[ac2u]

If you can afford to have a service handle it, (like cloudflare in another commenter's reply which provides a service especially for this) go for that.

Otherwise, I've played around with OpenResty for doing this on top of nginx with on the fly letsencrypt certs. This isn't my post, but it's the same thing.

https://medium.com/@vibhoragrawal/how-to-setup-ssl-on-the-fl...

Of course now you have to own your own ops for your load balancers, but you could always scale up the nginx instances and put them behind a NLB instead of an ALB.

[erinmez]

Thanks a lot for the approach. Now I recall we had a Lua/nginx setup a couple of years ago similar to this and it was actually really low maintenance (wasn't on AWS though). I need to check the monetary aspect of the Cloudflare approach, but for best effort "Free" plans this could be a cheap option on AWS.