How do I configure AWS application load balancers to go beyond the 25 SSL certificate limit

Question

AWS Application load balancers have a 25 SSL certificate installation limit.

I want to configure my elastic beanstalk environment, possibly with multiple load balancers so that I can go beyond this limit and install more certificates, 25 per load balancer. I believe this is a useful question for most SaaS developers.

Has anyone produced a configuration that allows for more than 25 SSL certificates / domains?

One way might be such that for hosts that are not installed on the HTTPS listener on port 443, I might create a rule that forwards to e.g. say port 40443, however, I would need to add a rule for each new SSL certificate/host/tenant. Furthermore, I am unsure whether the browser clients will notice the port change and go to domain.com:40443 rather than hide the port.

Anyway, if you have other solutions I would love to hear.

The limit is per "listener" so I tried to create a new listener on the same port 443 but this is not allowed.

Here is the reference for limits page: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-limits.html

Answer 1

I don't think there is a way to increase the limit right now.

This author did suggest a work around by using multiple ALBs talking to a NLB.

https://cloudonaut.io/more-than-25-ssl-certificates-with-ecs/

Answer 2

Amazon Certificate Manager (ACM), as well as ALB have these strong limitations (1000 certs per ACM, 25 per Load Balancer). We also had this problem, after talking with AWS support we understood that even limit increase won't fit our saas demands. Also supporting multiple ALBs looked like overhead.

As alternative solution I suggest to use nginx as reverse proxy based on EC2, which will proxy requests for all your domains. And you can add any amount of certificates to this nginx machine, handling different domains. The only thing you need to implement - to manage these certificates (e.g. implementing ACME protocol and getting certificates from LetsEncrypt).

Also AWS Marketplace already suggests several ready solutions which implement Automatic Certificate Management (ACM), meaning they will handle all SSL logic for you (cert creation, renewal, proxing requests and signing responses).