elasticbeanstalk-letsencrypt-ssl.config

Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

packages:
  yum:
    mod24_ssl : []

files:
  /tmp/ssl.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule wsgi_module modules/mod_wsgi.so
      WSGIPythonHome /opt/python/run/baselinenv
      WSGISocketPrefix run/wsgi
      WSGIRestrictEmbedded On
      Listen 443
      <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile "/etc/letsencrypt/live/ebcert/fullchain.pem"
        SSLCertificateKeyFile "/etc/letsencrypt/live/ebcert/privkey.pem"

        Alias /static/ /opt/python/current/app/static/
        <Directory /opt/python/current/app/static>
        Order allow,deny
        Allow from all
        </Directory>

        WSGIScriptAlias / /opt/python/current/app/wsgi.py

        <Directory /opt/python/current/app>
        Require all granted
        </Directory>

        WSGIDaemonProcess wsgi-ssl processes=1 threads=15 display-name=%{GROUP} \
          python-path=/opt/python/current/app:/opt/python/run/venv/lib/python3.4/site-packages:/opt/python/run/venv/lib64/python3.4/site-packages \
          home=/opt/python/current/app \
          user=wsgi \
          group=wsgi
        WSGIProcessGroup wsgi-ssl

      </VirtualHost>
      <VirtualHost *:80>
          RewriteEngine On
          RewriteCond %{HTTPS} off
          RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
      </VirtualHost>
      LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  /tmp/certificate_renew:
    mode: "000644"
    owner: root
    group: root
    content: |
      0 0 * * 0 root /opt/certbot/certbot-auto renew --standalone --pre-hook "killall httpd" --post-hook "sudo restart supervisord || sudo start supervisord" --force-renew >> /var/log/certificate_renew.log 2>&1

container_commands:
  # creates a swapfile to avoid memory errors in small instances
  00_enable_swap:
    command: "sudo swapoff /tmp/swapfile_certbot ; sudo rm /tmp/swapfile_certbot ; sudo fallocate -l 1G /tmp/swapfile_certbot && sudo chmod 600 /tmp/swapfile_certbot && sudo mkswap /tmp/swapfile_certbot && sudo swapon /tmp/swapfile_certbot"
  # installs certbot
  10_install_certbot:
    command: "mkdir -p /opt/certbot && wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto && chmod a+x /opt/certbot/certbot-auto"
  # issue the certificate if it does not exist. Remove --staging to deploy in production.
  20_install_certificate:
    command: "sudo /opt/certbot/certbot-auto certonly --debug --non-interactive --email ${LETSENCRYPT_EMAIL} --agree-tos --standalone --domains ${LETSENCRYPT_DOMAIN} --keep-until-expiring --pre-hook \"service httpd stop\" "
  # create a link so we can use '/etc/letsencrypt/live/ebcert/fullchain.pem'
  # in the apache config file
  30_link:
    command: "ln -sf /etc/letsencrypt/live/${LETSENCRYPT_DOMAIN} /etc/letsencrypt/live/ebcert"
  # move the apache .conf file to the conf.d directory.
  # Rename the default .conf file so it won't be used by Apache.
  40_config:
    command: "mv /tmp/ssl.conf /etc/httpd/conf.d/ssl.conf && mv /etc/httpd/conf.d/wsgi.conf /etc/httpd/conf.d/wsgi.conf.bkp || true"
  # clear the swap files created in 00_enable_swap
  50_cleanup_swap:
    command: "sudo swapoff /tmp/swapfile_certbot && sudo rm /tmp/swapfile_certbot"
  # kill all httpd processes so Apache will use the new configuration
  60_killhttpd:
    command: "killall httpd ; sleep 3"
  # Add renew cron job to renew the certificate
  70_cronjob_certificate_renew:
    command: "mv /tmp/certificate_renew /etc/cron.d/certificate_renew"