I have a REST API hosted on AWS with Elastic Beanstalk. All the code works as intended when I access it over HTTP, and the SSL cert is set up correctly as far as I'm aware. I think the problem I'm having is with nginx, but I'm not sure where. I have port 443 open with a .ebextensions config file:
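---
# .ebextensions: open port 443 on the environment's EC2 security group.
# Indentation restored — the page had flattened this file, and YAML
# nesting is what ties the Properties to the SecurityGroupIngress resource.
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      # AWSEBSecurityGroup is the group Elastic Beanstalk creates for the
      # instances of this environment.
      GroupId: {"Fn::GetAtt":["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      # 0.0.0.0/0 admits every IPv4 source — expected for a public HTTPS
      # endpoint. Only IPv4 is opened here; there is no CidrIpv6 rule.
      CidrIp: 0.0.0.0/0
# Configure for single instance and apache
# NOTE(review): the post-deploy hook that accompanies this file edits
# /etc/nginx/nginx.conf, so the proxy in use appears to be nginx, not apache.
option_settings:
  aws:elasticbeanstalk:environment:
    EnvironmentType: SingleInstance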
And here's the script that sets up the SSL cert:
#!/bin/bash
# IMPORTANT: use this shebang, otherwise the following error occurs: "failed with error exit status 127. Stderr:/usr/bin/env: bash: No such file or directory"
# IMPORTANT: use LF instead of CRLF for .sh files, otherwise the following error occurs: "00_ssl_setup_certbot.sh: no such file or directory"
# IMPORTANT: for LF, also set "* text eol=lf" in the ".gitattributes" file, otherwise git will convert it back to CRLF on Windows :(
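set -euo pipefail

# Postdeploy script for enabling SSL (single instance)
# Compatible only with Amazon Linux 2 EC2 instances

# Location of the EB hooks log. Logging is best-effort: log_level skips
# output when LOG_PATH is empty, so a missing log file must not abort the
# deploy. `head -n 1` keeps a single path if several files match (a
# multi-line value would break `tee -a "$LOG_PATH"`), and `|| true` keeps
# a failing find from tripping `set -e`. Computed once (the original
# script evaluated this find twice).
LOG_PATH=$(find /var/log/ -type f -iname 'eb-hooks.log' 2>/dev/null | head -n 1 || true)

# IMPORTANT: no whitespaces in CERTBOT_NAME, otherwise following error: "invalid number of arguments in "ssl_certificate" directive in /etc/nginx/nginx.conf:81"
CERTBOT_NAME='Sealion'
# Placeholders from the original post — replace with real values before deploying.
CERTBOT_EMAIL='<email>'
# Multiple domain example: CERTBOT_DOMAINS='bort.com,www.bort.com,bort-env.eba-2kg3gsq2.us-east-2.elasticbeanstalk.com'
CERTBOT_DOMAINS='<URL>'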
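#######################################
# Append one timestamped line to the EB hooks log and echo it to stdout.
# Globals:   LOG_PATH (read) — when empty, nothing is written or printed
# Arguments: $1 - level tag (DEBUG, INFO, ERROR)
#            $2 - message
# Outputs:   "<UTC timestamp> | <level>: <message>" to stdout and LOG_PATH
#######################################
log_level() {
  local level=$1 msg=$2 ts
  if [[ -n "$LOG_PATH" ]]; then
    # Timestamp is local to the call; the original leaked it into a global.
    ts=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
    # printf rather than echo: the message is data and may start with '-'
    # or contain backslashes, which echo would interpret.
    printf '%s | %s: %s\n' "$ts" "$level" "$msg" | tee -a "$LOG_PATH"
  fi
}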
# Log a DEBUG-level message via log_level.
log_debug() {
  log_level 'DEBUG' "$1"
}
# Log an INFO-level message via log_level.
log_info() {
  log_level 'INFO' "$1"
}
# Log an ERROR-level message via log_level.
log_error() {
  log_level 'ERROR' "$1"
}
# Variable check: all three certbot parameters must be non-empty before
# anything is installed or edited.
log_debug "Check certbot variables"
if [[ -z "$CERTBOT_NAME" || -z "$CERTBOT_EMAIL" || -z "$CERTBOT_DOMAINS" ]]; then
  log_error 'Certbot and/or proxy server information is missing.'
  exit 1
fi
# Install EPEL, skipping the download when the release package is already present.
# Source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/amazon-linux-ami-basics.html
log_debug "yum: Install EPEL"
yum list installed epel-release \
  || yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# Install certbot and its nginx plugin, only once EPEL is in place and
# only if certbot is not already on PATH.
log_debug "yum: Install certbot"
if yum list installed epel-release; then
  if ! command -v certbot &>/dev/null; then
    yum install -y certbot python2-certbot-nginx
  fi
fi
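# nginx: increase the server-name limit so long --domains values fit
# (default EB configs). The directive is inserted right after the `http {`
# line; GNU sed turns the `\n` in NAME_LIMIT into real line breaks.
HTTP_STRING='^http\s*{$'
NAME_LIMIT='http {\nserver_names_hash_bucket_size 192;\n'
# Idempotency guard (prevent replace if not clean sample app): skip the edit
# when the directive is already in the file. The original tested
# `grep -Fxq "$NAME_LIMIT"`, which can never match — after sed the pattern
# spans several lines, and -x requires a whole single line — so every
# redeploy inserted another copy and nginx -t then failed on the duplicate.
if ! grep -Fq 'server_names_hash_bucket_size' /etc/nginx/nginx.conf; then
  log_debug "nginx: Increase name limit"
  if ! sed -i "s/$HTTP_STRING/$NAME_LIMIT/g" /etc/nginx/nginx.conf; then
    log_error 'Changing server name limit failed'
    exit 1
  fi
fi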
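# Set up certificates
if command -v certbot &>/dev/null; then
  log_debug "nginx: Check configuration"
  if nginx -t; then
    log_debug "certbot: Install nginx configuration"
    # --keep-until-expiring makes a redeploy a no-op while the existing
    # certificate is still valid; --redirect rewrites the nginx server block
    # to send HTTP to HTTPS. A failure is logged explicitly instead of
    # relying on `set -e` to exit silently with certbot's status.
    if ! certbot --nginx \
      --cert-name "$CERTBOT_NAME" \
      --email "$CERTBOT_EMAIL" \
      --domains "$CERTBOT_DOMAINS" \
      --redirect \
      --agree-tos \
      --no-eff-email \
      --keep-until-expiring \
      --non-interactive; then
      log_error 'certbot failed to obtain or install the certificate.'
      exit 1
    fi
  else
    log_error 'Nginx configuration is invalid.'
    exit 1
  fi
else
  log_error 'Certbot installation may have failed.'
  exit 1
fi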
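# cron: Attempt to renew certificates twice a day (to account for revocations, etc.)
# Written with `>` rather than `>>` so a redeploy replaces the file instead of
# stacking a duplicate MAILTO/job pair every time this hook runs. The heredoc
# delimiter is unquoted on purpose: $CERTBOT_EMAIL must expand here.
cat > /etc/cron.d/certbot_renew << END_CRON
MAILTO="$CERTBOT_EMAIL"
42 2,14 * * * root certbot renew --quiet --no-self-upgrade --deploy-hook "service nginx reload && service nginx restart"
END_CRON
# NOTE(review): kept from the original; cron.d entries are conventionally
# 0644 and the executable bit is not obviously required — confirm on AL2.
chmod +x /etc/cron.d/certbot_renew
log_info 'Script ran successfully.'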
Suggest testing connectivity using the curl command.
Suggest inspecting and configuring the firewall.
In Red Hat based Linux (RHEL, CentOS, Fedora, Oracle...), read this article.