francisrod01/access.log

## access.log
172.31.43.189 - - [13/Jan/2018:03:01:56 +0000] "GET / HTTP/1.1" 404 139 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36" "191.37.20.2"
172.31.43.189 - - [13/Jan/2018:03:02:03 +0000] "GET / HTTP/1.1" 404 139 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 OPR/50.0.2762.58" "191.37.20.2"
172.31.20.92 - - [13/Jan/2018:03:07:10 +0000] "GET /.well-known/acme-challenge/<my-key-here> HTTP/1.1" 301 185 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "52.29.173.72"
172.31.20.92 - - [13/Jan/2018:03:07:10 +0000] "GET /.well-known/acme-challenge/<my-key-here> HTTP/1.1" 301 185 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "34.213.106.112"
172.31.43.189 - - [13/Jan/2018:03:07:10 +0000] "GET /.well-known/acme-challenge/<my-key-here> HTTP/1.1" 301 185 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "66.133.109.36"
172.31.43.189 - - [13/Jan/2018:03:07:10 +0000] "GET /.well-known/acme-challenge/<my-key-here> HTTP/1.1" 301 185 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "13.58.30.69"


## beanstalk-https_v2.config
###
# Based on https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/
# and http://bit.ly/aws-and-lets-encrypt-ssl-2CW5d4e
###

Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      SourceSecurityGroupName: {"Fn::GetAtt" : ["AWSEBLoadBalancer" , "SourceSecurityGroup.GroupName"]}

files:

  /etc/letsencrypt/configs/${CERT_DOMAIN}.conf
    mode: "000644"
    owner: root
    group: root
    content: |
      # the domain we want to get the cert for;
      # technically it's possible to have multiple of this lines, but it only worked
      # with one domain for me, another one only got one cert, so I would recommend
      # separate config files per domain.
      domains = ${CERT_DOMAIN}

      # increase key size
      rsa-key-size = 4096 # 2048 or 4096

      # the current closed beta (as of 2015-Nov-07) is using this server
      server = https://acme-v01.api.letsencrypt.org/directory

      # this address will receive renewal reminders
      email = ${CERT_EMAIL}

      # turn off the ncurses UI, we want this to be run as a cronjob
      text = True

      debug = True
      non-interactive = True
      agree-tos = True
      standalone = True
      staging = True

      # Obtain certificates using a DNS TXT record (if you are using Route53 for DNS).
      dns-route53 = True

      # authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
      # and then letting LE fetch it
      authenticator = webroot
      webroot-path = /var/www/letsencrypt/

  /etc/letsencrypt/config/renewal-cert.sh
    mode: "000644"
    owner: root
    group: root
    content: |
      #!/bin/sh

      cd /opt/letsencrypt/
      ./certbot-auto --config /etc/letsencrypt/configs/my-domain.conf certonly

      if [ $? -ne 0 ]
        then
          ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
          echo -e "The Let's Encrypt cert has not been renewed! \n \n" \
          $ERRORLOG
        else
          nginx -s reload
      fi

      exit 0

  /etc/nginx/conf.d/letsencrypt-temp-file.conf.txt
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen 80;

        location /.well-know/acme-challenge {
          root /var/www/letsencrypt;
        }
      }

  /var/www/letsencrypt/config/prepare_letsencrypt_nginx.sh
    mode: "0000644"
    owner: root
    group: root
    content: |
      #!/bin/bash

      mkdir /var/www/letsencrypt
      chgrp nginx /var/www/letsencrypt
      cp /etc/nginx/conf.d/letsencrypt-temp-file.conf.txt /etc/nginx/conf.d/letsencrypt-temp-file.conf"

      nginx -s reload

  /etc/nginx/conf.d/https_custom.pre:
    mode: "000644"
    owner: root
    group: root
    content: |
      # HTTPS Server

      upstream node_upstream {
        server 127.0.0.1:5000;
        keepalive 256;
      }

      server {
        listen 443;

        error_page  497 https://$host$request_uri;

        ssl on;
        ssl_certificate /etc/letsencrypt/live/${CERT_DOMAIN}/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/${CERT_DOMAIN}/privkey.pem;

        ssl_session_timeout 5m;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_prefer_server_ciphers on;

        if ($ssl_protocol = "") {
          rewrite ^ https://$host$request_uri? permanent;
        }

        location / {
          proxy_pass http://node_upstream;
          proxy_set_header Connection "";
          proxy_http_version 1.1;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
        }
      }

