Hi, since convox ssl update <process>:<port> <certificate> --app <app> --wait will give:
ERROR: command not valid for generation 2 applications
We’ve updated our SSL certificate “manually” in AWS console by adding a new certificate to the ALB with the same domain name, which then has been correctly picked up by AWS and it is now effectively the cert that is being used in our app.
Which leaves us with these two questions however:
Having added the certificate manually, will this become an issue in a future app deploy and/or rack update?
How can we tell convox to detect the correct certificate, since convox ssl --app <app> command still lists the “old” certificate?
No, but my best guess is that ALBs work differently than perhaps how previously used ELBs in that, you don’t “assign” a specific cert to the load balancer instead it picks the “best one” from a list of certs available + target groups + domains configured, etc.
Once we’ve issued a new cert, then a new build would make sure to update the CloudFormation template, so no convox ssl --app <app> was necessary.
P.S.: Still I am not sure how to update convox’s internal certs which rely on email validation (i.e., *.convox.site ones)