AWS requires me to add a certificate for CDN but I already have the LE SSL

My website is
It's hosted on AWS Lightsail instance, and I'm trying to configure the free tier of CDN issued by them.
When I start configuring the Network there's the option of HTTP or HTTPS. When I say HTTPS, obviously, as I already have the SSL, it still forces me to get a certificate in order to use custom domains.
Is there any other way for me to use the current SSL, or is it mandatory to get a new SSL?
I'm new to this, so please help. Thanks.


It's easier to just let AWS create another certificate for your domain.

The upside to doing so is that the setup process will be simpler and it will support automatic renewal. That wouldn't be the case if you uploaded your existing Let's Encrypt certificate to the AWS CDN.

It's no problem for multiple certificates to exist at once.


Thanks az, but doesn't it cause any conflicts between them? I created an AWS certificate, and then when I was checking their CloudFront address it returned a 502 error. Checking online I found that it is related to the SSL, which is why I thought of posting here. Maybe I am wrong. I deleted the distribution and want to make everything clear before I create a new one.


I'm not familiar with Lightsail specifically, but for "normal" AWS CloudFront at least, you just get a free certificate from AWS Certificate Manager and apply it to the CloudFront installation. AWS handles the certificate and renewal for you. You can still use Let's Encrypt certificates on your endpoint Lightsail server, to secure the connection between CloudFront and your server.

That is to say, if I understand what you're doing correctly, currently there is one hop:

User → Lightsail server

And you're using Let's Encrypt to get a certificate for the server to secure that hop. But if you add another layer:

User → CloudFront → Lightsail server

There are really two separate connections happening, and even though it's transparent to the end-user you may want to secure both of them instead of just the first one. (Perhaps you don't need to secure the second one, if you trust Amazon's network enough, but if you already have it set up it certainly doesn't hurt and is probably the better practice.) Each connection should have its own certificate and configuration, with CloudFront being configured in AWS and whatever web server you use on your server being configured with whatever Let's Encrypt client you're using.
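As an added example (not code from this thread or from AWS), here is a Python check of that two-hop layout: each hop's certificate must cover the hostname used on that hop, because CloudFront answers with a 502 when the origin's certificate does not match the origin domain name it was configured with. `fetch_cert` pulls a live certificate; the certificates in `__main__` are constructed, and `example.com` / `origin.example.com` are placeholder names.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443, servername=None):
    """Fetch and verify one hop's certificate the way a client would.
    Raises ssl.SSLCertVerificationError if the chain or name check fails."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername or host) as tls:
            return tls.getpeercert()

def san_names(cert):
    """DNS names from the subjectAltName entry of a getpeercert() dict."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, host):
    """Hostname match: exact, or one leading wildcard label (*.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def check_hop(cert, expected_host, now=None):
    """Problems for one hop: the name used on that hop must be covered and unexpired."""
    problems = []
    names = san_names(cert)
    if not any(name_matches(n, expected_host) for n in names):
        problems.append(f"certificate does not cover {expected_host} (SAN: {names})")
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if not_after <= (now or datetime.now(timezone.utc)):
        problems.append(f"certificate expired on {cert['notAfter']}")
    return problems

def check_two_hops(edge_cert, origin_cert, site_domain, origin_domain, now=None):
    """User -> CDN edge (ACM cert for the site name) -> origin (LE cert for the origin name)."""
    return {"edge": check_hop(edge_cert, site_domain, now),
            "origin": check_hop(origin_cert, origin_domain, now)}

if __name__ == "__main__":
    # Constructed certificates with placeholder names, not real output.
    edge = {"subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
            "notAfter": "Jan  1 00:00:00 2099 GMT"}
    origin = {"subjectAltName": (("DNS", "example.com"),),  # LE cert for the site name only
              "notAfter": "Jan  1 00:00:00 2099 GMT"}
    # The CDN reaches the origin by its own hostname, so the second hop fails the name check.
    print(check_two_hops(edge, origin, "www.example.com", "origin.example.com"))
```

With live hosts, compare `fetch_cert("www.example.com")` (the CDN edge) against `fetch_cert("origin.example.com")` (the Lightsail server): different issuers on the two hops is the expected, healthy outcome.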


A little reading material that may help:


Not sure if AWS has changed since I last used it (years ago) but if it hasn’t, there is a bridge mode where you can use the AWS SSL on your domain’s certificate with the LE certificate on your origin server.