  /etc/nginx/conf.d/http-redirect-custom.conf.pos:
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen 80;
        return 301 https://$host$request_uri;
      }

  /opt/elasticbeanstalk/hooks/configdeploy/post/99_kill_default_nginx.sh:
    mode: "000644"
    owner: root
    group: root
    content: |
      #!/bin/bash -xe
      rm -f /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf
      service nginx stop
      service nginx start

packages:
  yum:
    epel-release: []

container_commands:
  removeconfig:
    command: "sh /opt/elasticbeanstalk/hooks/configdeploy/post/99_kill_default_nginx.sh"
    owner: root
    group: root
  prepare_letsencrypt_nginx:
    command "sh /var/www/letsencrypt/config/prepare_letsencrypt_nginx.sh"
    owner: root
    group: root
  00_createdir:
    command: "mkdir /opt/certbot || true"
  01_installcertbot:
    command: "wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto"
  02_permission:
    command: "chmod a+x /opt/certbot/certbot-auto"
  03_getcert:
    ## command: "sudo /opt/certbot/certbot-auto certonly --debug --non-interactive --standalone --email ${CERT_EMAIL} --agree-tos -d ${CERT_DOMAIN} --keep-until-expiring"
    command : "sudo /opt/certbot/certbot-auto --config /etc/letsencrypt/configs/${CERT_DOMAIN}.conf certonly"
  04_link:
    command: "ln -sf /etc/letsencrypt/live/${CERT_DOMAIN} /etc/letsencrypt/live/${CERT_DOMAIN}"
  05_cronjob_renew:
    ## command: "cat .ebextensions/certificate_renew.txt > /etc/cron.d/certificate_renew && chmod 644 /etc/cron.d/certificate_renew"
    command: "sudo sh /etc/letsencrypt/config/renewal-cert.sh"

## beanstslk-https_v1.config
# Dont forget to set the env variable "certdomain", and either fill in your email below or use an env variable for that too.
# Also note that this config is using the LetsEncrypt staging server, remove the flag when ready!
#
# Based on http://bit.ly/aws-and-lets-encrypt-ssl-2EEMn25
###
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

files:

  # The Nginx config forces https, and is meant as an example only.
  /etc/nginx/conf.d/000_http_redirect_custom.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen 8080;
        return 301 https://$host$request_uri;
      }
  # The Nginx config forces https, and is meant as an example only.
  /etc/nginx/conf.d/https_custom.pre:
    mode: "000644"
    owner: root
    group: root
    content: |
      # HTTPS server
      server {
        listen       443 default ssl;
        server_name  localhost;
        error_page  497 https://$host$request_uri;

        ssl_certificate      /etc/letsencrypt/live/ebcert/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/ebcert/privkey.pem;
        ssl_session_timeout  5m;
        ssl_protocols  TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_prefer_server_ciphers   on;

        if ($ssl_protocol = "") {
          rewrite ^ https://$host$request_uri? permanent;
        }

        location / {
            proxy_pass  http://nodejs;
            proxy_set_header   Connection "";
            proxy_http_version 1.1;
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        Upgrade         $http_upgrade;
            proxy_set_header        Connection      "upgrade";
        }
      }
packages:
  yum:
    epel-release: []

container_commands:
  10_installcertbot:
    command: "wget https://dl.eff.org/certbot-auto;chmod a+x certbot-auto"
  20_getcert:
    command: "sudo ./certbot-auto certonly --debug --non-interactive --email ${CERT_EMAIL} --agree-tos --standalone --domains ${CERT_DOMAIN} --keep-until-expiring --pre-hook \"service nginx stop\" --staging"
  30_link:
    command: "ln -sf /etc/letsencrypt/live/${CERT_DOMAIN} /etc/letsencrypt/live/ebcert"
  40_config:
    command: "mv /etc/nginx/conf.d/https_custom.pre /etc/nginx/conf.d/https_custom.conf"

## eb-activity.log
-------------------------------------
/var/log/eb-activity.log
-------------------------------------
  Verifying  : libverto-devel-0.2.5-4.9.amzn1.x86_64                       8/13
  Verifying  : krb5-devel-1.15.1-8.43.amzn1.x86_64                         9/13
  Verifying  : libsepol-devel-2.1.7-3.12.amzn1.x86_64                     10/13
  Verifying  : system-rpm-config-9.0.3-42.28.amzn1.noarch                 11/13
  Verifying  : libffi-devel-3.0.13-16.5.amzn1.x86_64                      12/13
  Verifying  : libselinux-devel-2.1.10-3.22.amzn1.x86_64                  13/13

