Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
AWS EB elastic beanstalk single instance nodejs nginx SSL/HTTPS ebextensions config file
# REQUIREMENTS
# set the following configuration environment variables at: configuration -> software -> modify -> environment variables
# CERT_EMAIL: the email address used for registering the cert
# CERT_DOMAIN: the domain to create a cert for
# EB environment URL (listed at the top of the environment page) or a custom domain, custom domains must have a DNS CNAME record pointing to the EB environment URL
# !! MUST NOT have "http://" prefix or the trailing "/" at the end !!
# EXAMPLES
# CERT_EMAIL: mymail@gmail.com
# CERT_DOMAIN: certbot-sample.us-east-1.elasticbeanstalk.com
# AWS resources to be provisioned for the EB environment
Resources:
# define a SG inbound rule that allows HTTPS traffic to the EB instance
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
# added to the EB environment SG
GroupId: { "Fn::GetAtt": ["AWSEBSecurityGroup", "GroupId"] }
IpProtocol: tcp
# to (instance) and from (internet) TCP port 443
ToPort: 443
FromPort: 443
# any IP address source (public internet)
CidrIp: 0.0.0.0/0
# add EPEL release package repo to yum for installing certbot dependencies
packages:
yum:
epel-release: [] # latest version
files:
# create a custom nginx proxy config that will be targetd by certbot
# after certificate is issued certbot will populate this file with SSL terminating attributes
/etc/nginx/conf.d/http-https-proxy.conf:
mode: "000644"
owner: root
group: root
content: |
# defines the nodejs server namespace listening on 8081
upstream nodejs {
# default port 8081, change if directly set in app code
server 127.0.0.1:8081;
keepalive 256;
}
server {
# capture all traffic on port 80 (http, unsecure)
# after cert success certbot will create a server block that redirects all traffic
# from port 80 (and 8080, default nginx) to port 443 (https, secure)
listen 80;
listen 8080; # default nginx service port
# define the server name so certbot can configure SSL after cert success
# this is either the EB environment URL or a custom domain
# custom domains must have a DNS CNAME record pointing to the EB environment URL
server_name `{"Fn::GetOptionSetting": {"Namespace": "aws:elasticbeanstalk:application:environment", "OptionName": "CERT_DOMAIN"}}`;
if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
set $year $1;
set $month $2;
set $day $3;
set $hour $4;
}
access_log /var/log/nginx/access.log main;
access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
# location block to route access for ACME challenge
# certbot uses the endpoint /.well-known/acme-challenge/<CODE_FILE_NAME> during verification
location ~ /.well-known {
allow all;
# direct requests to the webroot where certbot creates the ACME challenge code
# this is the default webroot for AWS Linux AMI nginx
# any webroot can be used but must match the webroot param (-w) in the certbot command
root /usr/share/nginx/html;
}
location / {
# proxy requests + headers to the nodejs app server (namespaced from upstream above)
proxy_pass http://nodejs;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# enable gzip compression for faster data transmission to clients of the nodejs app
gzip on;
gzip_comp_level 4;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
}
# script commands to setup and run the certbot process
container_commands:
# these are run in alphabetical order hence the numbering prefix
00_install_certbot:
command: |
mkdir -p /opt/certbot
wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto
chmod 700 /opt/certbot/certbot-auto
# make the default EB proxy conf a backup to prevent conflict with new conf
10_decomission_default_proxy_conf:
command: mv /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf.bak
# reload to use new conf
20_reload_nginx_conf:
command: sudo initctl reload nginx
# run certbot process
# creates an ACME challenge in the webroot directory
# verifies the challenge with an http (80) request
# installs the certificate in /etc/letsencrypt/live/<DOMAIN_NAME>
# updates /etc/nginx/conf.d/http-https-proxy.conf to listen on 443, use the cert, and redirect all unsecure traffic (80, http) to 443 (https)
30_run_certbot:
# --debug: required by AWS Linux AMI to install certbot deps
# --redirect: creates nginx port :80 -> :443 redirect rule on success
# --agree-tos: agrees to TOS without prompting
# -n: run without user interaction
# -d: set domain for certificate
# -m: set email for ACME account registration
# -i: select nginx as the installer plugin to update the conf file on success
# -a: select webroot as the authenticator plugin to use the ACME challenge
# -w: set the webroot path for serving the ACME challenge
command: /opt/certbot/certbot-auto run --debug --redirect --agree-tos -n -d ${CERT_DOMAIN} -m ${CERT_EMAIL} -i nginx -a webroot -w /usr/share/nginx/html --staging
# !! --staging: REMOVE FOR PRODUCTION, use the staging server for the certificate !!
# reload nginx to apply new conf
40_restart_nginx:
# depending on your AMI this may fail
# if it does replace with: service nginx restart or reload
command: sudo initctl reload nginx
# setup cron job to auto renew certificates
# 40_setup_cron_job:
# command:
@the-vampiire

This comment has been minimized.

Copy link
Owner Author

@the-vampiire the-vampiire commented Sep 2, 2019

file is titled 00-https-single-instance.yaml for syntax highlighting on gist.

must be:

.ebextensions/
  00-https-single-instance.config <--- .config NOT .yaml
@theIYD

This comment has been minimized.

Copy link

@theIYD theIYD commented Apr 6, 2020

I am getting the below error.

