So I was having trouble to find something so I wrote this. I have tested most of the cases and it should work in general.
It does the whole thing, let me know if you have some remarks or improvement suggestions.
Thanks !
#Don't use as is, check and modify according to your needs.
Requirements:
- ElasticBeanstalk Environmnet
- Ec2-elastic-beanstalk-service-role with access to Route53 Resource
- TCP Loadbalancer in front of EC2 instances
- Deployment policy rolling (one instance at a the time)
- NFS mount
It's a single .ebextension:
jq package is needed:
packages:
yum:
jq: []
Creating jsons:
files:
"/usr/local/bin/certbot/add_json.sh":
mode: "000550"
owner: root
group: root
content: |
#!/bin/bash
#Create TXT record JSON
cat > $1_TXT.json << END
{
"Comment": "TXT Verification for CertBOT",
"Changes": [
{
"Action": "$1",
"ResourceRecordSet": {
"Name": "_acme-challenge.$CERTBOT_DOMAIN",
"Type": "TXT",
"TTL": 300,
"ResourceRecords": [
{
"Value": "\"$CERTBOT_VALIDATION\""
}
]
}
}
]
}
END
Removing hook to Route53:
"/usr/local/bin/certbot/remove_txt_hook.sh":
mode: "000550"
owner: root
group: root
content: |
#!/bin/bash
PWD=`pwd`
APEX_DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')
ZONE_ID=`aws route53 list-hosted-zones --output text | awk '$4 ~ /^ *'$APEX_DOMAIN'/''{print $3}' | sed 's:.*/::'`
aws route53 change-resource-record-sets \
--hosted-zone-id $ZONE_ID --change-batch file://$PWD/DELETE_TXT.json
rm CREATE_TXT.json
rm DELETE_TXT.json
Adding hook to Route53:
"/usr/local/bin/certbot/add_txt_hook.sh":
mode: "000550"
owner: root
group: root
content: |
#!/bin/bash
PWD=`pwd`
APEX_DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')
ZONE_ID=`aws route53 list-hosted-zones --output text | awk '$4 ~ /^ *'$APEX_DOMAIN'/''{print $3}' | sed 's:.*/::'`
./add_json.sh CREATE
./add_json.sh DELETE
aws route53 change-resource-record-sets \
--hosted-zone-id $ZONE_ID --change-batch file://$PWD/CREATE_TXT.json
sleep 30
Deploying:
"/usr/local/bin/certbot/start_process.sh":
mode: "000550"
owner: root
group: root
content: |
#!/bin/bash
MY_DOMAIN=$(/opt/elasticbeanstalk/bin/get-config environment | jq -r '.MY_DOMAIN')
EFS_NAME=$(/opt/elasticbeanstalk/bin/get-config environment | jq -r '.EFS_NAME')
PWD=`pwd`
if [ "$MY_DOMAIN" = example.com ]; then
if [ ! -d /etc/letsencrypt ]; then
mkdir -p /etc/letsencrypt
fi
if ! grep -qs ' /etc/letsencrypt ' /proc/mounts; then
mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 $EFS_NAME:/.certificates/.letsencrypt /etc/letsencrypt || exit
fi
if [ ! -f certbot-auto ]; then
yum -y install mod24_ssl augeas-libs libffi-devel python27-tools system-rpm-config
wget https://dl.eff.org/certbot-auto
chmod 550 certbot-auto
fi
if [ ! -f /etc/letsencrypt/live/$MY_DOMAIN/fullchain.pem ]; then
./certbot-auto certonly --debug -n --no-bootstrap --email <your e-mail> --agree-tos --manual-public-ip-logging-ok --manual --preferred-challenges=dns --manual-auth-hook $PWD/add_txt_hook.sh --manual-cleanup-hook $PWD/remove_txt_hook.sh -d $MY_DOMAIN
fi
echo "00 15 * * SUN root cd /usr/local/bin/certbot && ./renewal.sh >> certbot.log 2>&1" > /etc/cron.d/cron_certbot
fi
Renewing:
"/usr/local/bin/certbot/renewal.sh":
mode: "000550"
owner: root
group: root
content: |
##!/bin/bash
MY_DOMAIN=$(/opt/elasticbeanstalk/bin/get-config environment | jq -r '.MY_DOMAIN')
PWD=`pwd`
ENV_ID=`{"Ref": "AWSEBEnvironmentId" }`
METADATA=/opt/aws/bin/ec2-metadata
INSTANCE_ID=`$METADATA -i | awk '{print $2}'`
REGION=`$METADATA -z | awk '{print substr($2, 0, length($2)-1)}'`
TODAY=`date +%Y-%m-%d`
STATUS=`aws elasticbeanstalk describe-environments --environment-ids $ENV_ID --region $REGION | awk '/"Status"/ {print substr($2, 1, length($2)-1)}' | sed 's/\"//g'`
while [ "$STATUS" != "Ready" ]; do
STATUS=`aws elasticbeanstalk describe-environments --environment-ids $ENV_ID --region $REGION | awk '/"Status"/ {print substr($2, 1, length($2)-1)}' | sed 's/\"//g'`
sleep 10
done
if ! /usr/local/bin/certbot/one_instance.sh; then
i="0"
while [ "$i" -lt 180 ] && [ ! -f /etc/letsencrypt/renewed_$TODAY ]; do
i=$[$i+1]
sleep 2
done
if [ ! -f /etc/letsencrypt/renewed_$TODAY ]; then
exit
else
/etc/init.d/httpd graceful; exit
fi
fi
./certbot-auto renew --debug --no-bootstrap --renew-hook "/etc/init.d/httpd graceful; touch /etc/letsencrypt/renewed_$TODAY; find /etc/letsencrypt/ -type f -name 'renewed_*' -mtime +0 -exec rm {} \;"
Only on one instance:
"/usr/local/bin/certbot/one_instance.sh":
mode: "000550"
owner: root
group: root
content: |
#!/bin/bash
METADATA=/opt/aws/bin/ec2-metadata
INSTANCE_ID=`$METADATA -i | awk '{print $2}'`
REGION=`$METADATA -z | awk '{print substr($2, 0, length($2)-1)}'`
ASG=`aws ec2 describe-tags --filters "Name=resource-id,Values=$INSTANCE_ID" \
--region $REGION --output text | awk '/aws:autoscaling:groupName/ {print $5}'`
SOLO_I=`aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names $ASG \
--region $REGION --output text | awk '/InService/ {print $4}' | sort | head -1`
[ "$SOLO_I" = "$INSTANCE_ID" ]
Executing:
commands:
01_start_certbot_deploy:
command: "/usr/local/bin/certbot/start_process.sh &>> certbot.log"
cwd: "/usr/local/bin/certbot"
02_delete_bak_files:
command: "rm -f *.bak"
cwd: "/usr/local/bin/certbot"
Thanks!