  Installed:
  augeas-libs.x86_64 0:1.0.0-5.7.amzn1
  libffi-devel.x86_64 0:3.0.13-16.5.amzn1
  openssl-devel.x86_64 1:1.0.2k-8.106.amzn1
  python27-tools.x86_64 0:2.7.12-2.121.amzn1
  system-rpm-config.noarch 0:9.0.3-42.28.amzn1

  Dependency Installed:
  keyutils-libs-devel.x86_64 0:1.5.8-3.12.amzn1
  krb5-devel.x86_64 0:1.15.1-8.43.amzn1
  libcom_err-devel.x86_64 0:1.42.12-4.40.amzn1
  libkadm5.x86_64 0:1.15.1-8.43.amzn1
  libselinux-devel.x86_64 0:2.1.10-3.22.amzn1
  libsepol-devel.x86_64 0:2.1.7-3.12.amzn1
  libverto-devel.x86_64 0:0.2.5-4.9.amzn1
  zlib-devel.x86_64 0:1.2.8-7.18.amzn1

  Complete!
  Creating virtual environment...
  Installing Python packages...
  Installation succeeded.
  Saving debug log to /var/log/letsencrypt/letsencrypt.log
  Plugins selected: Authenticator standalone, Installer None
  Running pre-hook command: service nginx stop
  Output from service:
  Stopping nginx:
  Hook command "service nginx stop" returned error code 137
  Error output from service:
  /sbin/service: line 66:  3905 Killed                  env -i PATH="$PATH" TERM="$TERM" "${SERVICEDIR}/${SERVICE}" ${OPTIONS}

  Obtaining a new certificate
  Performing the following challenges:
  http-01 challenge for my-site.domain.com
  Waiting for verification...
  Cleaning up challenges
  Exiting abnormally:
  Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
  sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 861, in main
  return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 786, in certonly
  lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 85, in _get_and_save_cert
  lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
  certr, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 318, in obtain_certificate
  self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
  self._respond(resp, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 138, in _respond
  self._poll_challenges(chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges
  raise errors.FailedChallenges(all_failed_achalls)
  FailedChallenges: Failed authorization procedure. my-site.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://my-site.domain.com/.well-known/acme-challenge/<my-key-here>: Timeout
  Please see the logfiles in /var/log/letsencrypt for more details.
  IMPORTANT NOTES:
  - The following errors were reported by the server:

  Domain: my-site.domain.com
  Type:   connection
  Detail: Fetching
  https://my-site.domain.com/.well-known/acme-challenge/<my-key-here>:
  Timeout

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address. Additionally, please check that
  your computer has a publicly routable IP address and that no
  firewalls are preventing the server from communicating with the
  client. If you're using the webroot plugin, you should also verify
  that you are serving files from the webroot path you provided.
  - Your account credentials have been saved in your Certbot
  configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Certbot so
  making regular backups of this folder is ideal.
   (ElasticBeanstalk::ExternalInvocationError)


[2018-01-13T03:07:23.754Z] INFO  [3220]  - [Application update app-6f42-xxxxxxxxxx@32/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_stack_SampleApplication_W4FJ8W83X64B/Command 20_getcert] : Activity failed.
[2018-01-13T03:07:23.754Z] INFO  [3220]  - [Application update app-6f42-xxxxxxxxxx@32/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_stack_SampleApplication_W4FJ8W83X64B] : Activity failed.
[2018-01-13T03:07:23.754Z] INFO  [3220]  - [Application update app-6f42-xxxxxxxxxx@32/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild] : Activity failed.
[2018-01-13T03:07:23.872Z] INFO  [3220]  - [Application update app-6f42-xxxxxxxxxx@32/AppDeployStage0/EbExtensionPostBuild] : Activity failed.
[2018-01-13T03:07:23.872Z] INFO  [3220]  - [Application update app-6f42-xxxxxxxxxx@32/AppDeployStage0] : Activity failed.
[2018-01-13T03:07:23.873Z] INFO  [3220]  - [Application update app-6f42-xxxxxxxxxx@32] : Completed activity. Result:
  Application update - Command CMD-AppDeploy failed
[2018-01-13T03:09:56.885Z] INFO  [4009]  - [CMD-TailLogs] : Starting activity...
[2018-01-13T03:09:56.886Z] INFO  [4009]  - [CMD-TailLogs/AddonsBefore] : Starting activity...
[2018-01-13T03:09:56.886Z] INFO  [4009]  - [CMD-TailLogs/AddonsBefore] : Completed activity.
[2018-01-13T03:09:56.886Z] INFO  [4009]  - [CMD-TailLogs/TailLogs] : Starting activity...
[2018-01-13T03:09:56.886Z] INFO  [4009]  - [CMD-TailLogs/TailLogs/TailLogs] : Starting activity...


