@tellodaniel
Last active August 23, 2017 00:20
AWS Elastic Beanstalk certbot .ebextensions
Note: the ssl.pre content in the original gist is for Nginx, not Apache. The configuration below is for Apache (httpd 2.4 + mod_wsgi) on the Elastic Beanstalk Python platform.
Adjust the paths marked DOMAIN_HERE, STATIC_ROUTE_HERE, APP_HERE and EMAIL_HERE to your own configuration:
# Make an Apache config file for SSL. It is written as ssl.pre and only renamed to
# ssl.conf (step 4 below) after the certificate exists, so httpd never starts with
# an SSL vhost that points at missing files.
files:
  "/etc/httpd/conf.d/ssl.pre":
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule wsgi_module modules/mod_wsgi.so
      WSGIPythonHome /opt/python/run/baselinenv
      WSGISocketPrefix run/wsgi
      WSGIRestrictEmbedded On
      Listen 443
      <VirtualHost *:443>
        SSLEngine on
        # DOMAIN_HERE must be the same domain certbot is run for in 20_getcert below;
        # step 30_link also makes it reachable as /etc/letsencrypt/live/ebcert
        SSLCertificateFile /etc/letsencrypt/live/DOMAIN_HERE/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN_HERE/privkey.pem
        Alias /static/ /opt/python/current/app/STATIC_ROUTE_HERE
        <Directory /opt/python/current/app/STATIC_ROUTE_HERE>
          # httpd 2.4 syntax (the original mixed 2.2 "Order/Allow" with 2.4 "Require")
          Require all granted
        </Directory>
        # APP_HERE: replace application.py with your WSGI entry point
        WSGIScriptAlias / /opt/python/current/app/application.py
        <Directory /opt/python/current/app/>
          Require all granted
        </Directory>
        # python3.4 must match the Python version of your Elastic Beanstalk platform
        WSGIDaemonProcess wsgi-ssl processes=1 threads=15 display-name=%{GROUP} \
          python-path=/opt/python/current/app:/opt/python/run/venv/lib64/python3.4/site-packages:/opt/python/run/venv/lib/python3.4/site-packages \
          user=wsgi group=wsgi home=/opt/python/current/app
        WSGIProcessGroup wsgi-ssl
      </VirtualHost>

packages:
  yum:
    epel-release: []
    mod24_ssl: []

# Steps here
# 1. Install certbot
# 2. Get cert (stop apache before grabbing: --standalone needs port 80 free)
# 3. Link certs where Apache can grab them
# 4. Get the Apache config in place
# 5. Move certbot-auto into tmp folder
#
# ${certdomain} is assumed to be set as an environment property (option_settings,
# namespace aws:elasticbeanstalk:application:environment) so that it is visible to
# container_commands; this gist does not define it. container_commands already run
# as root, so the sudo in 20_getcert is redundant but harmless.
container_commands:
  10_installcertbot:
    command: "wget https://dl.eff.org/certbot-auto; chmod a+x certbot-auto"
  20_getcert:
    command: "sudo ./certbot-auto certonly --debug --non-interactive --email EMAIL_HERE --agree-tos --standalone --domains ${certdomain} --keep-until-expiring --pre-hook \"service httpd stop\" --post-hook \"service httpd start\""
  30_link:
    command: "ln -sf /etc/letsencrypt/live/${certdomain} /etc/letsencrypt/live/ebcert"
  40_config:
    command: "mv /etc/httpd/conf.d/ssl.pre /etc/httpd/conf.d/ssl.conf"
  # No renewal cron job is defined in this gist; this step only parks the script.
  50_mv_certbot_to_temp_for_cron_renew:
    command: "mv ./certbot-auto /tmp"
Be careful with indentation! .ebextensions files are YAML, and a mis-indented key silently changes its meaning.
If something fails, ssh to the instance and run "service httpd restart".
If certbot can't bind the port, wait a few minutes and retry: the --standalone challenge needs port 80 free, and the pre-hook only stops httpd.
Two caveats before using this in anything beyond a test environment: 10_installcertbot downloads certbot-auto and runs it as root without checking the detached PGP signature the EFF publishes alongside it, so verify the download with gpg before executing it; and /tmp is world-writable and may be cleared on reboot, so a root cron job should run certbot-auto from a root-owned directory rather than the location 50_mv_certbot_to_temp_for_cron_renew picks.
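When a deploy with this config fails, the two things worth checking over SSH before restarting httpd are that the private key actually belongs to the certificate the vhost points at, and that the certificate is not about to expire (which is the only case in which --keep-until-expiring will renew on the next deploy). The script below is an added example, not part of the gist; it assumes the openssl CLI is installed, defaults to the /etc/letsencrypt/live/ebcert paths created by 30_link, and uses function names of my own. The make_test_cert helper builds a throwaway self-signed pair so the checks can be exercised offline.

```sh
#!/bin/sh
# Added example, not part of the gist: pre-restart checks for the cert and key
# that the ssl.conf vhost above loads. Pass the cert and key paths as arguments
# (defaults shown in the usage comment at the bottom). Requires the openssl CLI.

# 1. Does the private key belong to the certificate Apache is about to load?
#    Compares the SubjectPublicKeyInfo extracted from each file; on a mismatch
#    httpd refuses to start with an X509_check_private_key error.
#    Returns 0 on match, 1 on mismatch, 2 if a file cannot be read or parsed.
cert_key_match() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 2. Is the certificate still valid for at least N more days? Returns 0 if so.
#    Let's Encrypt certificates last 90 days and certbot's default renewal
#    window is the last 30, so a failure at 30 means the next deploy renews.
cert_valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Constructed fixture: a throwaway self-signed pair standing in for the
# Let's Encrypt fullchain.pem/privkey.pem, so the checks run offline.
make_test_cert() {
    dir="$1"; days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=example.test" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
}

# Run both checks and report. Returns 0 only if both pass.
check_cert() {
    cert="$1"; key="$2"; min_days="${3:-30}"
    status=0
    if cert_key_match "$cert" "$key"; then
        echo "ok: $key matches $cert"
    else
        echo "FAIL: key/cert mismatch or unreadable file"; status=1
    fi
    if cert_valid_for_days "$cert" "$min_days"; then
        echo "ok: $cert valid for more than $min_days days"
    else
        echo "FAIL: $cert expires within $min_days days (or is unreadable)"; status=1
    fi
    return $status
}

# Usage: sh check_cert.sh /etc/letsencrypt/live/ebcert/fullchain.pem \
#                         /etc/letsencrypt/live/ebcert/privkey.pem [min_days]
# Sourcing the file with no arguments only defines the functions.
if [ "$#" -ge 2 ]; then
    check_cert "$@"
fi
```

Run it with the ebcert paths after a failed deploy; if cert_key_match fails, the DOMAIN_HERE in ssl.conf and the --domains value in 20_getcert have drifted apart, and if cert_valid_for_days fails, the cert is inside the renewal window and a fresh deploy (or a manual certbot-auto renew) is due.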