LetsEncrypt SSL config for Elastic Beanstalk single instances - Webroot mode

README.txt

# STEP 0 :
Opened up port 443 in your EC2 instance Security Group.

# STEP 1 : 
set two enviroment variables "CERTDOMAIN" and "EMAIL" on your Elastic Beanstalk app.

# STEP 2 : 
Create a folder .ebextensions and stick the file "AWS_Single_LetsEncrypt.config" in it (don't forget to change the extension)

# STEP 3 :
Deploy your app and enjoy the green lock ;)

AWS_Single_LetsEncrypt.yaml

# (!) Based on : https://gist.github.com/tony-gutierrez/198988c34e020af0192bab543d35a62a
# Dont forget to set the env variable "CERTDOMAIN" and "EMAIL"
# Also note that this config is using the LetsEncrypt staging server, remove the flag when ready!

Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

files:

  # The Nginx config forces https, and is meant as an example only. 
  /etc/nginx/conf.d/000_http_redirect_custom.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen 8080;
        return 301 https://$host$request_uri;
      }
  # Allow verification to perform the challenge
  /etc/nginx/conf.d/Allow_LetsEncrypt_verification.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen 8080;
        location ~ /.well-known/  {
            root /var/www/acme-challenge/;
        }
      }    
      
  # The Nginx config forces https, and is meant as an example only. 
  /etc/nginx/conf.d/https_custom.pre:
    mode: "000644"
    owner: root
    group: root
    content: |
      # HTTPS server
      server {
        listen       443 default ssl;
        server_name  localhost;
        error_page  497 https://$host$request_uri;
        
        ssl_certificate      /etc/letsencrypt/live/ebcert/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/ebcert/privkey.pem;
        ssl_session_timeout  5m;
        ssl_protocols  TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_prefer_server_ciphers   on;
        if ($ssl_protocol = "") {
          rewrite ^ https://$host$request_uri? permanent;
        }
        location ~ ^/(lib/|img/) {
          root /var/app/current/public;
          access_log off;
        }
        location / {
            proxy_pass  http://nodejs;
            proxy_set_header   Connection "";
            proxy_http_version 1.1;
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        Upgrade         $http_upgrade;
            proxy_set_header        Connection      "upgrade";
        }
      }
packages: 
  yum:
    epel-release: [] 

container_commands:
  10_installcertbot:
    command: "wget https://dl.eff.org/certbot-auto;chmod a+x certbot-auto"
  20_createwebrootpath:
    command: "sudo mkdir /var/www/acme-challenge/"  
  30_getcertwebrootmode:
    command: "sudo ./certbot-auto certonly --debug --non-interactive --email ${EMAIL} --authenticator webroot --webroot-path /var/www/acme-challenge --domains ${CERTDOMAIN} --keep-until-expiring --installer nginx"
  40_link:
    command: "sudo ln -sf /etc/letsencrypt/live/${CERTDOMAIN} /etc/letsencrypt/live/ebcert"
  50_config:
    command: "sudo mv /etc/nginx/conf.d/https_custom.pre /etc/nginx/conf.d/https_custom.conf"