AWS SSL certificate with Elastic Beanstalk: HTTPS site not reachable


When I associate an AWS certificate with my Elastic Beanstalk app and visit the domain using https, I get ‘This site can’t be reached, refused to connect.’ I can visit the site using http.

I created a security certificate with AWS’s ACM. I added my domain name, along with additional names that were subdomains, to the certificate. In my app’s environment ‘Loading balancing’ section I set this up:


I setup the SecurityGroup named awseb-e-abc123-stack-* for my environment as follows:

There is another security group named awseb-e-abc123-stack-AWSEBLoadBalancerSecurityGroup-*, which is as follows. It has the same name tag as the above group, which is the same as my environment name:


It seems, though, that the entries of the “AWSEBLoadBalancerSecurityGroup” security group do nothing, as removing all the entries still allows HTTP traffic to work.

In .elasticbeanstalk\securelistener.config, I have the following

It seems, though, that if I add a syntax error to this file, the deployment still succeeds.

Here is the output of curl -vL https://<my domain>:

I used a separate domain name registrar to set up my domain name, and set my domain’s DNS A record’s IP address equal to my Elastic IP.


I had mentioned above that changing the rules of the load balancer security group does nothing. This was because my EC2 instance’s security group was pointing to the instance’s security group, not the security group of the load balancer. When I pointed the EC2’s security group to the load balancer’s security group, the security group’s rules are exercised. I verified this by removing all the rules from the load balancer security group, and seeing that no requests are accepted. However, if I add back the HTTP and HTTPS rules to the load balancer security group but remove all the rules from the instance security group, all HTTP requests are going through. This is NOT expected behavior because the load balancer is supposed to forward traffic to the instance. What seems to be happening is (1) the instance and load balancer security groups are not at all related to the instance and load balancer and (2) no traffic is going to the load balancer.

Is there anything else I’m missing?

[edit 2]

I misread gkrizek’s comment. If I use the public DNS of the load balancer, I am able to connect using either HTTP or HTTPS. I am able to connect to both versions using telnet. So instead of creating an A record that is set to my Elastic IP, I created a CNAME record set to the load balancer. Now I am able to browse to both and Two questions:

  • Is it OK to use the load balancer’s public DNS in the CNAME record? I can’t use the * URL because it could change, so I’m wondering if the same situation applies here
  • How can I secure (no subdomain). It seems like with this method, it is impossible to have since I cannot create an A record with an domain name.


The issue is that you have to create a CNAME record with your domain and use the load balancer DNS name as the address. If you use the Elastic IP, the requests will not go to the load balancer.

To answer my last questions:

  • AWS says this is OK
  • You cannot directly do this because AWS does not allow you to assign an Elastic IP to a load balancer. What you can do is have a URL record that redirects to
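
A small diagnostic that applies the answer’s reasoning to a set of DNS records. This is an added example, not code from the question or the answer: it flags an A record pointing at an Elastic IP (clients go straight to the instance, so the load balancer’s HTTPS listener and ACM certificate never see them), accepts a CNAME whose target is a load balancer hostname, and flags a CNAME placed on the bare domain, which DNS does not allow. The record set and hostnames are constructed placeholders; `tls_reachable` is an optional live probe for checking a real name once the records are fixed.

```python
"""Diagnose why HTTPS to an Elastic Beanstalk app may be refused.

Added example; not code from the original question or answer.
The record set below is constructed and the hostnames are placeholders.
"""
import socket
import ssl
from dataclasses import dataclass

# Hostname suffix used by AWS load balancers (classic and application).
ELB_SUFFIX = ".elb.amazonaws.com"


@dataclass
class Record:
    name: str    # fully qualified name the client resolves
    rtype: str   # "A" or "CNAME"
    target: str  # IPv4 address for A, hostname for CNAME
    apex: str    # zone apex (bare domain) the record belongs to


def diagnose(rec: Record) -> str:
    """Return 'ok', or a short reason why HTTPS via the load balancer will fail."""
    rtype = rec.rtype.upper()
    name = rec.name.rstrip(".").lower()
    target = rec.target.rstrip(".").lower()
    if rtype == "CNAME":
        if name == rec.apex.rstrip(".").lower():
            # DNS does not permit a CNAME on the bare domain.
            return "cname-at-apex"
        if target.endswith(ELB_SUFFIX):
            return "ok"
        return "cname-not-load-balancer"
    if rtype == "A":
        # An A record to an Elastic IP sends clients straight to the instance,
        # bypassing the load balancer's HTTPS listener and its ACM certificate.
        return "a-record-bypasses-load-balancer"
    return "unsupported-record-type"


def diagnose_all(records):
    """Map each record name to its verdict."""
    return {r.name: diagnose(r) for r in records}


def tls_reachable(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Live probe: True if a TLS handshake completes. Needs network access."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


# Constructed sample records (placeholder names, not real hosts).
LB_PLACEHOLDER = "placeholder-lb-123456.us-east-1.elb.amazonaws.com"
SAMPLE_RECORDS = [
    Record("www.example.test", "CNAME", LB_PLACEHOLDER, "example.test"),
    Record("api.example.test", "A", "198.51.100.10", "example.test"),
    Record("example.test", "CNAME", LB_PLACEHOLDER, "example.test"),
    Record("old.example.test", "CNAME", "ghs.example.net", "example.test"),
]

if __name__ == "__main__":
    for name, verdict in diagnose_all(SAMPLE_RECORDS).items():
        print(f"{name:20s} {verdict}")
```

The verdict names encode the three outcomes from the thread: only the `www` CNAME to the load balancer hostname passes, the A record to the Elastic IP is flagged as bypassing the load balancer, and the CNAME on the apex is flagged as invalid, which is why the answer falls back to a redirect for the bare domain.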
