
(@aws-cdk/aws-elasticloadbalancingv2): when using 3 certificates, only 2 get applied #13329

Closed
andreialecu opened this issue Mar 1, 2021 · 2 comments
Labels
@aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2 bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments


andreialecu commented Mar 1, 2021

This is a weird one. We have a load balancer that has several wildcard certificates:

  • *.domain.com (1)
  • *.staging.domain.com (2)
  • *.prod.domain.com (3)

We had just the first two, and recently added the third one (prod) via a cdk stack update. When the stack updated, only certs 1 and 3 got attached. Cert 2 disappeared.

Reproduction Steps

The stack looks like this:

import * as certmgr from "@aws-cdk/aws-certificatemanager";
import * as elbv2 from "@aws-cdk/aws-elasticloadbalancingv2";
import { ListenerAction } from "@aws-cdk/aws-elasticloadbalancingv2";
import * as route53 from "@aws-cdk/aws-route53";
import * as cdk from "@aws-cdk/core";
import { VpcStack } from "./vpc-stack";

export class ApplicationLoadBalancerStack extends cdk.Stack {
  listener: elbv2.ApplicationListener;
  lb: elbv2.ApplicationLoadBalancer;
  constructor(
    scope: cdk.App,
    id: string,
    props: cdk.StackProps,
    { vpcStack, certificateArn }: { vpcStack: VpcStack; certificateArn: string }
  ) {
    super(scope, id, props);

    const lb = new elbv2.ApplicationLoadBalancer(this, "LB", {
      vpc: vpcStack.vpc,
      internetFacing: true,
    });

    const listener = lb.addListener("Listener", { port: 443 });
    listener.addAction("DefaultRedirect", {
      action: ListenerAction.redirect({ host: "domain.com" }),
    });

    const zone = route53.HostedZone.fromLookup(this, "HostedZone", {
      domainName: "domain.com",
    });

    const stagingCertificate = new certmgr.Certificate(
      this,
      "StagingCertificate",
      {
        domainName: "*.staging.domain.com",
        validation: certmgr.CertificateValidation.fromDns(zone),
      }
    );

    const secondaryProductionCertificate = new certmgr.Certificate(
      this,
      "SecondaryProductionCertificate",
      {
        domainName: "*.prod.domain.com",
        validation: certmgr.CertificateValidation.fromDns(zone),
      }
    );

    const certificate = certmgr.Certificate.fromCertificateArn(
      this,
      "Certificate",
      certificateArn
    );

    // from docs: If you do not provide any options for this method, it redirects HTTP port 80 to HTTPS port 443.
    lb.addRedirect();

    listener.addCertificates("SSLCert", [
      certificate,
      stagingCertificate,
      secondaryProductionCertificate,
    ]);

    this.listener = listener;
    this.lb = lb;
  }
}

What did you expect to happen?

All 3 certs should be applied to the load balancer.

What actually happened?

Only 2 certs got applied. One disappeared.

When the prod cert got added, the staging certificate mysteriously disappeared from the load balancer.

I have verified via the AWS Console that only *.domain.com and *.prod.domain.com were attached to the 443 port. The top section also shows something like HTTPS:443 (2 certificates).

Environment

  • CDK CLI Version : 1.90.1
  • Framework Version: 1.90.1
  • Node.js Version: 15.9.0
  • OS : macOS Big Sur 11.2
  • Language (Version): typescript 4.0.5

Other

This may be a CloudFormation bug of some sort, because the generated stack in synth does include both certificates:

LBListenerSSLCert177C324A:
    Type: AWS::ElasticLoadBalancingV2::ListenerCertificate
    Properties:
      Certificates:
        - CertificateArn:
            Ref: StagingCertificate2A1D28EF
        - CertificateArn:
            Ref: SecondaryProductionCertificateDC0CBA63
      ListenerArn:
        Ref: LBListener49E825B4
    Metadata:
      aws:cdk:path: ...-All-ALB/LB/Listener/SSLCert/Resource

I have also opened an issue in AWS Support as case id 8052756621

In the meantime I manually added the certificate to the load balancer to get unblocked.


This is 🐛 Bug Report

@andreialecu andreialecu added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 1, 2021
@github-actions github-actions bot added the @aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2 label Mar 1, 2021

njlynch commented Mar 1, 2021

Thanks for the bug report, and for the repro steps!

I believe this is a duplicate of #13150, so closing this one out and tracking the status in that issue.

For what it's worth, it appears from the description in that issue that support came back saying that even though ListenerCertificate.Certificates is an array, only one certificate can be included in the list, and instead multiple ListenerCertificate objects should be generated.

@njlynch njlynch closed this as completed Mar 1, 2021
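The comment above pins the failure down to the shape of the synthesized resource: one ListenerCertificate with two entries in Certificates, of which CloudFormation only applied one. That is worth catching before deploy, because an ALB picks the certificate to present by SNI hostname, so a wildcard that silently never gets attached means every client of *.staging.domain.com is handed a non-matching certificate and a TLS error. The TypeScript below is an added example, not code from the aws-cdk project or from this issue. It takes a CloudFormation template object (the JSON form of cdk synth output), lists every ListenerCertificate resource that bundles more than one certificate, rewrites the template so each such resource carries exactly one certificate (the shape support recommended), and totals the certificates a listener should end up with so the count can be compared against the console. The sample template is constructed to mirror the resource quoted in the issue; the listener's literal ARN and the index-suffixed logical IDs are made-up assumptions for the example.

```typescript
// Added example (not aws-cdk project code): post-synth lint and fix-up for
// AWS::ElasticLoadBalancingV2::ListenerCertificate resources that list more than
// one certificate. Operates on a plain CloudFormation template object.

interface Ref { Ref: string; }
interface CertificateEntry { CertificateArn: string | Ref; }
interface CfnResource {
  Type: string;
  Properties?: { [key: string]: unknown };
}
interface CfnTemplate { Resources: { [logicalId: string]: CfnResource }; }

const LISTENER_CERTIFICATE = "AWS::ElasticLoadBalancingV2::ListenerCertificate";

// Certificates array of a ListenerCertificate resource (empty for any other resource).
function certificatesOf(r: CfnResource): CertificateEntry[] {
  if (r.Type !== LISTENER_CERTIFICATE || !r.Properties) return [];
  const certs = r.Properties["Certificates"];
  return Array.isArray(certs) ? (certs as CertificateEntry[]) : [];
}

// Lint: logical IDs of ListenerCertificate resources bundling more than one
// certificate. Anything returned here is a candidate for silently losing a cert.
function findMultiCertListenerCertificates(t: CfnTemplate): string[] {
  return Object.keys(t.Resources).filter((id) => certificatesOf(t.Resources[id]).length > 1);
}

// Fix-up: replace each multi-cert ListenerCertificate with one resource per
// certificate, keeping every other property (ListenerArn included). New logical
// IDs are the original ID plus "Cert<index>", a naming scheme assumed for this example.
function splitListenerCertificates(t: CfnTemplate): CfnTemplate {
  const resources: { [logicalId: string]: CfnResource } = {};
  for (const id of Object.keys(t.Resources)) {
    const r = t.Resources[id];
    const certs = certificatesOf(r);
    if (certs.length <= 1) { resources[id] = r; continue; }
    certs.forEach((cert, i) => {
      resources[`${id}Cert${i}`] = {
        ...r,
        Properties: { ...(r.Properties || {}), Certificates: [cert] },
      };
    });
  }
  return { Resources: resources };
}

// Stable key for a certificate reference: a literal ARN or a { Ref } to an ACM resource.
function certificateKey(arn: string | Ref): string {
  return typeof arn === "string" ? arn : `Ref:${arn.Ref}`;
}

// Every certificate a listener should end up with: the one on the Listener resource
// itself plus all ListenerCertificate resources whose ListenerArn refers to it.
// Compare the length with what the console reports for HTTPS:443.
function certificatesForListener(t: CfnTemplate, listenerId: string): string[] {
  const found: string[] = [];
  const listener = t.Resources[listenerId];
  const own = listener && listener.Properties ? listener.Properties["Certificates"] : undefined;
  if (Array.isArray(own)) {
    for (const c of own as CertificateEntry[]) found.push(certificateKey(c.CertificateArn));
  }
  for (const id of Object.keys(t.Resources)) {
    const r = t.Resources[id];
    const target = r.Properties ? r.Properties["ListenerArn"] : undefined;
    const refersToListener =
      typeof target === "object" && target !== null && (target as Ref).Ref === listenerId;
    if (!refersToListener) continue;
    for (const c of certificatesOf(r)) found.push(certificateKey(c.CertificateArn));
  }
  return found;
}

// Constructed sample: the synthesized resource quoted in the issue plus the Listener
// it attaches to. The literal ARN is a placeholder, not a real certificate.
const sampleTemplate: CfnTemplate = {
  Resources: {
    LBListener49E825B4: {
      Type: "AWS::ElasticLoadBalancingV2::Listener",
      Properties: {
        Certificates: [
          { CertificateArn: "arn:aws:acm:us-east-1:123456789012:certificate/placeholder" },
        ],
        Port: 443,
        Protocol: "HTTPS",
      },
    },
    LBListenerSSLCert177C324A: {
      Type: LISTENER_CERTIFICATE,
      Properties: {
        Certificates: [
          { CertificateArn: { Ref: "StagingCertificate2A1D28EF" } },
          { CertificateArn: { Ref: "SecondaryProductionCertificateDC0CBA63" } },
        ],
        ListenerArn: { Ref: "LBListener49E825B4" },
      },
    },
  },
};

console.log("multi-cert resources:", findMultiCertListenerCertificates(sampleTemplate));
console.log("certs expected on listener:", certificatesForListener(sampleTemplate, "LBListener49E825B4").length);
console.log("resources after split:", Object.keys(splitListenerCertificates(sampleTemplate).Resources));
```

Feed it the output of cdk synth --json for the stack, fail the pipeline when the lint returns anything, and after deploy compare the expected count with aws elbv2 describe-listener-certificates --listener-arn <listener-arn>; the template in the issue already carries all three certificates, so the console showing "2 certificates" is exactly the discrepancy this check is meant to surface.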

github-actions bot commented Mar 1, 2021

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
