#!/bin/bash
# this must be run in the Elastic Beanstalk postdeploy hook so that nginx config doesn't get overwritten by Elastic Beanstalk
# ---- Configuration ----
#domain - The domain for which you want to generate the certificate (comma separated for multiple domains) ex: `myapp.acme.com,myapp-staging.acme.com`
#contact - The email address to use for Let's Encrypt
#bucket - The S3 bucket to use for storing the certificates
#test_mode - Set to `false` to use the Let's Encrypt production server and get a valid certificate. Test certificates are not trusted by browsers, but are useful for testing the deployment.
#environment - The Elastic Beanstalk environment name (test, production, etc.)
#
# Any of these values can also be configured in your EB environment variables rather than specified here. Settings here will override environment variables.
# Deployment settings. NOTE(review): these assignments always run, so an EB
# environment variable of the same name is replaced unless its line here is
# removed — confirm that matches the intent described above.
domain='my-app.company.com'         # comma-separated for several domains
contact='[email protected]'             # Let's Encrypt account email
bucket='my-ssl-certificates-bucket' # S3 bucket that keeps the certificate backup
test_mode=true                      # true = Let's Encrypt staging (untrusted certs)
environment='production'            # EB environment name, used as the S3 prefix
# -----------------------
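#######################################
# Make sure nginx's http{} block sets server_names_hash_bucket_size 128 so
# long domain names fit. Idempotent: the original unconditional sed inserted a
# second copy of the directive on every deploy, and nginx refuses to start on
# a duplicate directive in the same block.
# Arguments: $1 - path to nginx.conf (default /etc/nginx/nginx.conf)
# Returns:   0 if the directive is present afterwards; grep/sed status otherwise
#######################################
set_nginx_hash_bucket_size() {
  local conf="${1:-/etc/nginx/nginx.conf}"
  # Already configured (by a previous run or by hand): leave the file alone.
  if grep -q -- 'server_names_hash_bucket_size' "$conf"; then
    return 0
  fi
  # GNU sed: '\n' in the replacement puts the directive on the line after 'http {'.
  sed -i -e 's/http {/http {\n server_names_hash_bucket_size 128;/' -- "$conf"
}
set_nginx_hash_bucket_size /etc/nginx/nginx.conf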
#add cron job
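#######################################
# Install a /etc/cron.d entry that runs "certbot renew" daily at 02:00.
# cron.d lines are: minute hour dom month dow USER command. The previous entry
# carried two schedules ("* * * * * webapp 0 2 * * * certbot ..."), which cron
# reads as "every minute, as webapp, run the command '0 2 * * * certbot ...'",
# so renewal never ran. The job runs as root because /etc/letsencrypt is
# root-owned (it is chown'ed root:root below) and certbot is run via sudo
# elsewhere in this script. Renewed files reach S3 on the next deploy, which
# re-uploads the backup; NOTE(review): whether certbot's nginx plugin reloads
# nginx after renewal is not established here — confirm.
# Arguments: $1 - cron.d file to write (default /etc/cron.d/certbot_renew)
# Outputs:   the installed entry on stdout (tee, as before)
# Returns:   non-zero if the file cannot be written or its mode cannot be set
#######################################
add_cron_job() {
  local cron_file="${1:-/etc/cron.d/certbot_renew}"
  # printf guarantees the trailing newline cron.d requires on the last line.
  printf '%s\n' '0 2 * * * root certbot renew --allow-subset-of-names' | tee -- "$cron_file" || return
  # cron ignores cron.d files that are group- or world-writable.
  chmod 0644 -- "$cron_file"
}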
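# The hook presumably runs as root (the nginx.conf edit and cron.d write above
# need that); sudo is kept on the same commands the original used.

#######################################
# Install certbot with the nginx plugin unless it is already on PATH.
# Outputs:  status line on stdout
# Returns:  0 when certbot is available; exits 1 if the install fails, so a
#           missing certbot is not followed by uploading a stale backup
#######################################
ensure_certbot() {
  if command -v certbot &>/dev/null; then
    echo "certbot already installed"
    return 0
  fi
  # Instructions from https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html#letsencrypt
  sudo dnf install -y python3-certbot-nginx || { echo "certbot install failed" >&2; exit 1; }
}

#######################################
# Run certbot non-interactively for the configured domain(s).
# Globals:   domain, contact, test_mode (read)
# Arguments: $@ - extra certbot flags (e.g. --reinstall --expand)
# Returns:   certbot's exit status
#######################################
run_certbot() {
  local -a args=(-n -d "${domain}" --nginx --agree-tos --email "${contact}" --redirect --allow-subset-of-names "$@")
  # test_mode selects the staging CA; its certificates are not browser-trusted.
  if [ "$test_mode" = true ]; then
    args+=(--test-cert)
  fi
  sudo certbot "${args[@]}"
}

#######################################
# Archive /etc/letsencrypt and upload it as backup.tar.gz in the S3 folder.
# Globals: folder, tmpdir (read)
# Returns: non-zero if tar or the upload fails
#######################################
backup_certs_to_s3() {
  local archive="${tmpdir}/backup.tar.gz"
  # -C / keeps members relative (etc/letsencrypt/...), matching the restore path.
  tar -czf "$archive" -C / etc/letsencrypt || return
  aws s3 cp "$archive" "${folder}backup.tar.gz"
}

#######################################
# Restore /etc/letsencrypt from the S3 backup and re-install the certificate
# into nginx.
# Globals: folder, tmpdir (read)
# Returns: 0 on success; non-zero if any step fails. The download happens
#          before anything is removed, so a failed download leaves the
#          existing /etc/letsencrypt untouched.
#######################################
restore_certs_from_s3() {
  local archive="${tmpdir}/backup.tar.gz"
  echo "$folder exists."
  if ! sudo aws s3 cp "${folder}backup.tar.gz" "$archive"; then
    echo "failed to download ${folder}backup.tar.gz" >&2
    return 1
  fi
  sudo rm -rf /etc/letsencrypt/*
  sudo tar -xzf "$archive" --directory / || return
  sudo chown -R root:root /etc/letsencrypt
  run_certbot --reinstall --expand || return
  systemctl reload nginx
}

# Unpredictable scratch directory instead of the fixed /tmp/backup.tar.gz:
# root extracts that archive into /, so its path must not be one another
# local user could create first.
tmpdir=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
trap 'rm -rf -- "$tmpdir"' EXIT

ensure_certbot

# Staging and production certificates live in separate S3 folders.
if [ "$test_mode" = true ]; then
  folder="s3://${bucket}/${environment}/LetsEncrypt-Staging/"
else
  folder="s3://${bucket}/${environment}/LetsEncrypt/"
fi

# Reuse the certificate already stored in S3 when there is one.
# NOTE(review): an aws failure here (e.g. missing credentials) produces empty
# output and is treated as "nothing stored" — confirm that is acceptable.
if [ -n "$(aws s3 ls "$folder")" ]; then
  restore_certs_from_s3 || exit 1
  # Re-upload in case certbot renewed during the reinstall.
  backup_certs_to_s3 || exit 1
  add_cron_job
  exit 0
fi

# No stored certificate yet: obtain, install, and upload one.
run_certbot || exit 1
backup_certs_to_s3 || exit 1
add_cron_job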