-
-
Save kwalski/4431df892f9c2e9e40c667d0848b078f to your computer and use it in GitHub Desktop.
LetsEncrypt SSL config for Elastic Beanstalk single instances - Webroot mode
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# STEP 0 : | |
Opened up port 443 in your EC2 instance Security Group. | |
# STEP 1 : | |
set two enviroment variables "CERTDOMAIN" and "EMAIL" on your Elastic Beanstalk app. | |
# STEP 2 : | |
Create a folder .ebextensions and stick the file "AWS_Single_LetsEncrypt.config" in it (don't forget to change the extension) | |
# STEP 3 : | |
Deploy your app and enjoy the green lock ;) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# (!) Based on : https://gist.github.com/tony-gutierrez/198988c34e020af0192bab543d35a62a | |
# Dont forget to set the env variable "CERTDOMAIN" and "EMAIL" | |
# Also note that this config is using the LetsEncrypt staging server, remove the flag when ready! | |
Resources: | |
sslSecurityGroupIngress: | |
Type: AWS::EC2::SecurityGroupIngress | |
Properties: | |
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]} | |
IpProtocol: tcp | |
ToPort: 443 | |
FromPort: 443 | |
CidrIp: 0.0.0.0/0 | |
files: | |
# The Nginx config forces https, and is meant as an example only. | |
/etc/nginx/conf.d/000_http_redirect_custom.conf: | |
mode: "000644" | |
owner: root | |
group: root | |
content: | | |
server { | |
listen 8080; | |
return 301 https://$host$request_uri; | |
} | |
# Allow verification to perform the challenge | |
/etc/nginx/conf.d/Allow_LetsEncrypt_verification.conf: | |
mode: "000644" | |
owner: root | |
group: root | |
content: | | |
server { | |
listen 8080; | |
location ~ /.well-known/ { | |
root /var/www/acme-challenge/; | |
} | |
} | |
# The Nginx config forces https, and is meant as an example only. | |
/etc/nginx/conf.d/https_custom.pre: | |
mode: "000644" | |
owner: root | |
group: root | |
content: | | |
# HTTPS server | |
server { | |
listen 443 default ssl; | |
server_name localhost; | |
error_page 497 https://$host$request_uri; | |
ssl_certificate /etc/letsencrypt/live/ebcert/fullchain.pem; | |
ssl_certificate_key /etc/letsencrypt/live/ebcert/privkey.pem; | |
ssl_session_timeout 5m; | |
ssl_protocols TLSv1.1 TLSv1.2; | |
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; | |
ssl_prefer_server_ciphers on; | |
if ($ssl_protocol = "") { | |
rewrite ^ https://$host$request_uri? permanent; | |
} | |
location ~ ^/(lib/|img/) { | |
root /var/app/current/public; | |
access_log off; | |
} | |
location / { | |
proxy_pass http://nodejs; | |
proxy_set_header Connection ""; | |
proxy_http_version 1.1; | |
proxy_set_header Host $host; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection "upgrade"; | |
} | |
} | |
packages: | |
yum: | |
epel-release: [] | |
container_commands: | |
10_installcertbot: | |
command: "wget https://dl.eff.org/certbot-auto;chmod a+x certbot-auto" | |
20_createwebrootpath: | |
command: "sudo mkdir /var/www/acme-challenge/" | |
30_getcertwebrootmode: | |
command: "sudo ./certbot-auto certonly --debug --non-interactive --email ${EMAIL} --authenticator webroot --webroot-path /var/www/acme-challenge --domains ${CERTDOMAIN} --keep-until-expiring --installer nginx" | |
40_link: | |
command: "sudo ln -sf /etc/letsencrypt/live/${CERTDOMAIN} /etc/letsencrypt/live/ebcert" | |
50_config: | |
command: "sudo mv /etc/nginx/conf.d/https_custom.pre /etc/nginx/conf.d/https_custom.conf" | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment