AWS EB elastic beanstalk single instance nodejs nginx SSL/HTTPS ebextensions config file

00-https-single-instance.yaml

# REQUIREMENTS
# set the following configuration environment variables at: configuration -> software -> modify -> environment variables

# CERT_EMAIL: the email address used for registering the cert

# CERT_DOMAIN: the domain to create a cert for
# EB environment URL (listed at the top of the environment page) or a custom domain, custom domains must have a DNS CNAME record pointing to the EB environment URL
# !! MUST NOT have "http://" prefix or the trailing "/" at the end !!

# EXAMPLES
# CERT_EMAIL: [email protected]
# CERT_DOMAIN: certbot-sample.us-east-1.elasticbeanstalk.com

# AWS resources to be provisioned for the EB environment
Resources:
  # define a SG inbound rule that allows HTTPS traffic to the EB instance
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      # added to the EB environment SG
      GroupId: { "Fn::GetAtt": ["AWSEBSecurityGroup", "GroupId"] }
      IpProtocol: tcp
      # to (instance) and from (internet) TCP port 443
      ToPort: 443
      FromPort: 443
      # any IP address source (public internet)
      CidrIp: 0.0.0.0/0

# add EPEL release package repo to yum for installing certbot dependencies
packages:
  yum:
    epel-release: [] # latest version

files:
  # create a custom nginx proxy config that will be targetd by certbot
  # after certificate is issued certbot will populate this file with SSL terminating attributes
  /etc/nginx/conf.d/http-https-proxy.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      # defines the nodejs server namespace listening on 8081
      upstream nodejs {
          # default port 8081, change if directly set in app code
          server 127.0.0.1:8081;
          keepalive 256;
      }

      server {
          # capture all traffic on port 80 (http, unsecure)
            # after cert success certbot will create a server block that redirects all traffic
            # from port 80 (and 8080, default nginx) to port 443 (https, secure)
          listen 80;
          listen 8080; # default nginx service port
        
          # define the server name so certbot can configure SSL after cert success
            # this is either the EB environment URL or a custom domain
            # custom domains must have a DNS CNAME record pointing to the EB environment URL
          server_name `{"Fn::GetOptionSetting": {"Namespace": "aws:elasticbeanstalk:application:environment", "OptionName": "CERT_DOMAIN"}}`;
          
          if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
              set $year $1;
              set $month $2;
              set $day $3;
              set $hour $4;
          }

          access_log /var/log/nginx/access.log main;
          access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
          
          # location block to route access for ACME challenge
          # certbot uses the endpoint /.well-known/acme-challenge/<CODE_FILE_NAME> during verification 
          location ~ /.well-known {
              allow all;
              # direct requests to the webroot where certbot creates the ACME challenge code
                # this is the default webroot for AWS Linux AMI nginx
                # any webroot can be used but must match the webroot param (-w) in the certbot command
              root /usr/share/nginx/html;
          }

          location / {
              # proxy requests + headers to the nodejs app server (namespaced from upstream above)
              proxy_pass  http://nodejs;
              proxy_set_header   Connection "";
              proxy_http_version 1.1;
              proxy_set_header  Host             $host;
              proxy_set_header  X-Real-IP        $remote_addr;
              proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
          }
          
          # enable gzip compression for faster data transmission to clients of the nodejs app
          gzip on;
          gzip_comp_level 4;
          gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
      }

# script commands to setup and run the certbot process
container_commands:
  # these are run in alphabetical order hence the numbering prefix
  00_install_certbot:
    command: |
      mkdir -p /opt/certbot
      wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto
      chmod 700 /opt/certbot/certbot-auto

  # make the default EB proxy conf a backup to prevent conflict with new conf
  10_decomission_default_proxy_conf:
    command: mv /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf.bak

  # reload to use new conf
  20_reload_nginx_conf:
    command: sudo initctl reload nginx

  # run certbot process
  # creates an ACME challenge in the webroot directory
  # verifies the challenge with an http (80) request
  # installs the certificate in /etc/letsencrypt/live/<DOMAIN_NAME>
  # updates /etc/nginx/conf.d/http-https-proxy.conf to listen on 443, use the cert, and redirect all unsecure traffic (80, http) to 443 (https)
  30_run_certbot:
    # --debug: required by AWS Linux AMI to install certbot deps
    # --redirect: creates nginx port :80 -> :443 redirect rule on success
    # --agree-tos: agrees to TOS without prompting
    # -n: run without user interaction
    # -d: set domain for certificate
    # -m: set email for ACME account registration
    # -i: select nginx as the installer plugin to update the conf file on success
    # -a: select webroot as the authenticator plugin to use the ACME challenge
    # -w: set the webroot path for serving the ACME challenge
    command: /opt/certbot/certbot-auto run --debug --redirect --agree-tos -n -d ${CERT_DOMAIN} -m ${CERT_EMAIL} -i nginx -a webroot -w /usr/share/nginx/html --staging
    # !! --staging: REMOVE FOR PRODUCTION, use the staging server for the certificate !!

  # reload nginx to apply new conf
  40_restart_nginx:
    # depending on your AMI this may fail
    # if it does replace with: service nginx restart or reload
    command: sudo initctl reload nginx
  # setup cron job to auto renew certificates
  # 40_setup_cron_job:
  #   command:

I am getting the below error.

2020-04-06 05:35:38,005:DEBUG:certbot._internal.main:certbot version: 1.3.0
2020-04-06 05:35:38,005:DEBUG:certbot._internal.main:Arguments: ['--debug', '--redirect', '--agree-tos', '-n', '-d', 'CovidHelp-env.eba-jfwi2pgp.ap-south-1.elasticbeanstalk.com', '-m', '[email protected]', '-i', 'nginx', '-a', 'webroot', '-w', '/usr/share/nginx/html', '--staging']
2020-04-06 05:35:38,005:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-04-06 05:35:38,021:DEBUG:certbot._internal.log:Root logging level set at 20
2020-04-06 05:35:38,022:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-04-06 05:35:38,022:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer nginx
2020-04-06 05:35:38,029:ERROR:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1083, in run
    installer, authenticator = plug_sel.choose_configurator_plugins(config, plugins, "run")
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 224, in choose_configurator_plugins
    installer = pick_installer(config, req_inst, plugins, installer_question)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 31, in pick_installer
    config, default, plugins, question, (interfaces.IInstaller,))
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 104, in pick_plugin
    verified.prepare()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 253, in prepare
    return [plugin_ep.prepare() for plugin_ep in six.itervalues(self._plugins)]
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 134, in prepare
    self._initialized.prepare()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/_internal/configurator.py", line 181, in prepare
    if not util.exe_exists(self.conf('ctl')):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/util.py", line 106, in exe_exists
    for path in os.environ["PATH"].split(os.pathsep):
  File "/opt/eff.org/certbot/venv/lib64/python2.7/UserDict.py", line 40, in __getitem__
    raise KeyError(key)
KeyError: 'PATH'

Remove the --redirect arg

I'm using a similar script. Although the ingress rule is set up for my app, any https call is dropped immediately. I can only see http calls in the nginx logs. https don't reach nginx. Any ideas?