statickidz/cronjob-certbot.config

## cronjob-certbot.config
files:
  "/etc/cron.d/certbot":
    mode: "000644"
    owner: root
    group: root
    content: |
      56 1 * * * root /opt/certbot/certbot-auto renew
commands:
  remove_old_cron:
    command: "rm -f /etc/cron.d/*.bak"

## https-instance.config
packages:
  yum:
    mod24_ssl : []

files:
  "/etc/httpd/conf.d/ssl_rewrite.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      RewriteEngine On
      RewriteCond %{HTTP:X-Forwarded-Proto} !https
      RewriteRule . https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

  /etc/httpd/conf.d/ssl.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>

        SSLEngine             on
        SSLCertificateFile "/etc/letsencrypt/live/LETSENCRYPT_DOMAIN/fullchain.pem"
        SSLCertificateKeyFile "/etc/letsencrypt/live/LETSENCRYPT_DOMAIN/privkey.pem"
        SSLCipherSuite        EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol           All -SSLv2 -SSLv3
        SSLHonorCipherOrder   On
        SSLSessionTickets     Off

        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

        ProxyPass / http://localhost:80/ retry=0
        ProxyPassReverse / http://localhost:80/
        ProxyPreserveHost on
        RequestHeader set X-Forwarded-Proto "https" early

      </VirtualHost>
  "/opt/elasticbeanstalk/tasks/taillogs.d/letsencrypt.conf":
    mode: "000755"
    owner: root
    group: root
    content: |
      /var/log/letsencrypt/letsencrypt.log

container_commands:
# installs certbot
  10_stop_apache:
    command: "killall httpd ; sleep 3"
  10_replace_placeholders:
    command: |
      source /opt/elasticbeanstalk/support/envvars
      SED_EXPRESSION='s/LETSENCRYPT_DOMAIN/'$LETSENCRYPT_DOMAIN'/g'
      echo $SED_EXPRESSION
      sed -i -e $SED_EXPRESSION /etc/httpd/conf.d/ssl.conf
  20_install_certbot:
    command: "mkdir -p /opt/certbot && wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto && chmod a+x /opt/certbot/certbot-auto"
  30_install_certificate:
    command: |
      source /opt/elasticbeanstalk/support/envvars
      sudo /opt/certbot/certbot-auto certonly --debug --non-interactive --email ${LETSENCRYPT_EMAIL} --agree-tos --standalone --domains ${LETSENCRYPT_DOMAIN} --keep-until-expiring
  40_start_apache:
    command: |
      source /opt/elasticbeanstalk/support/envvars
      sudo httpd -k start
	files:
	"/etc/cron.d/certbot":
	mode: "000644"
	owner: root
	group: root
	content: \|
	56 1 * * * root /opt/certbot/certbot-auto renew
	commands:
	remove_old_cron:
	command: "rm -f /etc/cron.d/*.bak"
	packages:
	yum:
	mod24_ssl : []

	files:
	"/etc/httpd/conf.d/ssl_rewrite.conf":
	mode: "000644"
	owner: root
	group: root
	content: \|
	RewriteEngine On
	RewriteCond %{HTTP:X-Forwarded-Proto} !https
	RewriteRule . https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

	/etc/httpd/conf.d/ssl.conf:
	mode: "000644"
	owner: root
	group: root
	content: \|
	LoadModule ssl_module modules/mod_ssl.so
	Listen 443
	<VirtualHost *:443>
	<Proxy *>
	Order deny,allow
	Allow from all
	</Proxy>

	SSLEngine on
	SSLCertificateFile "/etc/letsencrypt/live/LETSENCRYPT_DOMAIN/fullchain.pem"
	SSLCertificateKeyFile "/etc/letsencrypt/live/LETSENCRYPT_DOMAIN/privkey.pem"
	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
	SSLProtocol All -SSLv2 -SSLv3
	SSLHonorCipherOrder On
	SSLSessionTickets Off

	Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
	Header always set X-Frame-Options DENY
	Header always set X-Content-Type-Options nosniff

	ProxyPass / http://localhost:80/ retry=0
	ProxyPassReverse / http://localhost:80/
	ProxyPreserveHost on
	RequestHeader set X-Forwarded-Proto "https" early

	</VirtualHost>
	"/opt/elasticbeanstalk/tasks/taillogs.d/letsencrypt.conf":
	mode: "000755"
	owner: root
	group: root
	content: \|
	/var/log/letsencrypt/letsencrypt.log

	container_commands:
	# installs certbot
	10_stop_apache:
	command: "killall httpd ; sleep 3"
	10_replace_placeholders:
	command: \|
	source /opt/elasticbeanstalk/support/envvars
	SED_EXPRESSION='s/LETSENCRYPT_DOMAIN/'$LETSENCRYPT_DOMAIN'/g'
	echo $SED_EXPRESSION
	sed -i -e $SED_EXPRESSION /etc/httpd/conf.d/ssl.conf
	20_install_certbot:
	command: "mkdir -p /opt/certbot && wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto && chmod a+x /opt/certbot/certbot-auto"
	30_install_certificate:
	command: \|
	source /opt/elasticbeanstalk/support/envvars
	sudo /opt/certbot/certbot-auto certonly --debug --non-interactive --email ${LETSENCRYPT_EMAIL} --agree-tos --standalone --domains ${LETSENCRYPT_DOMAIN} --keep-until-expiring
	40_start_apache:
	command: \|
	source /opt/elasticbeanstalk/support/envvars
	sudo httpd -k start