Put ACME challenges in /etc/letsencrypt/acme-challenges which should …

…make everything work well with multiple servers.
stefansundin · Nov 22, 2018 · 2a1f865 · 2a1f865
1 parent ceffc71
commit 2a1f865
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 8 deletions.
diff --git a/.ebextensions/30-certbot.config b/.ebextensions/30-certbot.config
@@ -1,11 +1,11 @@
-# For your initial cert, invoke certbot manually:
-# - Set up EFS first so that all of your servers sync the /etc/letsencrypt/ directory. This will also keep your certs safe when servers are terminated. See 11-efs.config.
-# - Scale down your app to only one instance.
+# Set up EFS first so that all of your servers sync the /etc/letsencrypt/ directory. This will also keep your certs safe when servers are terminated. See 11-efs.config.
+# Putting the webroot inside of /etc/letsencrypt/ ensures that it is synced on EFS, and you should be able to request certificates with multiple servers behind a load balancer.
 
+# For your initial cert, invoke certbot manually:
 # sudo su
 # CERTBOT_EMAIL=your.email@gmail.com
 # CERTBOT_DOMAIN=yourdomainhere.elasticbeanstalk.com
-# /opt/certbot-auto certonly --debug --non-interactive --agree-tos --keep-until-expiring --installer nginx --authenticator webroot --webroot-path /var/www/acme-challenge --email $CERTBOT_EMAIL --domains $CERTBOT_DOMAIN
+# /opt/certbot-auto certonly --debug --non-interactive --agree-tos --keep-until-expiring --installer nginx --authenticator webroot --webroot-path /etc/letsencrypt/acme-challenges --email $CERTBOT_EMAIL --domains $CERTBOT_DOMAIN
 # ln -sf $CERTBOT_DOMAIN /etc/letsencrypt/live/eb
 
 # Once you have the cert and the symlink is set up, update nginx.conf to use it.
@@ -36,5 +36,5 @@ container_commands:
     cwd: /opt
     test: test ! -f /opt/certbot-auto
   "02":
-    command: "mkdir -p /var/www/acme-challenge/"
-    test: test ! -d /var/www/acme-challenge/
+    command: "mkdir -p /etc/letsencrypt/acme-challenges/"
+    test: test ! -d /etc/letsencrypt/acme-challenges/
diff --git a/.ebextensions/nginx/nginx.conf b/.ebextensions/nginx/nginx.conf
@@ -78,7 +78,7 @@ http {
 
     # Allow certbot to issue certificates
     location ^~ /.well-known/  {
-      root /var/www/acme-challenge;
+      root /etc/letsencrypt/acme-challenges;
     }
 
     # deny access to files starting with dot
@@ -99,7 +99,7 @@ http {
   #   listen 80;
   #   server_name _;
   #   location ^~ /.well-known/  {
-  #     root /var/www/acme-challenge;
+  #     root /etc/letsencrypt/acme-challenges;
   #   }
   #   location / {
   #     # Use this to intentionally remove the path: