I setup WinSCP following the instructions (including opening Port 22) and got to:

Enter /foundrydata/Data/ to access the location where the data files are kept.

This gives the error:

Cannot get real path for '/foundrydata/Data'.
Permission denied.
Error code: 3
Error message from server: Permission denied

If I navigate up to root, I can see /foundrydata in the folder list, but clicking on it gives Server returned empty listing for directory '/foundrydata'.

I can see that the owner for this folder is foundry, whereas the owner for all other folders is root. So I'm guessing it's something in the permissions? Thanks!

I'm not sure how active this project is, but I decided to take the plunge and have a go at updating things. A good way to learn some AWS, I guess!

I've made a fork at https://github.com/mikehdt/aws-foundry-ssl

Gone through updating all the things I could find that needed to be updated. More than happy if you want to pull the changes I've made back into here. Although note I did remove the non-Amazon domain registar support (it was a bit too confusing, and I didn't want to have to deal with fixing or testing it with the other changes I've made).

The main highlights are: now uses Amazon Linux 2023, Node 18.x, fixes a whole lot of little issues, and supports Foundry 11.

It's not super duper tested yet, there may still be issues, but hopefully it helps anyone who was looking to update from Foundry 10.

Unfortunately, you will need to tear down and recreate the old stack with the newer one. Make sure you back up / transfer your data and settings out first!

I set everything up, and it runs great. I seem to have access through the app to everything. I added game system, a pre-built world, and an empty world ... but I can't find my User Data files for any of it. The S3 bucket I set up during this process is empty.

Thanks for all the work putting this together folks! I'm getting this error on the final screen, however.

Followed the instructions: bought an .eu domain at route53 and created the stack based on the template. Foundry is installed but seems to be without a certificate. I checked crt.sh as mentioned in the troubleshooting, there is no entry for my domain.

When I check the stack in CloudFormation it gives me the status create_complete but when I click on the stack and open the "events" tub there 50 entries of which only 17 are marked as create_complete the rest as create_in_progress.

I deleted the stack an retried the process. Same results.

Can anybody help?

The original guide was really great, and this definitely seems like an improvement, but it feels like some corners were cut. Specifically removing the section about how to change regions from the AWS Console.

Any chance this can get added?

Current workarounds:

1. Create a copy of the world folder and delete the original world folder
2. SSH using putty and elevate to root to change permissions or sftp files and folders

We will rehaul the setup method and permissions to fix this issue. Please use the workarounds in the meantime

Hello and thanks for the assistance.

I applied the patch to node per the instructions, checked my node version and it is showing as upgraded (14.17.0.). When I go to my server, however, and try to upgrade foundry, I am still getting the following error:

An update to version 0.8.6 is available but cannot be performed because upgrading to this version requires a full reinstall in order to obtain Node.js version 14 and other updated dependencies. You can manually download this latest version from the Foundry Virtual Tabletop website.

Below is a log of all the processes regarding the patch. Thanks for the help!

   __|  __|_  )
   _|  (     /   Amazon Linux 2 AMI
  ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
[ec2-user ~]$ sudo su
[rootec2-user]# wget https://raw.githubusercontent.com/cat-box/aws-foundry-ssl/master/patches/node_v14.sh
--2021-05-31 19:24:36-- https://raw.githubusercontent.com/cat-box/aws-foundry-ssl/master/patches/node_v14.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 536 [text/plain]
Saving to: ‘node_v14.sh’

100%[======================================>] 536 --.-K/s in 0s

2021-05-31 19:24:36 (21.6 MB/s) - ‘node_v14.sh’ saved [536/536]

[root@ip- ec2-user]# chmod a+x node_v14.sh
[root@ip- ec2-user]# ./node_v14.sh
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
228 packages excluded due to repository priority protections
No packages marked for update
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Resolving Dependencies
--> Running transaction check
---> Package nodejs.x86_64 2:14.17.0-1nodesource will be erased
---> Package nodesource-release.noarch 0:el7-1 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size

Removing:
nodejs x86_64 2:14.17.0-1nodesource @nodesource 91 M
nodesource-release noarch el7-1 installed 3.1 k

Transaction Summary

Remove 2 Packages

Installed size: 91 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Erasing : nodesource-release-el7-1.noarch 1/2
Erasing : 2:nodejs-14.17.0-1nodesource.x86_64 2/2
Verifying : nodesource-release-el7-1.noarch 1/2
Verifying : 2:nodejs-14.17.0-1nodesource.x86_64 2/2

Removed:
nodejs.x86_64 2:14.17.0-1nodesource nodesource-release.noarch 0:el7-1

Complete!

