Wildcard certificate renewal route53 plugin


#1

Does the route53 plugin change the contents of existing certs on servers during the renewal process? This is regarding a wildcard certificate.


#2

Hi @sltux

If you create a certificate, it’s done. Then the certificate cannot be changed.

You can replace a certificate, i.e. install a new one.

But you can’t change an existing certificate.


#3

@JuergenAuer

In my requirement, all servers are required to both terminate and offload SSL (dedicated DNS record for each individual server and AWS ELBs). The issue is how to keep the SSL cert static all the time. Is it possible with the route53 plugin (wildcard certs)? If the cert renews automatically without changing the contents of the certs, that will make this possible.


#4

If I understand you correctly, that is impossible.
A renewed cert is a completely new cert.
[there will never be another cert identical to a previous one]

That said, graceful reloads should allow web servers to finish serving clients connected via the previous cert, and serve all new requests via the new cert.


#5

@rg305 ,

Noted. Restarting the web server is not the trouble; it’s uploading certs to multiple servers and multiple ELBs. Let me know if you have a suggestion/solution. Thanks for the info.


#6

To partly answer that, you can automate uploading certificates to ELBs using the AWS API.

You can also have your ELBs use certificates issued by Amazon’s CA with ACM. AWS supports automatically renewing them (if you set it up right) without extra effort.
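An added example of the automation described in the previous post (it is not code from this thread, from Let’s Encrypt or from AWS): a certbot `--deploy-hook` script that pushes a renewed certificate to every ELB at once by re-importing it under an ACM certificate ARN that the listeners already reference. It assumes, as hypothetical setup, that the first certificate was imported into ACM by hand and attached to the listeners, that its ARN is passed in an `ACM_CERT_ARN` environment variable, and that certbot exports `RENEWED_LINEAGE` as it does for deploy hooks; the placeholder ARN and PEM files in the checks are constructed, not real values.

```shell
#!/usr/bin/env bash
# Added example, not code from this thread. Run by certbot as a --deploy-hook
# after a successful renewal. Re-importing the renewed cert under the ACM ARN
# the ELB listeners already use means every listener picks up the new cert
# without being modified one by one.
# Assumptions (hypothetical): RENEWED_LINEAGE is set by certbot, and
# ACM_CERT_ARN holds the ARN of the ACM certificate attached to the listeners.
set -eu

# Path of one of the three PEM files certbot keeps in a lineage directory.
lineage_file() {
    printf '%s/%s\n' "$1" "$2"
}

# Cheap shape check on the ARN before handing it to the AWS CLI.
is_acm_arn() {
    case "$1" in
        arn:aws:acm:*:*:certificate/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Refuse to call the API unless cert, private key and chain are all present
# and non-empty; a partial set would fail at import time anyway, but this
# catches it without a network round-trip.
check_lineage() {
    for f in cert.pem privkey.pem chain.pem; do
        [ -s "$(lineage_file "$1" "$f")" ] || return 1
    done
    return 0
}

# Re-import the renewed material under the existing ACM ARN (real AWS CLI
# command; --certificate-arn selects re-import rather than a fresh import).
import_to_acm() {
    lineage=$1
    arn=$2
    aws acm import-certificate \
        --certificate-arn "$arn" \
        --certificate "fileb://$(lineage_file "$lineage" cert.pem)" \
        --private-key "fileb://$(lineage_file "$lineage" privkey.pem)" \
        --certificate-chain "fileb://$(lineage_file "$lineage" chain.pem)"
}

main() {
    if [ -z "${RENEWED_LINEAGE:-}" ]; then
        echo "RENEWED_LINEAGE not set: not running as a certbot deploy hook, nothing to do" >&2
        return 0
    fi
    arn=${ACM_CERT_ARN:?set ACM_CERT_ARN to the ARN of the ACM certificate the listeners use}
    is_acm_arn "$arn" || { echo "ACM_CERT_ARN does not look like an ACM certificate ARN" >&2; return 1; }
    check_lineage "$RENEWED_LINEAGE" || { echo "missing PEM files in $RENEWED_LINEAGE" >&2; return 1; }
    import_to_acm "$RENEWED_LINEAGE" "$arn"
    echo "re-imported $RENEWED_LINEAGE into $arn" >&2
}

main "$@"
```

Wire it in with something like `ACM_CERT_ARN=arn:aws:acm:REGION:ACCOUNT:certificate/ID certbot renew --deploy-hook /usr/local/sbin/acm-reimport.sh` (placeholder ARN). The ACM certificate has to live in the same region as the load balancers that use it, and ACM’s own re-import rules apply to the new material, so run the hook once by hand against a test ARN before trusting it in cron. Servers that terminate TLS themselves still need the usual graceful reload of the web server after renewal, which the same deploy hook can perform.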


#7

You are correct, but ACM doesn’t cover the web server.


#8

That’s true, but you can use Let’s Encrypt on your EC2 instances and ACM certificates on your ELBs and other covered services.


#9

Nice idea. I missed this. Thanks.