Can AWS Certificate Manager (ACM) Certificates be used on Elastic Load Balancer Instances in Regions other than us-east-1?

Solution 1

Not as of now, no.

The answer to the question is slightly hidden, under an entirely different question in the ACM FAQ:

Q: Can I use the same certificate in more than one AWS Region?

It depends on whether you’re using Elastic Load Balancing or Amazon CloudFront. If you want to use a certificate with Elastic Load Balancing for the same site (the same fully qualified domain name, or FQDN, or set of FQDNs) in a different Region (when ACM is available in additional Regions), you will be required to request a new certificate for each Region in which you plan to use it. Certificates issued in the US East (Northern Virginia) Region and associated with an Amazon CloudFront distribution are distributed to the geographic locations configured for your distribution. (emphasis added)

https://aws.amazon.com/certificate-manager/faqs/

From that, we can safely conclude that the service can't be used for ELBs outside us-east-1, until such time as the service is deployed in the respective regions.

The AWS Global Infrastructure pages show the service only being available (as of this writing) in us-east-1.

The apparent discrepancy between in-region-only availability for ELB, compared with global availability with CloudFront, is explained by the fact that us-east-1 is the region that houses the infrastructure that actually controls the provisioning of all CloudFront edge locations.

Solution 2

This now works: I requested a certificate from Certificate Manager and assigned it to my US West (Oregon) Elastic Load Balancer. I added an EC2 instance to the ELB and had the ELB point to port 80 on the EC2 instance, not port 443 (this is somewhat faster, I suppose). The ELB will then encrypt the connection between the user and the EC2 instance.
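The region rule behind both answers (an ELB can only use an ACM certificate issued in its own Region; CloudFront only accepts one from us-east-1) is easy to get wrong when wiring ARNs together in automation. The following is an added example, not code from either answer: it parses the ARNs, refuses mismatched pairings, and builds the listener description that `aws elb create-load-balancer-listeners --listeners` accepts for the HTTPS:443 to HTTP:80 setup described above. The account number and resource ids in it are constructed for illustration, and the returned `backend_encrypted` flag exists only to make the plaintext ELB-to-instance hop visible.

```python
"""Check that an ACM certificate lives where its consumer can use it.

ACM certificates are regional: an Elastic Load Balancer can only use a
certificate issued in the load balancer's own Region, and CloudFront can
only use one issued in us-east-1. All ARNs used below are constructed
for illustration (account 123456789012, made-up resource ids).
"""
import re

# Real ARN shapes, matched loosely enough to cover classic ELB and ALB/NLB.
ACM_ARN = re.compile(
    r"^arn:aws:acm:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):certificate/(?P<id>[0-9a-f-]+)$"
)
ELB_ARN = re.compile(
    r"^arn:aws:elasticloadbalancing:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):loadbalancer/"
)
# CloudFront is a global service, so the region field of its ARN is empty.
CLOUDFRONT_ARN = re.compile(r"^arn:aws:cloudfront::(?P<account>\d{12}):distribution/")

CLOUDFRONT_CERT_REGION = "us-east-1"


def cert_region(cert_arn):
    """Return the Region an ACM certificate was issued in, from its ARN."""
    m = ACM_ARN.match(cert_arn)
    if not m:
        raise ValueError(f"not an ACM certificate ARN: {cert_arn}")
    return m.group("region")


def cert_usable_by(cert_arn, consumer_arn):
    """Return (ok, reason) for attaching cert_arn to the load balancer or
    CloudFront distribution identified by consumer_arn."""
    region = cert_region(cert_arn)
    m = ELB_ARN.match(consumer_arn)
    if m:
        want = m.group("region")
        if region == want:
            return True, f"certificate and load balancer are both in {want}"
        return False, (f"certificate is in {region} but the load balancer is in "
                       f"{want}; request a new certificate in {want}")
    if CLOUDFRONT_ARN.match(consumer_arn):
        if region == CLOUDFRONT_CERT_REGION:
            return True, f"CloudFront accepts certificates issued in {CLOUDFRONT_CERT_REGION}"
        return False, (f"CloudFront requires a certificate from {CLOUDFRONT_CERT_REGION}, "
                       f"got one from {region}")
    raise ValueError(f"unsupported consumer ARN: {consumer_arn}")


def classic_elb_listener(cert_arn, instance_port=80, instance_protocol="HTTP"):
    """Build the listener description for `aws elb create-load-balancer-listeners`.

    TLS terminates at the ELB. With InstanceProtocol=HTTP (the setup in the
    answer above) the hop from the ELB to the instance is plaintext inside the
    VPC, so the second return value flags whether the back-end leg is encrypted.
    """
    listener = {
        "Protocol": "HTTPS",
        "LoadBalancerPort": 443,
        "InstanceProtocol": instance_protocol,
        "InstancePort": instance_port,
        "SSLCertificateId": cert_arn,
    }
    backend_encrypted = instance_protocol in ("HTTPS", "SSL")
    return listener, backend_encrypted


if __name__ == "__main__":
    # Constructed ARNs; the certificate ids and ELB names are not real.
    west_cert = "arn:aws:acm:us-west-2:123456789012:certificate/12345678-1234-1234-1234-123456789012"
    east_cert = "arn:aws:acm:us-east-1:123456789012:certificate/abcdef01-abcd-abcd-abcd-abcdef012345"
    west_elb = "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/my-elb"
    cf_dist = "arn:aws:cloudfront::123456789012:distribution/E1EXAMPLE"

    for cert, consumer in [(west_cert, west_elb), (east_cert, west_elb),
                           (east_cert, cf_dist), (west_cert, cf_dist)]:
        ok, why = cert_usable_by(cert, consumer)
        print("OK " if ok else "NO ", why)

    listener, encrypted = classic_elb_listener(west_cert)
    print(listener, "backend encrypted:", encrypted)
```

If you want the ELB-to-instance leg encrypted as well, pass `instance_protocol="HTTPS"` and put a certificate on the instance; ACM-issued certificates cannot be exported for that purpose, which is why the comments below suggest a separately obtained certificate for the back-end connection.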

Author: MusikPolice

Updated on September 18, 2022

Comments

  • MusikPolice
    MusikPolice almost 2 years

    Amazon has recently announced their new AWS Certificate Manager (ACM) service. This looks promising, but it is currently only supported in the us-east-1 region.

    I have existing resources in the us-west-2 region. Is it possible for me to create a certificate using ACM, and then use it on an ELB instance in us-west-2? Or do I have to wait for Amazon to roll the service out to other regions? The documentation is frustratingly vague on this point.

  • brice
    brice about 8 years
    Finding this earlier would have saved me a lot of time. I read through the documentation, but the wording was ambiguous enough to make me think I might be mistaken. The limitation is a real shame.
  • Michael - sqlbot
    Michael - sqlbot about 8 years
    @brice I'm sure they will be launching it in other regions in a reasonable period of time. I've been using this in us-west-2 by using CloudFront, which -- because of the bandwidth pricing structure -- is essentially zero cost. The CF cache can be disabled. If you need SSL between CloudFront and the ELB or instance, you can use a wildcard cert you already have on hand, or get a cheap cert from, say, Gandi (no affiliation, but they give you a free 1 year cert for each domain you register), to use on the back-end connection. Or run HTTP between CF and EC2, but HTTPS to the browser.
  • brice
    brice about 8 years
    Thanks @Michael, Your suggestion worked great. I'm still testing to make sure that cloudfront isn't interfering with the requests, but it looks like that was a winner.
  • Michael - sqlbot
    Michael - sqlbot about 8 years
    I had that concern initially, @brice but so far it's behaved perfectly -- be mindful of forwarding cookies, query strings, and headers appropriately and I wouldn't expect issues. When you get more comfortable with the idea, then try adding cache behaviors matching static file paths like *.css with cookies, query strings, and appropriate headers not forwarded, enable automatic content compression, and save bandwidth while improving page loads.