## eb-commandprocessor.log
  libcom_err-devel.x86_64 0:1.42.12-4.40.amzn1
  libkadm5.x86_64 0:1.15.1-8.43.amzn1
  libselinux-devel.x86_64 0:2.1.10-3.22.amzn1
  libsepol-devel.x86_64 0:2.1.7-3.12.amzn1
  libverto-devel.x86_64 0:0.2.5-4.9.amzn1
  zlib-devel.x86_64 0:1.2.8-7.18.amzn1

  Complete!
  Creating virtual environment...
  Installing Python packages...
  Installation succeeded.
  Saving debug log to /var/log/letsencrypt/letsencrypt.log
  Plugins selected: Authenticator standalone, Installer None
  Running pre-hook command: service nginx stop
  Output from service:
  Stopping nginx:
  Hook command "service nginx stop" returned error code 137
  Error output from service:
  /sbin/service: line 66:  3905 Killed                  env -i PATH="$PATH" TERM="$TERM" "${SERVICEDIR}/${SERVICE}" ${OPTIONS}

  Obtaining a new certificate
  Performing the following challenges:
  http-01 challenge for my-website.domain.com
  Waiting for verification...
  Cleaning up challenges
  Exiting abnormally:
  Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
  sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 861, in main
  return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 786, in certonly
  lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 85, in _get_and_save_cert
  lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
  certr, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 318, in obtain_certificate
  self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
  self._respond(resp, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 138, in _respond
  self._poll_challenges(chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges
  raise errors.FailedChallenges(all_failed_achalls)
  FailedChallenges: Failed authorization procedure. my-website.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://my-website.domain.com/.well-known/acme-challenge/<my-key-here>: Timeout
  Please see the logfiles in /var/log/letsencrypt for more details.
  IMPORTANT NOTES:
  - The following errors were reported by the server:

  Domain: my-website.domain.com
  Type:   connection
  Detail: Fetching
  https://my-website.domain.com/.well-known/acme-challenge/<my-key-here>:
  Timeout

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address. Additionally, please check that
  your computer has a publicly routable IP address and that no
  firewalls are preventing the server from communicating with the
  client. If you're using the webroot plugin, you should also verify
  that you are serving files from the webroot path you provided.
  - Your account credentials have been saved in your Certbot
  configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Certbot so
  making regular backups of this folder is ideal.
   (ElasticBeanstalk::ExternalInvocationError)


