To add an SSL certificate (ACM) to Elastic Beanstalk with a Network Load Balancer (NLB), you need to make some adjustments to your configuration. The issue you're encountering is because Network Load Balancers operate at the transport layer (Layer 4) and only support TCP and TLS protocols, not HTTP or HTTPS directly.
Here's how you can configure it correctly:
- First, ensure that your ACM certificate is available in the same region as your Elastic Beanstalk environment.
- Modify your configuration file (e.g., https-nlb.config) as follows:

```yaml
option_settings:
  aws:elbv2:listener:443:
    ListenerEnabled: 'true'
    Protocol: TLS
    SSLCertificateArns: arn:aws:acm:region:account-id:certificate/certificate-id
  aws:elasticbeanstalk:environment:process:https:
    Port: '443'
    Protocol: TCP
```

Note the changes:
- The listener protocol is set to TLS (not HTTPS)
- The process protocol is set to TCP (not HTTPS)
- Replace the placeholder in SSLCertificateArns with your actual ACM certificate ARN
- The Network Load Balancer will handle the TLS termination, and then forward the decrypted traffic to your instances using TCP.
- Your application should be configured to listen on port 443 for the incoming TCP traffic.
- If you need to handle HTTP traffic as well, you can add another listener for port 80:

```yaml
  aws:elbv2:listener:80:
    ListenerEnabled: 'true'
    Protocol: TCP
  aws:elasticbeanstalk:environment:process:http:
    Port: '80'
    Protocol: TCP
```

Remember that with a Network Load Balancer, you're responsible for SSL/TLS handling at the application level if needed, as the NLB doesn't process the HTTP layer.
By making these adjustments, you should be able to successfully add your SSL certificate to your Elastic Beanstalk environment using a Network Load Balancer while maintaining the static IP address benefit.
Sources
Configuring a Network Load Balancer - AWS Elastic Beanstalk
Configuring HTTPS Termination at the load balancer - AWS Elastic Beanstalk
Server certificates - AWS Elastic Beanstalk
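
A pre-deploy check for the settings discussed in the answer above, as an added example that is not part of the original answer or of any AWS tooling. The helper name `check_nlb_listeners`, the sample account id and certificate id are assumptions; the TCP/TLS rule is the one the answer states, and the region check follows its first step.

```python
import re

# ARN layout shown in the answer: arn:aws:acm:region:account-id:certificate/certificate-id
ACM_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):acm:([a-z0-9-]+):(\d{12}):certificate/([0-9a-f-]{36})$"
)
LISTENER_NS = re.compile(r"^aws:elbv2:listener:(\d+)$")
NLB_PROTOCOLS = {"TCP", "TLS"}  # rule as stated in the answer (assumption, not AWS-verified)


def check_nlb_listeners(option_settings, env_region):
    """Return findings for NLB listener namespaces (hypothetical helper)."""
    findings = []
    for namespace, options in option_settings.items():
        match = LISTENER_NS.match(namespace)
        if not match:
            continue  # process namespaces and others are not checked here
        port = match.group(1)
        protocol = options.get("Protocol")
        arn = options.get("SSLCertificateArns")
        if protocol is not None and protocol not in NLB_PROTOCOLS:
            findings.append(f"{port}: protocol {protocol} is not TCP or TLS")
        if arn is None:
            continue
        if protocol != "TLS":
            findings.append(f"{port}: certificate set but listener protocol is not TLS")
        parsed = ACM_ARN.match(arn)
        if not parsed:
            # Also catches an unreplaced placeholder or a masked value.
            findings.append(f"{port}: SSLCertificateArns is not a well-formed ACM ARN")
        elif parsed.group(2) != env_region:
            findings.append(
                f"{port}: certificate region {parsed.group(2)} != environment region {env_region}"
            )
    return findings


# Constructed sample: account id and certificate id are placeholders.
SAMPLE_ARN = "arn:aws:acm:us-east-1:111122223333:certificate/00000000-0000-0000-0000-000000000000"
SAMPLE = {
    "aws:elbv2:listener:443": {"ListenerEnabled": "true", "Protocol": "TLS", "SSLCertificateArns": SAMPLE_ARN},
    "aws:elasticbeanstalk:environment:process:https": {"Port": "443", "Protocol": "TCP"},
}

if __name__ == "__main__":
    for finding in check_nlb_listeners(SAMPLE, "eu-west-1"):
        print(finding)
```
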
Hi John,
You can use the settings below to use an SSL certificate via ACM to ensure we can use port 443 with a valid certificate.

```yaml
option_settings:
  aws:elbv2:listener:443:
    DefaultProcess: https
    ListenerEnabled: 'true'
  aws:elasticbeanstalk:environment:process:https:
    Port: '443'
    SSLCertificateArns: <ARN>
```

Sharing the reference URLs:
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-nlb.html
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html#command-options-general-elbv2-listener
Please let me know if you need any additional help.
Hi Vinod,
I created a config file in the root directory, .ebextensions/https-nlb.config:

```yaml
option_settings:
  aws:elbv2:listener:443:
    DefaultProcess: https
    ListenerEnabled: 'true'
    SSLCertificateArns: *************
  aws:elasticbeanstalk:environment:process:https:
    Port: '443'
```

Getting this error now: Invalid option value: 'null' (Namespace: 'aws:elbv2:listener:443', OptionName: 'SSLCertificateArns'): SSL options are not supported for Network Load Balancers.
I am still getting errors after updating my settings to:

```yaml
option_settings:
  aws:elbv2:listener:443:
    DefaultProcess: https
    ListenerEnabled: 'true'
    Protocol: TLS
    SSLCertificateArns: *********
  aws:elasticbeanstalk:environment:process:https:
    Port: '443'
    Protocol: TCP
```

Hi John,
Can you try using the one below? In the meantime, may I know any specific reason you have used an NLB here instead of an ALB?

```yaml
option_settings:
  aws:elbv2:listener:443:
    DefaultProcess: https
    ListenerEnabled: 'true'
  aws:elasticbeanstalk:environment:process:https:
    Port: '443'
```

Hi John,
The error indicates that in your configuration files you are using HTTPS instead of TCP. Network Load Balancers operate at the transport layer (Layer 4) and only support TCP and TLS protocols, not HTTP or HTTPS directly.
Can you please modify the configuration accordingly, redeploy, and let us know if you are still facing any issues?
Hi, I already fixed that error by adding a TLS protocol. The issue now is: how do I use an SSL certificate via ACM to ensure we can use port 443 with a valid certificate?
Hi Vinod, We need a static IP for a 3rd party integration that only allows a static IP to be whitelisted. That's why I used an NLB instead of an ALB.