Unable to update the default certificate on application load balancer using AWS cli


I have generated a certificate for a domain using letsencrypt and imported it in acm using aws cli. However when I try to update the default certificate on the loadbalancer, I get below error. I can see that the certificate has been imported into the acm. Please let me know if I am missing anything. Also, I did verify that the loadbalancer is present in the right region. I am not sure why I am getting below error.

An error occurred (LoadBalancerNotFound) when calling the SetLoadBalancerListenerSSLCertificate operation: There is no ACTIVE Load Balancer named 'loadbalancer-name'

Here are my steps -

  1. Generate certificate for my domain 'abc.domain.co
    certbot certonly --dns-route53 --dns-route53-propagation-seconds 60 -d abc.domain.co --agree-tos --no-bootstrap --preferred-challenges dns-01
  2. Import certificate into ACM -
    aws acm import-certificate --certificate fileb:///etc/letsencrypt/live/abc.domain.co/cert.pem --certificate-chain fileb:///etc/letsencrypt/live/abc.domain.co/chain.pem --private-key fileb:///etc/letsencrypt/live/abc.domain.co/privkey.pem
  3. Update the ssl listener on the loadbalancer -
    aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name loadbalancer --load-balancer-port 443 --ssl-certificate-id arn:aws:acm:us-west-1:8443XXXXXXX:certificate/xxxxx-ab3b-4036-b65e-f6cee35735a8 --region us-west-1
1 Answer

Thank you for the detailed description.

For ALB, you have to use elbv2 API. As described in [1], use the modify-listener [2] command to replace the default certificate, for example:

aws elbv2 modify-listener \
    --listener-arn arn:aws:elasticloadbalancing:us-west-1:8443XXXXXXX:listener/app/my-load-balancer/50dc6c495c0c9188/0467ef3c8400ae65 \
    --certificates CertificateArn=arn:aws:acm:us-west-1:8443XXXXXXX:certificate/xxxxx-ab3b-4036-b65e-f6cee35735a8 \
    --region us-west-1

[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html#replace-default-certificate

[2] https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-listener.html

answered 2 months ago
  • Thanks for your answer, weidi. I was able to update the listener using the command you shared :)

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions