AWS Elastic Beanstalk .ebextensions config for single instance free SSL using letsencrypt certbot and Apache.
# Don't forget to set the env variable "CERT_DOMAIN", and either fill in your email below or use an env variable for that too.
# Also note that this config is using the LetsEncrypt staging server; remove the flag when ready!
# @source https://gist.github.com/tony-gutierrez/198988c34e020af0192bab543d35a62a#file-aws_single_letsencrypt-yaml-L2
Resources:
  # Extra ingress rule on the environment's own security group (AWSEBSecurityGroup)
  # so the instance accepts HTTPS from anywhere; port 80 is left to the platform.
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId:
        Fn::GetAtt:
          - AWSEBSecurityGroup
          - GroupId
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      CidrIp: "0.0.0.0/0"
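files:
  # Port-80 vhost for CERT_DOMAIN and www.CERT_DOMAIN: every request is
  # redirected to https. Meant as an example only.
  # ${CERT_DOMAIN} is expanded by Apache itself, not by Elastic Beanstalk, so the
  # variable must be visible to the httpd process — TODO confirm on the platform.
  /etc/httpd/conf.d/000_http_redirect_custom.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      <VirtualHost *:80>
        ServerName ${CERT_DOMAIN}
        ServerAlias www.${CERT_DOMAIN}
        DocumentRoot "/var/www/html/public"
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =${CERT_DOMAIN} [OR]
        RewriteCond %{SERVER_NAME} =www.${CERT_DOMAIN}
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
      </VirtualHost>
  # Port-443 vhost. Written with a .pre suffix so the stock conf.d/*.conf include
  # does not pick it up; a container command renames it to .conf only after the
  # certificate files it references exist (presumably to keep httpd startable
  # before the first certificate is issued).
  /etc/httpd/conf.d/https_custom.pre:
    mode: "000644"
    owner: root
    group: root
    content: |
      # HTTPS server
      <IfModule mod_ssl.c>
        <VirtualHost *:443>
          ServerName ${CERT_DOMAIN}
          ServerAlias www.${CERT_DOMAIN}
          DocumentRoot "/var/www/html/public"
          RewriteEngine on
          SSLCertificateFile /etc/letsencrypt/live/${CERT_DOMAIN}/fullchain.pem
          SSLCertificateKeyFile /etc/letsencrypt/live/${CERT_DOMAIN}/privkey.pem
          Include /etc/letsencrypt/options-ssl-apache.conf
        </VirtualHost>
      </IfModule>
  # Shared TLS settings, included by the 443 vhost above. Staged under /tmp and
  # moved into /etc/letsencrypt by a container command (presumably because that
  # directory only exists once certbot has run — confirm).
  /tmp/letsencrypt/options-ssl-apache.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      SSLEngine on
      # TLS 1.2 (and 1.3 where the platform's httpd/OpenSSL offer it): the
      # deprecated SSLv2/SSLv3/TLS 1.0/TLS 1.1 are disabled explicitly.
      SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
      # TLS-level compression is a known plaintext-recovery vector; keep it off.
      SSLCompression off
      # Intermediate configuration, tweak to your needs.
      # 3DES is excluded explicitly (!3DES): the existing !DES only matches
      # single-DES suites, so DES-CBC3-SHA stayed enabled.
      SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES
      SSLHonorCipherOrder on
      SSLOptions +StrictRequire
      # Add vhost name to log entries:
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
      LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
      #CustomLog /var/log/apache2/access.log vhost_combined
      #LogLevel warn
      #ErrorLog /var/log/apache2/error.log
      # Always ensure Cookies have "Secure" set (JAH 2012/1)
      #Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"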
packages:
  yum:
    # mod_ssl for Apache 2.4 — provides the SSL* directives used by the 443 vhost.
    mod24_ssl: []
    # EPEL repository definition; presumably needed for certbot-auto's
    # dependencies — confirm.
    epel-release: []
container_commands:
  # Elastic Beanstalk runs container_commands in alphabetical order of their
  # names; the numeric prefixes fix the sequence below.
  210_installcertbot:
    # NOTE(review): the installer is downloaded and later executed as root with
    # no checksum or signature check; verify the detached signature published
    # alongside it against EFF's signing key before trusting the file.
    command: 'wget https://dl.eff.org/certbot-auto;chmod a+x certbot-auto'
  220_stop_httpd:
    # Free port 80 for certbot's standalone challenge listener. Errors are
    # ignored so a not-yet-running httpd does not fail the deploy.
    command: 'sudo stop httpd'
    ignoreErrors: true
  230_getcert:
    # NOTE(review): the header comment says the staging server is in use, but no
    # --staging/--test-cert flag appears here and --debug is not the staging
    # switch — confirm which environment is intended.
    command: 'sudo ./certbot-auto certonly --debug --non-interactive --email ${EMAIL} --agree-tos --standalone --domains ${CERT_DOMAIN} --keep-until-expiring'
  240_config:
    # Activate the 443 vhost only now that the certificate files it references exist.
    command: 'sudo mv /etc/httpd/conf.d/https_custom.pre /etc/httpd/conf.d/https_custom.conf'
  250_move_options_ssl_le:
    # Put the staged TLS options file at the path the 443 vhost includes.
    command: 'sudo mv /tmp/letsencrypt/options-ssl-apache.conf /etc/letsencrypt/options-ssl-apache.conf'
  260_start_httpd:
    command: 'sudo start httpd;sudo restart httpd'