Elastic Beanstalk Security Certificates Archived November 2020

From Littledamien Wiki

Warning about the contents of this page

Note that all the information on this page is DEPRECATED. It is preserved here for archival purposes.

Generating LE Certificates

Running certbot-auto

WARNING! The certbot-auto script is not supported on Amazon Linux as of mid-2020.

The following is an example certbot-auto command.

$ sudo /opt/certbot/certbot-auto certonly --standalone --debug --non-interactive --email ${LETSENCRYPT_EMAIL} --agree-tos -d ${LETSENCRYPT_DOMAIN} -d www.${LETSENCRYPT_DOMAIN} --expand --renew-with-new-domains --pre-hook "service nginx stop"

Different authentication methods can be specified. The method above creates a challenge file in the web server directory, then makes an HTTP request for that file in order to confirm there is legitimate control of the website. This means that the domain name must point to the server where certbot-auto is running.

Installing LE Certificates with nginx

The following instructions originate from the article "Let's Encrypt with AWS Elastic Beanstalk" by “PirateFaché”. They install LE certificates for nginx.

The following directives in the .ebextensions file will NOT change the configuration of the nginx server. See Troubleshooting for details.

Creating /etc/nginx/conf.d/https_custom.conf with the following contents allows requests on port 443 to be served with the LE certificates:

# HTTPS server
server {
    listen       443 default ssl;
    server_name  localhost;
    error_page  497 https://$host$request_uri;

    ssl_certificate      /etc/letsencrypt/live/ebcert/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/ebcert/privkey.pem;

    ssl_session_timeout  5m;
    ssl_protocols  TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_prefer_server_ciphers   on;

    # Include the Elastic Beanstalk generated locations
    include conf.d/elasticbeanstalk/*.conf;
}

It’s necessary to create a symbolic link from the “ebcert” directory specified in the file above to the actual directory containing the LE certificates:

$ sudo ln -sf /etc/letsencrypt/live/wiki.dbarchowsky.com /etc/letsencrypt/live/ebcert

Restart nginx:

$ sudo systemctl restart nginx

At this point it should be possible to make HTTPS requests to the site:

$ curl https://mydomain.com

TLS 1.2

Note that this line in /etc/nginx/conf.d/https_custom.conf

ssl_protocols  TLSv1.1 TLSv1.2;

allows both TLS 1.1 and TLS 1.2. TLS 1.2 is the more current of the two (as of mid-2020) and addresses security issues in TLS 1.1. When checking the certificate with SSL Labs this will result in a “B” grade, solely because TLS 1.1 is allowed. If you scroll down on the report, TLS 1.2 is still listed as supported. It looks like requests should still be handled if the client is limited to TLS 1.2.
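As an added example that is not part of the original wiki page, the POSIX shell script below bundles two pre-restart checks for the setup described above: that the “ebcert” symlink resolves to a directory holding fullchain.pem and privkey.pem (the symlink step), and that the ssl_protocols directive in https_custom.conf no longer lists TLS 1.1 (the cause of the “B” grade). The function names and the demo fixture paths are this example's own assumptions; the demo builds everything in a temporary directory and uses no real keys.

```shell
#!/bin/sh
# Added example, not from the original page. Checks for the nginx + Let's
# Encrypt setup above; file and function names are this example's own.

# Print the value list of the ssl_protocols directive in an nginx conf file.
ssl_protocols_of() {
    sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*$/\1/p' "$1"
}

# Return 0 when only TLS 1.2 or newer is enabled, 1 when a legacy version
# (TLS 1.0/1.1, SSLv2/v3) is still listed. Dropping TLSv1.1 from the
# directive is what removes the SSL Labs "B" grade described above.
tls_policy_ok() {
    for p in $(ssl_protocols_of "$1"); do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) return 1 ;;
        esac
    done
    return 0
}

# Return 0 when the ebcert symlink exists and resolves to a directory that
# holds both files ssl_certificate / ssl_certificate_key point at.
ebcert_link_ok() {
    [ -L "$1" ] && [ -f "$1/fullchain.pem" ] && [ -f "$1/privkey.pem" ]
}

# Demo on a constructed layout in a temporary directory (no real keys).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/live/wiki.example"
    : > "$tmp/live/wiki.example/fullchain.pem"
    : > "$tmp/live/wiki.example/privkey.pem"
    ln -s "$tmp/live/wiki.example" "$tmp/live/ebcert"
    printf 'server {\n    ssl_protocols  TLSv1.1 TLSv1.2;\n}\n' > "$tmp/https_custom.conf"
    if ebcert_link_ok "$tmp/live/ebcert"; then echo "ebcert link OK"; fi
    if tls_policy_ok "$tmp/https_custom.conf"; then
        echo "TLS policy OK"
    else
        echo "legacy TLS still enabled in https_custom.conf"
    fi
    rm -rf "$tmp"
}

demo
```

Run it against the real paths (/etc/letsencrypt/live/ebcert and /etc/nginx/conf.d/https_custom.conf) before `systemctl restart nginx`; a failing link check means nginx will fail to load the certificate files named in the config.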

Other Reference