packages: yum: mod24_ssl : [] files: "/etc/httpd/conf.d/ssl_rewrite.conf": mode: "000644" owner: root group: root content: | RewriteEngine On RewriteCond %{HTTP:X-Forwarded-Proto} !https RewriteRule . https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301] /etc/httpd/conf.d/ssl.conf: mode: "000644" owner: root group: root content: | LoadModule ssl_module modules/mod_ssl.so Listen 443 Order deny,allow Allow from all SSLEngine on SSLCertificateFile "/etc/letsencrypt/live/LETSENCRYPT_DOMAIN/fullchain.pem" SSLCertificateKeyFile "/etc/letsencrypt/live/LETSENCRYPT_DOMAIN/privkey.pem" SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLProtocol All -SSLv2 -SSLv3 SSLHonorCipherOrder On SSLSessionTickets Off Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" Header always set X-Frame-Options DENY Header always set X-Content-Type-Options nosniff ProxyPass / http://localhost:80/ retry=0 ProxyPassReverse / http://localhost:80/ ProxyPreserveHost on RequestHeader set X-Forwarded-Proto "https" early "/opt/elasticbeanstalk/tasks/taillogs.d/letsencrypt.conf": mode: "000755" owner: root group: root content: | /var/log/letsencrypt/letsencrypt.log container_commands: # installs certbot 10_stop_apache: command: "killall httpd ; sleep 3" 10_replace_placeholders: command: | source /opt/elasticbeanstalk/support/envvars SED_EXPRESSION='s/LETSENCRYPT_DOMAIN/'$LETSENCRYPT_DOMAIN'/g' echo $SED_EXPRESSION sed -i -e $SED_EXPRESSION /etc/httpd/conf.d/ssl.conf 20_install_certbot: command: "mkdir -p /opt/certbot && wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto && chmod a+x /opt/certbot/certbot-auto" 30_install_certificate: command: | source /opt/elasticbeanstalk/support/envvars sudo /opt/certbot/certbot-auto certonly --debug --non-interactive --email ${LETSENCRYPT_EMAIL} --agree-tos --standalone -d "$LETSENCRYPT_DOMAIN" -d "www.$LETSENCRYPT_DOMAIN" --renew-by-default 40_start_apache: command: | source /opt/elasticbeanstalk/support/envvars sudo httpd -k start