AWS classic load balancer listener isn't created, then disappears
I am trying to add an HTTPS listener to my EBS classic load balancer. I used the CLI upload-certificate tool to upload my cert (using the GUI never resulted in the cert showing up as an option on the load balancer form. No errors, logs, events).

I set up the listener according to AWS docs.

  • For Listener port, type the incoming traffic port, typically 443.
  • For Listener protocol, choose HTTPS.
  • For Instance port, type 80.
  • For Instance protocol, choose HTTP.
  • For SSL certificate, choose your certificate.

I choose my cert (Let's Encrypt), save and I see the new listener with a Pending Create tag. It never transitions from that status and if I refresh the page, the record is gone. No error, no logs, no events. Really want to make AWS work but Beanstalk has been extremely buggy. Any suggestions?

Durgy answered 7/7, 2018 at 18:42

Japonica: Are you using a single instance environment, or a load balanced environment?
Durgy: Load balanced. Single instances don't give you an option to add LB listeners.
Jackqueline: Are you using aws acm import-certificate or aws iam upload-server-certificate or something else? It also doesn't make sense that uploading via the GUI didn't work. Did you try loading it into Amazon Certificate Manager (ACM)?
Durgy: I used aws iam upload-server-certificate. I uploaded the certificate using ACM, it worked but the cert would never show up when configuring the classic load balancer. I have seen others report the same, which is where I saw the CLI workaround.
Durgy: Using aws acm import-certificate I am able to also see the cert show up in ACM, but like with the GUI, the cert does not show up in the cert drop down on the load balancer Add Listener modal.
Japonica: If you are using a load balancer why wouldn't you use the free ACM certificates that auto-renew instead of trying to use the short-lived Let's Encrypt certificates that you will have to continually be re-uploading?
Durgy: Would that work if I use a GoDaddy sub domain that points to my EBS with an A record? I was planning on forcing HTTPS from GoDaddy with the htaccess file. Hence the Let's Encrypt. I will also need to be folder specific in htaccess since /v1 of the product will remain HTTP. I didn't think I could achieve this with the ACM cert. Thanks.
Japonica: The fact that the DNS record exists at GoDaddy is entirely irrelevant to the issue. Yes it will work fine. The htaccess stuff you are talking about is Apache server configuration on the actual EC2 server, which definitely doesn't care where your DNS server is. And if you are installing an SSL certificate on the load balancer, it doesn't matter where the SSL certificate is from (ACM or anything else); it's going to behave the same way from the server/Apache/htaccess perspective. You are confusing a lot of unrelated issues here.
Durgy: Gotcha. I will try the ACM route and moving my htaccess from external hosting to EBS or a load balancer config.
Durgy: Anyway, have tried now with the ACM cert, and my listener is still not being created :/
Durgy: Wanted to circle back to @MarkB's comments regarding an AWS vs Let's Encrypt cert (or any other cert for that matter) as they may send some in the wrong direction. Hosting HTTPS content and directing subdomain traffic to AWS requires a wildcard cert installed both places, which is not possible with ACM, hence Let's Encrypt and eventually a paid cert. There was no confusion of issues, rather an off topic question that should be disregarded. The good news is AWS is rolling out new UIs across EC2, so this may eventually be improved.
Japonica: @Durgy AWS ACM absolutely supports wildcard certificates. It sounds like you may be running into a limitation of the Elastic Beanstalk UI? You should think about using a tool like Terraform or CloudFormation instead of relying on the AWS web UI.
Durgy: @MarkB Actually, AWS ACM certs cannot be used outside of AWS, for example to protect externally hosted web content. You may be misunderstanding the goal, but we're way off topic. You should check out the accepted answer below, it may clear things up for you.
Japonica: @Durgy I never said ACM certs could be used outside of AWS. Not sure how you even got that from my comments. I actually said you were probably running up against limitations of the AWS web user interface, which is what you ended up posting as the answer.
I figured out what I wasn't doing.

On the load balancer settings page, after you click "Add Listener", fill out the details and click "Save Listener", you're actually not done. You have to scroll to the bottom of the page and click "Save" (or "Apply") again. Not the best UI. A user should never have to save twice, and at the very least the page should alert the user that they are leaving unsaved changes.

Durgy answered 8/7, 2018 at 14:52

Mascagni: Even better: "Apply" on the bottom was greyed out and I had no idea why. Just had to reload the page a couple of times and then it suddenly worked...
Photoneutron: Their UI creates a new Azure account for me...
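The listener from the question's steps (HTTPS 443 forwarding to HTTP 80 with a certificate) can also be created and verified from the AWS CLI, which sidesteps the double-save quirk described in the accepted answer. This is an added example, not code from the original post; it assumes the AWS CLI is installed with credentials configured, and the load balancer name and certificate ARN are placeholders you supply as arguments.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the AWS CLI is configured.
set -eu

# Build the --listeners value for `aws elb create-load-balancer-listeners`
# from the same values the question's steps use: HTTPS on 443 -> HTTP on 80.
listener_spec() {
  # $1 = certificate ARN (ACM or IAM), $2 = listener port (default 443),
  # $3 = instance port (default 80)
  printf 'Protocol=HTTPS,LoadBalancerPort=%s,InstanceProtocol=HTTP,InstancePort=%s,SSLCertificateId=%s' \
    "${2:-443}" "${3:-80}" "$1"
}

# Succeed only if the text dump of describe-load-balancers (one listener per line:
# Protocol LoadBalancerPort InstanceProtocol InstancePort SSLCertificateId)
# contains an HTTPS listener on the requested port. This is the check the
# question's "Pending Create" row never passed: the listener was never persisted.
has_https_listener() {
  # $1 = listener text dump, $2 = expected listener port
  printf '%s\n' "$1" |
    awk -v port="$2" '$1 == "HTTPS" && $2 == port { found = 1 } END { exit !found }'
}

# Constructed sample of that dump (not real account data) so the check can be
# exercised offline: a plain HTTP listener plus the HTTPS one we want to see.
SAMPLE_LISTENERS=$(printf 'HTTP\t80\tHTTP\t80\tNone\nHTTPS\t443\tHTTP\t80\tarn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE\n')

# Live path, run only when a load balancer name is given:
#   sh add_https_listener.sh <classic-elb-name> <certificate-arn>
if [ "${1:-}" ]; then
  LB_NAME=$1                               # placeholder: your classic ELB name
  CERT_ARN=${2:?certificate ARN required}  # placeholder: ACM or IAM certificate ARN
  aws elb create-load-balancer-listeners \
    --load-balancer-name "$LB_NAME" \
    --listeners "$(listener_spec "$CERT_ARN")"
  # Read back what the API actually stored rather than trusting any UI status tag.
  listeners=$(aws elb describe-load-balancers --load-balancer-names "$LB_NAME" \
    --output text \
    --query 'LoadBalancerDescriptions[0].ListenerDescriptions[].Listener.[Protocol,LoadBalancerPort,InstanceProtocol,InstancePort,SSLCertificateId]')
  if has_https_listener "$listeners" 443; then
    echo "HTTPS:443 listener present on $LB_NAME"
  else
    echo "HTTPS:443 listener missing on $LB_NAME" >&2
    exit 1
  fi
fi
```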
