Editing Elastic Beanstalk Security Certificates Archived November 2020 (section)

== Generating LE Certificates ==

=== Running certbot-auto ===

<p class="alert alert-warning">WARNING! The `certbot-auto` script is not supported on Amazon Linux as of mid-2020.</p>

The following is an example `certbot-auto` command.

<pre>
$ sudo /opt/certbot/certbot-auto certonly --standalone --debug --non-interactive --email ${LETSENCRYPT_EMAIL} --agree-tos -d ${LETSENCRYPT_DOMAIN} -d www.${LETSENCRYPT_DOMAIN} --expand --renew-with-new-domains --pre-hook "service nginx stop"
</pre>

Different authentication methods can be specified. The method above creates a challenge file in the web server directory, then makes a http request for that file in order to confirm there is legitimate access to the website. This means that the domain name must point to the server where `certbot-auto` is running. 

=== Installing LE Certificates with nginx ===

The following instructions originate from [https://piratefache.ch/lets-encrypt-with-amazon-elastic-beanstalk/ Let's Encrypt with AWS Elastic Beanstalk] by “PirateFaché”. This installs LE certificates on nginx.

<p class="alert alert-warning">The following directives in the .ebextensions file will ''NOT'' change the configuration of the nginx server. See [[#Cannot_create_files_in_.2Fetc.2Fnginx.2Fconf.d_with_.ebextensions|Troubleshooting]] for details.</p>

Creating `/etc/nginx/conf.d/https_custom.conf` allows requests to port 443 to access the LE certificates

<syntaxhighlight lang="yaml">
# HTTPS server
server {
    listen       443 default ssl;
    server_name  localhost;
    error_page  497 https://$host$request_uri;

    ssl_certificate      /etc/letsencrypt/live/ebcert/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/ebcert/privkey.pem;

    ssl_session_timeout  5m;
    ssl_protocols  TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_prefer_server_ciphers   on;

    # Include the Elastic Beanstalk generated locations
    include conf.d/elasticbeanstalk/*.conf;
}
</syntaxhighlight>

It’s necessary to create a symbolic link from the “ebcert” directory specified in the file above with the actual directory containing the LE certificates:

<pre>
$ sudo ln -sf /etc/letsencrypt/live/wiki.dbarchowsky.com /etc/letsencrypt/live/ebcert
</pre>

Restart nginx

<pre>
$ sudo systemctl restart nginx
</pre>

At this point it should be possible to make https requests to the site:

<pre>
$ curl https://mydomain.com
</pre>

=== TLS 1.2 ===

Note that this line in `/etc/nginx/conf.d/https_custom.conf`

<pre>
ssl_protocols  TLSv1.1 TLSv1.2;
</pre>

Allows for both TLS 1.1 and TLS 1.2. TLS is the most current protocol (as of mid-2020) and addresses security issues with TLS 1.1. When confirming the certificate with [https://www.ssllabs.com/ssltest/ SSL Labs] this will result in a “B” grade only because TLS 1.1 is allowed. If you scroll down on the report TLS 1.2 is still supported. It looks like requests should still be handled if the client is limited to TLS 1.2.

=== Other Reference ===

* [https://pyliaorachel.github.io/blog/tech/system/2017/07/14/nginx-server-ssl-setup-on-aws-ec2-linux-with-letsencrypt.html Nginx Server SSL Setup on AWS EC2 Linux with Letsencrypt]<br />This covers some of the same territory as the link at the top of this section. Some configuration examples using Let’s Encrypt and Amazon Linux 2
* [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html Tutorial: Configure SSL/TLS on Amazon Linux 2]<br />This steers you to using apache, which is not running by default on an Amazon Linux 2 server by default. There is some information that helps understand how these servers are set up to process security certificates and https requests.
* [https://www.tutcodex.com/ssl-on-single-instance-elastic-beanstalk-tutorial/   SSL On Single Instance Elastic Beanstalk Tutorial]<br />Ultimately wasn’t helpful as it was configuring an Apache server. The basic steps are covered with working examples.
* [https://undebugable.blogspot.com/2019/07/setup-aws-amazon-elastic-beanstalk-to.html Setup (AWS) Amazon Elastic Beanstalk to work with Let's Encrypt]<br />Another Apache example]