AWS Elastic Beanstalk .ebextensions config for single instance free SSL using letsencrypt certbot and nginx. http://bluefletch.com/blog/domain-agnostic-letsencrypt-ssl-config-for-elastic-beanstalk-single-instances/

AWS_Single_LetsEncrypt.yaml

# Dont forget to set the env variable "certdomain", and either fill in your email below or use an env variable for that too.
# Also note that this config is using the LetsEncrypt staging server, remove the flag when ready!

Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

files:

  # The Nginx config forces https, and is meant as an example only. 
  /etc/nginx/conf.d/000_http_redirect_custom.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen 8080;
        return 301 https://$host$request_uri;
      }

  # The Nginx config forces https, and is meant as an example only. 
  /etc/nginx/conf.d/https_custom.pre:
    mode: "000644"
    owner: root
    group: root
    content: |
      # HTTPS server
      server {
        listen       443 default ssl;
        server_name  localhost;
        error_page  497 https://$host$request_uri;
        
        ssl_certificate      /etc/letsencrypt/live/ebcert/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/ebcert/privkey.pem;

        ssl_session_timeout  5m;
        ssl_protocols  TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_prefer_server_ciphers   on;

        if ($ssl_protocol = "") {
          rewrite ^ https://$host$request_uri? permanent;
        }

        location ~ ^/(lib/|img/) {
          root /var/app/current/public;
          access_log off;
        }

        location / {
            proxy_pass  http://nodejs;
            proxy_set_header   Connection "";
            proxy_http_version 1.1;
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        Upgrade         $http_upgrade;
            proxy_set_header        Connection      "upgrade";
        }
      }

packages: 
  yum:
    epel-release: [] 

container_commands:
  10_installcertbot:
    command: "wget https://dl.eff.org/certbot-auto;chmod a+x certbot-auto"
  20_getcert:
    command: "sudo ./certbot-auto certonly --debug --non-interactive --email [email protected] --agree-tos --standalone --domains ${certdomain} --keep-until-expiring --pre-hook \"service nginx stop\" --staging"
  30_link:
    command: "ln -sf /etc/letsencrypt/live/${certdomain} /etc/letsencrypt/live/ebcert"
  40_config:
    command: "mv /etc/nginx/conf.d/https_custom.pre /etc/nginx/conf.d/https_custom.conf"

Thank you so much @vahiwe, it worked flawlessly.

Thank you so much @vahiwe, it worked flawlessly.

@andylolu2 you're welcome. You can reference an article I wrote on it here.

@vahiwe I took the OP's post and combined it with your solution from (above) changed a few params to work with Apache and got this:

Resources:
    sslSecurityGroupIngress:
        Type: AWS::EC2::SecurityGroupIngress
        Properties:
            GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
            IpProtocol: tcp
            ToPort: 443
            FromPort: 443
            CidrIp: 0.0.0.0/0

files:
    /etc/httpd/conf.d/ssl.pre:
        mode: "000644"
        owner: root
        group: root
        content: |
            LoadModule ssl_module modules/mod_ssl.so
            Listen 443

            <VirtualHost *:443>
                <Directory /opt/python/current/app/build/static>
                    Order deny,allow
                    Allow from all
                </Directory>
                
                SSLEngine on
                SSLCertificateFile "/etc/letsencrypt/live/${MY_DOMAIN}/fullchain.pem"
                SSLCertificateKeyFile "/etc/letsencrypt/live/${MY_DOMAIN}/privkey.pem"
                SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
                SSLProtocol All -SSLv2 -SSLv3
                SSLHonorCipherOrder On
                SSLSessionTickets Off
                
                Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
                Header always set X-Frame-Options DENY
                Header always set X-Content-Type-Options nosniff
                
                ProxyPass / http://localhost:80/ retry=0
                ProxyPassReverse / http://localhost:80/
                ProxyPreserveHost on
                RequestHeader set X-Forwarded-Proto "https" early
                # If you have pages that may take awhile to
                # respond, add a ProxyTimeout:
                # ProxyTimeout seconds
            </VirtualHost>
  
    /tmp/renew_cert_cron:
        mode: "000777"
        owner: root
        group: root
        content: |
            # renew Lets encrypt cert with certbot command
            0 1,13 * * * /tmp/certbot-auto renew

packages:
    yum:
        epel-release: []
        mod_ssl : []

container_commands:
    10_downloadepel:
        command: "sudo wget -r --no-parent -A 'epel-release-*.rpm' https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/"
    20_installepel:
        command: "sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm --force"
    30_enableepl:
        command: "sudo yum-config-manager --enable epel*"
    40_installcertbot:
        command: "sudo yum install -y certbot"
    50_getcert:
        command: "sudo certbot certonly --debug --non-interactive --email [email protected] --agree-tos --standalone --domains ${MY_DOMAIN} --keep-until-expiring --pre-hook \"sudo service httpd stop\" --post-hook \"sudo service httpd start\""
    60_link:
        command: "ln -sf /etc/letsencrypt/live/${MY_DOMAIN} /etc/letsencrypt/live/ebcert"

And it executes (all commends run) but https is still not working (http works fine, but https immediately returns 'Unable to connect') Any ideas? I've been stuck for 2 days now.

@zedy I haven’t used Apache in any of my projects so might not really know what works and what doesn’t. But we can try connecting and solving it together.

