7

If I create a new AWS Application Load Balancer (ALB) using HTTP, then AWS will create a load balancer with a randomly assigned domain name. Why can't AWS do the same thing when I create a new ALB using HTTPS? Instead, when creating a new ALB using HTTPS, AWS requires me to provide a custom domain name and custom certs.

johnnyodonnell

2 Answers

7

The reason is that for a valid public SSL certificate you require your own domain that you control. You can't register the certificate for the default domain provided by AWS for the ALB because this is not your domain.

Having SSL certs is a lot of work, including managing their registration and renewals. I guess AWS does not want to do that, though they provide SSL for CloudFront AWS-provided default domains.

Marcin
  • I see what you're saying. I suppose I'm then wondering why AWS couldn't just provide a certificate for that default domain that they provide? – johnnyodonnell Jul 28 '21 at 22:16
  • @johnnyodonnell It's a design decision that AWS made. I guess it's not something they want to deal with. It's easier for AWS to let users manage all SSL stuff on the ALB. – Marcin Jul 29 '21 at 00:08
1

As per the docs - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

To use an HTTPS listener, you must deploy at least one SSL/TLS server certificate on your load balancer. The load balancer uses a server certificate to terminate the front-end connection and then decrypt requests from clients before sending them to the targets.

The load balancer requires X.509 certificates (SSL/TLS server certificates). Certificates are a digital form of identification issued by a certificate authority (CA). A certificate contains identification information, a validity period, a public key, a serial number, and the digital signature of the issuer.

When you create a certificate for use with your load balancer, you must specify a domain name.

You could use Amazon's ACM to provision your certs. You will only be charged for the application as mentioned in the docs below - https://docs.aws.amazon.com/acm/latest/userguide/acm-billing.html

Abhinav
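Both answers come down to the same check: a TLS client accepts a server certificate only when one of its Subject Alternative Name (SAN) entries matches the hostname the client connected to, and a public CA (ACM included) will only issue a certificate for names whose DNS you control. The script below is an added illustration of that matching step, not code from the question, the answers, or the AWS docs they quote. Every certificate SAN and hostname in it is constructed; the ALB DNS name is made up in the AWS naming style and does not refer to a real load balancer.

```python
"""Hostname-to-certificate matching, the check that ties an HTTPS listener to a domain.

Added illustration for the two answers above (not AWS or Stack Overflow code).
Implements the subset of RFC 6125 section 6.4.3 name matching that browsers and
TLS libraries apply, then runs it against a constructed certificate and a
constructed, AWS-style default ALB hostname.
"""
from __future__ import annotations


def hostname_matches_san(hostname: str, san: str) -> bool:
    """Return True if a dNSName SAN entry matches the hostname.

    Rules applied:
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is honoured only as the entire left-most label ("*.example.com");
      * a wildcard matches exactly one label, never zero and never more than one;
      * a wildcard needs at least two further labels, so "*.com" never matches.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    san_labels = san.lower().rstrip(".").split(".")
    if "*" in san:
        # Reject partial ("a*.example.com") or non-leading ("a.*.com") wildcards
        if san_labels[0] != "*" or any("*" in label for label in san_labels[1:]):
            return False
        if len(san_labels) < 3:
            return False
    if len(host_labels) != len(san_labels):
        return False
    # Only the left-most label may be the wildcard; every other label must match exactly
    return all(p == "*" or p == h for p, h in zip(san_labels, host_labels))


def certificate_covers(hostname: str, sans: list[str]) -> bool:
    """True if any SAN on the certificate matches the hostname the client used."""
    return any(hostname_matches_san(hostname, san) for san in sans)


# Constructed SAN list, the shape a certificate issued for a domain you control would have
EXAMPLE_CERT_SANS = ["app.example.com", "*.example.com"]

# Constructed hostnames: the operator's custom domain and a made-up AWS-style ALB name
CUSTOM_HOSTNAME = "app.example.com"
DEFAULT_ALB_HOSTNAME = "my-alb-123456789.us-east-1.elb.amazonaws.com"


def listener_hostname_report(sans: list[str], hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname to whether a certificate carrying these SANs is accepted for it."""
    return {host: certificate_covers(host, sans) for host in hostnames}


if __name__ == "__main__":
    report = listener_hostname_report(
        EXAMPLE_CERT_SANS, [CUSTOM_HOSTNAME, "api.example.com", DEFAULT_ALB_HOSTNAME]
    )
    for host, ok in report.items():
        print(f"{host}: {'accepted' if ok else 'rejected (name not on certificate)'}")
```

Running it shows the custom domain and its wildcard sibling accepted while the amazonaws.com name is rejected: the label sequences never line up, and no CA would sign a certificate for that name on your request because the zone is not yours. That is the constraint behind the "you must specify a domain name" sentence in the quoted docs.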