Here’s a working set of configuration files that will enable you to use Let’s Encrypt for your Elastic Beanstalk hosted site. A couple of assumptions:

You are running PHP apps hosted using Apache.

You are using a single-instance environment. If you are using load balancers, use AWS Certificate Manager instead.

You know how to work with files in .ebextensions.

Start by adding the following environment variables to your configuration using the console:

LETSENCRYPT_DOMAIN — the domain your SSL certificate will serve

LETSENCRYPT_EMAIL — who gets updates about certificate renewals

There are 2 files that you will need to add to .ebextensions

https-instance.config

This file overrides the default Apache configuration file and fills in the values provided in the configuration variables.

There are a few things to go over here:

/etc/httpd/conf.d/ssl.conf

This is a basic Apache host configuration for HTTPS. You will notice the use of LETSENCRYPT_DOMAIN. This value gets replaced by a command further down the file; let’s go over those next.

10_stop_apache

Stops Apache to give certbot a chance to do its work without interruption.

10_replace_placeholders

Replaces the placeholder in the Apache configuration with the environment variables provided in the application configuration. Also notice that the first line of this command says source /opt/elasticbeanstalk/support/envvars. This is required on Linux systems hosted on Elastic Beanstalk, because environment variables defined via the AWS Console are not available to the Linux user executing the app configuration scripts. It just loads those variables from a file Elastic Beanstalk injects into the machine.

20_install_certbot

Installs certbot, which will help manage Let’s Encrypt certificates.

30_install_certificate

Installs the certificate; notice the use of environment variables.

40_start_apache

Restarts Apache; certbot is done.
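The 10_replace_placeholders step writes an environment variable straight into ssl.conf, so it is worth checking that the value is a plain hostname before substituting it. The script below is an added example, not the original post's file; the function names and the sample template are assumptions.

```sh
#!/bin/sh
# Added example: validate LETSENCRYPT_DOMAIN before substituting it into the
# Apache template. Function names and the demo template are hypothetical.
# On the instance, load the Elastic Beanstalk variables first:
if [ -r /opt/elasticbeanstalk/support/envvars ]; then
  . /opt/elasticbeanstalk/support/envvars
fi

# Accept only a plain DNS hostname, so the value cannot carry sed
# metacharacters (| & \), whitespace or newlines into ssl.conf.
is_valid_domain() {
  d=$1
  [ -n "$d" ] && [ "${#d}" -le 253 ] || return 1
  case $d in
    *[!A-Za-z0-9.-]*) return 1 ;;
  esac
  printf '%s\n' "$d" | grep -Eq \
    '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# render_ssl_conf TEMPLATE OUTPUT DOMAIN
# Writes to a temporary file first so a failure never leaves a partial config.
render_ssl_conf() {
  if ! is_valid_domain "$3"; then
    echo "refusing to render $2: invalid LETSENCRYPT_DOMAIN" >&2
    return 1
  fi
  tmp=$(mktemp "$2.XXXXXX") || return 1
  if sed "s|LETSENCRYPT_DOMAIN|$3|g" "$1" > "$tmp"; then
    mv "$tmp" "$2"
  else
    rm -f "$tmp"
    return 1
  fi
}

# Demo on a constructed two-line template (not the post's ssl.conf).
demo() {
  dir=$(mktemp -d) || return 1
  printf '%s\n' 'ServerName LETSENCRYPT_DOMAIN' \
    'SSLCertificateFile /etc/letsencrypt/live/LETSENCRYPT_DOMAIN/fullchain.pem' \
    > "$dir/ssl.conf.tpl"
  render_ssl_conf "$dir/ssl.conf.tpl" "$dir/ssl.conf" "$1" && cat "$dir/ssl.conf"
  rc=$?
  rm -rf "$dir"
  return $rc
}

demo "www.example.com"
```

A failed validation returns non-zero, which stops the deployment step instead of starting Apache with a broken or tampered virtual host.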

This file will install a cron job that will try and renew SSL certificates using certbot.

Ideally change this value 56 1 * * * to something of your own to randomize when the certbot service is hit by requests for certificates.

One more thing

Check out the “/opt/elasticbeanstalk/tasks/taillogs.d/letsencrypt.conf” section of the https-instance.config file. It adds the certbot log file to the Elastic Beanstalk logs so you can diagnose issues with downloaded logs.