s3 integration

Author: Tom Yates

.DS_Store

@@ -5,6 +5,40 @@ set -e
 # Loadvars
 . /opt/elasticbeanstalk/support/envvars
 
+# Check if there is certificate on S3 that we can use
+
+ACCOUNT_ID=$(aws sts get-caller-identity --output text --query 'Account')
+REGION=$(curl http://169.254.169.254/latest/dynamic/instance-identity/document|grep region|awk -F\" '{print $4}')
+
+echo $ACCOUNT_ID
+echo $REGION
+echo "bonjour"
+
+URL="s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/ssl.conf"
+
+count=$(aws s3 ls $URL | wc -l)
+if [ $count -gt 0 ]
+then
+  echo "SSL Already Exists on S3"
+ # Copy from S3 bucket
+
+    if [ ! -f /etc/httpd/conf.d/ssl.conf ] ; then
+
+	echo "copying from bucket"
+        aws s3 cp s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/ssl.conf /etc/httpd/conf.d/ssl.conf
+        aws s3 cp s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/cert.pem /etc/letsencrypt/live/$LE_SSL_DOMAIN/cert.pem
+        aws s3 cp s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/privkey.pem /etc/letsencrypt/live/$LE_SSL_DOMAIN/privkey.pem
+        aws s3 cp s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/fullchain.pem /etc/letsencrypt/live/$LE_SSL_DOMAIN/fullchain.pem
+
+        # restart
+        sudo service httpd restart
+
+    fi
+
+else
+  echo "does not exist on s3"
+fi
+
 # Install if no SSL certificate installed or SSL install on deploy is true
 
 if [[ ("$LE_INSTALL_SSL_ON_DEPLOY" = true) || (! -f /etc/httpd/conf.d/ssl.conf) ]] ; then
@@ -52,3 +86,12 @@ if [[ ("$LE_INSTALL_SSL_ON_DEPLOY" = true) || (! -f /etc/httpd/conf.d/ssl.conf)
     sudo service httpd restart
 
 fi
+
+echo 'copying certificate'
+
+# Copy cert to S3 regardless of outcome
+
+aws s3 cp /etc/httpd/conf.d/ssl.conf s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/ssl.conf
+aws s3 cp /etc/letsencrypt/live/$LE_SSL_DOMAIN/cert.pem s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/cert.pem
+aws s3 cp /etc/letsencrypt/live/$LE_SSL_DOMAIN/privkey.pem s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/privkey.pem
+aws s3 cp /etc/letsencrypt/live/$LE_SSL_DOMAIN/fullchain.pem s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/fullchain.pem

.ebextensions/9-letsencrypt-ssl-install.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -e
+# Loadvars
+. /opt/elasticbeanstalk/support/envvars
+
+# Check if there is certificate on S3 that we can use
+
+ACCOUNT_ID=$(aws sts get-caller-identity --output text --query 'Account')
+REGION=$(curl http://169.254.169.254/latest/dynamic/instance-identity/document|grep region|awk -F\" '{print $4}')
+
+echo $ACCOUNT_ID
+echo $REGION
+
+URL="s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/ssl.conf"
+
+echo 'copying certificate'
+
+# Copy cert to S3 regardless of outcome
+
+aws s3 cp /etc/httpd/conf.d/ssl.conf s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/ssl.conf
+aws s3 cp /etc/letsencrypt/live/$LE_SSL_DOMAIN/cert.pem s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/cert.pem
+aws s3 cp /etc/letsencrypt/live/$LE_SSL_DOMAIN/privkey.pem s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/privkey.pem
+aws s3 cp /etc/letsencrypt/live/$LE_SSL_DOMAIN/fullchain.pem s3://elasticbeanstalk-$REGION-$ACCOUNT_ID/ssl/$LE_SSL_DOMAIN/fullchain.pem
+
+
+
+

.ebextensions/9-post-renew-cp-s3.sh

@@ -1,6 +1,6 @@
 option_settings:
   - namespace: aws:elasticbeanstalk:application:environment
-    option_name: LE_SSL_DOMAIN
+    option_name:  LE_SSL_DOMAIN
     value: placeholder
   - namespace: aws:elasticbeanstalk:application:environment
     option_name: LE_EMAIL
@@ -14,6 +14,10 @@ container_commands:
     command: "sudo cp .ebextensions/9-letsencrypt-ssl-install.sh /opt/elasticbeanstalk/hooks/appdeploy/post/9-letsencrypt-ssl-install.sh && sudo chmod +x /opt/elasticbeanstalk/hooks/appdeploy/post/9-letsencrypt-ssl-install.sh"
   20_cpssltemplate:
     command: "sudo cp .ebextensions/ssl.conf.template /etc/httpd/conf.d/ssl.conf.template"
+  30_postrenews3:
+    command: "sudo cp .ebextensions/9-post-renew-cp-s3.sh /etc/9-post-renew-cp-s3.sh && sudo chmod +x /etc/9-post-renew-cp-s3.sh"
+  40_cron_job:
+    command: "crontab /tmp/cronjob"
 
 Resources:
   icmpSecurityGroupIngress:
@@ -41,6 +45,8 @@ files:
     group: ec2-user
     content: |
       # renew ssl
-      0 0 * * 0 /certbot/certbot-auto renew
+      0 3 * * 0 /certbot/certbot-auto renew
+      # post install ssl s3
+      0 3 * * 0 /etc/9-post-renew-cp-s3.sh
 
-    encoding: plain
+    encoding: plain

.ebextensions/9-ssl-letsencrypt-single-instance.config

@@ -10,6 +10,8 @@
 3. Either change the values of environment variables in the config file, or add them to the container option from the console.
 
 4. EB Deploy. The script will:
+- If SSL certificate already installed does nothing.
+- Checks to see if the SSL certificate already exists on the S3 bucket used for storing applicatons. If it does, it downloads and installs from S3.
 - Check to see if /etc/httpd/conf.d/ssl.conf exists already and if not, attempts to install certificate
 - Allow incoming traffic on port 443
 - Allow pinging to the server
@@ -19,6 +21,7 @@
 - Configure the Apache server with new certificate
 - Restart Apache
 - Install weekly cron to auto-update certificate
+- Install weekly cron to copy updated certificate to S3
 
 5. After setup, you may force install the SSL certificate again by changing `LE_INSTALL_SSL_ON_DEPLOY` to `true`.
 
@@ -30,4 +33,5 @@
 wget https://raw.githubusercontent.com/tomyates/letsencrypt-install-elasticbeanstalk-single-instance/master/.ebextensions/9-ssl-letsencrypt-single-instance.config
 wget https://raw.githubusercontent.com/tomyates/letsencrypt-install-elasticbeanstalk-single-instance/master/.ebextensions/9-letsencrypt-ssl-install.sh
 wget https://raw.githubusercontent.com/tomyates/letsencrypt-install-elasticbeanstalk-single-instance/master/.ebextensions/ssl.conf.template
+wget https://raw.githubusercontent.com/tomyates/letsencrypt-install-elasticbeanstalk-single-instance/master/.ebextensions/9-post-renew-cp-s3.sh
 ```