For myself, the challenge is that all traffic for the app must be served over HTTPS and since the loadbalancer cannot (as far as I know) be locked down via the security groups it creates a potential hole where plaintext traffic exists. The way I have things set up at the moment is that all HTTP traffic, outside the healthcheck, is intercepted by mod-rewrite and pushed to HTTPS, additionally the application displays custom errors if people try and hit the instance directly, either by its public DNS or the FQDN we punched down for it.

For my own piece of mind and compliance with our security practices I’d prefer that the necessary ports only be open to the ELB so that the plaintext traffic becomes less of an issue. That said, if it is not as much of a pressing issue for yourself I cannot thing of a reason why moving the certs into the balancer would not work.

Why do the certs need to be on the apache instances? When you create the ELB cant you tell associate it with a signed certificate you have already uploaded via:
iam-servercertupload -b public_key_certificate_file -c certificate_chain_file -k privatekey.pem -s certificate_object_name

This way the ELB will handle the overhead associated with SSL, and the apache servers can accept cleartext http to a non secure listening vhost? This will allow the apache server instances to perform better (dont have the mod_ssl overhead)…

So example:
I upload the *.superawesomefurntime.com and *.unicorns-unlimited SSL certs via the cmd above.

the superawesome ELB (using the superawesome cert) will listen on 443 and route to http(unsecure) port 8440 (*.superawesomefuntime.com vhost)
the unicorns ELB (using the unicorns cert) will listen on 443 and route to http(unsecure) port 8441 (*.unicorns-unlimited.com vhost)

I have not tried this yet – any reason why this would not work?

As a ref. the AWS example at http://docs.amazonwebservices.com/ElasticLoadBalancing/latest/DeveloperGuide/index.html?US_SettingUpLoadBalancerHTTPSIntegrated.html says:
“Client connections to the LoadBalancer use HTTPS and connections to the back-end instances are done using plaintext.”

Checks: be sure to turn off or modify firewall, check the amazon firewall, and make sure it is running by checking the Health Check.

I had the Health Check set to HTTP and it was causing an error due to my website setup not using the default website in IIS so no /index.html file could be found.

Good job – Thanks for great information on how to solve my mulitple SSL problem!

Thanks!

We definitely use the command line tools for a lot of things, but I never tried to create an ELB from the CLI tools. We were using the Amazon Control Panel web app to create our load balancers. In the AWS control panel, when you try to create an ELB it will only show you instances that are not already assigned to a load balancer. So we just assumed it couldn’t be done.

Thanks to your post, I created a new ELB using the CLI tools and was able to do just that!

In case anyone is interested, we were previously using this method with a multi-domain certificate: http://blog.revolunet.com/index.php/reseau/administration/hosting-multiple-ssl-vhosts-on-a-single-ipportcertificate-with-apache2