2020-04-06 05:35:38,005:DEBUG:certbot._internal.main:certbot version: 1.3.0
2020-04-06 05:35:38,005:DEBUG:certbot._internal.main:Arguments: ['--debug', '--redirect', '--agree-tos', '-n', '-d', 'CovidHelp-env.eba-jfwi2pgp.ap-south-1.elasticbeanstalk.com', '-m', 'idrees.d@somaiya.edu', '-i', 'nginx', '-a', 'webroot', '-w', '/usr/share/nginx/html', '--staging']
2020-04-06 05:35:38,005:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-04-06 05:35:38,021:DEBUG:certbot._internal.log:Root logging level set at 20
2020-04-06 05:35:38,022:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-04-06 05:35:38,022:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer nginx
2020-04-06 05:35:38,029:ERROR:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1083, in run
    installer, authenticator = plug_sel.choose_configurator_plugins(config, plugins, "run")
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 224, in choose_configurator_plugins
    installer = pick_installer(config, req_inst, plugins, installer_question)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 31, in pick_installer
    config, default, plugins, question, (interfaces.IInstaller,))
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 104, in pick_plugin
    verified.prepare()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 253, in prepare
    return [plugin_ep.prepare() for plugin_ep in six.itervalues(self._plugins)]
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 134, in prepare
    self._initialized.prepare()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/_internal/configurator.py", line 181, in prepare
    if not util.exe_exists(self.conf('ctl')):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/util.py", line 106, in exe_exists
    for path in os.environ["PATH"].split(os.pathsep):
  File "/opt/eff.org/certbot/venv/lib64/python2.7/UserDict.py", line 40, in __getitem__
    raise KeyError(key)
KeyError: 'PATH'
@the-vampiire

This comment has been minimized.

Copy link
Owner Author

@the-vampiire the-vampiire commented Apr 6, 2020

I am getting the below error.

2020-04-06 05:35:38,005:DEBUG:certbot._internal.main:certbot version: 1.3.0
2020-04-06 05:35:38,005:DEBUG:certbot._internal.main:Arguments: ['--debug', '--redirect', '--agree-tos', '-n', '-d', 'CovidHelp-env.eba-jfwi2pgp.ap-south-1.elasticbeanstalk.com', '-m', 'idrees.d@somaiya.edu', '-i', 'nginx', '-a', 'webroot', '-w', '/usr/share/nginx/html', '--staging']
2020-04-06 05:35:38,005:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-04-06 05:35:38,021:DEBUG:certbot._internal.log:Root logging level set at 20
2020-04-06 05:35:38,022:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-04-06 05:35:38,022:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer nginx
2020-04-06 05:35:38,029:ERROR:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1083, in run
    installer, authenticator = plug_sel.choose_configurator_plugins(config, plugins, "run")
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 224, in choose_configurator_plugins
    installer = pick_installer(config, req_inst, plugins, installer_question)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 31, in pick_installer
    config, default, plugins, question, (interfaces.IInstaller,))
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 104, in pick_plugin
    verified.prepare()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 253, in prepare
    return [plugin_ep.prepare() for plugin_ep in six.itervalues(self._plugins)]
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 134, in prepare
    self._initialized.prepare()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/_internal/configurator.py", line 181, in prepare
    if not util.exe_exists(self.conf('ctl')):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/util.py", line 106, in exe_exists
    for path in os.environ["PATH"].split(os.pathsep):
  File "/opt/eff.org/certbot/venv/lib64/python2.7/UserDict.py", line 40, in __getitem__
    raise KeyError(key)
KeyError: 'PATH'

hmm sorry man this was months ago. i remember seeing this issue but cant remember how i fixed it. i know i ended up going into that file and looking through the certbot source to see what the problem was. somehow the PATH key isnt being set.

if you fix it please post back so others can benefit

@raphamotta

This comment has been minimized.

Copy link

@raphamotta raphamotta commented Apr 22, 2020

Did you find the issue? I wold like to config that way as well

@obonyojimmy

This comment has been minimized.

Copy link

@obonyojimmy obonyojimmy commented May 14, 2020

I am getting the below error.

2020-04-06 05:35:38,005:DEBUG:certbot._internal.main:certbot version: 1.3.0
2020-04-06 05:35:38,005:DEBUG:certbot._internal.main:Arguments: ['--debug', '--redirect', '--agree-tos', '-n', '-d', 'CovidHelp-env.eba-jfwi2pgp.ap-south-1.elasticbeanstalk.com', '-m', 'idrees.d@somaiya.edu', '-i', 'nginx', '-a', 'webroot', '-w', '/usr/share/nginx/html', '--staging']
2020-04-06 05:35:38,005:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-04-06 05:35:38,021:DEBUG:certbot._internal.log:Root logging level set at 20
2020-04-06 05:35:38,022:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-04-06 05:35:38,022:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer nginx
2020-04-06 05:35:38,029:ERROR:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1083, in run
    installer, authenticator = plug_sel.choose_configurator_plugins(config, plugins, "run")
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 224, in choose_configurator_plugins
    installer = pick_installer(config, req_inst, plugins, installer_question)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 31, in pick_installer
    config, default, plugins, question, (interfaces.IInstaller,))
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 104, in pick_plugin
    verified.prepare()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 253, in prepare
    return [plugin_ep.prepare() for plugin_ep in six.itervalues(self._plugins)]
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 134, in prepare
    self._initialized.prepare()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/_internal/configurator.py", line 181, in prepare
    if not util.exe_exists(self.conf('ctl')):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/util.py", line 106, in exe_exists
    for path in os.environ["PATH"].split(os.pathsep):
  File "/opt/eff.org/certbot/venv/lib64/python2.7/UserDict.py", line 40, in __getitem__
    raise KeyError(key)
KeyError: 'PATH'

Remove the --redirect arg

@panagath

This comment has been minimized.

Copy link

@panagath panagath commented Jun 10, 2020

I'm using a similar script. Although the ingress rule is set up for my app, any https call is dropped immediately. I can only see http calls in the nginx logs. https don't reach nginx. Any ideas?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment