How to properly Terminate SSL using AWS ALB with ACM

  • 23 August 2021
  • 4 replies

  • Known Participant
  • 17 replies

APIs and all endpoints returning empty response when AWS ACM enabled with ingress



helm -n ingress-nginx install ingress-nginx ingress-nginx/ingress-nginx \
  --set controller.replicaCount=2 \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-ssl-cert"=arn:aws:acm:us-east-1:092X09X3X992:certificate/2acb570a-2627-4b66-ac3e-ae2a9cc82a91


Help me with how to properly terminate AWS ACM ALB


Best answer by Robert Moucha 24 August 2021, 14:28


Userlevel 2

Hello Ashok,

the Nginx Ingress Controller works well with classical AWS ELB (Elastic load balancer). AWS ALB (Application load balancer) should be controlled by

While it is possible to have ALB in front of an NGINX ingress controller deployment (see this issue or more detailed blog post), we recommend using ELB instead, because it is far easier to configure.

Using ALB directly is not supported as it lacks some functionality (notably regex processing of paths).

Hi @Robert Moucha, thanks for the response.
I have made the changes; ingress by default throws 404 across services. Can you please help me?




helm upgrade --install -n ingress-nginx ingress-nginx ingress-nginx/ingress-nginx \
  --set controller.replicaCount=2 \
  --values values-ingress.yaml --wait --timeout 3m \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-ssl-cert"=arn:aws:acm:us-east-1:01119999222:certificate/2acb570a-2627-4b66-ac3e-ae2a9cc82a41



# helm-charts/helmfile-values/values-ingress.yaml
      http: http
      https: http
      # SSL is terminated on ELB, so HTTP will be used downstream to our services 'http'
      # only 'https' port will use SSL protocol 'https'
      # keep connections open up to 1 hour '3600'
      # Disable TLS1.1 and lower protocols on TLS handshake 'ELBSecurityPolicy-TLS-1-2-2017-01'
    enabled: true


kind: Organization
  # The namespace-unique name of the custom resource
  name: fctstage-org
  # The Organization ID
  id: fctstage
  # The UI-friendly Organization name
  name: "FCTDEV, Corp."
  # The DNS name where the Organization will be accessible
  # The name of the user group for the Organization administrator
  adminGroup: adminGroup
  # The name of the Organization administrator account
  adminUser: admin
  # The salted hash of the administrator password that you generated earlier at Step 1
  adminUserToken: "$5$6iRG6Yc/Ih51I2MN$/IYHZCzihzyOP3uaHs7FaHBnsLv8.dtsKjiMdAJjxc4"
  # An optional `tls` object that describes how the TLS certificate will be handled
  # For more information, see "TLS Configuration of an Organization" further in this article.
  # tls:
  #   # (Required) The name of the Secret where the certificate and the key are stored
  #   secretName: alpha-org-tls
  #   # (Optional) The name of cert-manager's Issuer or ClusterIssuer, if certificates are
  #   # automatically provisioned by cert-manager
  #   issuerName: letsencrypt-prod
  #   # (Optional) The resource that `issuerName` refers to; can be Issuer (default)
  #   # or ClusterIssuer
  #   issuerType: ClusterIssuer


Userlevel 2

Please add the following annotations to respective places in customized-values-gooddata-cn.yaml used for deploying gooddata-cn helm chart:

Keep in mind you need to “merge” these two settings to existing keys.

annotations: nginx

annotations: nginx

This change is necessary for a proper operation with the recent versions of ingress-nginx. We will update documentation for version 1.3 and address this issue in the upcoming release.


Thank you @Robert Moucha, it resolved the issue :metal_tone1:
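
The comments in the values-ingress.yaml posted above name four ELB settings whose keys did not survive in the post. As an added example (not the poster's file and not GoodData's own configuration), this is how those settings are written as ingress-nginx chart values for TLS termination on a classic ELB with an ACM certificate; the ARN is a placeholder and the values are assumptions to adapt.

```yaml
# values-ingress.yaml (added example, not the file from the thread)
controller:
  replicaCount: 2
  service:
    targetPorts:
      # Both Service ports forward to nginx's plaintext port, because the
      # ELB has already removed TLS by the time traffic reaches the pods.
      http: http
      https: http
    annotations:
      # ACM certificate presented by the ELB (placeholder ARN).
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:<region>:<account-id>:certificate/<certificate-id>"
      # Protocol the ELB speaks to the backend pods after terminating TLS.
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
      # Only the port named 'https' gets the TLS listener. Without this
      # annotation the certificate is applied to every Service port.
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
      # Idle timeout in seconds (1 hour).
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
      # Predefined ELB security policy that refuses TLS 1.1 and older.
      service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
```

Keeping the certificate ARN in the values file rather than in a separate `--set` flag avoids escaping the dots in the annotation key on the command line.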