I use Terraform to provision my infrastructure. Here is how the certificate and ALB are created.
Code to create the SSL cert:
resource "aws_acm_certificate" "api_subdomain_domain_certificate" {
  domain_name       = aws_route53_zone.api_sub_domain.name
  validation_method = "DNS"
  tags              = local.common_tags
}

resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.api_subdomain_domain_certificate.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = aws_route53_zone.api_sub_domain.zone_id
}

resource "aws_acm_certificate_validation" "ecs_domain_certificate_validation" {
  certificate_arn         = aws_acm_certificate.api_subdomain_domain_certificate.arn
  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
}
Code to create the ALB and attach listeners:
resource "aws_lb" "ecs_cluster_alb" {
  name            = "${local.name}-alb"
  internal        = false
  security_groups = [aws_security_group.lb_security_group.id]
  # subnets = [split(",", join(",", data.terraform_remote_state.infrastructure.outputs.public_subnets))]
  subnets         = [for s in data.aws_subnet.default_vpc_subnets : s.id] #dobt
  tags            = local.common_tags
}

resource "aws_lb_listener" "ecs_alb_https_listener" {
  load_balancer_arn = aws_lb.ecs_cluster_alb.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
  certificate_arn   = aws_acm_certificate.api_subdomain_domain_certificate.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.ecs_default_target_group.arn
  }

  depends_on = [aws_lb_target_group.ecs_default_target_group]
}
This certificate gets provisioned successfully, and when I try to access the website using poc-api.eXXXXXXX.com it shows HTTPS and works as expected.
But when I try to access it via the Load Balancer DNS name, I get the warning below:
Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for poc-app-poc-XXXXXXXXXXX.ap-south-1.elb.amazonaws.com. The certificate is only valid for poc-api.eXXXXXXX.com.
My question is: how can I get the Load Balancer DNS name to also show HTTPS and work as it does when I access it through the domain name poc-api.eXXXXXXX.com?
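The Firefox message above is the browser's hostname check failing: the ACM certificate carries the custom domain as its only Subject Alternative Name, so any other hostname (the ALB's elb.amazonaws.com name included) is rejected. The following is an added example, not part of the question or of the AWS provider; it reimplements that check over a constructed certificate dictionary shaped like the output of Python's ssl.SSLSocket.getpeercert(), with placeholder names instead of the real ones, so it runs offline. It also goes slightly beyond the post by showing how wildcard names are matched, which is why a wildcard for your own zone would not help either.

```python
# Hostname-vs-certificate matching, as browsers do it (RFC 6125 style).
# Added example with constructed data; the names below are placeholders.

# Constructed stand-in for what the ALB presents. Shape mirrors
# ssl.SSLSocket.getpeercert(): subject as nested RDN tuples, SANs as (type, value).
EXAMPLE_CERT = {
    "subject": ((("commonName", "poc-api.example.com"),),),
    "subjectAltName": (("DNS", "poc-api.example.com"),),
}

# Placeholder for the load balancer's generated DNS name.
ELB_HOSTNAME = "poc-app-poc-000000000.ap-south-1.elb.amazonaws.com"


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a DNS-ID from the certificate covers the hostname.

    Matching is case-insensitive. A wildcard must be the entire left-most
    label and covers exactly one label, so '*.example.com' covers
    'api.example.com' but not 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covered_names(cert: dict) -> list:
    """DNS names the certificate is valid for.

    Browsers use the SAN extension; the subject CN is only consulted when no
    SAN DNS entries exist (and modern browsers ignore the CN entirely).
    """
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [
        value
        for rdn in cert.get("subject", ())
        for (kind, value) in rdn
        if kind == "commonName"
    ]


def hostname_is_valid(cert: dict, hostname: str) -> bool:
    """True if any covered name matches the hostname the client connected to."""
    return any(dns_name_matches(name, hostname) for name in covered_names(cert))


def explain(cert: dict, hostname: str) -> str:
    """Produce a message in the spirit of the browser warning."""
    names = covered_names(cert)
    if hostname_is_valid(cert, hostname):
        return f"OK: {hostname} is covered by {names}"
    return f"NOT VALID: the certificate is only valid for {names}, not {hostname}"


if __name__ == "__main__":
    print(explain(EXAMPLE_CERT, "poc-api.example.com"))
    print(explain(EXAMPLE_CERT, ELB_HOSTNAME))
    # A wildcard for the ELB zone would match, but only AWS controls that zone,
    # so a publicly trusted CA will not issue such a name to an ACM requester.
    aws_zone_wildcard = {"subjectAltName": (("DNS", "*.ap-south-1.elb.amazonaws.com"),)}
    print(explain(aws_zone_wildcard, ELB_HOSTNAME))
```

Running the block prints an OK line for the custom domain and a NOT VALID line for the ELB hostname, which is the same outcome Firefox reports: the certificate itself is fine, it simply does not list the load balancer's generated name, and DNS validation in ACM can only succeed for names in a zone you control.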