cat-box / aws-foundry-ssl
Deploys Foundry VTT with SSL encryption in AWS using CloudFormation (Beginner Friendly)
License: GNU General Public License v2.0
I setup WinSCP following the instructions (including opening Port 22) and got to:
Enter /foundrydata/Data/ to access the location where the data files are kept.
This gives the error:
Cannot get real path for '/foundrydata/Data'.
Permission denied.
Error code: 3
Error message from server: Permission denied
If I navigate up to root, I can see /foundrydata in the folder list, but clicking on it gives Server returned empty listing for directory '/foundrydata'.
I can see that the owner for this folder is foundry, whereas the owner for all other folders is root. So I'm guessing it's something in the permissions? Thanks!
I'm not sure how active this project is, but I decided to take the plunge and have a go at updating things. A good way to learn some AWS, I guess!
I've made a fork at https://github.com/mikehdt/aws-foundry-ssl
Gone through updating all the things I could find that needed to be updated. More than happy if you want to pull the changes I've made back into here. Although note I did remove the non-Amazon domain registrar support (it was a bit too confusing, and I didn't want to have to deal with fixing or testing it with the other changes I've made).
The main highlights are: now uses Amazon Linux 2023, Node 18.x, fixes a whole lot of little issues, and supports Foundry 11.
It's not super duper tested yet, there may still be issues, but hopefully it helps anyone who was looking to update from Foundry 10.
Unfortunately, you will need to tear down and recreate the old stack with the newer one. Make sure you back up / transfer your data and settings out first!
I set everything up, and it runs great. I seem to have access through the app to everything. I added game system, a pre-built world, and an empty world ... but I can't find my User Data files for any of it. The S3 bucket I set up during this process is empty.
Thanks for all the work putting this together folks! I'm getting this error on the final screen, however.
Followed the instructions: bought an .eu domain at route53 and created the stack based on the template. Foundry is installed but seems to be without a certificate. I checked crt.sh as mentioned in the troubleshooting, there is no entry for my domain.
When I check the stack in CloudFormation it gives me the status create_complete, but when I click on the stack and open the "events" tab there are 50 entries, of which only 17 are marked as create_complete and the rest as create_in_progress.
I deleted the stack and retried the process. Same results.
Can anybody help?
The original guide was really great, and this definitely seems like an improvement, but it feels like some corners were cut. Specifically removing the section about how to change regions from the AWS Console.
Any chance this can get added?
Current workarounds:
We will rehaul the setup method and permissions to fix this issue. Please use the workarounds in the meantime
Hello and thanks for the assistance.
I applied the patch to node per the instructions, checked my node version and it is showing as upgraded (14.17.0). When I go to my server, however, and try to upgrade foundry, I am still getting the following error:
An update to version 0.8.6 is available but cannot be performed because upgrading to this version requires a full reinstall in order to obtain Node.js version 14 and other updated dependencies. You can manually download this latest version from the Foundry Virtual Tabletop website.
Below is a log of all the processes regarding the patch. Thanks for the help!
__| __|_ )
_| ( / Amazon Linux 2 AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-2/
[ec2-user ~]$ sudo su
[rootec2-user]# wget https://raw.githubusercontent.com/cat-box/aws-foundry-ssl/master/patches/node_v14.sh
--2021-05-31 19:24:36-- https://raw.githubusercontent.com/cat-box/aws-foundry-ssl/master/patches/node_v14.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 536 [text/plain]
Saving to: ‘node_v14.sh’
100%[======================================>] 536 --.-K/s in 0s
2021-05-31 19:24:36 (21.6 MB/s) - ‘node_v14.sh’ saved [536/536]
[root@ip- ec2-user]# chmod a+x node_v14.sh
[root@ip- ec2-user]# ./node_v14.sh
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
228 packages excluded due to repository priority protections
No packages marked for update
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Resolving Dependencies
--> Running transaction check
---> Package nodejs.x86_64 2:14.17.0-1nodesource will be erased
---> Package nodesource-release.noarch 0:el7-1 will be erased
--> Finished Dependency Resolution
Dependencies Resolved
Removing:
nodejs x86_64 2:14.17.0-1nodesource @nodesource 91 M
nodesource-release noarch el7-1 installed 3.1 k
Remove 2 Packages
Installed size: 91 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Erasing : nodesource-release-el7-1.noarch 1/2
Erasing : 2:nodejs-14.17.0-1nodesource.x86_64 2/2
Verifying : nodesource-release-el7-1.noarch 1/2
Verifying : 2:nodejs-14.17.0-1nodesource.x86_64 2/2
Removed:
nodejs.x86_64 2:14.17.0-1nodesource nodesource-release.noarch 0:el7-1
Complete!
sudo yum install -y nodejs
to install Node.js 14.x and npm. sudo yum install gcc-c++ make
curl -sL https://dl.yarnpkg.com/rpm/yarn.repo | sudo tee /etc/yum.repos.d/yarn.repo
sudo yum install yarn
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Existing lock /var/run/yum.pid: another copy is running as pid 4089.
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 119 M RSS (335 MB VSZ)
Started: Mon May 31 19:25:00 2021 - 00:03 ago
State : Running, pid: 4089
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 276 M RSS (493 MB VSZ)
Started: Mon May 31 19:25:00 2021 - 00:05 ago
State : Running, pid: 4089
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 311 M RSS (528 MB VSZ)
Started: Mon May 31 19:25:00 2021 - 00:07 ago
State : Running, pid: 4089
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 311 M RSS (527 MB VSZ)
Started: Mon May 31 19:25:00 2021 - 00:09 ago
State : Running, pid: 4089
Cleaning repos: amzn2-core amzn2extra-docker amzn2extra-nginx1 epel nodesource
Cleaning up everything
Maybe you want: rm -rf /var/cache/yum, to also free up space taken by orphaned data from disabled or removed repos
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core | 3.7 kB 00:00
amzn2extra-docker | 3.0 kB 00:00
amzn2extra-nginx1 | 3.0 kB 00:00
epel/x86_64/metalink | 15 kB 00:00
epel | 4.7 kB 00:00
nodesource | 2.5 kB 00:00
(1/11): amzn2-core/2/x86_64/group_gz | 2.5 kB 00:00
(2/11): amzn2-core/2/x86_64/updateinfo | 373 kB 00:00
(3/11): amzn2extra-nginx1/2/x86_64/primary_db | 30 kB 00:00
(4/11): amzn2extra-docker/2/x86_64/updateinfo | 76 B 00:00
(5/11): amzn2extra-docker/2/x86_64/primary_db | 78 kB 00:00
(6/11): amzn2extra-nginx1/2/x86_64/updateinfo | 76 B 00:00
(7/11): epel/x86_64/group_gz | 96 kB 00:00
(8/11): epel/x86_64/updateinfo | 1.0 MB 00:00
(9/11): nodesource/x86_64/primary_db | 40 kB 00:00
(10/11): epel/x86_64/primary_db | 6.9 MB 00:00
(11/11): amzn2-core/2/x86_64/primary_db | 53 MB 00:02
228 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package nodejs.x86_64 2:14.17.0-1nodesource will be installed
--> Finished Dependency Resolution
Dependencies Resolved
Installing:
nodejs x86_64 2:14.17.0-1nodesource nodesource 32 M
Install 1 Package
Total download size: 32 M
Installed size: 91 M
Downloading packages:
nodejs-14.17.0-1nodesource.x86_64.rpm | 32 MB 00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
Installing : 2:nodejs-14.17.0-1nodesource.x86_64 1/1
Verifying : 2:nodejs-14.17.0-1nodesource.x86_64 1/1
Installed:
nodejs.x86_64 2:14.17.0-1nodesource
Complete!
[root@ip- ec2-user]# rm node_v14.sh
rm: remove regular file ‘node_v14.sh’? y
[root@ip- ec2-user]# node -v
v14.17.0
[root@ip-ec2-user]#
I am a frugal guy. I want to ensure I am not wasting money. HOWEVER, I am also forgetful. Sometimes I forget to turn off my instance and have to pay a whole 10 dollars for that month.
I think this should have an optional piece in CloudFormation for an alarm to text you if you leave the instance running too long.
As you can see SNS allows up to 100 free SMS messages, so it aligns with my frugal ways.
https://aws.amazon.com/sns/pricing/
Please implement immediately. Due date: 07/04/2021
Hi,
So I've followed all the steps, CF works no worries, and I can access Foundry on its subdomain over http, but not https. I've checked the wiki, but it's not a rate limit or any such.
AWS being the sprawling beast that it is, not sure how best to diagnose this. I'm wondering if it's because my normal site (which is unrelated to Foundry) is served from S3, with CloudFront which has its own SSL cert. As CF is wont to do its SSL cert is configured to cover a subdomain wildcard. Would that perhaps trip up the CF script from creating its own specific subdomain SSL cert?
Thanks, and thanks for providing such a helpful script :)
Edit: I've done some poking around in the EC2 instance.
It looks like the script failed, given that I didn't want it to touch my main domain?
2023-02-04 03:59:59,688:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:
Domain: [redacted]
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for [redacted] - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for [redacted] - check that a DNS record exists for this domain
2023-02-04 03:59:59,689:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
2023-02-04 03:59:59,689:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-02-04 03:59:59,689:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-02-04 04:00:00,895:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/bin/certbot", line 9, in <module>
load_entry_point('certbot==1.11.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1421, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1156, in run
certname, lineage)
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 135, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 441, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 374, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 421, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
Maybe a chicken-and-egg scenario, where the subdomain wasn't configured in time on setup?
Edit 2: I managed to kickstart the certbot by finding the line that's normally run by the install script. It went and found the domain this time, restarted the server, and then when I refreshed my VTT domain, it was using SSL. Nice! Maybe some issue with the creation of subdomains when not also configuring the main domain?
I'd help by having a look, but DevOps-y things I always find very tricky to see what's going on, especially with the panoply of AWS services that are all being intermingled 😅
I went through the setup and it was smooth and easy to setup. However when I attempted to use the S3 bucket in-world to upload content it failed to upload. I checked the AWS.json file in the config folder on the EC2 instance and the secretAccessKey value was not set. It looked to still be set to a default value.
I went into IAM and generated a new accesskeyId and secretAccessKey pair for the existing user account (confirmed it was the right one by matching the existing accesskeyId in the file) and updated the AWS.json file with the new pair value. However, even after doing all this and restarting the instance, it still will not work with S3. It writes the following error.
What other areas need to be changed to make this work appropriately?
I read your wiki, and didn't really understand if the approach would work if I already owned a domain (from a registrar not listed here). Could you maybe say how that works or specifically say it doesn't?
Just looking for clarity.
Love your concept and your work.
Can you please include an option for those of us who have NS and a domain setup.
EG let us manually create/specify an address or output a hostname/address that you have read from AWS.
Yes I know this will involve using an Elastic IP
I was able to get your solution working but had to muck around with the Let's Encrypt stuff.
After stopping and starting the EC2 instance I can no longer connect to Foundry. The connection just times out.
More a question on the patch than an issue. I got an email saying my SSL encryption was set to expire in 19 days, and came here to find that a patch had been released to fix it to allow for auto renewal. I'm not entirely familiar with how Let's Encrypt does their renewals but it seems like they recommend auto renewing 30 days prior to expiration. Does that logic for the patch check regularly even after the 30 day count down begins or do I need to manually renew it this time and then in the future it will catch it at the 30 day mark?
Just looking for confirmation one way or another. Thanks for the amazing work!!
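The renewal-window question above, as an added example (not code from the aws-foundry-ssl repo): a bash check that asks openssl whether a certificate expires within the renewal window and only then runs the renewal command. The 30-day default matches the window certbot renew applies; the certificate paths and hostname are assumptions, and the self-signed test certificate is constructed for offline use.

```shell
#!/usr/bin/env bash
# Added example, not code from the aws-foundry-ssl repo: check whether a
# certificate is inside the renewal window, the test certbot renew applies
# (30 days before expiry by default). Paths and hostnames are assumptions.
set -eu

# Return 0 if CERT expires within DAYS days (renewal due), 1 otherwise.
# openssl -checkend N exits 0 while the cert stays valid for N more seconds,
# so the result is negated.
renewal_due() {
  local cert="$1" days="${2:-30}"
  ! openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null
}

# Run the renewal command (remaining arguments) only when renewal is due.
# Returns 0 if it ran, 3 if the certificate was still outside the window.
# Production use would be: renew_if_due CERT 30 certbot renew
renew_if_due() {
  local cert="$1" days="$2"
  shift 2
  if renewal_due "$cert" "$days"; then
    echo "renewal due within $days days: running $*"
    "$@"
  else
    echo "certificate valid for more than $days days; nothing to do"
    return 3
  fi
}

# Make a throwaway self-signed certificate valid for DAYS days, so the
# logic can be exercised offline without touching a real Let's Encrypt cert.
make_test_cert() {
  local out="$1" days="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
    -subj '/CN=foundry.example.test' -keyout "${out%.pem}.key" -out "$out" \
    >/dev/null 2>&1
}
```

certbot renew runs the same 30-day test on every invocation, so a cron job or systemd timer that calls it daily picks up a certificate that is already inside the window on its next run.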
Did I miss something in the instructions?
In looking at the scripts in this repo it looks like this is an NGINX thing. I guess something went wrong there. I can manually setup the proxy I suppose.
zone_id is appended on the same line as webserver_pass when the scripts/amazon/dynamic_dns.sh is run. You should add a newline after webserver_pass in the CloudFormation template so that does not happen...
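The missing-newline report above, as an added example (not code from the aws-foundry-ssl repo): a bash append helper that guarantees the config file ends in a newline before adding a setting, beside the naive write that reproduces the two settings landing on one line. File names and values are constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the aws-foundry-ssl repo: append a key=value
# setting without gluing it onto a previous line that lacks a newline.
set -eu

# Append KEY=VALUE to FILE, first guaranteeing FILE ends with a newline.
# $(tail -c 1 FILE) is empty when the last byte is "\n" (command substitution
# strips trailing newlines) and non-empty otherwise.
append_setting() {
  local file="$1" key="$2" value="$3"
  touch "$file"
  if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
    printf '\n' >> "$file"
  fi
  printf '%s=%s\n' "$key" "$value" >> "$file"
}

# Print the value of KEY from FILE (everything after the first "=");
# prints nothing if the key does not start a line.
get_setting() {
  local file="$1" key="$2"
  grep -m1 "^${key}=" "$file" | cut -d= -f2-
}

# Reproduce the report: the template wrote webserver_pass with no trailing
# newline, so a plain append put zone_id on the same line. Values are constructed.
naive_write() {
  local file="$1"
  printf 'webserver_pass=%s' 'CONSTRUCTED_PASS' > "$file"   # no newline: the bug
  printf 'zone_id=%s\n' 'ZEXAMPLE123' >> "$file"            # lands on line 1
}

# Same broken first write, but the helper inserts the missing newline.
safe_write() {
  local file="$1"
  printf 'webserver_pass=%s' 'CONSTRUCTED_PASS' > "$file"
  append_setting "$file" zone_id 'ZEXAMPLE123'
}
```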
we could add instructions for this page https://github.com/cat-box/aws-foundry-ssl/wiki/Transferring-Files#mac
along these lines:
https://github.com/stonematt/aws-foundry-ssl/wiki
If something goes wrong with the server or a script like the letsencrypt job fails I'd like to be able to send logs to CloudWatch for easy viewing instead of having to SSH and trawl through them with cli tools. While it should be simple enough to do this manually, having it at least an optional step to do it automatically would be useful especially in cases where we're running multiple servers.
After setting up the CloudFormation the EC2 Instance terminated itself?
I'm pointing my domains to Host Gator and one of them is purchased through Whois, would I be able to create a hosted zone on AWS grabbing the domain from Whois?