amazon-web-services - Amazon 的 AWS ElasticBeanstalk 让我们加密 CertBot

Question

如何在 Elastic beanstalk 上运行 Let's encrypt Certbot 的自动化可扩展版本？尚未在网上找到答案，所以我整理了这个 .ebextension。希望对你有帮助。

Answer 1

不要照原样使用，根据自己的需要检查修改。

Requirements:

1. ElasticBeanstalk Environmnet
2. Ec2-elastic-beanstalk-service-role with access to Route53 Resource
3. TCP Loadbalancer in front of EC2 instances
4. Deployment policy rolling (one instance at a the time)
5. NFS mount

这是一个单一的 .ebextension:

需要jq包:

packages:
  yum:
    jq: []

创建 json:

files:
  "/usr/local/bin/certbot/add_json.sh":
    mode: "000550"
    owner: root
    group: root
    content: |
      #!/bin/bash

      #Create TXT record JSON

      cat > $1_TXT.json << END
      {
        "Comment": "TXT Verification for CertBOT",
        "Changes": [
          {
            "Action": "$1",
            "ResourceRecordSet": {
              "Name": "_acme-challenge.$CERTBOT_DOMAIN",
              "Type": "TXT",
              "TTL": 300,
              "ResourceRecords": [
                {
                  "Value": "\"$CERTBOT_VALIDATION\""
                }
              ]
            }
          }
        ]
      }
      END

删除对 Route53 的 Hook :

  "/usr/local/bin/certbot/remove_txt_hook.sh":
    mode: "000550"
    owner: root
    group: root
    content: |
      #!/bin/bash
      PWD=`pwd`
      APEX_DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')
      ZONE_ID=`aws route53 list-hosted-zones --output text | awk '$4 ~ /^ *'$APEX_DOMAIN'/''{print $3}' | sed 's:.*/::'`

      aws route53 change-resource-record-sets \
        --hosted-zone-id $ZONE_ID --change-batch file://$PWD/DELETE_TXT.json

      rm CREATE_TXT.json
      rm DELETE_TXT.json

为 Route53 添加钩子(Hook):

  "/usr/local/bin/certbot/add_txt_hook.sh":
    mode: "000550"
    owner: root
    group: root
    content: |
      #!/bin/bash
      PWD=`pwd`
      APEX_DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')
      ZONE_ID=`aws route53 list-hosted-zones --output text | awk '$4 ~ /^ *'$APEX_DOMAIN'/''{print $3}' | sed 's:.*/::'`

      ./add_json.sh CREATE
      ./add_json.sh DELETE

      aws route53 change-resource-record-sets \
      --hosted-zone-id $ZONE_ID --change-batch file://$PWD/CREATE_TXT.json

      sleep 30

部署:

  "/usr/local/bin/certbot/start_process.sh":
    mode: "000550"
    owner: root
    group: root
    content: |
      #!/bin/bash
      MY_DOMAIN=$(/opt/elasticbeanstalk/bin/get-config environment | jq -r '.MY_DOMAIN')
      EFS_NAME=$(/opt/elasticbeanstalk/bin/get-config environment | jq -r '.EFS_NAME')
      PWD=`pwd`
      if [ "$MY_DOMAIN" = example.com ]; then

        if [ ! -d /etc/letsencrypt ]; then
          mkdir -p /etc/letsencrypt
        fi

        if ! grep -qs ' /etc/letsencrypt ' /proc/mounts; then
          mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 $EFS_NAME:/.certificates/.letsencrypt /etc/letsencrypt || exit
        fi

        if [ ! -f certbot-auto ]; then
          yum -y install mod24_ssl augeas-libs libffi-devel python27-tools system-rpm-config
          wget https://dl.eff.org/certbot-auto
          chmod 550 certbot-auto
        fi

        if [ ! -f /etc/letsencrypt/live/$MY_DOMAIN/fullchain.pem ]; then
          ./certbot-auto certonly --debug -n --no-bootstrap --email <your e-mail> --agree-tos --manual-public-ip-logging-ok --manual --preferred-challenges=dns --manual-auth-hook $PWD/add_txt_hook.sh --manual-cleanup-hook $PWD/remove_txt_hook.sh -d $MY_DOMAIN
        fi
      echo "00 15 * * SUN root cd /usr/local/bin/certbot && ./renewal.sh >> certbot.log 2>&1" > /etc/cron.d/cron_certbot
      fi

更新:

  "/usr/local/bin/certbot/renewal.sh":
    mode: "000550"
    owner: root
    group: root
    content: |
      ##!/bin/bash
      MY_DOMAIN=$(/opt/elasticbeanstalk/bin/get-config environment | jq -r '.MY_DOMAIN')
      PWD=`pwd`
      ENV_ID=`{"Ref": "AWSEBEnvironmentId" }`
      METADATA=/opt/aws/bin/ec2-metadata
      INSTANCE_ID=`$METADATA -i | awk '{print $2}'`
      REGION=`$METADATA -z | awk '{print substr($2, 0, length($2)-1)}'`
      TODAY=`date +%Y-%m-%d`
      STATUS=`aws elasticbeanstalk describe-environments --environment-ids $ENV_ID --region $REGION | awk '/"Status"/ {print substr($2, 1, length($2)-1)}' | sed 's/\"//g'`

      while [ "$STATUS" != "Ready" ]; do
        STATUS=`aws elasticbeanstalk describe-environments --environment-ids $ENV_ID --region $REGION | awk '/"Status"/ {print substr($2, 1, length($2)-1)}' | sed 's/\"//g'`
        sleep 10
      done

      if ! /usr/local/bin/certbot/one_instance.sh; then
        i="0"
        while [ "$i" -lt 180 ] && [ ! -f /etc/letsencrypt/renewed_$TODAY ]; do
          i=$[$i+1]
          sleep 2
        done
        if [ ! -f /etc/letsencrypt/renewed_$TODAY ]; then
          exit
        else
          /etc/init.d/httpd graceful; exit
        fi
      fi
      ./certbot-auto renew --debug --no-bootstrap --renew-hook "/etc/init.d/httpd graceful; touch /etc/letsencrypt/renewed_$TODAY; find /etc/letsencrypt/ -type f -name 'renewed_*' -mtime +0 -exec rm {} \;"

仅在一个实例中:

  "/usr/local/bin/certbot/one_instance.sh":
    mode: "000550"
    owner: root
    group: root
    content: |
      #!/bin/bash

      METADATA=/opt/aws/bin/ec2-metadata
      INSTANCE_ID=`$METADATA -i | awk '{print $2}'`
      REGION=`$METADATA -z | awk '{print substr($2, 0, length($2)-1)}'`

      ASG=`aws ec2 describe-tags --filters "Name=resource-id,Values=$INSTANCE_ID" \
        --region $REGION --output text | awk '/aws:autoscaling:groupName/ {print $5}'`

      SOLO_I=`aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names $ASG \
        --region $REGION --output text | awk '/InService/ {print $4}' | sort | head -1`

      [ "$SOLO_I" = "$INSTANCE_ID" ]

执行:

commands:
  01_start_certbot_deploy:
    command: "/usr/local/bin/certbot/start_process.sh &>> certbot.log"
    cwd: "/usr/local/bin/certbot"
  02_delete_bak_files:
    command: "rm -f *.bak"
    cwd: "/usr/local/bin/certbot"

Let me know if you have some remarks or improvement suggestions.

谢谢!