Running certbot on an ECS instance

I am trying to run certbot on an ECS instance which is running a Docker image (docker.io/existdb/teipublisher). The image runs well and I have associated it with a custom subdomain, teipub.dh-dev.com, using an elastic IP.

Trying to install and run certbot so I can have an HTTPS connection has proven to be surprisingly difficult.

Running as root, I install nginx with:

sudo amazon-linux-extras list | grep nginx
sudo amazon-linux-extras enable nginx1
sudo yum clean metadata
sudo yum -y install nginx

Then, following this from nginx, I create /etc/nginx/conf.d/teipub.dh-dev.com.conf with the content:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    server_name teipub.dh-dev.com;
}

But now, when running `sudo nginx -c /etc/nginx/nginx.conf` to reload the new configuration, I get an error (shown in a screenshot in the original post).

This makes sense to me, because when I built the task definition to run my image on the ECS cluster I used a portMapping between the hostPorts 80 and 443 and the corresponding containerPorts, which means something is already listening on port 80 (as well as 443).

Running `sudo systemctl status nginx`, `sudo systemctl status httpd` or `sudo systemctl status apache2` on a clean ECS EC2 instance that is running the Docker image reports that those services cannot be found. So nginx is not installed, let alone running, before I try to run it.

So my question is: isn't there already a web server on the ECS instance? What is it, and can I install certbot on it? Or else, what is listening on port 80?

Alternatively - is there a different way to use certbot on an ECS instance?

BTW, and I don't think this is relevant, my main domain (dh-dev.com and www.dh-dev.com) allows HTTPS connections, probably through a certificate supplied by my hosting provider.

===Update===

Following @dave_thompson_085's comment, I now understand (see the screenshot below) that a process called `docker-proxy` is listening on ports 80 and 443, which is why I cannot use nginx to configure certbot on these ports. Any ideas on how to progress are most welcome...

[screenshot of the `ss` output showing docker-proxy listening on ports 80 and 443]

dave_thompson_085 (comment):
You say "nginx is not installed" but you did `sudo yum install -y nginx` which installed it, although TTBOMK that alone shouldn't have started it. `httpd` and `apache2` are NOT the names of nginx; do `sudo systemctl status nginx` and you'll see it, and see if it is running.
OP (comment):
@dave_thompson_085 `sudo systemctl status nginx` on a clean ECS EC2 instance produces `Unit nginx.service could not be found`. Edited question to reflect that.
dave_thompson_085 (comment):
nginx isn't installed on a clean instance, but it is installed after you do the four commands you listed under "I install nginx with" and before you try (explicitly) to run it; that's the time I thought you were talking about. Anyway, do `sudo ss -antp | grep -e :80 -e :443` or if you prefer `netstat` instead of `ss` to see what is in fact running on those ports.
OP (comment):
Thanks! I ran the `ss` command and indeed there is a process called `docker-proxy` listening on ports 80 and 443. So the question remains: how can I use certbot (or any other SSL enabling solution) with this setup?
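A pre-flight port check for the situation described in the question and in the comments (something, here docker-proxy, already holding ports 80 and 443 before certbot's standalone or nginx mode is tried), as an added example that is not part of the original post: it parses `ss -antp` output, the command suggested in the comments, and reports which process owns each port. The sample `ss` output, including its process ids, is constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `ss -antp` output (not taken from the original post):
# docker-proxy holds 80 and 443 on IPv4 and IPv6, sshd holds 22.
SS_SAMPLE='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    0.0.0.0:80           0.0.0.0:*          users:(("docker-proxy",pid=2911,fd=4))
LISTEN  0       4096    0.0.0.0:443          0.0.0.0:*          users:(("docker-proxy",pid=2917,fd=4))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=1020,fd=3))
LISTEN  0       4096    [::]:80              [::]:*             users:(("docker-proxy",pid=2923,fd=4))
ESTAB   0       0       10.0.1.5:22          10.0.1.9:51722     users:(("sshd",pid=3301,fd=4))'

# listener_for PORT [SS_OUTPUT]
# Prints the name of each process LISTENing on PORT (deduplicated, one per
# line); prints nothing if the port is free. When SS_OUTPUT is omitted or
# empty the live socket table is read with `ss -antp`.
listener_for() {
    port=$1
    out=${2:-$(ss -antp 2>/dev/null)}
    printf '%s\n' "$out" | awk -v p="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":")      # last field works for 0.0.0.0:80 and [::]:80
            if (a[n] == p && match($0, /\("[^"]+"/)) {
                name = substr($0, RSTART + 2, RLENGTH - 3)   # strip ("  and  "
                if (!(name in seen)) { seen[name] = 1; print name }
            }
        }'
}

# ports_free SS_OUTPUT PORT...
# Returns 0 when none of the ports has a listener; otherwise names the owning
# process of every taken port on stderr and returns 1.
ports_free() {
    out=$1; shift
    rc=0
    for p in "$@"; do
        who=$(listener_for "$p" "$out")
        if [ -n "$who" ]; then
            echo "port $p is taken by: $who" >&2
            rc=1
        fi
    done
    return $rc
}
```

On the instance itself, `ports_free "" 80 443` queries the live socket table instead of the sample.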