Anuj TBE

Reputation: 9790

certbot SSL certificate stops working on nginx configuration update

I have a Django application set up with CI/CD via Bitbucket on AWS EC2 using AWS CodeDeploy.

In the AWS CodeDeploy hooks, under AfterInstall:

hooks:
  AfterInstall:
    - location: scripts/ngnix.sh
      timeout: 6000
      runas: ubuntu

and the nginx.sh script is:

#!/usr/bin/env bash

mkdir -p /etc/nginx/sites-enabled
mkdir -p /etc/nginx/sites-available
sudo mkdir -p /etc/nginx/log/
sudo unlink /etc/nginx/sites-enabled/*
sudo cp /path_to_app/configs/nginx.conf /etc/nginx/sites-available/app-host.conf
sudo ln -s /etc/nginx/sites-available/app-host.conf /etc/nginx/sites-enabled/app-host.conf
sudo /etc/init.d/nginx stop
sudo /etc/init.d/nginx start
sudo /etc/init.d/nginx status

But every time this script is run via the CI/CD pipeline, SSL stops working and the website is not accessible over HTTPS.

To re-enable SSL, I have to manually run

sudo certbot --nginx

and reconfigure the SSL certificate.

What could be causing SSL to stop working, and how can I automate this?

Upvotes: 0

Views: 93

Answers (1)

Yogeshwar Singh

Reputation: 1425

Certbot procures the SSL certificates from Let's Encrypt and keeps those certificates on your machine. You can run the command sudo certbot certificates to see the certificate paths.

Found the following certs:
  Certificate Name: example.com
    Domains: example.com, www.example.com
    Expiry Date: 2017-02-19 19:53:00+00:00 (VALID: 30 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem

You need to store the files located at Certificate Path & Private Key Path in a persisted volume so they don't get wiped out every time you deploy your app. In your case I think these certificate files are getting wiped out, and that is the reason you have to run the command sudo certbot --nginx to procure a new certificate.

Upvotes: 1
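
A pre-restart check for the deploy hook, added here as an example and not part of the original question or answer: it tells apart a deployed nginx config that has no `ssl_certificate` / `ssl_certificate_key` directives from one whose referenced certificate or key file is missing. The function names `directive_paths` and `check_tls_config` are hypothetical; the path in the usage comment is the one from the question's script.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): TLS sanity check to run in the
# AfterInstall hook before nginx is restarted.
# Return codes of check_tls_config:
#   0 = both directives present and the files they name exist
#   1 = config has no ssl_certificate and/or ssl_certificate_key directive
#   2 = a referenced certificate or key file is missing or empty

# Print the path argument(s) of nginx directive $2 in file $1.
# Commented-out lines are skipped; anything after the ';' is ignored.
directive_paths() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]+([^;[:space:]]+)[[:space:]]*;.*\$/\1/p" "$1"
}

check_tls_config() {
    conf="$1"
    certs=$(directive_paths "$conf" ssl_certificate)
    keys=$(directive_paths "$conf" ssl_certificate_key)
    if [ -z "$certs" ] || [ -z "$keys" ]; then
        echo "TLS directives missing from $conf" >&2
        return 1
    fi
    for p in $certs $keys; do
        [ -s "$p" ] || { echo "missing or empty: $p (named in $conf)" >&2; return 2; }
    done
    return 0
}

# Usage inside the hook script, before copying the file and restarting nginx
# (run with sudo: the key file under /etc/letsencrypt is readable by root only):
#   check_tls_config /path_to_app/configs/nginx.conf || exit 1
```

A return code of 1 means the config file being copied over `sites-available` carries no TLS directives, while 2 means the files listed by `sudo certbot certificates` are no longer on disk.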
