```yaml
# Don't forget to set the environment variable "certdomain", and either fill in
# your email below or use an environment variable for that too.
# Also note that this config uses the Let's Encrypt staging server; remove the
# --staging flag when ready! Staging certificates are not trusted by browsers.
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

files:
  # Forces HTTPS: on this platform nginx serves plain HTTP on port 8080 (port 80
  # is forwarded to it), and "000_" sorts before the platform's own
  # "00_elastic_beanstalk_proxy.conf", so this server block becomes the default
  # for that port. Meant as an example only.
  /etc/nginx/conf.d/000_http_redirect_custom.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen 8080;
        return 301 https://$host$request_uri;
      }

  # The HTTPS server. Written with a .pre suffix so nginx ignores it until the
  # certificate exists; 40_config below renames it to .conf. Example only.
  /etc/nginx/conf.d/https_custom.pre:
    mode: "000644"
    owner: root
    group: root
    content: |
      # HTTPS server
      server {
        listen 443 ssl default_server;
        server_name localhost;
        # 497 is nginx's "plain HTTP request sent to the HTTPS port": redirect it.
        error_page 497 https://$host$request_uri;
        ssl_certificate /etc/letsencrypt/live/ebcert/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/ebcert/privkey.pem;
        ssl_session_timeout 5m;
        # TLS 1.0/1.1 are deprecated (RFC 8996); the original also listed TLSv1.1.
        ssl_protocols TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_prefer_server_ciphers on;
        # Belt and braces next to error_page 497: $ssl_protocol is empty only for
        # a non-TLS request.
        if ($ssl_protocol = "") {
          rewrite ^ https://$host$request_uri? permanent;
        }
        location ~ ^/(lib/|img/) {
          root /var/app/current/public;
          access_log off;
        }
        location / {
          proxy_pass http://nodejs;
          proxy_http_version 1.1;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          # WebSocket upgrade. The Connection header is set once here; the
          # original also set it to "" a few lines earlier, which nginx simply
          # drops, so that line was dead and confusing.
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
        }
      }

packages:
  yum:
    epel-release: []

container_commands:
  10_installcertbot:
    # This fetches and executes a script without verifying it; certbot-auto has
    # since been deprecated (see the later comments), so on current platforms
    # install certbot from the distribution packages instead.
    command: "wget https://dl.eff.org/certbot-auto; chmod a+x certbot-auto"
  20_getcert:
    # --standalone binds port 80 itself, hence the pre-hook stopping nginx.
    # --debug lets certbot-auto run on Amazon Linux, which it did not officially support.
    # container_commands already run as root; the sudo is harmless but unnecessary.
    command: "sudo ./certbot-auto certonly --debug --non-interactive --email XXX@XXX.com --agree-tos --standalone --domains ${certdomain} --keep-until-expiring --pre-hook \"service nginx stop\" --staging"
  30_link:
    # -n: on a redeploy, replace the existing ebcert link instead of creating a
    # new link *inside* the directory it points to (what plain "ln -sf" does).
    command: "ln -sfn /etc/letsencrypt/live/${certdomain} /etc/letsencrypt/live/ebcert"
  40_config:
    command: "mv /etc/nginx/conf.d/https_custom.pre /etc/nginx/conf.d/https_custom.conf"
```
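An added pre-flight check, example code that is not part of the gist, meant to run as a container_command between 30_link and 40_config. It makes a deployment fail with a readable message when the ebcert link does not resolve, the private key is readable by others, the certificate came from the staging CA (the gist still passes --staging) or the nginx config enables deprecated TLS versions, instead of those problems surfacing later as nginx's "No such file or directory: fullchain.pem" or as browser trust errors. Default paths are the gist's and can be overridden through LIVE_LINK and HTTPS_CONF; the script assumes GNU or BSD stat and uses openssl only if it is present.

```shell
#!/bin/sh
# ssl_preflight.sh - checks to run as a container_command between 30_link and
# 40_config (added example; default paths are the gist's, override via env).
set -u

LIVE_LINK="${LIVE_LINK:-/etc/letsencrypt/live/ebcert}"
HTTPS_CONF="${HTTPS_CONF:-/etc/nginx/conf.d/https_custom.pre}"

# preflight LIVE_LINK HTTPS_CONF: prints every problem found, returns 1 if any.
preflight() {
    live="$1"; conf="$2"; problems=0

    # 1. The ebcert link must resolve to a directory holding both PEM files.
    #    "ln -sf" onto an existing link-to-directory creates the new link
    #    *inside* that directory, so a redeploy can leave ebcert stale;
    #    "ln -sfn" replaces the link instead.
    if [ ! -d "$live" ]; then
        echo "FAIL: $live is not a directory (dangling symlink?)"
        problems=$((problems + 1))
    else
        for f in fullchain.pem privkey.pem; do
            [ -r "$live/$f" ] || { echo "FAIL: $live/$f missing or unreadable"; problems=$((problems + 1)); }
        done
    fi

    # 2. The private key must not be group- or world-readable (certbot creates
    #    it 0600; a chmod -R in a deploy script is a common way to lose that).
    if [ -f "$live/privkey.pem" ]; then
        mode=$(stat -L -c '%a' "$live/privkey.pem" 2>/dev/null || stat -L -f '%Lp' "$live/privkey.pem")
        case "$mode" in
            ?00) ;;
            *) echo "FAIL: privkey.pem mode is $mode, expected 600"; problems=$((problems + 1)) ;;
        esac
    fi

    # 3. A certificate from the staging CA is not trusted by browsers.
    #    Checked only when openssl is available on the instance.
    if command -v openssl >/dev/null 2>&1 && [ -r "$live/fullchain.pem" ]; then
        if openssl x509 -noout -issuer -in "$live/fullchain.pem" 2>/dev/null | grep -qiE 'staging|fake le'; then
            echo "FAIL: certificate was issued by the Let's Encrypt staging CA"
            problems=$((problems + 1))
        fi
    fi

    # 4. TLS 1.0 and 1.1 are deprecated (RFC 8996); refuse a config enabling them.
    if [ -r "$conf" ]; then
        if grep -E '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)' "$conf" >/dev/null; then
            echo "FAIL: $conf enables TLSv1.0/1.1 in ssl_protocols"
            problems=$((problems + 1))
        fi
    else
        echo "FAIL: $conf not found"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Run the checks when executed as a script; sourcing only defines preflight.
case "$0" in *ssl_preflight.sh) preflight "$LIVE_LINK" "$HTTPS_CONF" ;; esac
```

Wire it in as `35_preflight: command: "sh /path/to/ssl_preflight.sh"` (shipped through the files: section like the nginx snippets); a non-zero exit aborts the deployment before the .pre file is renamed, so nginx keeps serving the previous configuration.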

More or less correct. See my reply to your comment on the original blog post. Also I found that using --standalone now works on AWS and is more reliable. See the latest version of the gist.

Very nice gist! Thanks a lot!

Did you have any success running this configuration during the Elastic Beanstalk creation? It seems that neither nginx nor puma (in my case) is running when certbot tries to validate the domain and get the certificate. I tried to create a shell script in the /opt/elasticbeanstalk/hooks/appdeploy/post directory to perform all these configurations after the EBS setup, but it didn't work either. Certbot can't get a response from the server (I tried forcing validation on ports 80 and 443). Nonetheless, if you are performing a simple deploy (not an eb creation), both methods work. Any ideas?

@williamdias, I usually launch instances with the sample app and then upload my code, so it may not work on creation. It sounds like a timing issue. Let me know what you find out? Also, I don't get notified of comments here, so you might want to comment on the original blog post. Thanks!

Your script doesn't work anymore because the nginx service is now always forced to run on all new AWS EBS instances.
And I added a new command:
according to this Stack Overflow fix

Hi @tony-gutierrez, I really want to thank you for this code! It seems to be working for the certificate (I'm still on the LetsEncrypt staging server). However I keep getting this error (from /var/log/nginx/error.log) with a 502 Bad Gateway nginx/1.10.1:
I'm running a NodeJS server. I've been looking for a solution for hours and I can't figure out what's causing it... Have you - or anybody else - an idea of what the problem could be? EDIT: Solved the issue, it seems the proxy headers are case sensitive, such as this line:
should become:
See: https://github.com/websocket-rails/websocket-rails/issues/55

Thanks for this, absolute lifesaver! Do you have any tips on how I could automate renewal of the certificate?

This is a great gist, thanks for sharing it. I'm exploring using certbot via the nginx plugin (certbot-auto --nginx) in a post-deploy hook. Have you tried that at all?

FYI I did it via certbot-auto --nginx and was able to get it to work, with a relatively simpler configuration. Hoping to make a script that can update SSL certificates for new domains without a new deploy (for whitelabel client setup) by running certbot-auto --nginx.

@adailey14 let us know how you go :)

Just out of curiosity, have you guys tried using AWS Certificate Manager? They provide certs to you for free: https://aws.amazon.com/certificate-manager/pricing/

You are great, thank you!

Does this handle the cert expiration? I know they are only valid for 90 days. My environment will probably be reloaded in that time, but just in case.

@adailey14 can you share your simplified version?

Hello, I used this gist to make mine, in which I use Apache. Anyone interested, follow the link: link gist.

There are some problems with Certbot in standalone mode on nginx, I think. So I created another script based on yours for webroot mode and it works well. https://github.com/SammyHam/LetsEncrypt-SSL-config-for-Elastic-Beanstalk Thank you very much for sharing.

Hey

I own a domain xxx.com; what should I use for the CERTDOMAIN? I have tried all of them and I keep getting the following errors: Domain: app-production.us-east-1.elasticbeanstalk.com To fix these errors, please make sure that your domain name was

@jiawenzhang, you would need to use a domain name which is reachable from the internet on port 80. It's a simple LetsEncrypt verification step.

@jiawenzhang - make sure your

@adailey14 Would you mind sharing your solution?

I have the same problem, did you resolve it?

Now I resolved the problem with CNAME, but I have a problem with the port / configuration. Where can I correct it?

My two cents:

I followed the steps as described above, and the advice of @tbezemer. Finally I discovered the solution to my problem - I had to modify the line

This is what I ended up with:

Any example? Do I need to create a .ebextensions folder and then a .config file inside it?

For a while my config was pretty much the same as @krissrex's example, but I had some issues:
I modified my config to this one and it fits the needs I described above:
I had to move all It also enables the HTTP2 protocol. To make it work you have to set an environment variable in the Elastic Beanstalk config called Example of valid values for the CERT_DOMAINS env:
@jakupi1 You can create a file with a name of your choice inside your app source code, inside the path

@williamweckl I'm getting strange errors, I'm using the Amazon AWS Linux AMI

@jakupi1 I'm using AWS Linux too. What errors are you getting? It was a lot of pain to make it work the first time for me too.

@williamweckl I'm getting the following error when attempting to use your file - any insight?

@mjgall nginx is not finding the certificate at this location

SSH in and find it. You can also edit the nginx config and restart until they are correct. Then copy the changes to your files.

Hi, I'm able to install certbot, stop nginx, get a certificate in standalone mode, but when I try to restart nginx I get the following error: [emerg] host not found in upstream "nodejs" in /etc/nginx/conf.d/https_custom.conf:21 Any suggestions?

@mjgall Have you found the cause of this error message? I get the same error and found out that no certificate is generated. The HTTP challenges are failing although I specified the desired domains in Route 53 and configured them for the ELB instance. I also opened the HTTP port in case it is needed for the HTTP challenge, but unfortunately without any effect. The certification process still fails with "Connection refused". Any suggestions?

I added two more security rules to the beginning of @williamweckl's script and rebuilt the environment. That did the job for my problem. Thank you guys!

Here is my solution, which combines the ones from @tony-gutierrez, @krissrex, and @williamweckl: https://github.com/Archinowsk/konsti-server/tree/master/.ebextensions. Thanks!
// Edit: Some updates. Turns out the cert challenge check was not working properly. Hopefully fixed now.

@Archinowsk This is awesome work. Thanks so much for taking the time to share this. One question I have: why is 03_nginx.config after the certificate generation? Wouldn't this need to be run and configured prior to the certbot verification process?

Good question :D. My thought was that the nginx config refers to the certificate files -> create those first. Not completely sure if the order matters at that point.

From the EB Docs: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers-ec2.html#linux-container-commands
So it looks like the order of the files does not matter; it is the type of operation the file describes that determines when it will execute in the EB deployment lifecycle. In short, your code should work fine. I am however still struggling to get this to work. Off to do more tinkering...

Did you ever manage to get @Archinowsk's configs to work? Still getting the following error: No such file or directory:fopen('/etc/letsencrypt/live/ebcert/fullchain.pem','r')

I did end up getting it to work. It is worth noting I do have this config split into separate files, just adding them all at once here for simplicity. If you try and use this all in one file you may have issues since there are multiple

Hey, this is still not working for me. When I run this, the connection is refused on both HTTP and HTTPS. I've added these connections to the security group of the AWS Beanstalk.

For some reason my Full example: https://github.com/Archinowsk/konsti-server/tree/9de485e25ac2cf757d3e4b0b73ef662bda766847/.ebextensions

@Archinowsk Thanks so much! Worked like a charm!

Any solution to this? Facing the same problem.

Here is something I have working for a Python Flask Apache Beanstalk application: https://github.com/russau/renew-certs-flask The project from @Archinowsk was a big help getting this done.

Here is mine:

I've updated my project to work with the new Amazon Linux 2 Python 3.7 platform: https://github.com/russau/renew-certs-flask-nginx There are new "platform hook" features to make this a bit easier: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/platforms-linux-extend.html
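The webroot approach preferred in the SammyHam comment above, the renewal questions raised earlier in the thread, and the Amazon Linux 2 platform hooks mentioned in the previous comment, combined into one added example: a postdeploy hook that is not part of the gist or of any commenter's repository. It assumes the AL2 nginx layout (files in /etc/nginx/conf.d/elasticbeanstalk/ are included inside the default port-80 server, and .platform/nginx/conf.d/ is copied to /etc/nginx/conf.d/), an https_custom.pre shipped that way, a certbot already installed, and CERT_DOMAINS, CERT_EMAIL and CERT_STAGING set as environment properties. CERTBOT and NGINX are overridable so the functions can be exercised without either tool; every function name is mine.

```shell
#!/bin/bash
# .platform/hooks/postdeploy/10_letsencrypt.sh  (Amazon Linux 2 platforms)
#
# Added example, not the gist's own code. Runs after every deploy and is
# idempotent: serves HTTP-01 challenges from a webroot (nginx stays up),
# issues a certificate only when the lineage does not exist yet, installs a
# renewal cron job, and enables the HTTPS server block only if "nginx -t"
# accepts it.
set -eu

CERT_DOMAINS="${CERT_DOMAINS:-}"          # e.g. "app.example.com,www.example.com"
CERT_EMAIL="${CERT_EMAIL:-}"
CERT_STAGING="${CERT_STAGING:-1}"         # keep 1 until the flow works, then set 0
WEBROOT="${WEBROOT:-/var/www/letsencrypt}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
NGINX_CONF_DIR="${NGINX_CONF_DIR:-/etc/nginx/conf.d}"
CRON_FILE="${CRON_FILE:-/etc/cron.d/certbot-renew}"
CERTBOT="${CERTBOT:-certbot}"             # overridable so functions can be tested without certbot
NGINX="${NGINX:-nginx}"

# Server-context snippet. "^~" makes it win over "location /", so the
# challenge is still served when "location /" redirects to HTTPS.
acme_location_conf() {
    cat <<EOF
location ^~ /.well-known/acme-challenge/ {
    root $1;
    default_type "text/plain";
}
EOF
}

# Argument list for "certbot certonly": one -d per domain, --staging only
# when requested, --keep-until-expiring so re-runs do not re-issue.
certbot_args() {
    domains="$1" email="$2" staging="$3" webroot="$4"
    args="certonly --non-interactive --agree-tos --keep-until-expiring"
    args="$args --email $email --webroot -w $webroot"
    for d in $(printf '%s' "$domains" | tr ',' ' '); do
        args="$args -d $d"
    done
    if [ "$staging" = "1" ]; then
        args="$args --staging"
    fi
    printf '%s\n' "$args"
}

# Prints "exists" when the lineage (named after the first domain) is already
# present - renewal is cron's job, not the deploy's - otherwise runs certbot
# and prints "issued".
ensure_certificate() {
    lineage="${CERT_DOMAINS%%,*}"
    if [ -s "$LIVE_DIR/$lineage/fullchain.pem" ]; then
        echo exists
        return 0
    fi
    mkdir -p "$WEBROOT/.well-known/acme-challenge"
    # word splitting of the argument list is intended
    "$CERTBOT" $(certbot_args "$CERT_DOMAINS" "$CERT_EMAIL" "$CERT_STAGING" "$WEBROOT")
    echo issued
}

# /etc/cron.d entry; --deploy-hook reloads nginx only when a cert changed.
renew_cron_line() {
    printf '%s\n' "17 3 * * * root $CERTBOT renew --quiet --deploy-hook \"$NGINX -s reload\""
}

# Copies the prepared HTTPS server block into place, validates the whole
# nginx configuration, and rolls back rather than leaving nginx unable to
# start (the "No such file or directory: fullchain.pem" failure mode).
activate_https_conf() {
    pre="$1" conf="$2"
    cp "$pre" "$conf"
    if "$NGINX" -t; then
        "$NGINX" -s reload
    else
        echo "nginx rejected $conf, rolling back" >&2
        rm -f "$conf"
        return 1
    fi
}

main() {
    [ -n "$CERT_DOMAINS" ] && [ -n "$CERT_EMAIL" ] || { echo "set CERT_DOMAINS and CERT_EMAIL" >&2; exit 2; }
    mkdir -p "$NGINX_CONF_DIR/elasticbeanstalk"
    acme_location_conf "$WEBROOT" > "$NGINX_CONF_DIR/elasticbeanstalk/00_acme_challenge.conf"
    "$NGINX" -t                       # the challenge location must be live before certbot runs
    "$NGINX" -s reload
    ensure_certificate
    renew_cron_line > "$CRON_FILE"
    chmod 644 "$CRON_FILE"
    activate_https_conf "$NGINX_CONF_DIR/https_custom.pre" "$NGINX_CONF_DIR/https_custom.conf"
}

case "$0" in *10_letsencrypt.sh) main ;; esac
```

Because Elastic Beanstalk regenerates /etc/nginx on every deployment, the hook re-enables the HTTPS block each time, which is the "works after a rebuild but breaks after the next deploy" symptom several commenters describe; the certificate itself survives in /etc/letsencrypt. Keep the HTTP-to-HTTPS redirect as a `location / { return 301 ... }` rather than a server-level `return`, otherwise the challenge location is never consulted and the HTTP-01 validation fails.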

Following the script of @cavasinf, I get the following error in
Multiple "no such file or directory" errors follow, which I suppose are a result of the above error, which is the first. I am not sure if there is a problem with the file itself or this is unique to me.

@corei8 In my case I want HTTP to redirect to HTTPS. Can you go into the EC2 instance of your EB environment and check the Security Group -> Inbound rules?

My solution @ https://github.com/HausCloud/AWS-ElasticBeanstalk-SSL

Have you found a solution to this? Currently facing the same error.

Hello all. I have been trying to set this up. Although it seems that certbot downloads a certificate just fine, that the custom files are put inside the nginx conf.d directory and that nginx restarts properly... I still can't seem to be able to reach the API using HTTPS... Actually now even HTTP is broken. Any ideas?
Here is my current config:
EDIT: I was polling the nginx config directory. The script seems to be working fine and puts the files in the nginx directory. But after this finishes, just before the app starts, something totally resets nginx: the directory is deleted and put back in place. So those files get deleted and the config is not there anymore. Any ideas?

The solution from @HausCloud works perfectly. Although I got a permission denied error, I managed to fix it by following this issue.

Hey @DavidSanek, I'm quite new to EB and the associated stuff. Would you be kind enough to post the final version of the setup you have in .ebextensions (incorporating @HausCloud's certbot stuff)? Regards

Hey @mstarcevic, I've created a gist with both files that I needed to set up certbot.

@DavidSanek Thank you very much. Appreciated.

@panagath Were you able to figure it out?

Hey @HausCloud, I used the solution in your gist and it deployed successfully with no errors. But HTTPS doesn't seem to work. The HTTP version works fine though. Is there a step after deployment that I'm missing?

@sinmarcus3 I got it working just last week. Let me go back over my notes later today and I'll let you know exactly what I did.

@sinmarcus3 Details as promised:
single_instance.config https.config

Thanks @mstarcevic. It seemed to deploy fine with no errors or issues. The logs even suggest the certificate was successfully enabled:

@sinmarcus3 I can't remember anything else that I may have had to do, either in eb or on the AWS console side of things. My domain names are registered through Route 53 and I know I did a bit of stuffing around with Alias records and such. But I'm pretty sure that I also got it going with the environment URL directly. How are you checking? Postman? Did you include the EB environment URL in the CERTBOT domain names variable? And what format did you use, assuming you did...

I think that I included IP addresses somewhere along the line, but no longer. However, you did remind me of one other thing... In the inbound rules of the corresponding EC2 instance, I have a provision for port 443. I think that I had to put that in... in any case, it's there...

@sinmarcus3 Can you curl localhost:80 and localhost:443? Check your config. You may have a load balancer attached.

@HausCloud It failed with connection refused on port 443. I have checked the config and there's no load balancer attached.

@sinmarcus3 I am having the exact same issue as you. I can see that the SSL certificate was successfully enabled, but I am also getting connection refused on port 443.

@HausCloud I just stepped through it with a fresh sample app. The problem occurs when I input multiple domains in 00_ssl_setup_certbot.sh, i.e., CERTBOT_DOMAINS = "somedomain.ap-southeast-2.elasticbeanstalk.com,somedomain.co.nz,www.somedomain.co.nz". The code says the certificate is successfully installed and the HTTP site will work, but the HTTPS version of the site returns a connection refused error.

@sinmarcus3 I'm inputting 2 domains and it still works.

@sinmarcus3 Want to set up a Zoom call? Let's see if we can debug it.

When I SSH into my EC2 console and run

@HausCloud I managed to get it to work by rebuilding the environment. I didn't make any other changes.

@HausCloud I tried setting up HTTPS using your code. But I found that nothing happens at all, not even the logging. I have set up the domain for the single instance in the said variable, but still it didn't work. I even tried it with a fresh environment setup. But no luck.

@sinmarcus3, @HausCloud and @jhaist I am having a similar issue: when I deploy my application HTTPS doesn't work while HTTP does. However, if I rebuild the environment then HTTPS and the HTTPS redirect start working, until I deploy again, which requires another rebuild.

Same issue as @gavleavitt: when I use the solution from @HausCloud, HTTPS stops working after the CodePipeline deploy phase; rebuilding the environment helps. Tried some things like removing the hook script after the first run, but no luck. (I have a single domain.)

@EffyCoder @gavleavitt Can you post your EB setup so I can try to reproduce the issue?

@HausCloud @optimistiks @gavleavitt @sinmarcus3 Had a similar issue, but I sorted it out - found that the postdeploy script was filling

I've modified the postdeploy script as follows (also commented out the 'Prevent certificate installation if not clean sample app' part).

I almost cried when I saw the lock icon, as I spent 2 days running Linux commands. Just wanted to thank you for all the solutions in this thread.

Your comment saved me. I was struggling for a month, trying out various configurations, but had no luck.

I tried using the
I also had issues installing EPEL with the yum package manager on Amazon Linux 2. So I tweaked the setup to use rpm to install EPEL. Here is the content of my
Below is the content of
Below is the content of
Hopefully this helps.

I am getting the following error: It looks like certbot-auto was deprecated: Here is a discussion: Any other ideas about how to get it to work? Thank you.

@morsanu Happy to help.

You can install the original certbot, instead of
then replace

Thank you so much @vahiwe, it worked flawlessly.

@andylolu2 you're welcome. You can reference an article I wrote on it here.

@vahiwe I took the OP's post and combined it with your solution (above), changed a few params to work with Apache and got this:
And it executes (all commands run) but HTTPS is still not working (HTTP works fine, but HTTPS immediately returns 'Unable to connect'). Any ideas? I've been stuck for 2 days now.

@zedy I haven't used Apache in any of my projects so I might not really know what works and what doesn't. But we can try connecting and solving it together.

@vahiwe Thanks for the response. I figured it out. The Created
P.S. don't forget to restart

Maybe this will help someone: I updated my single web instance PHP platform version and all my HTTPS stuff broke because of certbot-auto being deprecated. I'm just using the httpd config files that Beanstalk uses by default. I spent a while trying to get 'certbot' installed via all the different solutions above and elsewhere but kept running into errors/issues. I was finally able to get it all working using this .ebextensions config: https://gist.github.com/caseypage/3f59f29f1fb4d6590c9193340a38ea03

Thank you! I also ran into issues because of certbot-auto being deprecated and tried different solutions. I was about to give up on this approach until I saw this comment.

Hey Tony, this is amazing, exactly what I was looking for.
So all I have to do is:
Correct?