Amazons-aws-elasticbeanstalk-lets-encrypt


#1

So I was having trouble to find something so I wrote this. I have tested most of the cases and it should work in general.
It does the whole thing, let me know if you have some remarks or improvement suggestions.

Thanks !

#Don’t use as is, check and modify according to your needs.

Requirements:

  1. ElasticBeanstalk Environmnet
  2. Ec2-elastic-beanstalk-service-role with access to Route53 Resource
  3. TCP Loadbalancer in front of EC2 instances
  4. Deployment policy rolling (one instance at a the time)
  5. NFS mount

It’s a single .ebextension:

jq package is needed:

packages:
  yum:
    jq: []

Creating jsons:

files:
  "/usr/local/bin/certbot/add_json.sh":
    mode: "000550"
    owner: root
    group: root
    content: |
      #!/bin/bash

      #Create TXT record JSON

      cat > $1_TXT.json << END
      {
        "Comment": "TXT Verification for CertBOT",
        "Changes": [
          {
            "Action": "$1",
            "ResourceRecordSet": {
              "Name": "_acme-challenge.$CERTBOT_DOMAIN",
              "Type": "TXT",
              "TTL": 300,
              "ResourceRecords": [
                {
                  "Value": "\"$CERTBOT_VALIDATION\""
                }
              ]
            }
          }
        ]
      }
      END

Removing hook to Route53:

  "/usr/local/bin/certbot/remove_txt_hook.sh":
    mode: "000550"
    owner: root
    group: root
    content: |
      #!/bin/bash
      PWD=`pwd`
      APEX_DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')
      ZONE_ID=`aws route53 list-hosted-zones --output text | awk '$4 ~ /^ *'$APEX_DOMAIN'/''{print $3}' | sed 's:.*/::'`

      aws route53 change-resource-record-sets \
        --hosted-zone-id $ZONE_ID --change-batch file://$PWD/DELETE_TXT.json

      rm CREATE_TXT.json
      rm DELETE_TXT.json

Adding hook to Route53:

  "/usr/local/bin/certbot/add_txt_hook.sh":
    mode: "000550"
    owner: root
    group: root
    content: |
      #!/bin/bash
      PWD=`pwd`
      APEX_DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')
      ZONE_ID=`aws route53 list-hosted-zones --output text | awk '$4 ~ /^ *'$APEX_DOMAIN'/''{print $3}' | sed 's:.*/::'`

      ./add_json.sh CREATE
      ./add_json.sh DELETE

      aws route53 change-resource-record-sets \
      --hosted-zone-id $ZONE_ID --change-batch file://$PWD/CREATE_TXT.json

      sleep 30

Deploying:

  "/usr/local/bin/certbot/start_process.sh":
    mode: "000550"
    owner: root
    group: root
    content: |
      #!/bin/bash
      MY_DOMAIN=$(/opt/elasticbeanstalk/bin/get-config environment | jq -r '.MY_DOMAIN')
      EFS_NAME=$(/opt/elasticbeanstalk/bin/get-config environment | jq -r '.EFS_NAME')
      PWD=`pwd`
      if [ "$MY_DOMAIN" = example.com ]; then

        if [ ! -d /etc/letsencrypt ]; then
          mkdir -p /etc/letsencrypt
        fi

        if ! grep -qs ' /etc/letsencrypt ' /proc/mounts; then
          mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 $EFS_NAME:/.certificates/.letsencrypt /etc/letsencrypt || exit
        fi

        if [ ! -f certbot-auto ]; then
          yum -y install mod24_ssl augeas-libs libffi-devel python27-tools system-rpm-config
          wget https://dl.eff.org/certbot-auto
          chmod 550 certbot-auto
        fi

        if [ ! -f /etc/letsencrypt/live/$MY_DOMAIN/fullchain.pem ]; then
          ./certbot-auto certonly --debug -n --no-bootstrap --email <your e-mail> --agree-tos --manual-public-ip-logging-ok --manual --preferred-challenges=dns --manual-auth-hook $PWD/add_txt_hook.sh --manual-cleanup-hook $PWD/remove_txt_hook.sh -d $MY_DOMAIN
        fi
      echo "00 15 * * SUN root cd /usr/local/bin/certbot && ./renewal.sh >> certbot.log 2>&1" > /etc/cron.d/cron_certbot
      fi

Renewing:

  "/usr/local/bin/certbot/renewal.sh":
    mode: "000550"
    owner: root
    group: root
    content: |
      ##!/bin/bash
      MY_DOMAIN=$(/opt/elasticbeanstalk/bin/get-config environment | jq -r '.MY_DOMAIN')
      PWD=`pwd`
      ENV_ID=`{"Ref": "AWSEBEnvironmentId" }`
      METADATA=/opt/aws/bin/ec2-metadata
      INSTANCE_ID=`$METADATA -i | awk '{print $2}'`
      REGION=`$METADATA -z | awk '{print substr($2, 0, length($2)-1)}'`
      TODAY=`date +%Y-%m-%d`
      STATUS=`aws elasticbeanstalk describe-environments --environment-ids $ENV_ID --region $REGION | awk '/"Status"/ {print substr($2, 1, length($2)-1)}' | sed 's/\"//g'`
      
      while [ "$STATUS" != "Ready" ]; do
        STATUS=`aws elasticbeanstalk describe-environments --environment-ids $ENV_ID --region $REGION | awk '/"Status"/ {print substr($2, 1, length($2)-1)}' | sed 's/\"//g'`
        sleep 10
      done
      
      if ! /usr/local/bin/certbot/one_instance.sh; then
        i="0"
        while [ "$i" -lt 180 ] && [ ! -f /etc/letsencrypt/renewed_$TODAY ]; do
          i=$[$i+1]
          sleep 2
        done
        if [ ! -f /etc/letsencrypt/renewed_$TODAY ]; then
          exit
        else
          /etc/init.d/httpd graceful; exit
        fi
      fi
      ./certbot-auto renew --debug --no-bootstrap --renew-hook "/etc/init.d/httpd graceful; touch /etc/letsencrypt/renewed_$TODAY; find /etc/letsencrypt/ -type f -name 'renewed_*' -mtime +0 -exec rm {} \;"

Only on one instance:

  "/usr/local/bin/certbot/one_instance.sh":
    mode: "000550"
    owner: root
    group: root
    content: |
      #!/bin/bash

      METADATA=/opt/aws/bin/ec2-metadata
      INSTANCE_ID=`$METADATA -i | awk '{print $2}'`
      REGION=`$METADATA -z | awk '{print substr($2, 0, length($2)-1)}'`

      ASG=`aws ec2 describe-tags --filters "Name=resource-id,Values=$INSTANCE_ID" \
        --region $REGION --output text | awk '/aws:autoscaling:groupName/ {print $5}'`

      SOLO_I=`aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names $ASG \
        --region $REGION --output text | awk '/InService/ {print $4}' | sort | head -1`

      [ "$SOLO_I" = "$INSTANCE_ID" ]

Executing:

commands:
  01_start_certbot_deploy:
    command: "/usr/local/bin/certbot/start_process.sh &>> certbot.log"
    cwd: "/usr/local/bin/certbot"
  02_delete_bak_files:
    command: "rm -f *.bak"
    cwd: "/usr/local/bin/certbot"

Thanks!


#3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.