Installing the NodeSource Node.js 14.x repo...

Inspecting system...

• rpm -q --whatprovides redhat-release || rpm -q --whatprovides centos-release || rpm -q --whatprovides cloudlinux-release || rpm -q --whatprovides sl-release
• uname -m

Confirming "el7-x86_64" is supported...

• curl -sLf -o /dev/null 'https://rpm.nodesource.com/pub_14.x/el/7/x86_64/nodesource-release-el7-1.noarch.rpm'

Downloading release setup RPM...

• mktemp
• curl -sL -o '/tmp/tmp.CD9b0qRqOx' 'https://rpm.nodesource.com/pub_14.x/el/7/x86_64/nodesource-release-el7-1.noarch.rpm'

Installing release setup RPM...

• rpm -i --nosignature --force '/tmp/tmp.CD9b0qRqOx'

Cleaning up...

• rm -f '/tmp/tmp.CD9b0qRqOx'

Checking for existing installations...

• rpm -qa 'node|npm' | grep -v nodesource

Run sudo yum install -y nodejs to install Node.js 14.x and npm.

You may also need development tools to build native addons:

 sudo yum install gcc-c++ make

To install the Yarn package manager, run:

 curl -sL https://dl.yarnpkg.com/rpm/yarn.repo | sudo tee /etc/yum.repos.d/yarn.repo
 sudo yum install yarn

Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Existing lock /var/run/yum.pid: another copy is running as pid 4089.
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 119 M RSS (335 MB VSZ)
Started: Mon May 31 19:25:00 2021 - 00:03 ago
State : Running, pid: 4089
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 276 M RSS (493 MB VSZ)
Started: Mon May 31 19:25:00 2021 - 00:05 ago
State : Running, pid: 4089
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 311 M RSS (528 MB VSZ)
Started: Mon May 31 19:25:00 2021 - 00:07 ago
State : Running, pid: 4089
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 311 M RSS (527 MB VSZ)
Started: Mon May 31 19:25:00 2021 - 00:09 ago
State : Running, pid: 4089
Cleaning repos: amzn2-core amzn2extra-docker amzn2extra-nginx1 epel nodesource
Cleaning up everything
Maybe you want: rm -rf /var/cache/yum, to also free up space taken by orphaned data from disabled or removed repos
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core | 3.7 kB 00:00
amzn2extra-docker | 3.0 kB 00:00
amzn2extra-nginx1 | 3.0 kB 00:00
epel/x86_64/metalink | 15 kB 00:00
epel | 4.7 kB 00:00
nodesource | 2.5 kB 00:00
(1/11): amzn2-core/2/x86_64/group_gz | 2.5 kB 00:00
(2/11): amzn2-core/2/x86_64/updateinfo | 373 kB 00:00
(3/11): amzn2extra-nginx1/2/x86_64/primary_db | 30 kB 00:00
(4/11): amzn2extra-docker/2/x86_64/updateinfo | 76 B 00:00
(5/11): amzn2extra-docker/2/x86_64/primary_db | 78 kB 00:00
(6/11): amzn2extra-nginx1/2/x86_64/updateinfo | 76 B 00:00
(7/11): epel/x86_64/group_gz | 96 kB 00:00
(8/11): epel/x86_64/updateinfo | 1.0 MB 00:00
(9/11): nodesource/x86_64/primary_db | 40 kB 00:00
(10/11): epel/x86_64/primary_db | 6.9 MB 00:00
(11/11): amzn2-core/2/x86_64/primary_db | 53 MB 00:02
228 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package nodejs.x86_64 2:14.17.0-1nodesource will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size

Installing:
nodejs x86_64 2:14.17.0-1nodesource nodesource 32 M

Transaction Summary

Install 1 Package

Total download size: 32 M
Installed size: 91 M
Downloading packages:
nodejs-14.17.0-1nodesource.x86_64.rpm | 32 MB 00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
Installing : 2:nodejs-14.17.0-1nodesource.x86_64 1/1
Verifying : 2:nodejs-14.17.0-1nodesource.x86_64 1/1

Installed:
nodejs.x86_64 2:14.17.0-1nodesource

Complete!
[root@ip- ec2-user]# rm node_v14.sh
rm: remove regular file ‘node_v14.sh’? y
[root@ip- ec2-user]# node -v
v14.17.0
[root@ip-ec2-user]#

I am a frugal guy. I want to ensure I am not wasting money. HOWEVER, I am also forgetful. Sometimes I forget to turn off my instance and have to pay a whole 10 dollars for that month.

