Hi, I have a problem setting multiple certificates for an ALB listener. Here is a fragment of my CF template:
DiscoveryListenerHTTPS:
  Type: AWS::ElasticLoadBalancingV2::Listener
  DependsOn:
    - DiscoveryLoadBalancer
    - DiscoveryLoadBalancerTargetGroup
  Properties:
    Certificates:
      - CertificateArn: !Ref CertificateArn1
      - CertificateArn: !Ref CertificateArn2
and the response is:
Up to '1' certificate ARNs can be specified, but '2' were specified (Service: AmazonElasticLoadBalancingV2; Status Code: 400; Error Code: TooManyCertificates; Request ID: XXXXXXXXX)
AWS::ElasticLoadBalancingV2::Listener: Specifies a listener for an Application Load Balancer, Network Load Balancer, or Gateway Load Balancer.
We recommend that you use AWS Certificate Manager (ACM) to create or import certificates for your load balancer. ACM integrates with Elastic Load Balancing so that you can deploy the certificate on your load balancer. To deploy a certificate on your load balancer, the certificate must be in the same Region as the load balancer. For more information, see Request a public certificate or Importing certificates in the AWS Certificate Manager User Guide.
Multiple AWS SSL Certificates on Elastic Load Balancer (ELB): AWS supports multiple TLS/SSL certificates on Application Load Balancers (ALB) using Server Name Indication (SNI). We can now host multiple TLS-secured applications, each with its own TLS certificate, behind a single load balancer. In order to use SNI, all we need to do is bind multiple certificates to the same secure listener on the load balancer.
EDIT: improved answer thanks to the @chris-pollard and @adamkgray answers
This works for me; you can specify multiple SSL certificates for an HTTPS listener.
For HTTPS, you are not allowed to specify multiple certificates directly on the AWS::ElasticLoadBalancingV2::Listener resource. Instead you have to create an AWS::ElasticLoadBalancingV2::ListenerCertificate resource in your template for the additional certificates.
Here is an example of a listener on port 443 using a default certificate, followed by a certificate list with at least one certificate that is associated to the listener created just before it:
# HTTPS listener: the Listener resource itself carries only the default certificate.
Listener443:
  DependsOn:
    - LoadBalancer
  Type: AWS::ElasticLoadBalancingV2::Listener
  Properties:
    Certificates:
      - CertificateArn: !Ref CertificateARN
    LoadBalancerArn: !Ref LoadBalancer
    DefaultActions:
      - Type: fixed-response
        FixedResponseConfig:
          ContentType: text/plain
          MessageBody: "Not Found"
          StatusCode: 404
    Port: 443
    Protocol: HTTPS

# Additional certificate(s) are attached to that listener through a separate resource.
CertificatesList:
  Type: AWS::ElasticLoadBalancingV2::ListenerCertificate
  Properties:
    Certificates:
      - CertificateArn: !Ref CertificateARN2
    ListenerArn: !Ref Listener443
Came here looking for the same answer. Found that the answer was not clearly laid out in the comments/answers, so I'm going to do that. Although you can specify multiple SSL certificates for an HTTPS listener, you are not allowed to specify multiple certificates directly on the HTTPS listener resource in the CFN template. You have to create another resource in your template for the additional certificates, like this:
AdditionalListenerCertificates:
  Type: AWS::ElasticLoadBalancingV2::ListenerCertificate
  Properties:
    Certificates:
      # Builds arn:aws:acm:<region>:<account>:certificate/<id> from the stack's own Region and account
      - CertificateArn: !Join
          - ":"
          - - "arn:aws:acm"
            - !Ref AWS::Region
            - !Ref AWS::AccountId
            - !Join ["/", ["certificate", "<your-certificate-id>"]]
    ListenerArn: !Ref HTTPSListener
It's a little clunky; the CF template for creating the listener only sets the default cert.
You should be able to add additional certs to the listener with this object: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listenercertificate.html
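The three answers above all make the same point: the Listener resource takes exactly one certificate (the default one), and every further certificate is attached with its own AWS::ElasticLoadBalancingV2::ListenerCertificate resource, after which the ALB picks the certificate by the SNI host name the client sends. The template below is an added, complete example written for this page; it is not code from the thread or from AWS. It assumes three ACM certificates already exist in the same Region as the load balancer and are passed in as the hypothetical parameters DefaultCertificateArn, ExtraCertificateArn1 and ExtraCertificateArn2; the resource names, the 80-to-443 redirect and the choice of TLS policy are likewise this example's own. Because the ListenerCertificate documentation says to specify one certificate per resource, each extra certificate gets its own resource.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: ALB with a default certificate on the HTTPS listener and two
  additional SNI certificates attached via ListenerCertificate resources.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  DefaultCertificateArn:
    Type: String
    Description: ACM certificate served when the client sends no SNI or an unknown name (same Region as the ALB)
  ExtraCertificateArn1:
    Type: String
  ExtraCertificateArn2:
    Type: String

Resources:
  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP (redirect only) and HTTPS to the ALB
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      Subnets: !Ref SubnetIds
      SecurityGroups:
        - !Ref AlbSecurityGroup
      LoadBalancerAttributes:
        # Drop requests with malformed header names instead of forwarding them
        - Key: routing.http.drop_invalid_header_fields.enabled
          Value: "true"

  # Plain HTTP only redirects to HTTPS; nothing is served in clear text.
  ListenerHttp:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: "443"
            StatusCode: HTTP_301

  # The Listener resource accepts exactly ONE certificate: the default.
  # Adding a second entry here is what produces TooManyCertificates.
  ListenerHttps:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 443
      Protocol: HTTPS
      # TLS 1.2 and 1.3 only; no TLS 1.0/1.1 ciphers
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref DefaultCertificateArn
      DefaultActions:
        - Type: fixed-response
          FixedResponseConfig:
            ContentType: text/plain
            MessageBody: Not Found
            StatusCode: "404"

  # Additional certificates: one ListenerCertificate resource per certificate.
  # The ALB selects among all certificates on the listener by SNI host name.
  ListenerCertificateExtra1:
    Type: AWS::ElasticLoadBalancingV2::ListenerCertificate
    Properties:
      ListenerArn: !Ref ListenerHttps
      Certificates:
        - CertificateArn: !Ref ExtraCertificateArn1

  ListenerCertificateExtra2:
    Type: AWS::ElasticLoadBalancingV2::ListenerCertificate
    Properties:
      ListenerArn: !Ref ListenerHttps
      Certificates:
        - CertificateArn: !Ref ExtraCertificateArn2
```

Two checks worth doing after the stack is up. First, confirm that SNI selection works rather than assuming it: `openssl s_client -connect <alb-dns-name>:443 -servername <host-on-extra-cert-1> </dev/null 2>/dev/null | openssl x509 -noout -subject` should print the subject of the extra certificate, and the same command without `-servername` (or with a name none of the certificates cover) should print the subject of the default certificate. That default is what every client that does not send SNI receives, so choose it deliberately. Second, keep `SslPolicy` explicit: if it is omitted the listener gets AWS's default policy, and reviewing that policy for legacy protocol versions is easy to forget once the certificate problem is solved.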