Gist: tony-gutierrez/198988c34e020af0192bab543d35a62a
```yaml
# Don't forget to set the env variable "certdomain", and either fill in your email below or use an env variable for that too.
# Also note that this config is using the LetsEncrypt staging server, remove the flag when ready!
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

files:
  # The Nginx config forces https, and is meant as an example only.
  /etc/nginx/conf.d/000_http_redirect_custom.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen 8080;
        return 301 https://$host$request_uri;
      }

  # The Nginx config forces https, and is meant as an example only.
  /etc/nginx/conf.d/https_custom.pre:
    mode: "000644"
    owner: root
    group: root
    content: |
      # HTTPS server
      server {
        listen 443 default ssl;
        server_name localhost;
        error_page 497 https://$host$request_uri;

        ssl_certificate /etc/letsencrypt/live/ebcert/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/ebcert/privkey.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_prefer_server_ciphers on;

        if ($ssl_protocol = "") {
          rewrite ^ https://$host$request_uri? permanent;
        }

        location ~ ^/(lib/|img/) {
          root /var/app/current/public;
          access_log off;
        }

        location / {
          proxy_pass http://nodejs;
          proxy_set_header Connection "";
          proxy_http_version 1.1;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
        }
      }

packages:
  yum:
    epel-release: []

container_commands:
  10_installcertbot:
    command: "wget https://dl.eff.org/certbot-auto;chmod a+x certbot-auto"
  20_getcert:
    command: "sudo ./certbot-auto certonly --debug --non-interactive --email XXX@XXX.com --agree-tos --standalone --domains ${certdomain} --keep-until-expiring --pre-hook \"service nginx stop\" --staging"
  30_link:
    command: "ln -sf /etc/letsencrypt/live/${certdomain} /etc/letsencrypt/live/ebcert"
  40_config:
    command: "mv /etc/nginx/conf.d/https_custom.pre /etc/nginx/conf.d/https_custom.conf"
```
I am getting the following error:

> Your system is not supported by certbot-auto anymore.
> Certbot cannot be installed.

It looks like certbot-auto was deprecated: certbot/certbot@cac9d8f

Here is a discussion: https://community.letsencrypt.org/t/your-system-is-not-supported-by-certbot-auto-anymore/135504/21
Any other ideas about how to get it to work?
Thank you.
I almost cried when I saw the lock icon as I spent 2 days running Linux commands. Just wanted to thank you for all the solutions in this thread.
@morsanu Happy to help.
You can install the original certbot instead of certbot-auto:

```shell
wget -O epel.rpm -nv https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum install -y ./epel.rpm
sudo yum install -y python2-certbot-apache.noarch
```

then replace the `./certbot-auto` command with `certbot`.
Thank you so much @vahiwe, it worked flawlessly.
@andylolu2 you're welcome. You can reference an article I wrote on it here.
@vahiwe I took the OP's post, combined it with your solution (above), changed a few params to work with Apache and got this:

```yaml
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

files:
  /etc/httpd/conf.d/ssl.pre:
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Directory /opt/python/current/app/build/static>
          Order deny,allow
          Allow from all
        </Directory>

        SSLEngine on
        SSLCertificateFile "/etc/letsencrypt/live/${MY_DOMAIN}/fullchain.pem"
        SSLCertificateKeyFile "/etc/letsencrypt/live/${MY_DOMAIN}/privkey.pem"
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder On
        SSLSessionTickets Off

        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

        ProxyPass / http://localhost:80/ retry=0
        ProxyPassReverse / http://localhost:80/
        ProxyPreserveHost on
        RequestHeader set X-Forwarded-Proto "https" early

        # If you have pages that may take awhile to
        # respond, add a ProxyTimeout:
        # ProxyTimeout seconds
      </VirtualHost>

  /tmp/renew_cert_cron:
    mode: "000777"
    owner: root
    group: root
    content: |
      # renew Lets encrypt cert with the certbot command installed by 40_installcertbot
      # (certbot-auto is never downloaded by this config)
      0 1,13 * * * /usr/bin/certbot renew

packages:
  yum:
    epel-release: []
    mod_ssl: []

container_commands:
  10_downloadepel:
    command: "sudo wget -r --no-parent -A 'epel-release-*.rpm' https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/"
  20_installepel:
    command: "sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm --force"
  30_enableepl:
    command: "sudo yum-config-manager --enable epel*"
  40_installcertbot:
    command: "sudo yum install -y certbot"
  50_getcert:
    command: "sudo certbot certonly --debug --non-interactive --email test@test.com --agree-tos --standalone --domains ${MY_DOMAIN} --keep-until-expiring --pre-hook \"sudo service httpd stop\" --post-hook \"sudo service httpd start\""
  60_link:
    command: "ln -sf /etc/letsencrypt/live/${MY_DOMAIN} /etc/letsencrypt/live/ebcert"
  # httpd only reads *.conf from conf.d, so the .pre file has to be renamed (same as the OP's 40_config step)
  70_config:
    command: "mv /etc/httpd/conf.d/ssl.pre /etc/httpd/conf.d/ssl.conf"
```

And it executes (all commands run) but https is still not working (http works fine, but https immediately returns 'Unable to connect'). Any ideas? I've been stuck for 2 days now.
@zedy I haven’t used Apache in any of my projects so might not really know what works and what doesn’t. But we can try connecting and solving it together.
@vahiwe Thanks for the response. I figured it out. The ssl.pre from the files section of the code block doesn't get executed and is never created, so I created it manually. Working perfectly. Thanks again.

Created ssl.conf in /etc/httpd/conf.d/ (mode => 644, owner:group => root:root):

```apache
<VirtualHost *:443>
  <Directory /opt/python/current/app/build/static>
    Order deny,allow
    Allow from all
  </Directory>

  SSLEngine on
  SSLCertificateFile "/etc/letsencrypt/live/${MY_DOMAIN}/fullchain.pem"
  SSLCertificateKeyFile "/etc/letsencrypt/live/${MY_DOMAIN}/privkey.pem"
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  SSLProtocol All -SSLv2 -SSLv3
  SSLHonorCipherOrder On
  SSLSessionTickets Off

  Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
  Header always set X-Frame-Options DENY
  Header always set X-Content-Type-Options nosniff

  ProxyPass / http://localhost:80/ retry=0
  ProxyPassReverse / http://localhost:80/
  ProxyPreserveHost on
  RequestHeader set X-Forwarded-Proto "https" early

  # If you have pages that may take awhile to
  # respond, add a ProxyTimeout:
  # ProxyTimeout seconds
</VirtualHost>
```

P.S. don't forget to restart: `sudo service httpd restart`
👍 @zedy. You can share for others who might have the same issue.
Maybe this will help someone:
I updated my single web instance PHP Platform version and all my https stuff broke because of certbot-auto being deprecated. I'm just using the httpd config files that beanstalk uses by default.
I spent a while trying to get 'certbot' installed by all the different solutions above and elsewhere but kept running into errors/issues.
I was finally able to get it all working using this .ebextension config: https://gist.github.com/caseypage/3f59f29f1fb4d6590c9193340a38ea03
Thank You! I also ran into issues because of certbot-auto being deprecated and tried different solutions. I was about to give up on this approach until I saw this comment.
@vahiwe I can't thank you enough. Worked perfectly.
For those who are interested, I have created a simple template (for Python and Node.js). The EB portion is generic and can be used for other frameworks (.NET etc.).
Anyone with a working example of using acme.sh?
If I'm not mistaken, this is all it takes now:

```text
.ebextensions
|_ 00_epel.config
|_ 01_AWS_Single_LetsEncrypt.config
```

00_epel.config:

```yaml
commands:
  add_epel_repo:
    command: "sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
    test: "[ ! -e /tmp/add_epel_repo_run_once ] && touch /tmp/add_epel_repo_run_once || exit 0"
    ignoreErrors: true
```

01_AWS_Single_LetsEncrypt.config:

```yaml
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: { "Fn::GetAtt": ["AWSEBSecurityGroup", "GroupId"] }
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

packages:
  yum:
    epel-release: []

container_commands:
  01_certbot_install:
    # -y is required: container_commands run without a terminal to answer yum's prompt
    command: "sudo yum install -y certbot python-certbot-nginx"
  02_certbot_generate_certs:
    command: "sudo certbot --agree-tos --non-interactive --domains ${CERT_DOMAINS} --email ${CERT_EMAIL} --nginx"
  03_certbot_auto_renew:
    command: "sudo certbot renew --dry-run"
```
This will not work, because container_commands runs before Elastic Beanstalk deploys and runs your application and the proxy server. So, the /etc/nginx/nginx.conf will be overridden.

The structure that works for me is shown below:

```text
|-- .platform
|   `-- hooks
|       `-- postdeploy
|           `-- ssl_setup_certbot.sh
|-- .ebextensions
|   `-- ssl.config
```

The content of ssl_setup_certbot.sh:

```bash
#!/usr/bin/env bash
echo "Installing CERTBOT.."
CERT_DOMAIN=`/opt/elasticbeanstalk/bin/get-config environment -k CERT_DOMAIN`
CERT_EMAIL=`/opt/elasticbeanstalk/bin/get-config environment -k CERT_EMAIL`
sudo yum -y install certbot python-certbot-nginx
sudo certbot --agree-tos --non-interactive --domains ${CERT_DOMAIN} --email ${CERT_EMAIL} --nginx
sudo certbot renew --dry-run
echo "CERTBOT installed!"
```

The content of ssl.config:

```yaml
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: { "Fn::GetAtt": ["AWSEBSecurityGroup", "GroupId"] }
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

packages:
  yum:
    epel-release: []

files:
  "/etc/cron.d/certbot_renew":
    mode: "000644"
    owner: root
    group: root
    content: |
      0 */12 * * * root /usr/bin/certbot -q renew --nginx

commands:
  add_epel_repo:
    command: "sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
    test: "[ ! -e /tmp/add_epel_repo_run_once ] && touch /tmp/add_epel_repo_run_once || exit 0"
    ignoreErrors: true
```

CERT_DOMAIN and CERT_EMAIL are environment variables included in the EB environment.
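The failure mode in this reply (nginx configuration written during `container_commands` is replaced when Elastic Beanstalk regenerates the proxy config, so the HTTPS server block silently disappears) is easy to detect after the fact: dump the effective configuration and confirm that some `server` block still listens on 443 with a certificate file that exists. The script below is an added example, not code from this thread; it runs `nginx -T` for the live check, while `parse_server_blocks()` and `check_https()` work on plain text and are exercised here on two constructed dumps (`SAMPLE_DUMP`, modelled on the gist's redirect and https_custom blocks, and `OVERRIDDEN_DUMP`, the platform default after an overwrite). It is meant to be called from a `.platform/hooks/postdeploy` script and is an assumption about that layout, not part of any project.

```python
"""Confirm the HTTPS server block survived an Elastic Beanstalk deployment
(added example). Parses the output of `nginx -T`, the full effective
configuration, and reports whether a server block listens on 443 with an
ssl_certificate that exists on disk (the symlink step may have failed too).
"""
import os
import re
import subprocess

LISTEN_RE = re.compile(r"^\s*listen\s+(?:[\w.:\[\]*]+:)?(\d+)\b(.*);")
CERT_RE = re.compile(r"^\s*ssl_certificate\s+(\S+?);")


def parse_server_blocks(dump):
    """Return one {'listen': set of ports, 'ssl': bool, 'cert': path or None}
    per `server { ... }` block. Brace depth is tracked line by line, which
    matches the one-directive-per-line form nginx -T emits."""
    blocks, current, depth = [], None, 0
    for raw in dump.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        if current is None and re.match(r"^server\s*{", line.strip()):
            current, depth = {"listen": set(), "ssl": False, "cert": None}, 0
        if current is None:
            continue
        m = LISTEN_RE.match(line)
        if m:
            current["listen"].add(int(m.group(1)))
            if "ssl" in m.group(2).split():  # e.g. "listen 443 default ssl;"
                current["ssl"] = True
        m = CERT_RE.match(line)              # does not match ssl_certificate_key
        if m:
            current["cert"] = m.group(1)
        depth += line.count("{") - line.count("}")
        if depth == 0:                       # closing brace of this server block
            blocks.append(current)
            current = None
    return blocks


def check_https(blocks, cert_exists=os.path.exists):
    """Return findings for the parsed blocks; an empty list means a usable
    HTTPS listener is configured. cert_exists is injectable for testing."""
    https = [b for b in blocks if 443 in b["listen"]]
    if not https:
        return ["no server block listens on 443 (config overridden during deploy?)"]
    findings = []
    for b in https:
        if not b["ssl"]:
            findings.append("listener on 443 lacks the ssl parameter")
        if b["cert"] is None:
            findings.append("listener on 443 has no ssl_certificate directive")
        elif not cert_exists(b["cert"]):
            findings.append(f"certificate file {b['cert']} does not exist (ebcert symlink missing?)")
    return findings


def effective_config():
    """Run `nginx -T`; it prints the merged configuration to stdout and a
    non-zero exit code (raised here) if the configuration does not parse."""
    return subprocess.run(["nginx", "-T"], capture_output=True, text=True, check=True).stdout


# Constructed sample dumps (not captured from a real instance).
SAMPLE_DUMP = """\
# configuration file /etc/nginx/nginx.conf:
http {
    upstream nodejs {
        server 127.0.0.1:8081;
    }
    server {
        listen 8080;
        return 301 https://$host$request_uri;
    }
}
# configuration file /etc/nginx/conf.d/https_custom.conf:
server {
    listen 443 default ssl;
    server_name localhost;
    ssl_certificate /etc/letsencrypt/live/ebcert/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ebcert/privkey.pem;
    location / {
        proxy_pass http://nodejs;
    }
}
"""

OVERRIDDEN_DUMP = """\
# configuration file /etc/nginx/nginx.conf:
http {
    server {
        listen 80 default_server;
        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
"""

if __name__ == "__main__":
    import sys
    dump = effective_config() if "--live" in sys.argv else SAMPLE_DUMP
    problems = check_https(parse_server_blocks(dump))
    print("\n".join(problems) or "HTTPS listener present")
    sys.exit(1 if problems else 0)
```

With `--live` the exit status makes the hook fail loudly instead of leaving an instance that answers only on port 80, which is the symptom reported several times in this thread.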
Thanks @lucas-coelho, I'll test that out
I pretty much got exhausted and switched to CodeDeploy 😅
Hi @lucas-coelho.
I'm trying your config in my code but https does not run. Can you tell me what config I am missing?
I tried using the container_commands to set up the nginx configuration files but I couldn't find the files after a successful deployment. After carrying out some research, I was pointed to this AWS documentation on how to override nginx configuration files. My folder structure is shown below. I also had issues with installing the epel using the yum package manager on Amazon Linux 2, so I tweaked the setup to use rpm to install epel.

Here is the content of my ssl.config:

Below is the content of nginx.conf:

Below is the content of https_custom.conf:

Hopefully this helps.