I did this for a small number of custom domains, which means I didn’t automate the procedure, and it worked within the constraints of the max number of certificates (25?) supported by an ALB.
In my case we had to dispatch requests for each custom domain to a specific app, so we used a proxy (nginx) app in-between to route the requests, but if you only have one app that serves all custom domains, then replace “proxy app” in the following procedure with “main app”:
1. Go to the AWS console > EC2 > Load balancers.
2. Select the convox ALB, go to the Listeners tab, then edit the default Rules (for both 80 and 443 ports) to point to the target group of the proxy app. This makes sure any incoming requests for an unknown host end up on the proxy app, without the need to define target group rules for each custom domain. This only needs to be done once, just after the proxy app is initially created in convox.
3. Whenever you need to add a new custom certificate, select the convox ALB, go to the Listeners tab, then edit the certificates associated with port 443. Assuming the certificate for the custom domain is already in ACM, click the + button to select and add it. Done!
The last point could be automated if required, and the change to the ALB (point 2) survives any update to the convox rack.
If you need to handle a lot more custom domains than what ALB allows, then you either need to use SNI certificates with many domain names, or possibly set up an NLB + proxy app (which would terminate the SSL connection) in front of the convox ALB.
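As an added example (not part of the original post), here are the two console steps above as AWS CLI calls (`aws elbv2`), so the per-domain certificate step can be scripted. The ALB name, the proxy app's target group name and the certificate ARNs are placeholders supplied by the caller; the 25 figure is the AWS default quota for certificates per ALB (excluding the listener's default certificate), and the script checks it before adding a certificate rather than letting the add fail.

```shell
#!/bin/sh
# Added example (not from the original post): the two console steps as AWS CLI calls.
# Assumes the AWS CLI is configured for the rack's account and region. The ALB name,
# target group name and certificate ARNs are placeholders supplied by the caller.

# Default AWS quota for certificates per ALB, excluding the listener's default
# certificate. Override with ALB_CERT_QUOTA if you have had the quota raised.
ALB_CERT_QUOTA=${ALB_CERT_QUOTA:-25}

# ARN of the ALB with the given console name.
alb_arn() {
  aws elbv2 describe-load-balancers --names "$1" \
    --query 'LoadBalancers[0].LoadBalancerArn' --output text
}

# ARN of the listener on port $2 of ALB $1.
listener_arn() {
  aws elbv2 describe-listeners --load-balancer-arn "$1" \
    --query "Listeners[?Port==\`$2\`].ListenerArn | [0]" --output text
}

# Step done once, after the proxy app exists: make the proxy app's target group the
# default action of both listeners, so any host without its own rule lands on the proxy.
# $1 = ALB name, $2 = proxy app's target group name
point_defaults_at_proxy() {
  alb=$(alb_arn "$1")
  tg=$(aws elbv2 describe-target-groups --names "$2" \
         --query 'TargetGroups[0].TargetGroupArn' --output text)
  for port in 80 443; do
    aws elbv2 modify-listener --listener-arn "$(listener_arn "$alb" "$port")" \
      --default-actions "Type=forward,TargetGroupArn=$tg"
  done
}

# Non-default certificate ARNs currently attached to listener $1, one per line.
# (text output is tab-separated; an empty result is tolerated.)
listener_certs() {
  aws elbv2 describe-listener-certificates --listener-arn "$1" \
    --query 'Certificates[?IsDefault==`false`].CertificateArn' --output text \
    | tr '\t' '\n' | grep -v '^None$' || true
}

# Step repeated per custom domain: attach an ACM certificate to the 443 listener.
# Idempotent (skips certificates already attached) and refuses to exceed the quota.
# $1 = 443 listener ARN, $2 = ACM certificate ARN
add_custom_cert() {
  listener=$1
  cert=$2
  certs=$(listener_certs "$listener")
  if printf '%s\n' "$certs" | grep -Fxq "$cert"; then
    echo "already attached: $cert"
    return 0
  fi
  n=$(printf '%s\n' "$certs" | grep -c . || true)
  if [ "$n" -ge "$ALB_CERT_QUOTA" ]; then
    echo "refusing: $n certificates already on listener (quota $ALB_CERT_QUOTA)" >&2
    return 1
  fi
  aws elbv2 add-listener-certificates --listener-arn "$listener" \
    --certificates "CertificateArn=$cert"
}

# Usage: ./alb-custom-domains.sh setup <alb-name> <proxy-target-group-name>
#        ./alb-custom-domains.sh add-cert <443-listener-arn> <acm-certificate-arn>
case "${1:-}" in
  setup)    point_defaults_at_proxy "$2" "$3" ;;
  add-cert) add_custom_cert "$2" "$3" ;;
esac
```

Run `setup` once after the proxy app is created, then `add-cert` each time a new custom domain's certificate lands in ACM. The quota check is a pre-flight only: the authoritative limit is whatever your account's `elasticloadbalancing` quota says, and `add-listener-certificates` will still be rejected by AWS if you exceed it.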