This topic describes how to associate multiple certificates with an HTTPS listener of an Application Load Balancer (ALB) instance to distribute requests destined for different domain names to different NGINX services deployed on backend servers.

Scenario

After ALB receives an HTTPS request, ALB matches the requested domain name against the certificates that you uploaded. If one of the certificates is matched, ALB sends the request to a backend server based on the forwarding rule that you configured for the domain name and then returns the corresponding certificate to the client. If no certificate is matched, ALB sends the request to a backend server in the default server group and returns the default certificate to the client. The following configurations are used in this example:
  • The default certificate: default. The default server group: RS1.
  • The domain name example.com is associated with the additional certificate example1. Requests destined for example.com are forwarded to RS1.
  • The domain name example.org is associated with the additional certificate example2. Requests destined for example.org are forwarded to RS2.
[Figure: Access multiple domain names]

Prerequisites

  • An ALB instance is created. For more information, see Create an ALB instance.
  • RS1 and RS2 are created. For more information, see Create and manage a server group.
  • An Elastic Compute Service (ECS) instance is added to each server group. In this example, ECS01 is added to RS1 and ECS02 is added to RS2. Different NGINX services are deployed on the ECS instances.
  • Required certificates are deployed. If the certificates are purchased from a third-party service provider, you must upload them to Certificate Management Service. In addition, make sure that the certificates are associated with your domain name. For more information about how to apply for a certificate, see Submit a certificate application. The following certificates are used in this example:
    • The default certificate.
    • The additional certificate example1 that is associated with the domain name example.com.
    • The additional certificate example2 that is associated with the domain name example.org.

Background information

A basic ALB instance supports up to 10 additional certificates, and a standard ALB instance supports up to 25. The default certificate is not included in this quota.

Step 1: Create an HTTPS listener

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance is deployed.
  3. On the Instances page, find the ALB instance that you want to manage and click Create Listener in the Actions column.
  4. On the Configure Listener wizard page, set the following parameters and click Next.
    For more information about the other parameters and how to create an HTTPS listener, see Add an HTTPS listener.
    • Select Server Certificate: In this example, the default certificate is selected.
    • Select Server Group: In this example, RS1 is selected.

Step 2: Add an additional certificate

  1. On the Instances page, find the ALB instance that you want to manage and click its ID.
  2. On the Listener tab, find the HTTPS listener that you created and click Manage Certificate in the Actions column.
  3. On the Certificates tab, click Add Extended Validation Certificate.
  4. In the Add Extended Validation Certificate dialog box, select the certificate example1 and click OK. Repeat this step to add the additional certificate example2.

Step 3: Create forwarding rules

  1. On the Instances page, find the ALB instance that you want to manage and click its ID.
  2. On the Listener tab, find the HTTPS listener that you created and click View/Modify Forwarding Rule in the Actions column.
  3. On the Forwarding Rules tab, click Add New Rule.
  4. Configure forwarding rules based on the following information and click OK:
    • Set the Domain Name parameter to example.com and the Forward parameter to RS1. Set the weight of the server group to 100.
    • Set the Domain Name parameter to example.org and the Forward parameter to RS2. Set the weight of the server group to 100.
    Note
    • ECS instances in a server group that has a higher weight receive more requests. In this example, the default weight 100 is used.
    • Valid values for the weight: 1 to 100.

Step 4: Create CNAME records

Create CNAME records to map example.com and example.org to the publicly accessible domain name of the ALB instance.

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance is deployed.
  3. Find the ALB instance that you want to manage and copy the domain name.
  4. To create a CNAME record, perform the following operations:
    1. Log on to the Alibaba Cloud DNS console.
    2. On the Manage DNS page, click Add Domain Name.
    3. In the Add Domain Name dialog box, enter the domain name of your host and click OK.
      Important: Before you create the CNAME record, you must use a TXT record to verify the ownership of the domain name.
    4. In the Actions column of the domain name that you want to manage, click Configure.
    5. On the DNS Settings page, click Add Record.
    6. In the Add Record panel, set the following parameters and click Confirm.
      Parameter | Description
      Type | Select CNAME from the drop-down list.
      Host | Enter the prefix of the domain name of your host.
      ISP Line | Select Default.
      Value | Enter the CNAME. The CNAME is the domain name of the ALB instance.
      TTL | Select the time-to-live (TTL) value of the record on the DNS server. In this example, the default value is used.
      Note
      • Newly created CNAME records take effect immediately. The time that is required for a modified CNAME record to take effect is determined by the TTL value. The default TTL value is 10 minutes.
      • If the CNAME record that you want to create conflicts with an existing record, we recommend that you specify another domain name.

Step 5: Test connectivity

Enter example.com and example.org in the address bar of a browser to check whether you can access ALB. In this example, NGINX is used to set up two static websites on ECS01 and ECS02.
  • In the address bar of the browser, enter the domain name example.com, which is associated with the additional certificate example1. If you can access the domain name, it indicates that the request is sent to ECS01 in RS1 based on the forwarding rule that you configured. Test result: [Figure: ECS01 test result]
  • In the address bar of the browser, enter the domain name example.org, which is associated with the additional certificate example2. If you can access the domain name, it indicates that the request is sent to ECS02 in RS2 based on the forwarding rule that you configured. Test result: [Figure: ECS02 test result]
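
A browser test shows that the pages load, but not which certificate the listener presented for each name. The following added example (not part of the original topic) checks, per domain name sent as SNI, whether the returned certificate covers that name or the listener answered with another certificate such as the default one. The function names, the SAMPLE data, the name on the default certificate and the ALB_DOMAIN placeholder are assumptions made for illustration.

```python
import socket
import ssl

def san_names(cert):
    """DNS names from the dict that SSLSocket.getpeercert() returns."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def covers(pattern, host):
    """Exact match, or a wildcard that stands for exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host

def fetch_cert(endpoint, sni, port=443, timeout=5):
    """Handshake with `endpoint` while sending `sni`; return the served certificate."""
    ctx = ssl.create_default_context()   # the chain is still validated
    ctx.check_hostname = False           # names are compared in audit() instead
    with socket.create_connection((endpoint, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()

def audit(domains, fetch):
    """Return "ok" or "mismatch: <names served>" for each domain."""
    report = {}
    for host in domains:
        names = san_names(fetch(host))
        if any(covers(n, host) for n in names):
            report[host] = "ok"
        else:
            report[host] = "mismatch: " + ",".join(names)
    return report

# Constructed sample: example.org was never given its additional certificate,
# so the listener answers with the default one (its name here is invented).
SAMPLE = {
    "example.com": {"subjectAltName": (("DNS", "example.com"),)},
    "example.org": {"subjectAltName": (("DNS", "default.example.net"),)},
}

if __name__ == "__main__":
    print(audit(["example.com", "example.org"], SAMPLE.__getitem__))
    # Live check against the listener (ALB_DOMAIN is a placeholder):
    # print(audit(["example.com", "example.org"],
    #             lambda h: fetch_cert("ALB_DOMAIN", h)))
```

Because fetch_cert connects to the ALB domain name and only sends the tested name as SNI, the check can be run before the CNAME records from Step 4 exist.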