
Can we do automated cert renewals for API Gateway or ELB (certs managed via ACM) without downtime (zero downtime)?

Assumptions: The ACM cert and AWS service are eligible for automated renewals and there are no gaps/issues on the domain validation side. In fact, let's assume that ACM has already obtained the renewed cert.

kiran01bm

1 Answer


If you have an ACM generated certificate this will automatically be renewed and rolled out ahead of time to each resource that has it applied.

ACM provides managed renewal for your Amazon-issued SSL/TLS certificates. This includes both public and private certificates issued by using ACM. If possible, ACM renews your certificates automatically with no action required from you.

You cannot trigger the renewals for these certificates; in fact, they are created with a 13-month expiry, with ACM renewing the certificate at 12 months (with 1 month left until expiry).

If you upload your own certificates to ACM you will need to apply them to each resource; however, there is no downtime while this applies to the resource. To avoid downtime from an expired SSL certificate, ensure you roll this out ahead of time.

You can check the status of your ACM certificate for more details on its renewal process.

Chris Williams
  • So my question was, e.g.: In the case of an ELB, do the LB instances need some sort of a refresh, i.e. instances with new certs created to replace instances with old certs whilst allowing in-flight requests to finish gracefully? I couldn't find any docs where they clarify this explicitly.. – kiran01bm Jul 02 '20 at 07:07
  • There are multiple nodes for ELBs, it will apply the certificate gracefully and presumably recycle the previous nodes. There is no interruption at all :) – Chris Williams Jul 02 '20 at 07:08
  • Thank you.. "There is no interruption at all" --> Is this based on your experience or is it officially stated in any AWS doco.. ? – kiran01bm Jul 02 '20 at 07:39
  • This is both based on my experience and this statement `ACM can also help you avoid downtime due to misconfigured, revoked, or expired certificates by managing renewals` – Chris Williams Jul 02 '20 at 07:45
  • I had problems when I re-imported my custom certificate on ACM. By my monitoring, the application load balancer had some requests with status 400 that stopped on the ALB. – Guilherme Chafy Mar 08 '22 at 21:28
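The answer above says to check the certificate's status rather than trusting that renewal will happen. The script below is an added example (not part of the question, the answer, or any AWS tooling) of what that check looks like in practice: it takes the `Certificate` object that `aws acm describe-certificate` or boto3's `describe_certificate()` returns and flags the conditions under which ACM will not, or has not yet, renewed the certificate: an IMPORTED certificate (the case in the last comment), `RenewalEligibility` not `ELIGIBLE`, a domain validation that is no longer `SUCCESS` (e.g. the DNS CNAME was removed), a `FAILED` renewal, or a certificate inside ACM's renewal window with no completed renewal. The field names are ACM's own; the two sample certificates, the ARNs, the dates, the fixed "now" used for reproducibility, and the 60-day window constant are this example's assumptions.

```python
"""Audit an ACM certificate's managed-renewal state before it expires (added example).

Input is the "Certificate" object from
    aws acm describe-certificate --certificate-arn <arn>
or boto3's acm.describe_certificate()["Certificate"]. Field names are ACM's;
the thresholds and all sample data below are this example's own assumptions.
"""
import json
from datetime import datetime, timezone

RENEWAL_WINDOW_DAYS = 60  # ACM starts managed renewal up to 60 days before NotAfter (assumed constant)


def _ts(value):
    """Accept boto3 datetimes or the ISO-8601 strings the CLI prints."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_renewal(cert, now=None):
    """Return days left, whether ACM will renew it, attached resources, and any findings."""
    now = now or datetime.now(timezone.utc)
    days_left = (_ts(cert["NotAfter"]) - now).days
    cert_type = cert.get("Type")
    auto_renews = cert_type != "IMPORTED" and cert.get("RenewalEligibility") == "ELIGIBLE"
    findings = []

    if cert_type == "IMPORTED":
        findings.append("IMPORTED certificate: ACM does not renew it; re-import the replacement "
                        "against the same ARN before NotAfter so attached resources pick it up.")
    elif cert.get("RenewalEligibility") != "ELIGIBLE":
        findings.append(f"RenewalEligibility is {cert.get('RenewalEligibility')!r}: managed renewal will not run.")
    if cert.get("Status") != "ISSUED":
        findings.append(f"Status is {cert.get('Status')!r}, not ISSUED.")
    if days_left < 0:
        findings.append("Certificate has already expired.")

    # During renewal ACM re-validates each domain; the RenewalSummary carries the live state.
    summary = cert.get("RenewalSummary") or {}
    domain_opts = summary.get("DomainValidationOptions") or cert.get("DomainValidationOptions", [])
    unvalidated = [d["DomainName"] for d in domain_opts if d.get("ValidationStatus") != "SUCCESS"]
    if unvalidated:
        findings.append("Domain validation not complete for: " + ", ".join(unvalidated)
                        + " (for DNS validation, confirm the CNAME record still exists).")

    status = summary.get("RenewalStatus")
    if status == "FAILED":
        findings.append("Last renewal attempt FAILED: " + str(summary.get("RenewalStatusReason", "no reason given")))
    elif auto_renews and days_left <= RENEWAL_WINDOW_DAYS and status != "SUCCESS":
        findings.append(f"{days_left} days left (inside the {RENEWAL_WINDOW_DAYS}-day window) but "
                        f"RenewalStatus is {status!r}; investigate before expiry.")

    return {"domain": cert.get("DomainName"), "days_left": days_left, "auto_renews": auto_renews,
            "in_use_by": list(cert.get("InUseBy", [])), "findings": findings}


# Constructed samples shaped like describe-certificate output; ARNs and dates are made up.
ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/prod-alb/abcdef0123456789"
SAMPLE_MANAGED = json.loads("""{
  "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555",
  "DomainName": "api.example.com", "Status": "ISSUED", "Type": "AMAZON_ISSUED",
  "NotBefore": "2024-01-15T00:00:00+00:00", "NotAfter": "2025-02-15T23:59:59+00:00",
  "RenewalEligibility": "ELIGIBLE", "InUseBy": ["%s"],
  "DomainValidationOptions": [{"DomainName": "api.example.com", "ValidationMethod": "DNS", "ValidationStatus": "SUCCESS"}],
  "RenewalSummary": {"RenewalStatus": "PENDING_AUTO_RENEWAL", "UpdatedAt": "2024-11-20T10:00:00+00:00",
    "DomainValidationOptions": [{"DomainName": "api.example.com", "ValidationMethod": "DNS", "ValidationStatus": "SUCCESS"}]}
}""" % ALB_ARN)
SAMPLE_IMPORTED = json.loads("""{
  "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/66666666-7777-8888-9999-000000000000",
  "DomainName": "legacy.example.com", "Status": "ISSUED", "Type": "IMPORTED",
  "NotBefore": "2024-01-06T00:00:00+00:00", "NotAfter": "2025-01-05T23:59:59+00:00",
  "RenewalEligibility": "INELIGIBLE", "InUseBy": ["%s"]
}""" % ALB_ARN)
SAMPLE_NOW = datetime(2024, 12, 1, tzinfo=timezone.utc)  # fixed clock so the samples are reproducible


def audit_samples(now=SAMPLE_NOW):
    """Run the check over both constructed certificates as of the given clock."""
    return {"managed": assess_renewal(SAMPLE_MANAGED, now), "imported": assess_renewal(SAMPLE_IMPORTED, now)}


if __name__ == "__main__":
    for name, r in audit_samples().items():
        print(f"{name}: {r['domain']} expires in {r['days_left']} days, auto-renews={r['auto_renews']}, "
              f"in use by {len(r['in_use_by'])} resource(s)")
        for f in r["findings"]:
            print("  -", f)
```

With real data, pipe `aws acm describe-certificate --certificate-arn <arn> --output json` into `json.load`, pass the `["Certificate"]` object to `assess_renewal`, and run it from a scheduled job well before the 60-day window opens; `in_use_by` also tells you which load balancers and API Gateway domains will receive the renewed certificate, which is the list you would watch for the ELB node cycling discussed in the comments.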