Add HTTPS Listener to Application Load Balancer

I have an Application Load Balancer (ALB) that uses the default DNS name provided by AWS.

i.e. a load balancer named my-loadbalancer in US East is given the DNS name:

my-loadbalancer-1234567890.us-east-1.elb.amazonaws.com

[screenshot: basic configuration]

I have a listener over HTTP that works just fine:

http://my-loadbalancer-1234567890.us-east-1.elb.amazonaws.com/

However, when I go to add an HTTPS Listener, I need to provide a certificate that matches the current domain. I can pick something from my ACM store, but they're all for custom domains.

[screenshot: HTTPS Listener]

I can request a new certificate, but I'm not sure how I'd be able to validate against ***.us-east-1.elb.amazonaws.com.

This is a backend service, so I don't need a user friendly domain.

Is there any way to add HTTPS to a load balancer out of the box?

KyleMit asked May 22 '26 10:05


1 Answer

You can add any ACM certificate you have to a listener; after all, this load balancer is a CNAME and would be resolved to your hostname(s) via a DNS record.

However, for any ACM certificate, you have to be able to verify that you control that domain. As the load balancer's domain is owned by Amazon, you cannot verify this domain. If you attempt to access the load balancer's CNAME directly in the browser, it will show as insecure (as the SSL will not be valid for that domain); you will, however, be able to verify that HTTPS works.

The only solution to have a valid HTTPS endpoint will be to use an ACM certificate for a domain you own, and resolve it via that domain name rather than the load balancer's CNAME.

Chris Williams answered May 25 '26 04:05
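The answer's point, that the ACM certificate will verify only when the ALB is reached through a hostname the certificate actually covers, can be checked before and after the DNS record is in place. The following is an added example, not code from the question or the answer: `hostname_matches_cert` applies the usual DNS SAN matching rules to a constructed certificate for the assumed owned domain `api.example.com`, and `live_check` performs a real TLS handshake while sending your own hostname in SNI even when connecting to the ALB's DNS name, so the listener can be verified without waiting for DNS.

```python
import socket
import ssl
from typing import Optional

# Constructed sample: the parsed form of an ACM certificate for a domain you
# own, in the shape ssl.SSLSocket.getpeercert() returns it. Assumed names.
OWNED_DOMAIN_CERT = {
    "subject": ((("commonName", "api.example.com"),),),
    "subjectAltName": (("DNS", "api.example.com"),
                       ("DNS", "*.internal.example.com")),
}
# The AWS-provided ALB name from the question; no ACM cert can cover it.
ALB_DNS_NAME = "my-loadbalancer-1234567890.us-east-1.elb.amazonaws.com"


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by a DNS SAN entry of cert.

    A wildcard is honoured only as the whole leftmost label, so
    '*.example.com' covers 'api.example.com' but not 'a.b.example.com'.
    """
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            p_labels = pattern.split(".")[1:]
            h_labels = host.split(".")
            if len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels:
                return True
    return False


def live_check(hostname: str, connect_to: Optional[str] = None) -> dict:
    """Handshake with the listener and report whether its cert is valid for
    hostname. connect_to lets you dial the ALB's own DNS name while sending
    hostname as SNI, which is what a browser will do once DNS points there."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((connect_to or hostname, 443), timeout=5) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return {"host": hostname, "ok": True, "cert": tls.getpeercert()}
        except ssl.SSLCertVerificationError as exc:
            return {"host": hostname, "ok": False, "error": str(exc)}
```

Running `live_check(ALB_DNS_NAME)` reproduces the browser's "insecure" result, while `live_check("api.example.com", connect_to=ALB_DNS_NAME)` succeeds as soon as the HTTPS listener carries the certificate for your domain.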