[2018-01-13T03:07:23.873Z] ERROR [3220]  : Command CMD-AppDeploy failed!
[2018-01-13T03:07:23.895Z] INFO  [3220]  : Command processor returning results:
{"status":"FAILURE","api_version":"1.0","results":[{"status":"FAILURE","msg":"(TRUNCATED)...our Certbot\nconfiguration directory at /etc/letsencrypt. You should make a\nsecure backup of this folder now. This configuration directory will\nalso contain certificates and private keys obtained by Certbot so\nmaking regular backups of this folder is ideal. \ncontainer_command 20_getcert in .ebextensions/https-instance-securitygroup.config failed. For more detail, check /var/log/eb-activity.log using console or EB CLI","returncode":1,"events":[]}],"truncated":"true"}
[2018-01-13T03:09:56.864Z] DEBUG [4009]  : Reading config file: /etc/elasticbeanstalk/.aws-eb-stack.properties
[2018-01-13T03:09:56.865Z] DEBUG [4009]  : Checking if the command processor should execute...
[2018-01-13T03:09:56.872Z] DEBUG [4009]  : Checking whether the command is applicable to instance (i-xxxxxxxxxxxxx)..
[2018-01-13T03:09:56.872Z] INFO  [4009]  : Command is applicable to this instance (i-xxxxxxxxxxxxx)..
[2018-01-13T03:09:56.872Z] DEBUG [4009]  : Checking if the received command stage is valid..
[2018-01-13T03:09:56.872Z] INFO  [4009]  : No stage_num in command. Valid stage..
[2018-01-13T03:09:56.872Z] INFO  [4009]  : Received command CMD-TailLogs: {"execution_data":"{\"aws_access_key_id\":\"ASIAJ5PBUH3S35QTZQEQ\",\"signature\":\"i5m2JH8jnX1Ji\\\/WxwaaYBhHrsTE=\",\"security_token\":\"....."],"data":"3ab026e3-f80f-11e7-bdaa-4da0e17fb298","command_name":"CMD-TailLogs","api_version":"1.0","resource_name":"AWSEBAutoScalingGroup","request_id":"3ab026e3-f80f-11e7-bdaa-4da0e17fb298"}
[2018-01-13T03:09:56.872Z] INFO  [4009]  : Command processor should execute command.
[2018-01-13T03:09:56.872Z] DEBUG [4009]  : Storing current stage..
[2018-01-13T03:09:56.872Z] DEBUG [4009]  : Stage_num does not exist. Not saving null stage. Returning..
[2018-01-13T03:09:56.873Z] DEBUG [4009]  : Reading config file: /etc/elasticbeanstalk/.aws-eb-stack.properties
[2018-01-13T03:09:56.873Z] DEBUG [4009]  : Retrieving metadata for key: AWS::ElasticBeanstalk::Ext||_ContainerConfigFileContent||commands..
[2018-01-13T03:09:56.878Z] DEBUG [4009]  : Retrieving metadata for key: AWS::ElasticBeanstalk::Ext||_API||_Commands..
[2018-01-13T03:09:56.880Z] INFO  [4009]  : Found enabled addons: ["logpublish", "logstreaming"].
[2018-01-13T03:09:56.883Z] INFO  [4009]  : Updating Command definition of addon logpublish.
[2018-01-13T03:09:56.883Z] INFO  [4009]  : Updating Command definition of addon logstreaming.
[2018-01-13T03:09:56.884Z] DEBUG [4009]  : Loaded definition of Command CMD-TailLogs.
[2018-01-13T03:09:56.884Z] INFO  [4009]  : Executing CMD-TailLogs
[2018-01-13T03:09:56.885Z] INFO  [4009]  : Executing command: CMD-TailLogs...
[2018-01-13T03:09:56.885Z] INFO  [4009]  : Executing command CMD-TailLogs activities...
[2018-01-13T03:09:56.885Z] DEBUG [4009]  : Setting environment variables..
[2018-01-13T03:09:56.885Z] INFO  [4009]  : Running AddonsBefore for command CMD-TailLogs...
[2018-01-13T03:09:56.886Z] DEBUG [4009]  : Running stages of Command CMD-TailLogs from stage 0 to stage 0...
[2018-01-13T03:09:56.886Z] INFO  [4009]  : Running stage 0 of command CMD-TailLogs...
[2018-01-13T03:09:56.886Z] DEBUG [4009]  : Loaded 1 actions for stage 0.
[2018-01-13T03:09:56.886Z] INFO  [4009]  : Running 1 of 1 actions: TailLogs...
	172.31.43.189 - - [13/Jan/2018:03:01:56 +0000] "GET / HTTP/1.1" 404 139 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36" "191.37.20.2"
	172.31.43.189 - - [13/Jan/2018:03:02:03 +0000] "GET / HTTP/1.1" 404 139 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 OPR/50.0.2762.58" "191.37.20.2"
	172.31.20.92 - - [13/Jan/2018:03:07:10 +0000] "GET /.well-known/acme-challenge/<my-key-here> HTTP/1.1" 301 185 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "52.29.173.72"
	172.31.20.92 - - [13/Jan/2018:03:07:10 +0000] "GET /.well-known/acme-challenge/<my-key-here> HTTP/1.1" 301 185 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "34.213.106.112"
	172.31.43.189 - - [13/Jan/2018:03:07:10 +0000] "GET /.well-known/acme-challenge/<my-key-here> HTTP/1.1" 301 185 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "66.133.109.36"
	172.31.43.189 - - [13/Jan/2018:03:07:10 +0000] "GET /.well-known/acme-challenge/<my-key-here> HTTP/1.1" 301 185 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "13.58.30.69"
	###
	# Based on https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/
	# and http://bit.ly/aws-and-lets-encrypt-ssl-2CW5d4e
	###

	Resources:
	sslSecurityGroupIngress:
	Type: AWS::EC2::SecurityGroupIngress
	Properties:
	GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
	IpProtocol: tcp
	ToPort: 443
	FromPort: 443
	SourceSecurityGroupName: {"Fn::GetAtt" : ["AWSEBLoadBalancer" , "SourceSecurityGroup.GroupName"]}

	files:

