亚马逊的AWS ElasticBeanstalk让我们加密CertBot

时间:2018-06-28 15:34:16

标签: amazon-web-services ssl elastic-beanstalk lets-encrypt certbot

如何在Elastic beanstalk上运行并自动扩展版本的Let's Encrypt Certbot?尚未在网络上找到答案,因此我将其扩展为.ebextension。希望对你有帮助。

1 个答案:

答案 0 :(得分:0)

不要照常使用,请根据需要进行检查和修改。

  

要求:

     
      
  1. ElasticBeanstalk环境
  2.   
  3. 可以访问Route53资源的EC2-elastic-beanstalk-service-role
  4.   
  5. EC2实例前面的TCP负载均衡器
  6.   
  7. 部署策略滚动(一次一个实例)
  8.   
  9. NFS挂载
  10.   

这是一个.ebextension:

需要jq软件包:

packages:
  yum:
    jq: []

创建json:

files:
  "/usr/local/bin/certbot/add_json.sh":
    mode: "000550"
    owner: root
    group: root
    content: |
      #!/bin/bash

      #Create TXT record JSON

      cat > $1_TXT.json << END
      {
        "Comment": "TXT Verification for CertBOT",
        "Changes": [
          {
            "Action": "$1",
            "ResourceRecordSet": {
              "Name": "_acme-challenge.$CERTBOT_DOMAIN",
              "Type": "TXT",
              "TTL": 300,
              "ResourceRecords": [
                {
                  "Value": "\"$CERTBOT_VALIDATION\""
                }
              ]
            }
          }
        ]
      }
      END

将钩子移至Route53:

  "/usr/local/bin/certbot/remove_txt_hook.sh":
    mode: "000550"
    owner: root
    group: root
    content: |
      #!/bin/bash
      PWD=`pwd`
      APEX_DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')
      ZONE_ID=`aws route53 list-hosted-zones --output text | awk '$4 ~ /^ *'$APEX_DOMAIN'/''{print $3}' | sed 's:.*/::'`

      aws route53 change-resource-record-sets \
        --hosted-zone-id $ZONE_ID --change-batch file://$PWD/DELETE_TXT.json

      rm CREATE_TXT.json
      rm DELETE_TXT.json

将钩子添加到Route53:

  "/usr/local/bin/certbot/add_txt_hook.sh":
    mode: "000550"
    owner: root
    group: root
    content: |
      #!/bin/bash
      PWD=`pwd`
      APEX_DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')
      ZONE_ID=`aws route53 list-hosted-zones --output text | awk '$4 ~ /^ *'$APEX_DOMAIN'/''{print $3}' | sed 's:.*/::'`

      ./add_json.sh CREATE
      ./add_json.sh DELETE

      aws route53 change-resource-record-sets \
      --hosted-zone-id $ZONE_ID --change-batch file://$PWD/CREATE_TXT.json

      sleep 30

部署:

  "/usr/local/bin/certbot/start_process.sh":
    mode: "000550"
    owner: root
    group: root
    content: |
      #!/bin/bash
      MY_DOMAIN=$(/opt/elasticbeanstalk/bin/get-config environment | jq -r '.MY_DOMAIN')
      EFS_NAME=$(/opt/elasticbeanstalk/bin/get-config environment | jq -r '.EFS_NAME')
      PWD=`pwd`
      if [ "$MY_DOMAIN" = example.com ]; then

        if [ ! -d /etc/letsencrypt ]; then
          mkdir -p /etc/letsencrypt
        fi

        if ! grep -qs ' /etc/letsencrypt ' /proc/mounts; then
          mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 $EFS_NAME:/.certificates/.letsencrypt /etc/letsencrypt || exit
        fi

        if [ ! -f certbot-auto ]; then
          yum -y install mod24_ssl augeas-libs libffi-devel python27-tools system-rpm-config
          wget https://dl.eff.org/certbot-auto
          chmod 550 certbot-auto
        fi

        if [ ! -f /etc/letsencrypt/live/$MY_DOMAIN/fullchain.pem ]; then
          ./certbot-auto certonly --debug -n --no-bootstrap --email <your e-mail> --agree-tos --manual-public-ip-logging-ok --manual --preferred-challenges=dns --manual-auth-hook $PWD/add_txt_hook.sh --manual-cleanup-hook $PWD/remove_txt_hook.sh -d $MY_DOMAIN
        fi
      echo "00 15 * * SUN root cd /usr/local/bin/certbot && ./renewal.sh >> certbot.log 2>&1" > /etc/cron.d/cron_certbot
      fi

续订:

  "/usr/local/bin/certbot/renewal.sh":
    mode: "000550"
    owner: root
    group: root
    content: |
      ##!/bin/bash
      MY_DOMAIN=$(/opt/elasticbeanstalk/bin/get-config environment | jq -r '.MY_DOMAIN')
      PWD=`pwd`
      ENV_ID=`{"Ref": "AWSEBEnvironmentId" }`
      METADATA=/opt/aws/bin/ec2-metadata
      INSTANCE_ID=`$METADATA -i | awk '{print $2}'`
      REGION=`$METADATA -z | awk '{print substr($2, 0, length($2)-1)}'`
      TODAY=`date +%Y-%m-%d`
      STATUS=`aws elasticbeanstalk describe-environments --environment-ids $ENV_ID --region $REGION | awk '/"Status"/ {print substr($2, 1, length($2)-1)}' | sed 's/\"//g'`

      while [ "$STATUS" != "Ready" ]; do
        STATUS=`aws elasticbeanstalk describe-environments --environment-ids $ENV_ID --region $REGION | awk '/"Status"/ {print substr($2, 1, length($2)-1)}' | sed 's/\"//g'`
        sleep 10
      done

      if ! /usr/local/bin/certbot/one_instance.sh; then
        i="0"
        while [ "$i" -lt 180 ] && [ ! -f /etc/letsencrypt/renewed_$TODAY ]; do
          i=$[$i+1]
          sleep 2
        done
        if [ ! -f /etc/letsencrypt/renewed_$TODAY ]; then
          exit
        else
          /etc/init.d/httpd graceful; exit
        fi
      fi
      ./certbot-auto renew --debug --no-bootstrap --renew-hook "/etc/init.d/httpd graceful; touch /etc/letsencrypt/renewed_$TODAY; find /etc/letsencrypt/ -type f -name 'renewed_*' -mtime +0 -exec rm {} \;"

仅在一个实例上

  "/usr/local/bin/certbot/one_instance.sh":
    mode: "000550"
    owner: root
    group: root
    content: |
      #!/bin/bash

      METADATA=/opt/aws/bin/ec2-metadata
      INSTANCE_ID=`$METADATA -i | awk '{print $2}'`
      REGION=`$METADATA -z | awk '{print substr($2, 0, length($2)-1)}'`

      ASG=`aws ec2 describe-tags --filters "Name=resource-id,Values=$INSTANCE_ID" \
        --region $REGION --output text | awk '/aws:autoscaling:groupName/ {print $5}'`

      SOLO_I=`aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names $ASG \
        --region $REGION --output text | awk '/InService/ {print $4}' | sort | head -1`

      [ "$SOLO_I" = "$INSTANCE_ID" ]

执行中:

commands:
  01_start_certbot_deploy:
    command: "/usr/local/bin/certbot/start_process.sh &>> certbot.log"
    cwd: "/usr/local/bin/certbot"
  02_delete_bak_files:
    command: "rm -f *.bak"
    cwd: "/usr/local/bin/certbot"
  

如果您有任何评论或改进建议,请告诉我。

谢谢!