to set the env variable "certdomain", and either fill in your email below or use an env variable for that too.
# Also note that this config is using the LetsEncrypt staging server, remove the flag when ready!

files:

  # The Nginx config forces https, and is meant as an example only.
  /etc/nginx/conf.d/000_http_redirect_custom.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen 8080;
        return 301 https://$host$request_uri;
      }

  # The Nginx config forces https, and is meant as an example only.
  /etc/nginx/conf.d/https_custom.pre:
    mode: "000644"
    owner: root
    group: root
    content: |
      # HTTPS server
      server {
        listen       443 default ssl;
        server_name  localhost;
        error_page  497 https://$host$request_uri;

        ssl_certificate      /etc/letsencrypt/live/ebcert/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/ebcert/privkey.pem;

        ssl_session_timeout  5m;
        ssl_protocols  TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_prefer_server_ciphers   on;

        location / {
            proxy_pass  http://nodejs;
            proxy_set_header   Connection "";
            proxy_http_version 1.1;
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        Upgrade         $http_upgrade;
            proxy_set_header        Connection      "upgrade";
        }
      }

packages:
  yum:
    epel-release: []

container_commands:
  00_createdir:
    command: "mkdir /opt/certbot || true"
  10_installcertbot:
    command: "wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto"
  20_permission:
    command: "chmod a+x /opt/certbot/certbot-auto"
  30_getcert:
    command: "sudo /opt/certbot/certbot-auto certonly --debug --non-interactive --email ${CERT_EMAIL} --agree-tos --standalone --domains ${CERT_DOMAIN} --keep-until-expiring"
  40_link:
    command: "ln -sf /etc/letsencrypt/live/${CERT_DOMAIN} /etc/letsencrypt/live/ebcert"
  50_config:
    command: "mv /etc/nginx/conf.d/https_custom.pre /etc/nginx/conf.d/https_custom.conf"
  90_cronjob_renew:
    command: "cat .ebextensions/certificate_renew.txt > /etc/cron.d/certificate_renew && chmod 644 /etc/cron.d/certificate_renew"

## certificate_renew.txt
# The newline at the end of this file is extremely important.  Cron won't run without it.
0 3 1 * * root /opt/certbot/certbot-auto renew --standalone --pre-hook "sudo initctl stop nginx" --post-hook "sudo initctl start nginx" --force-renew
	# Dont forget to set the env variable "certdomain", and either fill in your email below or use an env variable for that too.
	# Also note that this config is using the LetsEncrypt staging server, remove the flag when ready!

	files:

	# The Nginx config forces https, and is meant as an example only.
	/etc/nginx/conf.d/000_http_redirect_custom.conf:
	mode: "000644"
	owner: root
	group: root
	content: \|
	server {
	listen 8080;
	return 301 https://$host$request_uri;
	}

	# The Nginx config forces https, and is meant as an example only.
	/etc/nginx/conf.d/https_custom.pre:
	mode: "000644"
	owner: root
	group: root
	content: \|
	# HTTPS server
	server {
	listen 443 default ssl;
	server_name localhost;
	error_page 497 https://$host$request_uri;

	ssl_certificate /etc/letsencrypt/live/ebcert/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/ebcert/privkey.pem;

	ssl_session_timeout 5m;
	ssl_protocols TLSv1.1 TLSv1.2;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
	ssl_prefer_server_ciphers on;

	location / {
	proxy_pass http://nodejs;
	proxy_set_header Connection "";
	proxy_http_version 1.1;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	}
	}

	packages:
	yum:
	epel-release: []

	container_commands:
	00_createdir:
	command: "mkdir /opt/certbot \|\| true"
	10_installcertbot:
	command: "wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto"
	20_permission:
	command: "chmod a+x /opt/certbot/certbot-auto"
	30_getcert:
	command: "sudo /opt/certbot/certbot-auto certonly --debug --non-interactive --email ${CERT_EMAIL} --agree-tos --standalone --domains ${CERT_DOMAIN} --keep-until-expiring"
	40_link:
	command: "ln -sf /etc/letsencrypt/live/${CERT_DOMAIN} /etc/letsencrypt/live/ebcert"
	50_config:
	command: "mv /etc/nginx/conf.d/https_custom.pre /etc/nginx/conf.d/https_custom.conf"
	90_cronjob_renew:
	command: "cat .ebextensions/certificate_renew.txt > /etc/cron.d/certificate_renew && chmod 644 /etc/cron.d/certificate_renew"
	# The newline at the end of this file is extremely important. Cron won't run without it.
	0 3 1 * * root /opt/certbot/certbot-auto renew --standalone --pre-hook "sudo initctl stop nginx" --post-hook "sudo initctl start nginx" --force-renew