Unable to update the default certificate on application load balancer using AWS CLI


I have generated a certificate for a domain using Let's Encrypt and imported it into ACM using the AWS CLI. However, when I try to update the default certificate on the load balancer, I get the error below. I can see that the certificate has been imported into ACM. Please let me know if I am missing anything. Also, I did verify that the load balancer is present in the right region. I am not sure why I am getting the error below.

An error occurred (LoadBalancerNotFound) when calling the SetLoadBalancerListenerSSLCertificate operation: There is no ACTIVE Load Balancer named 'loadbalancer-name'

Here are my steps -

  1. Generate certificate for my domain 'abc.domain.co'
    certbot certonly --dns-route53 --dns-route53-propagation-seconds 60 -d abc.domain.co --agree-tos --no-bootstrap --preferred-challenges dns-01
  2. Import certificate into ACM -
    aws acm import-certificate --certificate fileb:///etc/letsencrypt/live/abc.domain.co/cert.pem --certificate-chain fileb:///etc/letsencrypt/live/abc.domain.co/chain.pem --private-key fileb:///etc/letsencrypt/live/abc.domain.co/privkey.pem
  3. Update the ssl listener on the loadbalancer -
    aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name loadbalancer --load-balancer-port 443 --ssl-certificate-id arn:aws:acm:us-west-1:8443XXXXXXX:certificate/xxxxx-ab3b-4036-b65e-f6cee35735a8 --region us-west-1
1 Answer

Thank you for the detailed description.

For an ALB, you have to use the elbv2 API. As described in [1], use the modify-listener [2] command to replace the default certificate, for example:

    aws elbv2 modify-listener \
        --listener-arn arn:aws:elasticloadbalancing:us-west-1:8443XXXXXXX:listener/app/my-load-balancer/50dc6c495c0c9188/0467ef3c8400ae65 \
        --certificates CertificateArn=arn:aws:acm:us-west-1:8443XXXXXXX:certificate/xxxxx-ab3b-4036-b65e-f6cee35735a8 \
        --region us-west-1

[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html#replace-default-certificate

[2] https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-listener.html

answered 2 years ago
  • Thanks for your answer, weidi. I was able to update the listener using the command you shared :)
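
Added example, not part of the original question or answer: `modify-listener` takes a listener ARN, while the question starts from a load balancer name, so this script resolves the listener through elbv2, replaces the default certificate, and reads the listener back to confirm the change. The function names are hypothetical, and the load balancer name, port, certificate ARN and region are supplied as arguments.

```shell
#!/bin/sh
# Added example: replace an ALB listener's default certificate starting from the
# load balancer *name*. Function names are illustrative, not AWS-provided.

# Region is the 4th colon-separated field of an ARN (arn:aws:acm:REGION:ACCOUNT:...).
arn_region() { printf '%s\n' "$1" | cut -d: -f4; }

# Resolve the listener ARN for an ALB by name and port using the elbv2 API.
find_listener_arn() {  # usage: find_listener_arn LB_NAME PORT REGION
  local lb_arn
  lb_arn=$(aws elbv2 describe-load-balancers --names "$1" --region "$3" \
    --query 'LoadBalancers[0].LoadBalancerArn' --output text) || return 1
  aws elbv2 describe-listeners --load-balancer-arn "$lb_arn" --region "$3" \
    --query "Listeners[?Port==\`$2\`].ListenerArn | [0]" --output text
}

replace_default_cert() {  # usage: replace_default_cert LB_NAME PORT CERT_ARN REGION
  local lb="$1" port="$2" cert="$3" region="$4" listener current
  # An ACM certificate can only be attached to a load balancer in its own region.
  if [ "$(arn_region "$cert")" != "$region" ]; then
    echo "certificate region $(arn_region "$cert") != $region" >&2; return 2
  fi
  listener=$(find_listener_arn "$lb" "$port" "$region") || return 1
  case "$listener" in ''|None) echo "no listener on port $port" >&2; return 3 ;; esac
  aws elbv2 modify-listener --listener-arn "$listener" --region "$region" \
    --certificates "CertificateArn=$cert" >/dev/null || return 1
  # Read the listener back and confirm the default certificate actually changed.
  current=$(aws elbv2 describe-listeners --listener-arns "$listener" --region "$region" \
    --query 'Listeners[0].Certificates[0].CertificateArn' --output text)
  [ "$current" = "$cert" ] || { echo "listener still serves $current" >&2; return 4; }
  echo "$listener"
}

# Runs only when all four arguments are given, e.g.:
#   ./replace-cert.sh loadbalancer 443 <certificate-arn> us-west-1
if [ "$#" -eq 4 ]; then
  replace_default_cert "$@"
fi
```

The old certificate stays in ACM after the swap, so a renewal job that imports a new Let's Encrypt certificate each time should also clean up the certificates that are no longer attached.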
