Certificate for DNS name of Global Accelerator in Application Load Balance

Question

Hey,

Is it possible to request a certificate from AWS Certificate Manager (ACM) for the DNS name of a Global Accelerator?

I have created a HostedZone with the DNS name (e.g., XXXXXXXXXXXXXXXXX.awsglobalaccelerator.com), and the respective CNAME record that ACM requires:

CNAME name:

YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY.XXXXXXXXXXXXXXXXX.awsglobalaccelerator.com.

that has a value

YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY.XXXXXXXXXX.acm-validations.aws.

Using the Route53 tester, reveals that everything is fine with the record, at least. However, even after more than an hour, the Certificate is still pending validation.

My goal is to use Application Load Balancer (ALB) with an HTTPS listener as a target for the Global Accelerator, but also would like to use Static IPs to enable access from clients, which are behind a firewall.

Thanks!

Answer

Global Accelerator does not perform SSL termination and you cannot install HTTPS cert on it.
You SSL cert is to be installed on the ALB.

For the domain you manage, either create a DNS A record that resolves to AGA IP, or a DNS CNAME to AGA FQDN. 
If you do not have a domain, you can [purchase one](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-register.html) from Amazon Route 53, and use it to request free SSL cert for your ALB.

Answer

Hello.  
The domain "awsglobalaccelerator.com" is a domain managed by AWS, so an SSL certificate cannot be issued.  
You will need to issue a certificate for the domain you manage.

Certificate for DNS name of Global Accelerator in Application Load Balance

Relevant content