Created
September 2, 2019 10:13
-
-
Save the-vampiire/489299336200659a8f96cb6f2d593b64 to your computer and use it in GitHub Desktop.
AWS EB elastic beanstalk single instance nodejs nginx SSL/HTTPS ebextensions config file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# REQUIREMENTS | |
# set the following configuration environment variables at: configuration -> software -> modify -> environment variables | |
# CERT_EMAIL: the email address used for registering the cert | |
# CERT_DOMAIN: the domain to create a cert for | |
# EB environment URL (listed at the top of the environment page) or a custom domain, custom domains must have a DNS CNAME record pointing to the EB environment URL | |
# !! MUST NOT have "http://" prefix or the trailing "/" at the end !! | |
# EXAMPLES | |
# CERT_EMAIL: [email protected] | |
# CERT_DOMAIN: certbot-sample.us-east-1.elasticbeanstalk.com | |
# AWS resources to be provisioned for the EB environment | |
Resources: | |
# define a SG inbound rule that allows HTTPS traffic to the EB instance | |
sslSecurityGroupIngress: | |
Type: AWS::EC2::SecurityGroupIngress | |
Properties: | |
# added to the EB environment SG | |
GroupId: { "Fn::GetAtt": ["AWSEBSecurityGroup", "GroupId"] } | |
IpProtocol: tcp | |
# to (instance) and from (internet) TCP port 443 | |
ToPort: 443 | |
FromPort: 443 | |
# any IP address source (public internet) | |
CidrIp: 0.0.0.0/0 | |
# add EPEL release package repo to yum for installing certbot dependencies | |
packages: | |
yum: | |
epel-release: [] # latest version | |
files: | |
# create a custom nginx proxy config that will be targetd by certbot | |
# after certificate is issued certbot will populate this file with SSL terminating attributes | |
/etc/nginx/conf.d/http-https-proxy.conf: | |
mode: "000644" | |
owner: root | |
group: root | |
content: | | |
# defines the nodejs server namespace listening on 8081 | |
upstream nodejs { | |
# default port 8081, change if directly set in app code | |
server 127.0.0.1:8081; | |
keepalive 256; | |
} | |
server { | |
# capture all traffic on port 80 (http, unsecure) | |
# after cert success certbot will create a server block that redirects all traffic | |
# from port 80 (and 8080, default nginx) to port 443 (https, secure) | |
listen 80; | |
listen 8080; # default nginx service port | |
# define the server name so certbot can configure SSL after cert success | |
# this is either the EB environment URL or a custom domain | |
# custom domains must have a DNS CNAME record pointing to the EB environment URL | |
server_name `{"Fn::GetOptionSetting": {"Namespace": "aws:elasticbeanstalk:application:environment", "OptionName": "CERT_DOMAIN"}}`; | |
if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") { | |
set $year $1; | |
set $month $2; | |
set $day $3; | |
set $hour $4; | |
} | |
access_log /var/log/nginx/access.log main; | |
access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd; | |
# location block to route access for ACME challenge | |
# certbot uses the endpoint /.well-known/acme-challenge/<CODE_FILE_NAME> during verification | |
location ~ /.well-known { | |
allow all; | |
# direct requests to the webroot where certbot creates the ACME challenge code | |
# this is the default webroot for AWS Linux AMI nginx | |
# any webroot can be used but must match the webroot param (-w) in the certbot command | |
root /usr/share/nginx/html; | |
} | |
location / { | |
# proxy requests + headers to the nodejs app server (namespaced from upstream above) | |
proxy_pass http://nodejs; | |
proxy_set_header Connection ""; | |
proxy_http_version 1.1; | |
proxy_set_header Host $host; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
} | |
# enable gzip compression for faster data transmission to clients of the nodejs app | |
gzip on; | |
gzip_comp_level 4; | |
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript; | |
} | |
# script commands to setup and run the certbot process | |
container_commands: | |
# these are run in alphabetical order hence the numbering prefix | |
00_install_certbot: | |
command: | | |
mkdir -p /opt/certbot | |
wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto | |
chmod 700 /opt/certbot/certbot-auto | |
# make the default EB proxy conf a backup to prevent conflict with new conf | |
10_decomission_default_proxy_conf: | |
command: mv /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf.bak | |
# reload to use new conf | |
20_reload_nginx_conf: | |
command: sudo initctl reload nginx | |
# run certbot process | |
# creates an ACME challenge in the webroot directory | |
# verifies the challenge with an http (80) request | |
# installs the certificate in /etc/letsencrypt/live/<DOMAIN_NAME> | |
# updates /etc/nginx/conf.d/http-https-proxy.conf to listen on 443, use the cert, and redirect all unsecure traffic (80, http) to 443 (https) | |
30_run_certbot: | |
# --debug: required by AWS Linux AMI to install certbot deps | |
# --redirect: creates nginx port :80 -> :443 redirect rule on success | |
# --agree-tos: agrees to TOS without prompting | |
# -n: run without user interaction | |
# -d: set domain for certificate | |
# -m: set email for ACME account registration | |
# -i: select nginx as the installer plugin to update the conf file on success | |
# -a: select webroot as the authenticator plugin to use the ACME challenge | |
# -w: set the webroot path for serving the ACME challenge | |
command: /opt/certbot/certbot-auto run --debug --redirect --agree-tos -n -d ${CERT_DOMAIN} -m ${CERT_EMAIL} -i nginx -a webroot -w /usr/share/nginx/html --staging | |
# !! --staging: REMOVE FOR PRODUCTION, use the staging server for the certificate !! | |
# reload nginx to apply new conf | |
40_restart_nginx: | |
# depending on your AMI this may fail | |
# if it does replace with: service nginx restart or reload | |
command: sudo initctl reload nginx | |
# setup cron job to auto renew certificates | |
# 40_setup_cron_job: | |
# command: | |
I am getting the below error.
