Replacing cert doesn't work #173

Closed
greenboxal opened this issue Jun 8, 2018 · 1 comment

@greenboxal
Contributor

I'm having a very weird issue when adding a new ingress.

I have an ALB which had two certificates on it:

  • *.domain1.com
  • api.domain2.com

After I created a new ingress on domain3.com, I happened to have a certificate in ACM that could handle *.domain1.com, *.domain2.com and *.domain3.com. Here comes the weird part:

The new ingress for something.domain3.com doesn't have a valid wildcard certificate associated with the ALB, making it return a certificate error. It seems that the new certificate wasn't applied to the listeners on the ALB:

[Image: screen shot 2018-06-08 at 11 51 09 am]

But in the tags in the CloudFormation stack, I have the following:

[Image: screen shot 2018-06-08 at 11 48 28 am]

Even weirder, the CF stack itself points to only two of these:

        "HTTPSListenerCertificate": {
            "Type": "AWS::ElasticLoadBalancingV2::ListenerCertificate",
            "Properties": {
                "Certificates": [
                    {
                        "CertificateArn": "arn:aws:acm:us-west-2:088757392028:certificate/252e51e6-65ac-4a72-b619-bcfabbb7678f"
                    },
                    {
                        "CertificateArn": "arn:aws:acm:us-west-2:088757392028:certificate/c67cb815-a741-42ac-9785-d4bbc60dbc76"
                    }
                ],
                "ListenerArn": {
                    "Ref": "HTTPSListener"
                }
            }
        },

The issue itself is that arn:aws:acm:us-west-2:088757392028:certificate/c67cb815-a741-42ac-9785-d4bbc60dbc76 (the big wildcard certificate) wasn't applied to the ALB.

Has anyone seen something like this? It seems like the ingress controller did the right thing (except for not updating the tags maybe), and CF didn't update the ALB. Any lights here?

@greenboxal
Contributor Author

Just correlated this with #162, seems like that was the issue.
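
Added example, not part of the original issue or the project's code: an offline check for the mismatch described in this thread. It compares the certificates declared in a stack's `AWS::ElasticLoadBalancingV2::ListenerCertificate` resource with those actually attached to the listener, then lists ingress hosts that no attached certificate covers. The ARNs and SAN lists are constructed placeholders; the input shapes are assumed to follow `aws elbv2 describe-listener-certificates` and the `SubjectAlternativeNames` field of `aws acm describe-certificate`.

```python
# Added example: offline drift check between a CloudFormation template and an ALB listener.
# All ARNs and SAN lists below are constructed placeholders, not values from the issue.

def template_cert_arns(template):
    """ARNs declared by every AWS::ElasticLoadBalancingV2::ListenerCertificate resource."""
    arns = set()
    for res in template.get("Resources", {}).values():
        if res.get("Type") == "AWS::ElasticLoadBalancingV2::ListenerCertificate":
            for cert in res.get("Properties", {}).get("Certificates", []):
                arns.add(cert["CertificateArn"])
    return arns

def san_matches(san, host):
    """A wildcard SAN covers exactly one leftmost label; anything else must match exactly."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == san[2:]
    return san == host

def check_listener(template, listener_certs, sans_by_arn, hosts):
    """Return (ARNs declared but not attached, hosts no attached certificate covers)."""
    attached = {c["CertificateArn"] for c in listener_certs["Certificates"]}
    missing = sorted(template_cert_arns(template) - attached)
    uncovered = sorted(
        h for h in hosts
        if not any(san_matches(s, h) for a in attached for s in sans_by_arn.get(a, []))
    )
    return missing, uncovered

PREFIX = "arn:aws:acm:us-west-2:111122223333:certificate/"  # constructed account id
TEMPLATE = {"Resources": {"HTTPSListenerCertificate": {
    "Type": "AWS::ElasticLoadBalancingV2::ListenerCertificate",
    "Properties": {"Certificates": [{"CertificateArn": PREFIX + "EXAMPLE-old"},
                                    {"CertificateArn": PREFIX + "EXAMPLE-wildcard"}],
                   "ListenerArn": {"Ref": "HTTPSListener"}}}}}
# Constructed sample in the shape of `aws elbv2 describe-listener-certificates` output
LISTENER = {"Certificates": [{"CertificateArn": PREFIX + "EXAMPLE-old"},
                             {"CertificateArn": PREFIX + "EXAMPLE-api"}]}
SANS = {PREFIX + "EXAMPLE-old": ["*.domain1.com"],
        PREFIX + "EXAMPLE-api": ["api.domain2.com"],
        PREFIX + "EXAMPLE-wildcard": ["*.domain1.com", "*.domain2.com", "*.domain3.com"]}
HOSTS = ["app.domain1.com", "api.domain2.com", "something.domain3.com"]

if __name__ == "__main__":
    missing, uncovered = check_listener(TEMPLATE, LISTENER, SANS, HOSTS)
    print("declared but not attached:", missing)
    print("hosts with no matching certificate:", uncovered)
```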