	/etc/letsencrypt/configs/${CERT_DOMAIN}.conf
	mode: "000644"
	owner: root
	group: root
	content: \|
	# the domain we want to get the cert for;
	# technically it's possible to have multiple of this lines, but it only worked
	# with one domain for me, another one only got one cert, so I would recommend
	# separate config files per domain.
	domains = ${CERT_DOMAIN}

	# increase key size
	rsa-key-size = 4096 # 2048 or 4096

	# the current closed beta (as of 2015-Nov-07) is using this server
	server = https://acme-v01.api.letsencrypt.org/directory

	# this address will receive renewal reminders
	email = ${CERT_EMAIL}

	# turn off the ncurses UI, we want this to be run as a cronjob
	text = True

	debug = True
	non-interactive = True
	agree-tos = True
	standalone = True
	staging = True

	# Obtain certificates using a DNS TXT record (if you are using Route53 for DNS).
	dns-route53 = True

	# authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
	# and then letting LE fetch it
	authenticator = webroot
	webroot-path = /var/www/letsencrypt/

	/etc/letsencrypt/config/renewal-cert.sh
	mode: "000644"
	owner: root
	group: root
	content: \|
	#!/bin/sh

	cd /opt/letsencrypt/
	./certbot-auto --config /etc/letsencrypt/configs/my-domain.conf certonly

	if [ $? -ne 0 ]
	then
	ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
	echo -e "The Let's Encrypt cert has not been renewed! \n \n" \
	$ERRORLOG
	else
	nginx -s reload
	fi

	exit 0

	/etc/nginx/conf.d/letsencrypt-temp-file.conf.txt
	mode: "000644"
	owner: root
	group: root
	content: \|
	server {
	listen 80;

	location /.well-know/acme-challenge {
	root /var/www/letsencrypt;
	}
	}

	/var/www/letsencrypt/config/prepare_letsencrypt_nginx.sh
	mode: "0000644"
	owner: root
	group: root
	content: \|
	#!/bin/bash

	mkdir /var/www/letsencrypt
	chgrp nginx /var/www/letsencrypt
	cp /etc/nginx/conf.d/letsencrypt-temp-file.conf.txt /etc/nginx/conf.d/letsencrypt-temp-file.conf"

	nginx -s reload

	/etc/nginx/conf.d/https_custom.pre:
	mode: "000644"
	owner: root
	group: root
	content: \|
	# HTTPS Server

	upstream node_upstream {
	server 127.0.0.1:5000;
	keepalive 256;
	}

	server {
	listen 443;

	error_page 497 https://$host$request_uri;

	ssl on;
	ssl_certificate /etc/letsencrypt/live/${CERT_DOMAIN}/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/${CERT_DOMAIN}/privkey.pem;

	ssl_session_timeout 5m;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
	ssl_prefer_server_ciphers on;

	if ($ssl_protocol = "") {
	rewrite ^ https://$host$request_uri? permanent;
	}

	location / {
	proxy_pass http://node_upstream;
	proxy_set_header Connection "";
	proxy_http_version 1.1;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	}
	}

	/etc/nginx/conf.d/http-redirect-custom.conf.pos:
	mode: "000644"
	owner: root
	group: root
	content: \|
	server {
	listen 80;
	return 301 https://$host$request_uri;
	}

	/opt/elasticbeanstalk/hooks/configdeploy/post/99_kill_default_nginx.sh:
	mode: "000644"
	owner: root
	group: root
	content: \|
	#!/bin/bash -xe
	rm -f /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf
	service nginx stop
	service nginx start

	packages:
	yum:
	epel-release: []

