9

AWS Application load balancers have a 25 SSL certificate installation limit.

I want to configure my elastic beanstalk environment, possibly with multiple load balancers so that I can go beyond this limit and install more certificates, 25 per load balancer. I believe this is a useful question for most SaaS developers.

Has anyone produced a configuration that allows for more than 25 SSL certificates / domains?

One way might be such that for hosts that are not installed on the HTTPS listener on port 443, I might create a rule that forwards to e.g. say port 40443, however, I would need to add a rule for each new SSL certificate/host/tenant. Furthermore, I am unsure whether the browser clients will notice the port change and go to domain.com:40443 rather than hide the port.

Anyway, if you have other solutions I would love to hear.

The limit is per "listener" so I tried to create a new listener on the same port 443 but this is not allowed.

Here is the reference for limits page: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-limits.html

Bahadir Balban
  • 117
  • 1
  • 4
  • 2
    have you solved this issue? I am also in similar situation and planning to use multidomain ssl on the application load balancer. – sandeep krishna Nov 20 '19 at 10:47
  • 2
    I spoke to an AWS solutions architect and I was told to install more load balancers on the same elastic beanstalk environment. The way you handle this is, the load balancers will still send workloads to the same web server groups. The 25 set of domains for that load balancer will point at the unique load balancer address. E.g. per 25 domains, you have to provide a different ALB address to point to. There is no automated way to set this up in elastic beanstalk. You need a cloud formation stack or experiment with the EBS configuration. I haven't done it myself yet. – Bahadir Balban Nov 21 '19 at 20:26
  • 1
    https://laravel-news.com/unlimited-custom-domains-vapor Have you tried this? if you are using Laravel, it would be solution. – LoveCoding Sep 26 '20 at 04:59

5 Answers5

2

Certificates per Application Load Balancer can now be increased in the console via "Support Center" or the "Service Quotas" (source).

Jeremy Caney
  • 7,102
  • 69
  • 48
  • 77
Arguskay99
  • 21
  • 4
1

I don't think there is a way to increase the limit right now.

This author did suggest a work around by using multiple ALBs talking to a NLB.

https://cloudonaut.io/more-than-25-ssl-certificates-with-ecs/

Lee Jensen
  • 2,151
  • 2
  • 21
  • 23
1

Amazon Certificate Manager (ACM), as well as ALB have these strong limitations (1000 certs per ACM, 25 per Load Balancer). We also had this problem, after talking with AWS support we understood that even limit increase won't fit our saas demands. Also supporting multiple ALBs looked like overhead.

As alternative solution I suggest to use nginx as reverse proxy based on EC2, which will proxy requests for all your domains. And you can add any amount of certificates to this nginx machine, handling different domains. The only thing you need to implement - to manage these certificates (e.g. implementing ACME protocol and getting certificates from LetsEncrypt).

Also AWS Marketplace already suggests several ready solutions which implement Automatic Certificate Management (ACM), meaning they will handle all SSL logic for you (cert creation, renewal, proxing requests and signing responses).

ilnur_safin
  • 51
  • 3
0

Why do you need so many SSL certificates? Did you try WildCast SSL certificate?
https://en.wikipedia.org/wiki/Wildcard_certificate

Justin
  • 1,050
  • 11
  • 26
  • Im not sure about the case of the person who asked first. But imagine that you are managing a CMS SaaS, and you allow your client to use their own Domain, also you want to allow HTTPS (Google and all the internet are moving to required HTTPS) – eveevans Feb 25 '20 at 04:19
  • Can't use a wildcard if you are serving different domains from the same load balancer. – Bahadir Balban Feb 25 '20 at 04:58
0

We had to think also about this question as we got 25 certificates limitation and potentially we want to support 10 000 certificates.

Found a nice application in AWS which allows to create large amount of certificates based on free letsencrypt

They also support load balancer and Global Accelerator integration, and multi-instance

Kilo SSL Pro - Multi-Instance SSL Certificate Management server

safinilnur
  • 199
  • 1
  • 4