Elastic Beanstalk - Listeners can't talk to InstancePort 80 with secure and insecure protocols at the same time


I am trying to add an SSL certificate (from AWS Certificate Manager) to my Elastic Beanstalk instance.

Following Instructions:

When I follow the instructions below I receive: Updating load balancer named: awseb-e-7-AWSEBLoa-1B1GTXIBDDIFV failed Reason: Listeners can't talk to InstancePort 80 with secure and insecure protocols at the same time (Service: AmazonElasticLoadBalancing; Status Code: 409; Error Code: InvalidConfigurationRequest; Request ID: d0fc694a-3d06-485c-a60a-0fd625ba95a9; Proxy: null)

I have followed the AWS instructions here (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html):

On the Modify load balancer page, the procedure varies depending on the type of load balancer associated with your environment.

  • Classic Load Balancer
      • Choose Add listener.
      • In the Classic Load Balancer listener dialog box, configure the following settings:
          • For Listener port, type the incoming traffic port, typically 443.
          • For Listener protocol, choose HTTPS.
          • For Instance port, type 80.
          • For Instance protocol, choose HTTP.
          • For SSL certificate, choose your certificate.
      • Choose Add.

Disabling the existing port 80 listener:

When I disable the port 80 listener and add the new listener at the same time I receive: Updating load balancer named: awseb-e-7-AWSEBLoa-1B1GTXIBDDIFV failed Reason: Server Certificate not found for the key: arn:aws:acm:us-east-1:730082756200:certificate/a875f89b-ea03-4904-bcb4-3295750cf3b8 (Service: AmazonElasticLoadBalancing; Status Code: 400; Error Code: CertificateNotFound; Request ID: 9717eb12-f72d-46cc-88bd-59f1cae7fad7; Proxy: null)

The certificate is in "Pending Validation" on AWS Certificate Manager and is on the same us-east-1 region as Elastic Beanstalk.

Additional Background

My website mysubdomain.mysite.io is hosted on Lightsail and has its own SSL configured just fine.

My subsubdomain.mysubdomain.mysite.io is hosted on ELB and is the subject of this question.

There are 1 best solutions below

S.B. On

Here's a step-by-step walkthrough of how I resolved the issues:

SSL Certificate

Pending Validation: The SSL certificate in AWS Certificate Manager was initially in "Pending Validation" status.

DNS Validation: To validate the SSL certificate, I added a CNAME record in my DNS settings as per the AWS Certificate Manager's instructions.

Successful Validation: After adding the required CNAME record, the certificate status switched to "Success," indicating it was ready for use.

Elastic Load Balancer (ELB)

Initial Listener Configuration: I tried adding a listener to the ELB for HTTPS traffic on port 443, forwarding to instances on port 80 over HTTP.

Errors: I encountered errors during this process:

  • First error: Can't have secure and insecure protocols on the same InstancePort 80.
  • Second error: Certificate not found for the key.

Successful Listener Addition: After successfully validating the SSL certificate, I was able to add the listener for port 443 without any issues.

DNS Zone: My domain, mysubdomain.mysite.io, already had a DNS zone configured in AWS LightSail.

Adding a CNAME Record: I added a CNAME record in LightSail to map subsubdomain.mysubdomain.mysite.io to my Elastic Beanstalk URL (my-elb.eba-cf63dng7.us-east-1.elasticbeanstalk.com).

DNS Propagation: Using nslookup, I confirmed that the DNS had propagated and the subdomain now correctly pointed to the IPs of my ELB.

Final Checks

Connection Resolving: Initially, my domain wasn't resolving, but it started to after DNS propagation and correct DNS settings.
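A preflight check for the sequence described in the answer above, as an added example that is not part of the original question or answer: it inspects a certificate description and the listener set before the HTTPS listener is applied. The dictionaries follow the shape of the ACM DescribeCertificate response and Classic ELB listener definitions; the ARN, the validation record and the function names are constructed placeholders.

```python
# Added example. All sample data is constructed; dict shapes follow the
# ACM DescribeCertificate response and Classic ELB listener definitions.
SECURE = {"HTTPS", "SSL"}
HOST = "subsubdomain.mysubdomain.mysite.io"  # hostname from the question

def covers(pattern, host):
    """A leading '*.' covers exactly one extra label, never two."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def preflight(cert, listeners, host, lb_region):
    """Return the reasons the HTTPS listener update is not ready to apply."""
    problems = []
    if cert["CertificateArn"].split(":")[3] != lb_region:
        problems.append("certificate region differs from load balancer region")
    if cert["Status"] != "ISSUED":
        problems.append(f"certificate status is {cert['Status']}, not ISSUED")
        for opt in cert.get("DomainValidationOptions", []):
            rr = opt.get("ResourceRecord")
            if rr and opt.get("ValidationStatus") != "SUCCESS":
                problems.append(f"create DNS record: {rr['Name']} {rr['Type']} {rr['Value']}")
    names = [cert["DomainName"], *cert.get("SubjectAlternativeNames", [])]
    if not any(covers(n, host) for n in names):
        problems.append(f"certificate does not cover {host}")
    # Classic ELB: listeners sharing an instance port must all use secure
    # (HTTPS/SSL) or all use insecure (HTTP/TCP) instance protocols.
    levels = {}
    for lst in listeners:
        levels.setdefault(lst["InstancePort"], set()).add(lst["InstanceProtocol"].upper() in SECURE)
    problems += [f"instance port {p} mixes secure and insecure instance protocols"
                 for p, seen in levels.items() if len(seen) > 1]
    return problems

PENDING_CERT = {  # constructed; ARN and record values are placeholders
    "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE",
    "DomainName": HOST, "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [{"DomainName": HOST, "ValidationStatus": "PENDING_VALIDATION",
        "ResourceRecord": {"Name": f"_example.{HOST}.", "Type": "CNAME",
                           "Value": "_example.acm-validations.aws."}}],
}
LISTENERS = [  # existing port 80 listener plus the 443 listener from the quoted instructions
    {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstanceProtocol": "HTTP", "InstancePort": 80},
    {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstanceProtocol": "HTTP", "InstancePort": 80},
]

if __name__ == "__main__":
    for line in preflight(PENDING_CERT, LISTENERS, HOST, "us-east-1"):
        print("BLOCKER:", line)
```

With live data, the `Certificate` object returned by `aws acm describe-certificate` can be passed as `cert`. The `covers` check also shows that a wildcard for the parent domain would not cover a name two labels deeper.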