2020-04-06 05:35:38,005:DEBUG:certbot._internal.main:certbot version: 1.3.0 2020-04-06 05:35:38,005:DEBUG:certbot._internal.main:Arguments: ['--debug', '--redirect', '--agree-tos', '-n', '-d', 'CovidHelp-env.eba-jfwi2pgp.ap-south-1.elasticbeanstalk.com', '-m', '[email protected]', '-i', 'nginx', '-a', 'webroot', '-w', '/usr/share/nginx/html', '--staging'] 2020-04-06 05:35:38,005:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot) 2020-04-06 05:35:38,021:DEBUG:certbot._internal.log:Root logging level set at 20 2020-04-06 05:35:38,022:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log 2020-04-06 05:35:38,022:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer nginx 2020-04-06 05:35:38,029:ERROR:certbot._internal.log:Exiting abnormally: Traceback (most recent call last): File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module> sys.exit(main()) File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 15, in main return internal_main.main(cli_args) File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1347, in main return config.func(config, plugins) File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1083, in run installer, authenticator = plug_sel.choose_configurator_plugins(config, plugins, "run") File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 224, in choose_configurator_plugins installer = pick_installer(config, req_inst, plugins, installer_question) File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 31, in pick_installer config, default, plugins, question, (interfaces.IInstaller,)) File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 104, in pick_plugin verified.prepare() File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 253, in prepare return [plugin_ep.prepare() for plugin_ep in six.itervalues(self._plugins)] File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 134, in prepare self._initialized.prepare() File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/_internal/configurator.py", line 181, in prepare if not util.exe_exists(self.conf('ctl')): File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/util.py", line 106, in exe_exists for path in os.environ["PATH"].split(os.pathsep): File "/opt/eff.org/certbot/venv/lib64/python2.7/UserDict.py", line 40, in __getitem__ raise KeyError(key) KeyError: 'PATH'
hmm sorry man this was months ago. i remember seeing this issue but cant remember how i fixed it. i know i ended up going into that file and looking through the certbot source to see what the problem was. somehow the PATH key isnt being set.
if you fix it please post back so others can benefit
Did you find the issue? I wold like to config that way as well
I am getting the below error.
2020-04-06 05:35:38,005:DEBUG:certbot._internal.main:certbot version: 1.3.0 2020-04-06 05:35:38,005:DEBUG:certbot._internal.main:Arguments: ['--debug', '--redirect', '--agree-tos', '-n', '-d', 'CovidHelp-env.eba-jfwi2pgp.ap-south-1.elasticbeanstalk.com', '-m', '[email protected]', '-i', 'nginx', '-a', 'webroot', '-w', '/usr/share/nginx/html', '--staging'] 2020-04-06 05:35:38,005:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot) 2020-04-06 05:35:38,021:DEBUG:certbot._internal.log:Root logging level set at 20 2020-04-06 05:35:38,022:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log 2020-04-06 05:35:38,022:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer nginx 2020-04-06 05:35:38,029:ERROR:certbot._internal.log:Exiting abnormally: Traceback (most recent call last): File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module> sys.exit(main()) File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 15, in main return internal_main.main(cli_args) File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1347, in main return config.func(config, plugins) File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1083, in run installer, authenticator = plug_sel.choose_configurator_plugins(config, plugins, "run") File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 224, in choose_configurator_plugins installer = pick_installer(config, req_inst, plugins, installer_question) File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 31, in pick_installer config, default, plugins, question, (interfaces.IInstaller,)) File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 104, in pick_plugin verified.prepare() File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 253, in prepare return [plugin_ep.prepare() for plugin_ep in six.itervalues(self._plugins)] File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 134, in prepare self._initialized.prepare() File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/_internal/configurator.py", line 181, in prepare if not util.exe_exists(self.conf('ctl')): File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/util.py", line 106, in exe_exists for path in os.environ["PATH"].split(os.pathsep): File "/opt/eff.org/certbot/venv/lib64/python2.7/UserDict.py", line 40, in __getitem__ raise KeyError(key) KeyError: 'PATH'
Remove the --redirect
arg
I'm using a similar script. Although the ingress rule is set up for my app, any https call is dropped immediately. I can only see http calls in the nginx logs. https don't reach nginx. Any ideas?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I am getting the below error.