2
votes

I am trying to set up HTTPS for my EC2 instance created from Elastic Beanstalk using a certificate from AWS's ACM. According to this article https://colintoh.com/blog/configure-ssl-for-aws-elastic-beanstalk, I need to go to EC2 panel/load balancer and add a new listener rule.

My problem is that for the HTTPS load balancer protocol, when I try to add SSL Certificate, and click "Choose a certificate from ACM (recommended)", there's no ACM certificate available for me.

I know that I will have to request a new certificate for this load balancer address, but WHICH VERIFICATION METHOD SHOULD I USE?

As far as I know, there are 2 ways to verify your domain ownership (email or DNS). I guess email is not an option here because you cannot send an email to an "elb.amazonaws.com" address. But I'm not sure how to verify a certificate request by DNS.

And also, I tried to paste the load balancer address xxx.xxx.elb.amazonaws.com into ACM to request a certificate for this address, but it says "invalid domain name".

And also, if I were to add a custom domain name for my load balancer (for example, create an alias of api.example.com for the load balancer), how can I set up HTTPS for that custom domain of api.example.com?

Thanks a lot!

1
You can't request an SSL certificate for a domain you don't own. You have to purchase your own domain, point that domain to the load balancer, and then request an SSL certificate for that domain. - Mark B
That's exactly my question. I do have a custom domain. I have set up an A record in Route 53 to point to my load balancer. But then what? How do I assign the certificate from this point on? Even if I have mydomain.com pointing to my load balancer, when I try to add a listener rule to my load balancer, the certificate is still not found. By the way, I have actually got an ACM certificate from AWS for "mydomain.com". But the AWS load balancer is not under the mydomain.com address. It is elb.amazonaws.com. So how do I assign my certificate to my load balancer? - Marlon Ou
It doesn't matter that the load balancer is "under" elb.amazonaws.com. It is also "under" your custom domain as soon as you point your custom domain to the load balancer. The load balancer will serve the SSL certificate you assign to it, based on the domain name being requested. The first step would be to get it to actually serve requests for your custom domain correctly over HTTP, which should just be a matter of pointing a DNS record at it. Once that works proceed to assign the SSL certificate. - Mark B
@Marlon Is your domain under Route53? - Ashan
@MarkB problem solved! Thanks! - Marlon Ou

1 Answer

3
votes

Problem solved. Need to request the certificate in the same region as the load balancer, and then point the custom domain (the one used to request the certificate) to the load balancer using Route 53.
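
The region requirement in this answer can be checked offline from two strings the console already shows: the load balancer's DNS name and the certificate's ARN. The following is an added example, not code from the original post; the ELB hostname layouts noted in the comments are assumptions, and the load balancer name, account ID and certificate ID are constructed sample values.

```python
import re

# Assumed ELB hostname layouts: "<name>.<region>.elb.amazonaws.com"
# (Classic/Application) and "<name>.elb.<region>.amazonaws.com" (Network).
_ELB_RE = re.compile(
    r"\.(?:([a-z0-9-]+)\.elb|elb\.([a-z0-9-]+))\.amazonaws\.com(?:\.cn)?\.?$")

def elb_region(dns_name):
    """Region embedded in a load balancer's DNS name."""
    m = _ELB_RE.search(dns_name.strip().lower())
    if not m:
        raise ValueError(f"no region found in ELB name: {dns_name!r}")
    return m.group(1) or m.group(2)

def acm_region(cert_arn):
    """Region field of arn:<partition>:acm:<region>:<account>:certificate/<id>."""
    parts = cert_arn.split(":", 5)
    if (len(parts) != 6 or parts[0] != "arn" or parts[2] != "acm"
            or not parts[5].startswith("certificate/")):
        raise ValueError(f"not an ACM certificate ARN: {cert_arn!r}")
    return parts[3]

def covers(cert_name, host):
    """True if a certificate name matches host; '*' stands for one label only."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if cert_name.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == cert_name[2:]
    return cert_name == host

def diagnose(lb_dns, cert_arn, cert_names, custom_host):
    """Reasons the certificate cannot serve custom_host on this load balancer."""
    problems = []
    lb_r, cert_r = elb_region(lb_dns), acm_region(cert_arn)
    if lb_r != cert_r:
        problems.append(f"certificate is in {cert_r}, load balancer is in "
                        f"{lb_r}: request the certificate in {lb_r}")
    if not any(covers(n, custom_host) for n in cert_names):
        problems.append(f"{custom_host} is not among the certificate names {cert_names}")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from the question.
    lb = "awseb-e-x-AWSEBLoa-ABCDEFGH1234-1234567890.us-west-2.elb.amazonaws.com"
    arn = ("arn:aws:acm:us-east-1:123456789012:"
           "certificate/00000000-0000-0000-0000-000000000000")
    for p in diagnose(lb, arn, ["example.com"], "api.example.com"):
        print("-", p)
```

An empty list from `diagnose` means the certificate sits in the load balancer's region and names the custom hostname, so it can be attached to the HTTPS listener.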