I think this should have an optional piece in CloudFormation for an alarm to text you if you leave the instance running too long.

As you can see SNS allows up to 100 free SMS messages, so it aligns with my frugal ways.
https://aws.amazon.com/sns/pricing/

Please implement immediately. Due date: 07/04/2021

Hi,

So I've followed all the steps, CF works no worries, and I can access Foundry on its subdomain over http, but not https. I've checked the wiki, but it's not a rate limit or any such.

AWS being the sprawling beast that it is, not sure how best to diagnose this. I'm wondering if it's because my normal site (which is unrelated to Foundry) is served from S3, with CloudFront which has its own SSL cert. As CF is wont to do its SSL cert is configured to cover a subdomain wildcard. Would that perhaps trip up the CF script from creating its own specific subdomain SSL cert?

Thanks, and thanks for providing such a helpful script :)

Edit: I've done some poking around in the EC2 instance.

It looks like the script failed, given that I didn't want it to touch my main domain?

2023-02-04 03:59:59,688:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: [redacted]
Type:   dns
Detail: DNS problem: NXDOMAIN looking up A for [redacted] - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for [redacted] - check that a DNS record exists for this domain
2023-02-04 03:59:59,689:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

2023-02-04 03:59:59,689:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-02-04 03:59:59,689:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-02-04 04:00:00,895:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.11.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1421, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1156, in run
    certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 135, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 441, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 374, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 421, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

Maybe a chicken-and-egg scenario, where the subdomain wasn't configured in time on setup?

Edit 2: I managed to kickstart the certbot by finding the line that's normally run by the install script. It went and found the domain this time, restarted the server, and then when I refreshed my VTT domain, it was using SSL. Nice! Maybe some issue with the creation of subdomains when not also configuring the main domain?

I'd help by having a look, but DevOps-y things I always find very tricky to see what's going on, especially with the panopoly of AWS services that are all being intermingled 😅

I went through the setup and it was smooth and easy to setup. However when I attempted to use the S3 bucket in-world to upload content it failed to upload. I checked the AWS.json file in the config folder on the EC2 instance and the secretAccessKey value was not set. It looked to still be set to a default value.

I went into iams and generated a new accesskeyId and secretAccessKey pair for the existing user account, (confirmed it was the right one by matching the existing accesskeyId in the file) and updated the AWS.json file wiith the new pair value. However, even after doing all this and restarting the instance, it still will not work with S3. It writes the following error.

What other areas need to be changed to make this work appropriately?

I read your wiki, and didn't really understand if the approach would work if I already owned a domain (from a registrar not listed here). Could you maybe say how that works or specifically say it doesn't?

Just looking for clarity.

Love your concept and your work.

Can you please include an option for those of us who have NS and a domain setup.
EG let us manually create/specify an address or output a hostname/address that you have read from AWS.
Yes I know this will involve using an Elastic IP

I was able to get your solution working but had to muck around with the lets encrypt stuff.

After stopping and starting the EC2 instance I can no longer connect to foundry. connection just times out

More a question on the patch then an issue. I got an email saying my SSL encryption was set to expire in 19 days, and came here to find that a patch had been released to fix it to allow for auto renewal. I'm not entirely familiar with how Lets Encrypt does their renewals but it seems like they recommend auto renewing 30 days prior to expiration. Does that logic for the patch check regularly even after the 30 day count down begins or do I need to manually renew it this time and then in the future it will catch it at the 30 day mark?

Just looking for confirmation one way or another. Thanks for the amazing work!!

Did I miss something in the instructions?

In looking at the scripts in this repo it looks like this is an NGINX thing. I guess something went wrong there. I can manually setup the proxy I suppose.

zone_id is appended on the same line as webserver_pass when the scripts/amazon/dynamic_dns.sh is run. You should add a newline after webserver_pass in the cloud formation template so that does not happen...

we could add instructions for this page https://github.com/cat-box/aws-foundry-ssl/wiki/Transferring-Files#mac

along these lines:
https://github.com/stonematt/aws-foundry-ssl/wiki

If something goes wrong with the server or a script like the letsencrypt job fails I'd like to be able to send logs to CloudWatch for easy viewing instead of having to SSH and trawl through them with cli tools. While it should be simple enough to do this manually, having it at least an optional step to do it automatically would be useful especially in cases where we're running multiple servers.

After setting up the CloudFormation the EC2 Instance terminated itself?

I'm pointing my domains to Host Gator and one of them is purchased through Whois, would I be able to create a hosted zone on AWS grabbing the domain from Whois?