Last active
February 12, 2023 07:59
-
-
Save caseypage/3f59f29f1fb4d6590c9193340a38ea03 to your computer and use it in GitHub Desktop.
AWS Beanstalk SSL Lets Encrypt certbot - Single Web Instance - Updated 2021
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| packages: | |
| yum: | |
| mod24_ssl : [] | |
| files: | |
| "/etc/httpd/conf.d/ssl_rewrite.conf": | |
| mode: "000644" | |
| owner: root | |
| group: root | |
| content: | | |
| RewriteEngine On | |
| RewriteCond %{HTTP:X-Forwarded-Proto} !https | |
| RewriteRule . https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301] | |
| /etc/httpd/conf.d/ssl.conf: | |
| mode: "000644" | |
| owner: root | |
| group: root | |
| content: | | |
| ServerName LETSENCRYPT_DOMAIN | |
| LoadModule ssl_module modules/mod_ssl.so | |
| Listen 443 | |
| <VirtualHost *:443> | |
| <Proxy *> | |
| Order deny,allow | |
| Allow from all | |
| </Proxy> | |
| ServerAlias www.LETSENCRYPT_DOMAIN | |
| SSLEngine on | |
| SSLCertificateFile "/etc/letsencrypt/live/LETSENCRYPT_DOMAIN/fullchain.pem" | |
| SSLCertificateKeyFile "/etc/letsencrypt/live/LETSENCRYPT_DOMAIN/privkey.pem" | |
| SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH | |
| SSLProtocol All -SSLv2 -SSLv3 | |
| SSLHonorCipherOrder On | |
| SSLSessionTickets Off | |
| Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" | |
| Header always set X-Frame-Options DENY | |
| Header always set X-Content-Type-Options nosniff | |
| ProxyPass / http://localhost:80/ retry=0 | |
| ProxyPassReverse / http://localhost:80/ | |
| ProxyPreserveHost on | |
| RequestHeader set X-Forwarded-Proto "https" early | |
| </VirtualHost> | |
| "/opt/elasticbeanstalk/tasks/taillogs.d/letsencrypt.conf": | |
| mode: "000755" | |
| owner: root | |
| group: root | |
| content: | | |
| /var/log/letsencrypt/letsencrypt.log | |
| container_commands: | |
| # installs certbot | |
| 10_stop_apache: | |
| command: "sudo service httpd stop; sleep 3" | |
| 12_replace_placeholders: | |
| command: | | |
| source /opt/elasticbeanstalk/support/envvars | |
| SED_EXPRESSION='s/LETSENCRYPT_DOMAIN/'$LETSENCRYPT_DOMAIN'/g' | |
| echo $SED_EXPRESSION | |
| sed -i -e $SED_EXPRESSION /etc/httpd/conf.d/ssl.conf | |
| 20_install_certbot: | |
| command: | | |
| sudo rm -rf /opt/eff.org/* | |
| sudo yum -q -y install python36 python36-pip python36-libs python36-tools python36-virtualenv | |
| sudo /usr/bin/pip-3.6 install certbot | |
| 30_install_certificate: | |
| command: | | |
| source /opt/elasticbeanstalk/support/envvars | |
| sudo /usr/local/bin/certbot certonly --non-interactive --email ${LETSENCRYPT_EMAIL} --agree-tos --standalone --domains ${LETSENCRYPT_DOMAIN} --keep-until-expiring | |
| 40_start_apache: | |
| command: | | |
| source /opt/elasticbeanstalk/support/envvars | |
| sudo service httpd start |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If I were to troubleshoot that, it seems the SSL certificate was generated and is valid. However; the site is not reachable using port 443. I would tinker with the VPC security groups to see if there is something preventing that port from being open. I would also examine the access logs to see if httpd is even attempting to process those web requests. I would make sure that httpd is listening on port 443 as well.