Bug: Cannot revert Load Balancer listener from HTTPS to HTTP


Cross-posting from EC2 forum because I didn't get an answer there/didn't realize this forum existed; thanks in advance!


I'm using Elastic Beanstalk to host a blog.

I've been trying to get SSL to work with my site (I'm fairly new at this), and tried changing my load balancer listener for port 80 from HTTP to HTTPS, and assigned it an SSL policy/certificate.

So far as I can tell, I should have left it at HTTP, and made a new HTTPS listener for port 443.

I've now created the 443 listener, but when I try to revert the port 80 listener to HTTP, it seems that its SSL policy isn't revoked, and my deployment then fails.

(I'm doing this all through the console, if that means anything.)

Full error text:
Updating Load Balancer listener named: arn:aws:elasticloadbalancing:us-east-2:568619617198:listener/app/awseb-AWSEB-BGY87CMBM7AQ/71287eccc4917daa/60053071296ea6dc failed Reason: An SSL policy cannot be specifed for HTTP listeners (Service: AmazonElasticLoadBalancingV2; Status Code: 400; Error Code: ValidationError; Request ID: 8bc28987-41e1-11e9-8772-b72561796199)

Some folks on GitHub had a similar issue, but seemingly through the command line:
aws_alb_listener does not remove ssl_policy when changing to HTTP #1851

Their workaround was to delete the noncompliant listener and make a new one, but for some reason when I try to edit my port 80 listener the 'remove' option is greyed out.

My site is currently bricked, so your help is much appreciated--thank you!!

asked 4 years ago, 131 views
2 Answers

So I've tried using 'eb config' instead of the console to get at the configuration files and manually remove the port 80 listener's security policy; the deployment still crashes, but now with a different error. (I've tried updating the listener that uses both port '80' and port 'default'.)

I'm now told the deployment fails because the listener I'm trying to update cannot be found:

2019-03-10 22:41:04 ERROR Updating Load Balancer listener named: arn:aws:elasticloadbalancing:us-east-2:568619617198:listener/app/awseb-AWSEB-BGY87CMBM7AQ/71287eccc4917daa/60053071296ea6dc failed Reason: Listener 'arn:aws:elasticloadbalancing:us-east-2:568619617198:listener/app/awseb-AWSEB-BGY87CMBM7AQ/71287eccc4917daa/60053071296ea6dc' not found (Service: AmazonElasticLoadBalancingV2; Status Code: 400; Error Code: ListenerNotFound; Request ID: 90f30e7e-4385-11e9-beb8-014ba4c8b6d7)

When I go into the online management console, a listener configured to use port 80 is clearly listed in the listener table. It would seem that what the management console/the eb config file show differs from what the environment is actually running, which is concerning. (And very frustrating.)

Thanks so much for your help!

answered 4 years ago

So in a very roundabout way, I did finally manage to reset the listener on port 80.

The only operation that wouldn't crash a deployment was disabling the listener through the console.

From there, I used 'eb config' in terminal to remove the security policy and change the protocol from HTTPS back to HTTP.

This worked, but the listener was still disabled.

I could not re-enable the listener, either through console or command line; the error I ran into was that the operation was trying to produce a duplicate listener, triggering a rollback.

I decided one more time to try to just outright delete the listener through the command line. (This action was not possible through the console.)

I had tried a day or two ago to remove listeners using 'aws elb' to no avail; I finally realized that my application was making use of the new load balancer, not the classic one--so I switched to trying 'aws elbv2'. (Rookie mistake.)

For others running into this problem:

First run 'describe-load-balancers', making note of the arn you receive.

Using that arn, run 'describe-listeners'. Make note of the listener arn.

Now run 'delete-listener', passing in the arn you just found.

Now, we need to get the listener back.

Run 'eb config'. Even though we just deleted the listener, it's still described in the config file.

Set 'enabled' to 'true'. Save out of config file.

Configuration update should trigger; removed listener no longer causes the duplicate error, and the reconfiguration should succeed, recreating the listener with the proper attributes.

Check in the console to make sure the listener for 80 exists, is set to HTTP, doesn't carry a security policy, and is enabled.

End of a three-day headache.

answered 4 years ago
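An added example, not code from either answer above: a read-only check for the end state the last step describes (port 80 plain HTTP with no security policy, port 443 HTTPS with a certificate), which also picks out the port 80 listener ARN the workaround passes to 'delete-listener'. It assumes boto3 for the live call; the sample listener data, ARNs and policy name are constructed placeholders.

```python
import sys
# Constructed sample in the shape of `aws elbv2 describe-listeners` output, in the
# broken state: port 80 still HTTPS with an SSL policy. ARNs/policy are placeholders.
SAMPLE_LISTENERS = [
    {"ListenerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/LB/ID/PORT80",
     "Port": 80, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-PLACEHOLDER",
     "Certificates": [{"CertificateArn": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}]},
    {"ListenerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/LB/ID/PORT443",
     "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-PLACEHOLDER",
     "Certificates": [{"CertificateArn": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}]},
]

def audit_listeners(listeners):
    """Findings against the intended end state (port 80 plain HTTP without an
    SslPolicy, port 443 HTTPS with a certificate); an empty list means OK."""
    by_port = {lst["Port"]: lst for lst in listeners}
    l80, l443, findings = by_port.get(80), by_port.get(443), []
    if l80 is None:
        findings.append("port 80: no listener")
    elif l80.get("Protocol") != "HTTP" or l80.get("SslPolicy"):
        findings.append(f"port 80: {l80.get('Protocol')}/SslPolicy={l80.get('SslPolicy')}, expected HTTP with no policy")
    if l443 is None:
        findings.append("port 443: no listener")
    elif l443.get("Protocol") != "HTTPS" or not l443.get("Certificates"):
        findings.append("port 443: expected HTTPS with a certificate attached")
    return findings

def stale_port80_listener_arn(listeners):
    """ARN of the port 80 listener the workaround deletes (still HTTPS or still
    carrying an SslPolicy), or None when port 80 is already plain HTTP."""
    for lst in listeners:
        if lst["Port"] == 80 and (lst.get("Protocol") != "HTTP" or lst.get("SslPolicy")):
            return lst["ListenerArn"]
    return None

def main(load_balancer_arn):
    import boto3  # imported here so the pure checks above run without it
    elbv2 = boto3.client("elbv2")  # the ALB API, i.e. `aws elbv2`, not classic `aws elb`
    listeners = elbv2.describe_listeners(LoadBalancerArn=load_balancer_arn)["Listeners"]
    findings = audit_listeners(listeners)
    for line in findings:
        print("FINDING:", line)
    stale = stale_port80_listener_arn(listeners)
    if stale:
        print("port 80 listener ARN to pass to `aws elbv2 delete-listener`:", stale)
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

Run it with the load balancer ARN from 'describe-load-balancers' as its only argument; it exits non-zero until the listeners match the intended state.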