	container_commands:
	removeconfig:
	command: "sh /opt/elasticbeanstalk/hooks/configdeploy/post/99_kill_default_nginx.sh"
	owner: root
	group: root
	prepare_letsencrypt_nginx:
	command "sh /var/www/letsencrypt/config/prepare_letsencrypt_nginx.sh"
	owner: root
	group: root
	00_createdir:
	command: "mkdir /opt/certbot \|\| true"
	01_installcertbot:
	command: "wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto"
	02_permission:
	command: "chmod a+x /opt/certbot/certbot-auto"
	03_getcert:
	## command: "sudo /opt/certbot/certbot-auto certonly --debug --non-interactive --standalone --email ${CERT_EMAIL} --agree-tos -d ${CERT_DOMAIN} --keep-until-expiring"
	command : "sudo /opt/certbot/certbot-auto --config /etc/letsencrypt/configs/${CERT_DOMAIN}.conf certonly"
	04_link:
	command: "ln -sf /etc/letsencrypt/live/${CERT_DOMAIN} /etc/letsencrypt/live/${CERT_DOMAIN}"
	05_cronjob_renew:
	## command: "cat .ebextensions/certificate_renew.txt > /etc/cron.d/certificate_renew && chmod 644 /etc/cron.d/certificate_renew"
	command: "sudo sh /etc/letsencrypt/config/renewal-cert.sh"
	# Dont forget to set the env variable "certdomain", and either fill in your email below or use an env variable for that too.
	# Also note that this config is using the LetsEncrypt staging server, remove the flag when ready!
	#
	# Based on http://bit.ly/aws-and-lets-encrypt-ssl-2EEMn25
	###
	Resources:
	sslSecurityGroupIngress:
	Type: AWS::EC2::SecurityGroupIngress
	Properties:
	GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
	IpProtocol: tcp
	ToPort: 443
	FromPort: 443
	CidrIp: 0.0.0.0/0

	files:

	# The Nginx config forces https, and is meant as an example only.
	/etc/nginx/conf.d/000_http_redirect_custom.conf:
	mode: "000644"
	owner: root
	group: root
	content: \|
	server {
	listen 8080;
	return 301 https://$host$request_uri;
	}
	# The Nginx config forces https, and is meant as an example only.
	/etc/nginx/conf.d/https_custom.pre:
	mode: "000644"
	owner: root
	group: root
	content: \|
	# HTTPS server
	server {
	listen 443 default ssl;
	server_name localhost;
	error_page 497 https://$host$request_uri;

	ssl_certificate /etc/letsencrypt/live/ebcert/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/ebcert/privkey.pem;
	ssl_session_timeout 5m;
	ssl_protocols TLSv1.1 TLSv1.2;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
	ssl_prefer_server_ciphers on;

	if ($ssl_protocol = "") {
	rewrite ^ https://$host$request_uri? permanent;
	}

	location / {
	proxy_pass http://nodejs;
	proxy_set_header Connection "";
	proxy_http_version 1.1;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	}
	}
	packages:
	yum:
	epel-release: []

	container_commands:
	10_installcertbot:
	command: "wget https://dl.eff.org/certbot-auto;chmod a+x certbot-auto"
	20_getcert:
	command: "sudo ./certbot-auto certonly --debug --non-interactive --email ${CERT_EMAIL} --agree-tos --standalone --domains ${CERT_DOMAIN} --keep-until-expiring --pre-hook \"service nginx stop\" --staging"
	30_link:
	command: "ln -sf /etc/letsencrypt/live/${CERT_DOMAIN} /etc/letsencrypt/live/ebcert"
	40_config:
	command: "mv /etc/nginx/conf.d/https_custom.pre /etc/nginx/conf.d/https_custom.conf"
	-------------------------------------
	/var/log/eb-activity.log
	-------------------------------------
	Verifying : libverto-devel-0.2.5-4.9.amzn1.x86_64 8/13
	Verifying : krb5-devel-1.15.1-8.43.amzn1.x86_64 9/13
	Verifying : libsepol-devel-2.1.7-3.12.amzn1.x86_64 10/13
	Verifying : system-rpm-config-9.0.3-42.28.amzn1.noarch 11/13
	Verifying : libffi-devel-3.0.13-16.5.amzn1.x86_64 12/13
	Verifying : libselinux-devel-2.1.10-3.22.amzn1.x86_64 13/13

	Installed:
	augeas-libs.x86_64 0:1.0.0-5.7.amzn1
	libffi-devel.x86_64 0:3.0.13-16.5.amzn1
	openssl-devel.x86_64 1:1.0.2k-8.106.amzn1
	python27-tools.x86_64 0:2.7.12-2.121.amzn1
	system-rpm-config.noarch 0:9.0.3-42.28.amzn1

	Dependency Installed:
	keyutils-libs-devel.x86_64 0:1.5.8-3.12.amzn1
	krb5-devel.x86_64 0:1.15.1-8.43.amzn1
	libcom_err-devel.x86_64 0:1.42.12-4.40.amzn1
	libkadm5.x86_64 0:1.15.1-8.43.amzn1
	libselinux-devel.x86_64 0:2.1.10-3.22.amzn1
	libsepol-devel.x86_64 0:2.1.7-3.12.amzn1
	libverto-devel.x86_64 0:0.2.5-4.9.amzn1
	zlib-devel.x86_64 0:1.2.8-7.18.amzn1

	Complete!
	Creating virtual environment...
	Installing Python packages...
	Installation succeeded.
	Saving debug log to /var/log/letsencrypt/letsencrypt.log
	Plugins selected: Authenticator standalone, Installer None
	Running pre-hook command: service nginx stop
	Output from service:
	Stopping nginx:
	Hook command "service nginx stop" returned error code 137
	Error output from service:
	/sbin/service: line 66: 3905 Killed env -i PATH="$PATH" TERM="$TERM" "${SERVICEDIR}/${SERVICE}" ${OPTIONS}

	Obtaining a new certificate
	Performing the following challenges:
	http-01 challenge for my-site.domain.com
	Waiting for verification...
	Cleaning up challenges
	Exiting abnormally:
	Traceback (most recent call last):
	File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
	sys.exit(main())
	File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 861, in main
	return config.func(config, plugins)
	File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 786, in certonly
	lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
	File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 85, in _get_and_save_cert
	lineage = le_client.obtain_and_enroll_certificate(domains, certname)
	File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
	certr, chain, key, _ = self.obtain_certificate(domains)
	File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 318, in obtain_certificate
	self.config.allow_subset_of_names)
	File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
	self._respond(resp, best_effort)
	File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 138, in _respond
	self._poll_challenges(chall_update, best_effort)
	File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges
	raise errors.FailedChallenges(all_failed_achalls)
	FailedChallenges: Failed authorization procedure. my-site.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://my-site.domain.com/.well-known/acme-challenge/<my-key-here>: Timeout
	Please see the logfiles in /var/log/letsencrypt for more details.
	IMPORTANT NOTES:
	- The following errors were reported by the server:

	Domain: my-site.domain.com
	Type: connection
	Detail: Fetching
	https://my-site.domain.com/.well-known/acme-challenge/<my-key-here>:
	Timeout

	To fix these errors, please make sure that your domain name was
	entered correctly and the DNS A/AAAA record(s) for that domain
	contain(s) the right IP address. Additionally, please check that
	your computer has a publicly routable IP address and that no
	firewalls are preventing the server from communicating with the
	client. If you're using the webroot plugin, you should also verify
	that you are serving files from the webroot path you provided.
	- Your account credentials have been saved in your Certbot
	configuration directory at /etc/letsencrypt. You should make a
	secure backup of this folder now. This configuration directory will
	also contain certificates and private keys obtained by Certbot so
	making regular backups of this folder is ideal.
	(ElasticBeanstalk::ExternalInvocationError)


	[2018-01-13T03:07:23.754Z] INFO [3220] - [Application update app-6f42-xxxxxxxxxx@32/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_stack_SampleApplication_W4FJ8W83X64B/Command 20_getcert] : Activity failed.
	[2018-01-13T03:07:23.754Z] INFO [3220] - [Application update app-6f42-xxxxxxxxxx@32/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_stack_SampleApplication_W4FJ8W83X64B] : Activity failed.
	[2018-01-13T03:07:23.754Z] INFO [3220] - [Application update app-6f42-xxxxxxxxxx@32/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild] : Activity failed.
	[2018-01-13T03:07:23.872Z] INFO [3220] - [Application update app-6f42-xxxxxxxxxx@32/AppDeployStage0/EbExtensionPostBuild] : Activity failed.
	[2018-01-13T03:07:23.872Z] INFO [3220] - [Application update app-6f42-xxxxxxxxxx@32/AppDeployStage0] : Activity failed.
	[2018-01-13T03:07:23.873Z] INFO [3220] - [Application update app-6f42-xxxxxxxxxx@32] : Completed activity. Result:
	Application update - Command CMD-AppDeploy failed
	[2018-01-13T03:09:56.885Z] INFO [4009] - [CMD-TailLogs] : Starting activity...
	[2018-01-13T03:09:56.886Z] INFO [4009] - [CMD-TailLogs/AddonsBefore] : Starting activity...
	[2018-01-13T03:09:56.886Z] INFO [4009] - [CMD-TailLogs/AddonsBefore] : Completed activity.
	[2018-01-13T03:09:56.886Z] INFO [4009] - [CMD-TailLogs/TailLogs] : Starting activity...
	[2018-01-13T03:09:56.886Z] INFO [4009] - [CMD-TailLogs/TailLogs/TailLogs] : Starting activity...