AWS-issued (managed) TLS/SSL certificate for ELB/ALB
When I create an ELB (i.e. Application Load Balancer), Amazon gives it a DNS name e.g.:

myalb-1472119708.eu-central-1.elb.amazonaws.com

Now, I would like to terminate TLS/SSL on my ALB; however, I don't want to attach my own certificate (e.g. from the Certificate Manager). I am OK with accessing my application via the default DNS name (of the ALB) through HTTPS:

https://myalb-1472119708.eu-central-1.elb.amazonaws.com

However, with the default configuration I can access my app via HTTP only:

http://myalb-1472119708.eu-central-1.elb.amazonaws.com

Does AWS support this (rhetorical question)? Any plans to add this feature in the near future? Thanks.


UPDATE: After all, it's not a hard feature to implement. Moreover, SSL is the de facto standard for running (secure) web apps today. I believe AWS can issue wildcard certificates for the ELB in every region, e.g.:

*.eu-central-1.elb.amazonaws.com

And then attach it to every ALB by default. Or publish a list of certificates' ARNs for every region. This would free developers from extra effort (buying a domain, registering a certificate in ACM) for their non-production projects.

Dziggetai answered 17/10, 2021 at 9:29 Comment(13)
Tuneless: So do you want to terminate SSL? What is the actual question, since you say you are OK with accessing via HTTPS?
Dziggetai: @ErmiyaEskandary when HTTP is combined with an encryption protocol such as SSL/TLS, it is known as HTTPS. The question is: AWS gives my ALB just a DNS name, e.g. I can only access it via HTTP, when I would like to access it via HTTPS.
Tuneless: I am aware, yes, that's my exact point. Are you looking to add SSL to the ALB domain?
Tuneless: Your question is contradictory.
Dziggetai: @ErmiyaEskandary See updated question. Hope it's clearer now.
Dziggetai: In order to create a certificate you should own a domain name, and I do NOT want any extra effort.
Tuneless: Ahhhhhhhhhhhhhhhhhhhhhhh OK
Tuneless: I misunderstood you, yes correct - I'm going to edit the question to make your question clearer.
Tuneless: In that case, your question is a duplicate of https://mcmap.net/q/1316552/-can-i-setup-ssl-on-an-aws-provided-alb-subdomain-without-owning-a-domain/4800344
Garvey: Well, if you don't want to have a domain, you can't have an SSL certificate for the ALB. It's so simple. You are stuck with HTTP only then.
Dziggetai: @Garvey I disagree with you. Why does AWS give you a default SSL certificate for your CloudFront distribution or your S3 assets (public website)? But not for the ELB? If they could publish a list of AWS-managed ACM cert ARNs for every region, that would solve this problem right away.
Garvey: @Dziggetai Sadly, I don't know. I do not work for AWS. This is a design choice they make, and you would have to ask AWS.
Calumniate: I think it's like this. 1) Adding SSL would check a "checkbox" with most clients that demand their stuff is "encrypted". 2) Wildcard certs are not that nice to deal with, so in some places AWS just won't ever include this. 3) Chrome removed the CA-free but still encrypted (SRP-related) impl, so we're stuck with getting the "S" part added ourselves, or using more expensive AWS deploy options. And $$$, apart from the (smaller) risks & costs of running SSL termination, might be some motive for AWS too.

At the time of this writing, the only way to resolve this is by running your ALB/ELB behind CloudFront, which (unlike ALB) gives you a TLS certificate by default:

User -> CloudFront edge location (HTTPS) -> ALB (HTTP) -> Backend (HTTP)

Although CloudFront incurs extra costs, apart from the ability to cache static content, CloudFront gives you faster TLS termination, which happens at its edge locations, thus reducing latency on the first two TLS handshake roundtrips (2 in theory, but practically 3 in case of low-bandwidth clients).

Dziggetai answered 19/10, 2021 at 13:47 Comment(1)
Calumniate: Nice find! And to think this almost got closed.
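The setup the answer describes (CloudFront terminating HTTPS on its default *.cloudfront.net certificate, then forwarding plain HTTP to the ALB), written out as a CloudFormation template. This is an added example, not code from the answer or from AWS; it assumes an ALB already exists and listens on port 80, and the ALB DNS name, security group ID and prefix-list ID are placeholders supplied at deploy time. The two policy IDs are the AWS-managed CachingDisabled cache policy and AllViewerExceptHostHeader origin request policy; confirm them in the CloudFront console before relying on them.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original answer): CloudFront in front of an
  existing ALB so clients get HTTPS on the default *.cloudfront.net name.
  Assumption: the ALB already exists and has an HTTP listener on port 80.

Parameters:
  AlbDnsName:
    Type: String
    Description: DNS name of the existing ALB (placeholder default, taken from the question)
    Default: myalb-1472119708.eu-central-1.elb.amazonaws.com
  AlbSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group attached to the ALB (placeholder, supplied at deploy time)
  CloudFrontPrefixListId:
    Type: String
    Description: >
      ID of the AWS-managed prefix list com.amazonaws.global.cloudfront.origin-facing
      in this region (placeholder; the ID differs per region, look it up in the VPC console)

Resources:
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Comment: HTTPS front door for an ALB that has no certificate of its own
        HttpVersion: http2
        Origins:
          - Id: alb-origin
            DomainName: !Ref AlbDnsName
            CustomOriginConfig:
              HTTPPort: 80
              # Edge -> ALB hop is plain HTTP, exactly as in the answer's diagram.
              OriginProtocolPolicy: http-only
        DefaultCacheBehavior:
          TargetOriginId: alb-origin
          # Clients hitting http:// are redirected to https://; only the
          # browser -> CloudFront leg is encrypted.
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          # AWS managed policies: CachingDisabled (dynamic app responses are not
          # cached) and AllViewerExceptHostHeader (cookies, query strings and
          # headers are passed through to the ALB).
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad
          OriginRequestPolicyId: b689b0a8-53d0-40ab-baf2-68738e2966ac
        # No ACM certificate needed: CloudFront serves the default
        # *.cloudfront.net certificate for the distribution's own hostname.
        ViewerCertificate:
          CloudFrontDefaultCertificate: true

  # Restrict the ALB's port 80 to CloudFront's origin-facing IP ranges, so the
  # unencrypted http:// ALB hostname is not left open to the whole internet
  # alongside the HTTPS front door.
  AlbIngressFromCloudFront:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref AlbSecurityGroupId
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      SourcePrefixListId: !Ref CloudFrontPrefixListId

Outputs:
  HttpsUrl:
    Description: The address clients should use (served with the default CloudFront certificate)
    Value: !Sub "https://${Distribution.DomainName}"
```

Two things to keep in mind when checking such a deployment: the certificate covers only the distribution's *.cloudfront.net hostname, so the original elb.amazonaws.com name still answers over HTTP only, and the CloudFront-to-ALB leg is unencrypted by design here. The security-group ingress rule limits who can reach that HTTP endpoint; if the ALB's existing rules already allow 0.0.0.0/0 on port 80, those must be removed for the restriction to mean anything.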