I've reviewed the Lightsail load balancer and, unlike ACM, you cannot add wildcard SSLs.

For example, on ACM this can be done:

example.com
*.example

And then attached to an EC2 load balancer.

But for Lightsail, the wildcard is not accepted. When we issue only on the apex domain to the load balancer:

example.com

When we resolve demo.example.com, we get a cert invalid error.

As we don't know ahead of time the sub-domains in use, and the limit of 9 is too few, is there a workaround?

Colin

1 Answer

I came up with a solution but I can't say for sure it is the only one.

TL;DR - Use an EC2 Load Balancer and add its target as your LightSail instance. To this load balancer attach a standard ACM certificate. Don't use the LightSail load balancer at all.

Outline Steps

  1. Launch a load balancer in EC2 and attach your LightSail instance as a target (Remember to use the private IP of your LightSail instance and check your security settings, zone and region prior to setup)
  2. Open ACM and provision your certificate. To protect your entire domain, you will require two entries on this cert, i.e. example.com and *.example.com
  3. Validate the certificate (DNS etc) and attach it to the load balancer in EC2.
JJS
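The failure the question describes (an apex-only certificate on demo.example.com shows "cert invalid") and the fix in the answer (an ACM certificate carrying both example.com and *.example.com) come down to how a client matches a hostname against a certificate's DNS names. The following is an added example, not code from the question or the answer, that implements that matching with the single-label, left-most-only wildcard rule browsers and ACM apply, and reports which hostnames a given certificate would leave uncovered; the hostnames and certificate name lists are constructed sample data.

```python
# Added example (not from the original post): hostname-to-certificate matching,
# to show why the apex-only Lightsail certificate fails for demo.example.com
# and why the ACM certificate with example.com and *.example.com covers it.
from typing import Iterable, List


def hostname_matches_san(hostname: str, san: str) -> bool:
    """Return True if the certificate DNS name `san` covers `hostname`.

    Rules follow the common browser / RFC 6125 interpretation that ACM also
    enforces: a wildcard is only valid as the entire left-most label, and it
    matches exactly one label, so *.example.com covers demo.example.com but
    not a.b.example.com and not the apex example.com itself.
    """
    host = hostname.lower().rstrip(".")
    name = san.lower().rstrip(".")
    if "*" not in name:
        return host == name
    # The wildcard must be the whole left-most label, e.g. "*.example.com";
    # partial-label forms such as "*example.com" are rejected.
    if not name.startswith("*.") or "*" in name[2:]:
        return False
    suffix = name[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]
    # Exactly one non-empty label may stand in for the wildcard.
    return prefix != "" and "." not in prefix


def uncovered_hostnames(hostnames: Iterable[str], sans: Iterable[str]) -> List[str]:
    """Hostnames that no DNS name on the certificate covers (these would
    produce the 'cert invalid' error seen in the question)."""
    san_list = list(sans)
    return [h for h in hostnames if not any(hostname_matches_san(h, s) for s in san_list)]


# Constructed sample data: names a site might serve, and the two certificate
# shapes discussed above (Lightsail apex-only vs. ACM apex + wildcard).
SITE_HOSTNAMES = ["example.com", "demo.example.com", "blog.example.com", "a.b.example.com"]
LIGHTSAIL_APEX_ONLY = ["example.com"]
ACM_APEX_AND_WILDCARD = ["example.com", "*.example.com"]

if __name__ == "__main__":
    print("apex-only leaves uncovered:", uncovered_hostnames(SITE_HOSTNAMES, LIGHTSAIL_APEX_ONLY))
    print("apex+wildcard leaves uncovered:", uncovered_hostnames(SITE_HOSTNAMES, ACM_APEX_AND_WILDCARD))
```

Note that a.b.example.com stays uncovered even with the wildcard, so a second-level wildcard such as *.b.example.com would be needed on the ACM certificate for names nested that deep.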
  • This is the only way to solve the problem currently as we don't support wildcard certs on Lightsail. But I've let the product team know about your request so we can track it. – Mike Coleman Jun 07 '19 at 01:42
  • I started creating an EC2 load balancer in the same region as my Lightsail VPS, but at step 4 of the configuration, Register Targets, I don't see the Lightsail machine. I see "No instances available.". @MikeColeman: any progress with allowing the Lightsail load balancer to use certificates from ACM? – Dan Dascalescu Apr 17 '20 at 08:01
  • @DanDascalescu I don't have anything to announce at this point, but I'll PING them again and give them your feedback. – Mike Coleman Apr 18 '20 at 13:02
  • @MikeColeman Would you mind giving the team a ping again, please? Load balancing for wildcard SSL is absolutely crucial, especially for WordPress Multisite users like myself. The EC2 solution above is good for now, but it would be ideal to do it via the Lightsail interface. – Dwayne Charrington Nov 11 '21 at 13:32
  • @MikeColeman this seems to still be lacking. I'd love to be able to do this. Currently says "Domain's left-most label cannot be *" – JJS Apr 13 '22 at 12:25
  • Sorry for not responding - I left Amazon in August of 2020 so don't have access to the team. – Mike Coleman Mar 03 '23 at 07:36