Application Load Balancer https listener unsecure

I use Terraform to provision my infrastructure. Here is how the certificate and ALB are created. Code to create the SSL cert:

# Request a certificate for the API subdomain; DNS validation proves control of the zone.
resource "aws_acm_certificate" "api_subdomain_domain_certificate" {
  domain_name       = aws_route53_zone.api_sub_domain.name
  validation_method = "DNS"

  tags = local.common_tags
}

# One validation CNAME per name on the certificate, keyed by domain name.
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.api_subdomain_domain_certificate.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = aws_route53_zone.api_sub_domain.zone_id
}

# Blocks until ACM has seen the validation records and issued the certificate.
resource "aws_acm_certificate_validation" "ecs_domain_certificate_validation" {
  certificate_arn         = aws_acm_certificate.api_subdomain_domain_certificate.arn
  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
}

Code to create alb and attach listeners:

# Internet-facing ALB placed in the default VPC's subnets.
resource "aws_lb" "ecs_cluster_alb" {
  name            = "${local.name}-alb"
  internal        = false
  security_groups = [aws_security_group.lb_security_group.id]
  # subnets         = [split(",", join(",", data.terraform_remote_state.infrastructure.outputs.public_subnets))]
  subnets         = [for s in data.aws_subnet.default_vpc_subnets : s.id] # doubt

  tags = local.common_tags
}

# HTTPS listener terminating TLS with the ACM certificate.
resource "aws_lb_listener" "ecs_alb_https_listener" {
  load_balancer_arn = aws_lb.ecs_cluster_alb.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
  # Reference the validation resource so the listener is created only after ACM has issued the certificate.
  certificate_arn   = aws_acm_certificate_validation.ecs_domain_certificate_validation.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.ecs_default_target_group.arn
  }

  depends_on = [aws_lb_target_group.ecs_default_target_group]
}

This certificate gets provisioned successfully, and when I try to access the website using poc-api.eXXXXXXX.com it shows https and works as expected. But when I try to access it via the Load Balancer DNS I get the warning below:

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for poc-app-poc-XXXXXXXXXXX.ap-south-1.elb.amazonaws.com. The certificate is only valid for poc-api.eXXXXXXX.com.

My question is: how can I get the Load Balancer DNS to also show https and work as it does when I access it through the domain name poc-api.eXXXXXXX.com?

1 Answer

Add a subject alternative name to the certificate.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate#subject_alternative_names

resource "aws_acm_certificate" "api_subdomain_domain_certificate" {
  domain_name       = aws_route53_zone.api_sub_domain.name
  validation_method = "DNS"
  subject_alternative_names = [ "poc-app-poc-XXXXXXXXXXX.ap-south-1.elb.amazonaws.com." ]
  tags = local.common_tags
}
iBehr (AWS Expert), answered a year ago
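Added example, not part of the question or of iBehr's answer: a Terraform layout that makes one ACM certificate cover every hostname clients will use and wires it to the ALB. It assumes a hosted zone `example.com` that you control, placeholder hostnames `poc-api.example.com` and `poc-app.example.com`, and the `aws_lb.ecs_cluster_alb` and `aws_lb_target_group.ecs_default_target_group` resources from the question. ACM DNS validation emits one validation CNAME for the primary name and for each SAN, and only completes once that record exists in a zone you can write to, so every name in `subject_alternative_names` must belong to a zone you manage; the `for_each` over `domain_validation_options` creates the record for each name automatically. The HTTPS listener references the validation resource so it is created only after issuance, port 80 answers with a redirect instead of serving the application, and alias records point each covered hostname at the ALB so clients connect with a name the certificate is valid for.

```hcl
# Added example (not from the question or answer). All hostnames and the zone are placeholders.
locals {
  primary_name = "poc-api.example.com"   # assumed primary hostname
  extra_names  = ["poc-app.example.com"] # assumed additional hostnames (SANs)
}

data "aws_route53_zone" "main" {
  name = "example.com." # assumed hosted zone you control
}

resource "aws_acm_certificate" "this" {
  domain_name               = local.primary_name
  subject_alternative_names = local.extra_names
  validation_method         = "DNS"

  # Listeners hold a reference to the certificate; creating the replacement first
  # avoids a window in which the listener points at a deleted certificate.
  lifecycle {
    create_before_destroy = true
  }
}

# One validation CNAME per name on the certificate (primary name and every SAN).
resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  zone_id         = data.aws_route53_zone.main.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
}

# Completes only after ACM has observed every validation record and issued the certificate.
resource "aws_acm_certificate_validation" "this" {
  certificate_arn         = aws_acm_certificate.this.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.ecs_cluster_alb.arn # ALB from the question
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  # Reference the validation resource, not the certificate, so the listener is
  # created only once the certificate has actually been issued.
  certificate_arn = aws_acm_certificate_validation.this.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.ecs_default_target_group.arn
  }
}

# Plain HTTP is answered with a redirect to HTTPS rather than forwarded to the target group.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.ecs_cluster_alb.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# Point every hostname on the certificate at the ALB so clients use a covered name.
resource "aws_route53_record" "alias" {
  for_each = toset(concat([local.primary_name], local.extra_names))

  zone_id = data.aws_route53_zone.main.zone_id
  name    = each.value
  type    = "A"

  alias {
    name                   = aws_lb.ecs_cluster_alb.dns_name
    zone_id                = aws_lb.ecs_cluster_alb.zone_id
    evaluate_target_health = true
  }
}
```

Adding a hostname later is a matter of appending it to `extra_names`: the validation record, the certificate SAN and the alias record are all derived from that list, and the listener picks up the reissued certificate through the validation resource.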
