



How to get an SSL certificate running in AWS Elastic Beanstalk using Certbot

When you want an SSL certificate to ensure encrypted communication between your applications and the user, AWS gives you the option to use Amazon Certificate Manager (ACM). However, ACM can only be used together with an Elastic Load Balancer (ELB), which costs around $18/month. If you don’t need the advantages of a load balancer and you want to save some money, here is a guide on how to get a free SSL certificate from Let’s Encrypt in your Elastic Beanstalk (EB) environment on Amazon Linux 2.

Let’s first refresh some concepts:

Elastic Beanstalk is a PaaS (Platform as a Service) that allows developers to deploy and scale web applications easily.

Certbot is a tool to enable HTTPS by deploying a Let’s Encrypt certificate easily and for free.

Every time a new application version is deployed to Elastic Beanstalk or the environment configuration is updated, the Nginx/Apache configuration is overwritten. So we are not dealing with a normal EC2 machine where you can connect and install the certificate as on a typical server (or you would have to do it every time, which of course is not ideal).

To make this work, we need to add to our project some files that Elastic Beanstalk will execute every time the application is deployed.

In summary, the steps we need to make this work are:

Please remember that the domain you want to configure needs to point to the server, so the HTTP connection should already be working before you continue with the steps.

Let’s check step by step how to get it working.

When customizing the machine Elastic Beanstalk deploys, there is a way to run scripts to change the standard configuration. These scripts are known as ebextensions.

First of all, you need to create a .ebextensions folder in the root of your project and create a file inside it with the .config extension. The script files are executed alphabetically, so it’s recommended to add a number in front of the filename.

In this script we download, install and enable EPEL (Certbot needs it to run on Amazon Linux 2). In the last step, we finally install Certbot. If you are using Apache, replace python2-certbot-nginx with python2-certbot-apache.
When Certbot is installed, it creates the folder /etc/letsencrypt/, so we add the line test: test ! -d "/etc/letsencrypt/". If the folder already exists, the test fails and the step is not executed, which avoids reinstalling Certbot.

The security group created by default in Elastic Beanstalk only has ports 80 and 22 open. The default HTTPS port is 443, so we need to open it. If you don’t, you’ll get a timeout error when you try to connect through HTTPS.

Since the security group is overwritten every time the application is deployed, as in step 1, we need to add the following content to a .config file. You can use the one you already created or a new one.

In Elastic Beanstalk we can write prebuild, predeploy and postdeploy hooks.

To understand the deployment flow, please take a look at the image below:

We need to run a script during the postdeploy stage to ensure that Certbot’s Nginx configuration remains in place.

Therefore, we need to create a folder .platform/hooks/postdeploy in the root of our project, with a .sh file inside it. The recommendation for the name is the same as for ebextensions files: a number at the front.

Replace DOMAIN with the instance domain you want to create the certificate for. You can add as many domains as you want, separated by commas.
Replace EMAIL with the email you want for the certificate.
If you use Apache, replace --nginx with --apache.

When the script is executed, Certbot configures Nginx or Apache automatically.
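
A hardened form of such a postdeploy hook, as an added example that is not the original post's script. CERT_DOMAINS, CERT_EMAIL and CERT_PLUGIN are hypothetical variable names, assumed to be set as environment properties visible to the hook; the values are checked against an allowlist before they reach Certbot.

```shell
#!/bin/sh
# Added example for .platform/hooks/postdeploy/ (pick your own numbered file name).
# CERT_DOMAINS, CERT_EMAIL and CERT_PLUGIN are hypothetical variable names.

# Succeed only for a comma-separated list of fully qualified hostnames.
valid_domains() {
  case $1 in
    '' | *[!A-Za-z0-9.,-]*) return 1 ;;   # empty, or a character no hostname needs
    [.,-]* | *[.,-]) return 1 ;;          # leading or trailing separator
    *[.,-][.,]* | *[.,]-*) return 1 ;;    # empty label, or label edged by a hyphen
  esac
  # Every list item needs at least two labels (rejects e.g. "localhost").
  printf '%s\n' "$1" | grep -Eq '^[^,.]+(\.[^,.]+)+(,[^,.]+(\.[^,.]+)+)*$'
}

# Conservative allowlist: exactly one "@", a dot in the domain part,
# and no whitespace or shell metacharacters.
valid_email() {
  case $1 in
    *[!A-Za-z0-9@._+-]* | *@*@*) return 1 ;;
    ?*@?*.?*) return 0 ;;
  esac
  return 1
}

# Usage: issue_certificate DOMAINS EMAIL [nginx|apache]
issue_certificate() {
  valid_domains "$1" || { echo "refusing domain list: $1" >&2; return 1; }
  valid_email "$2" || { echo "refusing email: $2" >&2; return 1; }
  case ${3:-nginx} in
    nginx | apache) ;;
    *) echo "unknown plugin: $3" >&2; return 1 ;;
  esac
  # -n: never prompt (a hook has no terminal). Each value is one quoted word.
  certbot -n -d "$1" "--${3:-nginx}" --agree-tos --email "$2"
}

if [ -n "${CERT_DOMAINS:-}" ]; then
  issue_certificate "$CERT_DOMAINS" "${CERT_EMAIL:-}" "${CERT_PLUGIN:-nginx}" || exit 1
else
  echo "CERT_DOMAINS is not set; skipping certificate issuance" >&2
fi
```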

Now we have the script file created, but we have to grant it executable permissions in the Elastic Beanstalk instance. We have to add the following code to our ebextensions file (again, an existing or a new one).

Certbot recommends renewing the certificate twice a day, so we can schedule this task using a cron job.

To do this, we need to add this block to our ebextensions script file.

After all these steps, your project structure should look like this:

And with this we are good to go!

Since things sometimes go wrong, here are some tips for debugging:

After you have added all this to your project, you only need to zip the code (if it’s a jar or war project, you need to zip the jar or war file, the .ebextensions folder, and the .platform folder) and deploy it to the Elastic Beanstalk instance.

When you are connected you can perform some checks.

Other useful commands are:

If you want to use CodeBuild to deploy the application, you need to ensure that the .platform and .ebextensions folders are copied to the artifact in CodeBuild.

In Java, for example, we can add this to our buildspec file:
