AWS CloudFormation template with Let's Encrypt SSL certificate

I want to create an AWS CloudFormation template with
- a single EC2 instance with an Apache web server and a Let's Encrypt SSL certificate
- a Route53 A record, which is a dynamic template parameter
I can't get Let's Encrypt working, because I have to complete a challenge.
Problem: the HTTP-01 challenge requires the Route53 A record to be created before the EC2 instance, but that is not possible, because I need the IP address of the EC2 instance to create the Route53 A record.
I thought about using an EIP, but an EIP can only be associated after the EC2 instance has been created, not at the same time, so the challenge fails as well.
The DNS-01 challenge is not possible in CloudFormation.

This installs a certbot SSL certificate on an Amazon Linux 2 EC2 instance with an Apache web server. The problem is that for the SSL validation challenge you need a domain that points to that EC2 instance, but that domain can only be set after the EC2 instance has been created with CloudFormation. I found a solution that waits until the domain has been set by CloudFormation:
Resources:
  WebServerInstance:
    Type: AWS::EC2::Instance
    # Makes CloudFormation wait for the cfn-signal sent from UserData; without it the signal is ignored
    CreationPolicy:
      ResourceSignal:
        Timeout: PT15M
    Metadata:
      AWS::CloudFormation::Init:
        # cfn-init in UserData is called with --configsets InstallAndRun, so the set must be defined;
        # the configs run in this order
        configSets:
          InstallAndRun:
            - InstallApache
            - EnableEpel
            - InstallCertbotSsl
            - InstallCrontab
        InstallApache:
          packages:
            yum:
              httpd: []
          services:
            sysvinit:
              httpd:
                enabled: true        # start on boot: UserData reboots the instance at the end
                ensureRunning: true
        EnableEpel:
          # certbot is not in the Amazon Linux 2 core repositories, it comes from EPEL;
          # this must be its own config, because within a config "packages" runs before "commands"
          commands:
            01_enable_epel:
              command: amazon-linux-extras install -y epel
        InstallCertbotSsl:
          packages:
            yum:
              certbot: []
              python2-certbot-apache: []
          files:
            /usr/local/bin/install_certbot_after_domain_is_set_route53.sh:
              content: !Sub |
                #!/bin/bash
                # Wait until ${Domain} resolves to this instance before calling certbot: the stack
                # creates the Route53 record only after this instance is complete, and every certbot
                # run made before that is a failed validation that counts against the Let's Encrypt
                # rate limit. The VPC resolver may cache the missing name for the zone's negative
                # TTL, which only delays the loop. Public IP is read from IMDS (IMDSv2 token).
                TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
                  -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
                MY_IP=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" \
                  http://169.254.169.254/latest/meta-data/public-ipv4)
                until getent ahostsv4 "${Domain}" | awk '{print $1}' | grep -qx "$MY_IP"; do
                  echo "waiting for ${Domain} to resolve to $MY_IP ..."
                  sleep 10
                done
                # HTTP-01 via the apache plugin (port 80 must be reachable from the internet);
                # a bounded retry instead of an endless loop, so a real failure surfaces in the log
                for attempt in 1 2 3 4 5; do
                  if certbot -i apache -a apache --preferred-challenges http \
                       -d "${Domain}" -m "${AdminEmail}" -n --redirect --agree-tos; then
                    echo "Certbot success"
                    service httpd restart
                    exit 0
                  fi
                  echo "certbot failed (attempt $attempt), retrying in 60s ..."
                  sleep 60
                done
                echo "certbot failed after 5 attempts" >&2
                exit 1
              mode: '000700'
              owner: root
              group: root
        InstallCrontab:
          files:
            /var/spool/cron/root:
              content: |
                # m h dom mon dow command
                # twice a day at a fixed minute; certbot only renews when the certificate is due
                39 1,13 * * * certbot renew --no-self-upgrade > /dev/null 2>&1
              mode: '000600'
              owner: root
              group: root
This adds the domain to the stack; certbot needs it to pass the HTTP challenge:

  DNSRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneName: foo.de.      # trailing dot required; Domain must lie inside this zone
      Name: !Ref Domain
      Type: A
      TTL: '300'
      ResourceRecords:
        - !GetAtt WebServerInstance.PublicIp   # available only once the instance resource is complete
And the UserData trigger, which sends the create-success signal so the CF stack can proceed with creation, and then runs the script:

      # inside the Properties of WebServerInstance; runs as root on first boot
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          # make sure the cfn helper scripts are current
          yum update -y aws-cfn-bootstrap
          # apply the InstallAndRun configset from the Metadata above
          /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WebServerInstance --configsets InstallAndRun --region ${AWS::Region}
          # signal now, before certbot runs: CloudFormation creates DNSRecord only after this
          # resource is complete, and the certbot script waits for exactly that record
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerInstance --region ${AWS::Region}
          # update all packages to latest
          yum update -y
          service httpd restart
          # obtain the certbot SSL certificate; blocks until the domain resolves to this instance
          bash /usr/local/bin/install_certbot_after_domain_is_set_route53.sh > /var/log/install_certbot.log 2>&1
          # reboot so the updated kernel and packages are in use
          reboot
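The reason for the ordering in the answer is what the CA actually does during an HTTP-01 validation: it resolves the name, fetches http://<domain>/.well-known/acme-challenge/<token> over plain HTTP, and compares the body with a key authorization derived from the ACME account key. The following is an added example, not code from the answer above, that models that exchange in-process (RFC 8555 section 8.3, thumbprint per RFC 7638). The resolver, the web server and the account key are constructed stand-ins so it runs offline; the domain, IP, token and JWK values are made up. Let's Encrypt counts each failed validation against a per-account, per-hostname, per-hour limit, which is why the instance should check DNS locally before the first certbot attempt rather than retry certbot every few seconds.

```python
"""ACME HTTP-01 validation, modelled in-process (added example, not from the answer)."""
import base64
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Constructed fake account key: only the JWK members feed the thumbprint, so
# dummy values are enough. This is NOT a real RSA key.
ACCOUNT_KEY = {"kty": "RSA", "n": "dummy-modulus", "e": "AQAB", "alg": "RS256"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys in
    lexicographic order, serialised without whitespace. Extra members such
    as "alg" are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the client must serve for the token."""
    return token + "." + jwk_thumbprint(jwk)


def challenge_path(token: str) -> str:
    return "/.well-known/acme-challenge/" + token


class FakeInternet:
    """Stand-in for public DNS plus the instance's port-80 listener (constructed)."""

    def __init__(self) -> None:
        self.dns: Dict[str, str] = {}                 # name -> IPv4
        self.servers: Dict[str, Dict[str, str]] = {}  # ip -> {path: body}

    def publish_a_record(self, name: str, ip: str) -> None:
        self.dns[name] = ip                            # what the Route53 RecordSet does

    def resolve(self, name: str) -> Optional[str]:
        return self.dns.get(name)

    def fetch(self, ip: str, path: str) -> Optional[str]:
        return self.servers.get(ip, {}).get(path)


def validate_http01(domain: str, token: str, jwk: dict, net: FakeInternet) -> Tuple[bool, str]:
    """What the CA does: resolve the name, GET the challenge URL over plain
    HTTP, compare the body with the expected key authorization."""
    ip = net.resolve(domain)
    if ip is None:
        return False, "dns"            # no A record yet: the stack's state before DNSRecord exists
    body = net.fetch(ip, challenge_path(token))
    if body is None:
        return False, "connection"     # host reached, nothing served for this token
    if body.strip() != key_authorization(token, jwk):
        return False, "unauthorized"   # wrong account key or stale challenge file
    return True, "valid"


def run_scenario(domain: str = "www.example.com", instance_ip: str = "203.0.113.10",
                 token: str = "DGyRejmCefe7v4NfDGDKfA") -> List[Tuple[bool, str]]:
    """Replays the stack's timeline: certbot already serves the challenge on
    the instance, the A record does not exist yet, then it is published."""
    net = FakeInternet()
    # certbot's apache authenticator serves the key authorization on port 80
    net.servers[instance_ip] = {challenge_path(token): key_authorization(token, ACCOUNT_KEY)}
    results = [validate_http01(domain, token, ACCOUNT_KEY, net)]       # before DNSRecord
    net.publish_a_record(domain, instance_ip)                           # Route53 A -> PublicIp
    results.append(validate_http01(domain, token, ACCOUNT_KEY, net))   # after DNSRecord
    return results


if __name__ == "__main__":
    for ok, reason in run_scenario():
        print("valid" if ok else "invalid", reason)
```

The first validation in run_scenario fails with "dns" even though the instance is already serving the correct file, which is exactly the failure the answer's wait loop avoids; only after the A record is published does the same request validate.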