@vahiwe Thanks for the response. I figured it out. The ssl.pre from the files section of the code block doesn't get executed and is never created, so i created it manually. Working perfectly. Thanks again.

Created ssl.conf in /etc/httpd/conf.d/ (mod => 644, owner:group => root:root)

<VirtualHost *:443>
	<Directory /opt/python/current/app/build/static>
		Order deny,allow
		Allow from all
	</Directory>
	
	SSLEngine on
	SSLCertificateFile "/etc/letsencrypt/live/${MY_DOMAIN}/fullchain.pem"
	SSLCertificateKeyFile "/etc/letsencrypt/live/${MY_DOMAIN}/privkey.pem"
	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
	SSLProtocol All -SSLv2 -SSLv3
	SSLHonorCipherOrder On
	SSLSessionTickets Off
	
	Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
	Header always set X-Frame-Options DENY
	Header always set X-Content-Type-Options nosniff
	
	ProxyPass / http://localhost:80/ retry=0
	ProxyPassReverse / http://localhost:80/
	ProxyPreserveHost on
	RequestHeader set X-Forwarded-Proto "https" early
	# If you have pages that may take awhile to
	# respond, add a ProxyTimeout:
	# ProxyTimeout seconds
</VirtualHost>

p.s. don't forget to restart sudo service httpd restart

👍 @zedy. You can share for others who might have the same issue.

Maybe this will help someone:

I updated my single web instance PHP Platform version and all my https stuff broke because of certbot-auto being deprecated. I'm just using the httpd config files that beanstalk uses by default.

I spent a while trying to get 'certbot' installed by all the different solutions above and elsewhere but kept running into errors/issues.

I was finally able to get it all working using this .ebextension config: https://gist.github.com/caseypage/3f59f29f1fb4d6590c9193340a38ea03

Maybe this will help someone:

I updated my single web instance PHP Platform version and all my https stuff broke because of certbot-auto being deprecated. I'm just using the httpd config files that beanstalk uses by default.

I spent a while trying to get 'certbot' installed by all the different solutions above and elsewhere but kept running into errors/issues.

I was finally able to get it all working using this .ebextension config: https://gist.github.com/caseypage/3f59f29f1fb4d6590c9193340a38ea03

Thank You! I also ran into issues because of certbot-auto being deprecated and tried different solutions. I was about to give up on this approach until I saw this comment.

@vahiwe I can't thank you enough. Worked perfectly.

for those who is interested, i have created a simple template(for python and nodejs). the EB portion is generic and can be used for other framework(.NET etc.)

https://github.com/garyng2000/flaskweb

Anyone with a working example of using acme.sh?

If I'm not mistaken, this is all it takes now:

.ebextensions
|_ 00_epel.config
|_ 01_AWS_Single_LetsEncrypt.config

00_epel.config

commands:
  add_epel_repo:
    command: "sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
    test: "[ ! -e /tmp/add_epel_repo_run_once ] && touch /tmp/add_epel_repo_run_once || exit 0"
    ignoreErrors: true

01_AWS_Single_LetsEncrypt.config

Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: { "Fn::GetAtt": ["AWSEBSecurityGroup", "GroupId"] }
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

packages:
  yum:
    epel-release: []

container_commands:
  01_certbot_install:
    command: "sudo yum install certbot python-certbot-nginx"
  02_certbot_generate_certs:
    command: "sudo certbot --agree-tos --non-interactive --domains ${CERT_DOMAINS} --email ${CERT_EMAIL} --nginx"
  03_certbot_auto_renew:
    command: "sudo certbot renew --dry-run"

This will not work, because container_commands runs before Elastic Beanstalk deploys and runs your application and the proxy server. So, the /etc/nginx/nginx.conf will be overridden.
The structure that works for me is shown below:

|-- .platform
|   -- hooks
|       -- postdeploy
|           -- ssl_setup_certbot.sh
|-- .ebextensions
|   -- ssl.config

The content of ssl_setup_certbot.sh:

#!/usr/bin/env bash

echo "Installing CERTBOT.."
CERT_DOMAIN=`/opt/elasticbeanstalk/bin/get-config environment -k CERT_DOMAIN`
CERT_EMAIL=`/opt/elasticbeanstalk/bin/get-config environment -k CERT_EMAIL`
sudo yum -y install certbot python-certbot-nginx
sudo certbot --agree-tos --non-interactive --domains ${CERT_DOMAIN} --email ${CERT_EMAIL} --nginx
sudo certbot renew --dry-run
echo "CERTBOT installed!"

The content of ssl.config:

Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: { "Fn::GetAtt": ["AWSEBSecurityGroup", "GroupId"] }
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

packages:
  yum:
    epel-release: []

files:
  "/etc/cron.d/certbot_renew":
    mode: "000644"
    owner: root
    group: root
    content: |
      0 */12 * * * root /usr/bin/certbot -q renew --nginx
 
commands:
  add_epel_repo:
    command: "sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
    test: "[ ! -e /tmp/add_epel_repo_run_once ] && touch /tmp/add_epel_repo_run_once || exit 0"
    ignoreErrors: true
    
   

CERT_DOMAIN and CERT_EMAIL is environment variable included in the eb environment.

Thanks @lucas-coelho, I'll test that out
I pretty much got exhausted and switched to CodeDeploy 😅

Hi @lucas-coelho.
I'm trying this your config in code but not run https.
can you tell me what config am i missing?