cichondev/AWS_Single_LetsEncrypt.yaml

## AWS_Single_LetsEncrypt.yaml
# Dont forget to set the env variable "CERT_DOMAIN", and either fill in your email below or use an env variable for that too.
# Also note that this config is using the LetsEncrypt staging server, remove the flag when ready!
# @source https://gist.github.com/tony-gutierrez/198988c34e020af0192bab543d35a62a#file-aws_single_letsencrypt-yaml-L2

Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

files:

  # The Apache config forces https, and is meant as an example only.
  /etc/httpd/conf.d/000_http_redirect_custom.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      <VirtualHost *:80>
        ServerName ${CERT_DOMAIN}
        ServerAlias www.${CERT_DOMAIN}
        DocumentRoot "/var/www/html/public"
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =${CERT_DOMAIN} [OR]
        RewriteCond %{SERVER_NAME} =www.${CERT_DOMAIN}
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
      </VirtualHost>

  # The Apache config forces https, and is meant as an example only.
  /etc/httpd/conf.d/https_custom.pre:
    mode: "000644"
    owner: root
    group: root
    content: |
      # HTTPS server
      <IfModule mod_ssl.c>
      <VirtualHost *:443>
        ServerName ${CERT_DOMAIN}
        ServerAlias www.${CERT_DOMAIN}
        DocumentRoot "/var/www/html/public"
        RewriteEngine on
        SSLCertificateFile /etc/letsencrypt/live/${CERT_DOMAIN}/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/${CERT_DOMAIN}/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
      </VirtualHost>
      </IfModule>
  /tmp/letsencrypt/options-ssl-apache.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      SSLEngine on
      # Intermediate configuration, tweak to your needs
      SSLProtocol             all -SSLv2 -SSLv3
      SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
      SSLHonorCipherOrder     on

      SSLOptions +StrictRequire

      # Add vhost name to log entries:
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
      LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

      #CustomLog /var/log/apache2/access.log vhost_combined
      #LogLevel warn
      #ErrorLog /var/log/apache2/error.log

      # Always ensure Cookies have "Secure" set (JAH 2012/1)
      #Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

packages:
  yum:
    epel-release: []
    mod24_ssl: []

container_commands:
  210_installcertbot:
    command: "wget https://dl.eff.org/certbot-auto;chmod a+x certbot-auto"
  220_stop_httpd:
    command: "sudo stop httpd"
    ignoreErrors: true
  230_getcert:
    command: "sudo ./certbot-auto certonly --debug --non-interactive --email ${EMAIL} --agree-tos --standalone --domains ${CERT_DOMAIN} --keep-until-expiring"
  240_config:
    command: "sudo mv /etc/httpd/conf.d/https_custom.pre /etc/httpd/conf.d/https_custom.conf"
  250_move_options_ssl_le:
    command: "sudo mv /tmp/letsencrypt/options-ssl-apache.conf /etc/letsencrypt/options-ssl-apache.conf"
  260_start_httpd:
      command: "sudo start httpd;sudo restart httpd"
	# Dont forget to set the env variable "CERT_DOMAIN", and either fill in your email below or use an env variable for that too.
	# Also note that this config is using the LetsEncrypt staging server, remove the flag when ready!
	# @source https://gist.github.com/tony-gutierrez/198988c34e020af0192bab543d35a62a#file-aws_single_letsencrypt-yaml-L2

	Resources:
	sslSecurityGroupIngress:
	Type: AWS::EC2::SecurityGroupIngress
	Properties:
	GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
	IpProtocol: tcp
	ToPort: 443
	FromPort: 443
	CidrIp: 0.0.0.0/0

	files:

	# The Apache config forces https, and is meant as an example only.
	/etc/httpd/conf.d/000_http_redirect_custom.conf:
	mode: "000644"
	owner: root
	group: root
	content: \|
	<VirtualHost *:80>
	ServerName ${CERT_DOMAIN}
	ServerAlias www.${CERT_DOMAIN}
	DocumentRoot "/var/www/html/public"
	RewriteEngine on
	RewriteCond %{SERVER_NAME} =${CERT_DOMAIN} [OR]
	RewriteCond %{SERVER_NAME} =www.${CERT_DOMAIN}
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
	</VirtualHost>

	# The Apache config forces https, and is meant as an example only.
	/etc/httpd/conf.d/https_custom.pre:
	mode: "000644"
	owner: root
	group: root
	content: \|
	# HTTPS server
	<IfModule mod_ssl.c>
	<VirtualHost *:443>
	ServerName ${CERT_DOMAIN}
	ServerAlias www.${CERT_DOMAIN}
	DocumentRoot "/var/www/html/public"
	RewriteEngine on
	SSLCertificateFile /etc/letsencrypt/live/${CERT_DOMAIN}/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/${CERT_DOMAIN}/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
	</VirtualHost>
	</IfModule>
	/tmp/letsencrypt/options-ssl-apache.conf:
	mode: "000644"
	owner: root
	group: root
	content: \|
	SSLEngine on
	# Intermediate configuration, tweak to your needs
	SSLProtocol all -SSLv2 -SSLv3
	SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
	SSLHonorCipherOrder on

	SSLOptions +StrictRequire

	# Add vhost name to log entries:
	LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
	LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

	#CustomLog /var/log/apache2/access.log vhost_combined
	#LogLevel warn
	#ErrorLog /var/log/apache2/error.log

	# Always ensure Cookies have "Secure" set (JAH 2012/1)
	#Header edit Set-Cookie (?i)^(.)(;\ssecure)??((\s;)?(.)) "$1; Secure$3$4"

	packages:
	yum:
	epel-release: []
	mod24_ssl: []

	container_commands:
	210_installcertbot:
	command: "wget https://dl.eff.org/certbot-auto;chmod a+x certbot-auto"
	220_stop_httpd:
	command: "sudo stop httpd"
	ignoreErrors: true
	230_getcert:
	command: "sudo ./certbot-auto certonly --debug --non-interactive --email ${EMAIL} --agree-tos --standalone --domains ${CERT_DOMAIN} --keep-until-expiring"
	240_config:
	command: "sudo mv /etc/httpd/conf.d/https_custom.pre /etc/httpd/conf.d/https_custom.conf"
	250_move_options_ssl_le:
	command: "sudo mv /tmp/letsencrypt/options-ssl-apache.conf /etc/letsencrypt/options-ssl-apache.conf"
	260_start_httpd:
	command: "sudo start httpd;sudo restart httpd"