@caseypage
Last active February 12, 2023 07:59
AWS Beanstalk SSL Lets Encrypt certbot - Single Web Instance - Updated 2021
```yaml
packages:
  yum:
    mod24_ssl: []

files:
  # Redirect plain-HTTP requests to HTTPS. X-Forwarded-Proto is set by the
  # :443 vhost below, so only requests that came in on :80 are redirected.
  "/etc/httpd/conf.d/ssl_rewrite.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      RewriteEngine On
      RewriteCond %{HTTP:X-Forwarded-Proto} !https
      RewriteRule . https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

  # TLS terminating vhost. LETSENCRYPT_DOMAIN is a literal placeholder here;
  # container command 12_replace_placeholders substitutes the real domain.
  "/etc/httpd/conf.d/ssl.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      ServerName LETSENCRYPT_DOMAIN
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>
        ServerAlias www.LETSENCRYPT_DOMAIN
        SSLEngine on
        SSLCertificateFile "/etc/letsencrypt/live/LETSENCRYPT_DOMAIN/fullchain.pem"
        SSLCertificateKeyFile "/etc/letsencrypt/live/LETSENCRYPT_DOMAIN/privkey.pem"
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder On
        SSLSessionTickets Off
        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff
        ProxyPass / http://localhost:80/ retry=0
        ProxyPassReverse / http://localhost:80/
        ProxyPreserveHost on
        RequestHeader set X-Forwarded-Proto "https" early
      </VirtualHost>

  # Make the certbot log show up in "eb logs" / the console log bundle.
  "/opt/elasticbeanstalk/tasks/taillogs.d/letsencrypt.conf":
    mode: "000755"
    owner: root
    group: root
    content: |
      /var/log/letsencrypt/letsencrypt.log

container_commands:
  # certbot --standalone binds port 80 itself, so httpd has to be down first.
  10_stop_apache:
    command: "sudo service httpd stop; sleep 3"
  # Render the LETSENCRYPT_DOMAIN placeholder in ssl.conf from the environment
  # property. /opt/elasticbeanstalk/support/envvars is the Amazon Linux 1 path;
  # Amazon Linux 2 platforms expose properties via /opt/elasticbeanstalk/bin/get-config instead.
  12_replace_placeholders:
    command: |
      source /opt/elasticbeanstalk/support/envvars
      SED_EXPRESSION='s/LETSENCRYPT_DOMAIN/'$LETSENCRYPT_DOMAIN'/g'
      echo "$SED_EXPRESSION"
      sed -i -e "$SED_EXPRESSION" /etc/httpd/conf.d/ssl.conf
  # Install certbot with pip (certbot-auto is no longer supported on this platform).
  20_install_certbot:
    command: |
      sudo rm -rf /opt/eff.org/*
      sudo yum -q -y install python36 python36-pip python36-libs python36-tools python36-virtualenv
      sudo /usr/bin/pip-3.6 install certbot
  # Obtain the certificate; --keep-until-expiring makes redeploys a no-op while it is still valid.
  30_install_certificate:
    command: |
      source /opt/elasticbeanstalk/support/envvars
      sudo /usr/local/bin/certbot certonly --non-interactive --email ${LETSENCRYPT_EMAIL} --agree-tos --standalone --domains ${LETSENCRYPT_DOMAIN} --keep-until-expiring
  40_start_apache:
    command: |
      source /opt/elasticbeanstalk/support/envvars
      sudo service httpd start
```
@caseypage
Author

Your system is not supported by certbot-auto anymore. Certbot cannot be installed.

I received this message after updating my single web instance AWS Beanstalk platform that does not use a load balancer. I found a simple HTTPS solution using Let's Encrypt and that worked for a while until certbot-auto was deprecated.

This is the complete ebextension config file that is working for me currently as of 1/27/2021 using the currently supported platform for a PHP single instance web environment.

You must create two environment variables inside Beanstalk for:

  • LETSENCRYPT_DOMAIN
  • LETSENCRYPT_EMAIL

GOOD LUCK!
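
The config above renders ssl.conf from the LETSENCRYPT_DOMAIN property, and nothing in it checks that the substitution actually happened before httpd comes back up. The following script is an added example, not part of caseypage's gist: it lints the rendered `/etc/httpd/conf.d/ssl.conf` for a leftover placeholder, for the two certbot paths, for the HSTS header, and for the protocol line. It also flags the gist's `SSLProtocol All -SSLv2 -SSLv3`, which still offers TLS 1.0 and 1.1 where mod_ssl supports them; the `after.conf` sample shows the tightened form. It assumes only POSIX sh and grep; both sample configs are constructed, trimmed to the relevant lines, and `example.com` stands in for a real domain.

```shell
#!/bin/sh
# Added example, not part of caseypage's gist: lint the rendered
# /etc/httpd/conf.d/ssl.conf after the 12_replace_placeholders step ran.
# Usage on the instance:  sh check_ssl_conf.sh /etc/httpd/conf.d/ssl.conf
# With no argument it lints two constructed sample configs (below).

# Return 0 when an SSLProtocol line disables TLS 1.0 and TLS 1.1, either by
# subtracting both ("All -SSLv3 -TLSv1 -TLSv1.1") or by starting from -all and
# adding only 1.2/1.3 ("-all +TLSv1.2 +TLSv1.3"). Apache matches these names
# case-insensitively, hence grep -i.
tls_legacy_disabled() {
    line=$1
    if printf '%s\n' "$line" | grep -Eiq -- '-TLSv1([[:space:]]|$)' &&
       printf '%s\n' "$line" | grep -iq -- '-TLSv1\.1'; then
        return 0
    fi
    if printf '%s\n' "$line" | grep -Eiq -- '-all([[:space:]]|$)' &&
       ! printf '%s\n' "$line" | grep -Eiq -- '\+TLSv1(\.1)?([[:space:]]|$)'; then
        return 0
    fi
    return 1
}

# Print one finding per line for the config file given as $1.
ssl_conf_findings() {
    conf=$1
    # The sed step must have replaced every placeholder; if LETSENCRYPT_DOMAIN
    # was unset in the environment the literal is still here.
    if grep -q 'LETSENCRYPT_DOMAIN' "$conf"; then
        echo "placeholder: LETSENCRYPT_DOMAIN still present (env var unset or sed step skipped)"
    fi
    # "SSLProtocol All -SSLv2 -SSLv3" (as in the gist) still offers TLS 1.0/1.1.
    proto=$(grep -i '^[[:space:]]*SSLProtocol' "$conf" | head -n 1)
    if ! tls_legacy_disabled "$proto"; then
        echo "protocol: TLS 1.0/1.1 not disabled: ${proto:-SSLProtocol line missing}"
    fi
    # The gist sets HSTS; a re-render must not lose it.
    if ! grep -qi 'Strict-Transport-Security' "$conf"; then
        echo "headers: Strict-Transport-Security header missing"
    fi
    # Both certbot paths must be present; without them httpd refuses to start.
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        if ! grep -q "^[[:space:]]*$d[[:space:]]" "$conf"; then
            echo "paths: $d directive missing"
        fi
    done
}

ssl_conf_finding_count() {
    ssl_conf_findings "$1" | wc -l | tr -d ' '
}

if [ -n "${1:-}" ]; then
    ssl_conf_findings "$1"
    [ "$(ssl_conf_finding_count "$1")" = 0 ]   # non-zero exit when findings exist
else
    SAMPLE_DIR=$(mktemp -d)
    # Constructed sample 1: the relevant lines of the gist's ssl.conf before the sed step.
    cat > "$SAMPLE_DIR/before.conf" <<'EOF'
ServerName LETSENCRYPT_DOMAIN
<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile "/etc/letsencrypt/live/LETSENCRYPT_DOMAIN/fullchain.pem"
  SSLCertificateKeyFile "/etc/letsencrypt/live/LETSENCRYPT_DOMAIN/privkey.pem"
  SSLProtocol All -SSLv2 -SSLv3
  Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
</VirtualHost>
EOF
    # Constructed sample 2: placeholders rendered for example.com and the protocol line tightened.
    cat > "$SAMPLE_DIR/after.conf" <<'EOF'
ServerName example.com
<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile "/etc/letsencrypt/live/example.com/fullchain.pem"
  SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"
  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
</VirtualHost>
EOF
    for f in before after; do
        echo "== $f.conf: $(ssl_conf_finding_count "$SAMPLE_DIR/$f.conf") finding(s)"
        ssl_conf_findings "$SAMPLE_DIR/$f.conf"
    done
fi
```

On the instance, running it with the real path as a final container command (or by hand after a deploy) turns a silently unrendered placeholder into a non-zero exit instead of a vhost that points at a non-existent `/etc/letsencrypt/live/LETSENCRYPT_DOMAIN/` directory.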

@LarsDu

LarsDu commented Feb 3, 2021

I was able to get this working, and I even manually entered the above commands and examined ssl.conf for correctness, yet https still isn't working.
Are there additional steps I should be aware of? I'm on Amazon Linux Python 3.6 and this is a Flask project.
(I should note that I had to comment out source /opt/elasticbeanstalk/support/envvars)
(I should note that I had the following at the top of my file:)

  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

Also

$ sudo /usr/local/bin/certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: dogames.us-west-2.elasticbeanstalk.com
    Serial Number: 42c7b7c6cfd873ffa90c1af34c0f9322a56
    Key Type: RSA
    Domains: dogames.us-west-2.elasticbeanstalk.com
    Expiry Date: 2021-05-04 00:45:50+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/dogames.us-west-2.elasticbeanstalk.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/dogames.us-west-2.elasticbeanstalk.com/privkey.pem

@caseypage
Author

If I were to troubleshoot that, it seems the SSL certificate was generated and is valid. However, the site is not reachable using port 443. I would tinker with the VPC security groups to see if there is something preventing that port from being open. I would also examine the access logs to see if httpd is even attempting to process those web requests. I would make sure that httpd is listening on port 443 as well.
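
The checks in that reply are three independent layers, and the order matters: a certificate issued by `certbot --standalone` on port 80 says nothing about whether httpd ever bound :443 or whether the security group lets :443 in. The script below is an added example, not from the gist or either commenter: it turns the layered reasoning into a triage that reports which layer to fix first. `port_is_listening` reads `ss -ltn` output, `diagnose` maps the three yes/no observations to a verdict, and `--live` mode collects them with `ss` and `curl` on the instance. The `ss` listing in the sample branch is constructed; `https_triage.sh` is a hypothetical file name.

```shell
#!/bin/sh
# Added example, not from the gist or its comments: triage for "certificate was
# issued, but https does not answer", following the layers named above in order:
# httpd bound to :443, the vhost answering locally, the instance reachable from
# outside (tcp/443 ingress in the instance security group).
# Usage on the instance:  sh https_triage.sh --live <LETSENCRYPT_DOMAIN>
# Without --live it runs the decision logic on constructed sample data.

# Layer 1: is anything listening on port $1? Reads `ss -ltn` output on stdin
# so a captured listing can be checked as well as a live one.
port_is_listening() {
    grep -Eq "LISTEN.*[:.]$1[[:space:]]"
}

# Classify the three yes/no observations (listening, local answer, remote
# answer) into the layer to fix first.
diagnose() {
    if [ "$1" != yes ]; then echo no-listener
    elif [ "$2" != yes ]; then echo vhost-error
    elif [ "$3" != yes ]; then echo blocked-ingress
    else echo ok
    fi
}

explain() {
    case "$1" in
        no-listener)
            echo "httpd is not bound to :443. Check that mod_ssl is loaded and 'Listen 443' is" \
                 "present (apachectl -S), then read /var/log/httpd/error_log." ;;
        vhost-error)
            echo "A :443 listener exists but the vhost fails locally. Read ssl_error_log for" \
                 "certificate path or key permission errors coming from ssl.conf." ;;
        blocked-ingress)
            echo "Works on the instance but not from outside: the security group lacks tcp/443" \
                 "ingress (the sslSecurityGroupIngress resource) or a network ACL blocks it." ;;
        ok) echo "https is reachable end to end." ;;
    esac
}

# Any HTTP status means the TLS handshake and vhost worked; curl prints 000
# when there was no answer at all. Extra arguments are passed to curl.
http_reachable() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$@" || true)
    case "$code" in 000|'') echo no ;; *) echo yes ;; esac
}

if [ "${1:-}" = "--live" ]; then
    domain=${2:?usage: $0 --live <domain>}
    if ss -ltn | port_is_listening 443; then l=yes; else l=no; fi
    # -k only for the loopback probe: 127.0.0.1 never matches the certificate name.
    lo=$(http_reachable -k https://127.0.0.1/)
    # The outside view is only authoritative from outside the VPC; confirm with
    # `curl -sI https://$domain/` from your workstation. A 000 here can also be
    # a certificate-name mismatch, which `curl -v` distinguishes.
    r=$(http_reachable "https://$domain/")
    v=$(diagnose "$l" "$lo" "$r")
    echo "$v"; explain "$v"
else
    # Constructed sample: an `ss -ltn` listing from a host serving only :22 and :80.
    SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    *:80               *:*'
    if printf '%s\n' "$SAMPLE_SS" | port_is_listening 443; then l=yes; else l=no; fi
    v=$(diagnose "$l" no no)
    echo "$v"; explain "$v"
fi
```

Running the sample branch prints `no-listener`, which is the cheapest layer to rule out before touching security groups: if `ss -ltn` shows no :443 socket, no amount of VPC work will help, and `apachectl -S` plus the error log is where to look.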
