
Commit 0722bda

author
Tom Yates
committed
s3 integration
1 parent 319b727 commit 0722bda

5 files changed

+83
-3
lines changed

.DS_Store

6 KB
Binary file not shown.

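--- a/.ebextensions/9-letsencrypt-ssl-install.sh
+++ b/.ebextensions/9-letsencrypt-ssl-install.sh
@@ -5,6 +5,40 @@ set -e
 # Loadvars
 . /opt/elasticbeanstalk/support/envvars
 
+# Check if there is certificate on S3 that we can use
+
+ACCOUNT_ID=$(aws sts get-caller-identity --output text --query 'Account')
+REGION=$(curl http://169.254.169.254/latest/dynamic/instance-identity/document|grep region|awk -F\" '{print $4}')
+
+echo $ACCOUNT_ID
+echo $REGION
+echo "bonjour"
+
+URL="s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/ssl.conf"
+
+count=$(aws s3 ls $URL | wc -l)
+if [ $count -gt 0 ]
+then
+echo "SSL Already Exists on S3"
+# Copy from S3 bucket
+
+if [ ! -f /etc/httpd/conf.d/ssl.conf ] ; then
+
+echo "copying from bucket"
+aws s3 cp s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/ssl.conf /etc/httpd/conf.d/ssl.conf
+aws s3 cp s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/cert.pem /etc/letsencrypt/live/$LE_SSL_DOMAIN/cert.pem
+aws s3 cp s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/privkey.pem /etc/letsencrypt/live/$LE_SSL_DOMAIN/privkey.pem
+aws s3 cp s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/fullchain.pem /etc/letsencrypt/live/$LE_SSL_DOMAIN/fullchain.pem
+
+# restart
+sudo service httpd restart
+
+fi
+
+else
+echo "does not exist on s3"
+fi
+
 # Install if no SSL certificate installed or SSL install on deploy is true
 
 if [[ ("$LE_INSTALL_SSL_ON_DEPLOY" = true) || (! -f /etc/httpd/conf.d/ssl.conf) ]] ; then
@@ -52,3 +86,12 @@ if [[ ("$LE_INSTALL_SSL_ON_DEPLOY" = true) || (! -f /etc/httpd/conf.d/ssl.conf)
 sudo service httpd restart
 
 fi
+
+echo 'copying certificate'
+
+# Copy cert to S3 regardless of outcome
+
+aws s3 cp /etc/httpd/conf.d/ssl.conf s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/ssl.conf
+aws s3 cp /etc/letsencrypt/live/$LE_SSL_DOMAIN/cert.pem s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/cert.pem
+aws s3 cp /etc/letsencrypt/live/$LE_SSL_DOMAIN/privkey.pem s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/privkey.pem
+aws s3 cp /etc/letsencrypt/live/$LE_SSL_DOMAIN/fullchain.pem s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/fullchain.pem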
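Review bot: The upload block at the end of the second hunk copies `privkey.pem` into the shared `elasticbeanstalk-$REGION-$ACCOUNT_ID` bucket without requesting server-side encryption or narrowing who may read the `ssl/` prefix, so any principal with read access to that bucket can presumably fetch the TLS private key. Adding `--sse aws:kms` to the four `aws s3 cp` uploads, restricting the prefix to the instance role in the bucket policy, and running `chmod 600 "/etc/letsencrypt/live/$LE_SSL_DOMAIN/privkey.pem"` after the download in the first hunk would close most of that exposure. The download path also installs `ssl.conf` from the bucket into `/etc/httpd/conf.d/` and restarts Apache, so write access to that prefix amounts to control over the web server configuration. Because the script runs under `set -e`, the "regardless of outcome" upload aborts the deploy hook when the certificate files are missing; the same upload block is repeated in `.ebextensions/9-post-renew-cp-s3.sh`.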

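--- a/.ebextensions/9-post-renew-cp-s3.sh
+++ b/.ebextensions/9-post-renew-cp-s3.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -e
+# Loadvars
+. /opt/elasticbeanstalk/support/envvars
+
+# Check if there is certificate on S3 that we can use
+
+ACCOUNT_ID=$(aws sts get-caller-identity --output text --query 'Account')
+REGION=$(curl http://169.254.169.254/latest/dynamic/instance-identity/document|grep region|awk -F\" '{print $4}')
+
+echo $ACCOUNT_ID
+echo $REGION
+
+URL="s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/ssl.conf"
+
+echo 'copying certificate'
+
+# Copy cert to S3 regardless of outcome
+
+aws s3 cp /etc/httpd/conf.d/ssl.conf s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/ssl.conf
+aws s3 cp /etc/letsencrypt/live/$LE_SSL_DOMAIN/cert.pem s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/cert.pem
+aws s3 cp /etc/letsencrypt/live/$LE_SSL_DOMAIN/privkey.pem s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/privkey.pem
+aws s3 cp /etc/letsencrypt/live/$LE_SSL_DOMAIN/fullchain.pem s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/fullchain.pem
+
+
+
+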
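Review bot: `REGION` comes from a plain IMDSv1 `curl` piped through `grep` and `awk`, and neither `set -e` nor the pipeline notices a failed or rejected request, so on an instance that requires IMDSv2 tokens (or on any metadata error) `REGION` ends up empty and the uploads target a bucket name the script did not intend. A guard right after the assignment, `: "${REGION:?could not determine region}"`, together with `set -o pipefail` and `curl -sf`, would stop the script before the private key is copied anywhere. The same lookup is added in `.ebextensions/9-letsencrypt-ssl-install.sh`. `URL` is assigned but never used in this file, the header comment still says "Check if there is certificate on S3" although the script only uploads, and the two `echo` lines look like leftover debug output.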

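--- a/.ebextensions/9-ssl-letsencrypt-single-instance.config
+++ b/.ebextensions/9-ssl-letsencrypt-single-instance.config
@@ -1,6 +1,6 @@
 option_settings:
 - namespace: aws:elasticbeanstalk:application:environment
-option_name: LE_SSL_DOMAIN
+option_name: LE_SSL_DOMAIN
 value: placeholder
 - namespace: aws:elasticbeanstalk:application:environment
 option_name: LE_EMAIL
@@ -14,6 +14,10 @@ container_commands:
 command: "sudo cp .ebextensions/9-letsencrypt-ssl-install.sh /opt/elasticbeanstalk/hooks/appdeploy/post/9-letsencrypt-ssl-install.sh && sudo chmod +x /opt/elasticbeanstalk/hooks/appdeploy/post/9-letsencrypt-ssl-install.sh"
 20_cpssltemplate:
 command: "sudo cp .ebextensions/ssl.conf.template /etc/httpd/conf.d/ssl.conf.template"
+30_postrenews3:
+command: "sudo cp .ebextensions/9-post-renew-cp-s3.sh /etc/9-post-renew-cp-s3.sh && sudo chmod +x /etc/9-post-renew-cp-s3.sh"
+40_cron_job:
+command: "crontab /tmp/cronjob"
 
 Resources:
 icmpSecurityGroupIngress:
@@ -41,6 +45,8 @@ files:
 group: ec2-user
 content: |
 # renew ssl
-0 0 * * 0 /certbot/certbot-auto renew
+0 3 * * 0 /certbot/certbot-auto renew
+# post install ssl s3
+0 3 * * 0 /etc/9-post-renew-cp-s3.sh
 
-encoding: plain
+encoding: plain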
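Review bot: The renewal and the S3 copy are both scheduled at `0 3 * * 0` in the last hunk, so cron starts them at the same moment and the copy will usually upload the pre-renewal certificate and key, leaving the bucket a week behind. Chaining them in one entry, `0 3 * * 0 /certbot/certbot-auto renew && /etc/9-post-renew-cp-s3.sh`, or handing the script to certbot through `--deploy-hook`, ties the upload to a completed renewal. Separately, `crontab /tmp/cronjob` in `40_cron_job` replaces the entire crontab of whichever user runs the container command, and a crontab source staged under `/tmp` should be confirmed to be root-owned and not writable by other users; the `files:` entry that creates it is only partly visible in this hunk.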

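--- a/README.md
+++ b/README.md
@@ -10,6 +10,8 @@
 3. Either change the values of environment variables in the config file, or add them to the container option from the console.
 
 4. EB Deploy. The script will:
+- If SSL certificate already installed does nothing.
+- Checks to see if the SSL certificate already exists on the S3 bucket used for storing applicatons. If it does, it downloads and installs from S3.
 - Check to see if /etc/httpd/conf.d/ssl.conf exists already and if not, attempts to install certificate
 - Allow incoming traffic on port 443
 - Allow pinging to the server
@@ -19,6 +21,7 @@
 - Configure the Apache server with new certificate
 - Restart Apache
 - Install weekly cron to auto-update certificate
+- Install weekly cron to copy updated certificate to S3
 
 5. After setup, you may force install the SSL certificate again by changing `LE_INSTALL_SSL_ON_DEPLOY` to `true`.
 
@@ -30,4 +33,5 @@
 wget https://raw.githubusercontent.com/tomyates/letsencrypt-install-elasticbeanstalk-single-instance/master/.ebextensions/9-ssl-letsencrypt-single-instance.config
 wget https://raw.githubusercontent.com/tomyates/letsencrypt-install-elasticbeanstalk-single-instance/master/.ebextensions/9-letsencrypt-ssl-install.sh
 wget https://raw.githubusercontent.com/tomyates/letsencrypt-install-elasticbeanstalk-single-instance/master/.ebextensions/ssl.conf.template
+wget https://raw.githubusercontent.com/tomyates/letsencrypt-install-elasticbeanstalk-single-instance/master/.ebextensions/9-post-renew-cp-s3.sh
 ```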
