From ce2c3f1ecebc2a92edf8eb694feeb03f203f54d6 Mon Sep 17 00:00:00 2001 From: blkgrlcto Date: Wed, 11 Feb 2026 10:51:53 -0500 Subject: [PATCH 1/4] Update external-port-range.mdx --- .../networking/external-port-range.mdx | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/src/content/docs/aws/capabilities/networking/external-port-range.mdx b/src/content/docs/aws/capabilities/networking/external-port-range.mdx index 7f689030..a87c1cee 100644 --- a/src/content/docs/aws/capabilities/networking/external-port-range.mdx +++ b/src/content/docs/aws/capabilities/networking/external-port-range.mdx 
@@ -104,3 +104,33 @@ services: By customizing the `GATEWAY_LISTEN` and `EXTERNAL_SERVICE_PORTS_START`/`EXTERNAL_SERVICE_PORTS_END` values for each instance, you can ensure that they operate on distinct port ranges, preventing any conflicts and enabling smooth execution of multiple LocalStack instances. Please make sure to set `MAIN_CONTAINER_NAME` for following usages of the LocalStack CLI to specify which instance of LocalStack you want to address with the specific CLI command. + +## TLS Certificate Coverage for `localhost.localstack.cloud` +LocalStack provides TLS certificates for the `localhost.localstack.cloud` domain, which allows secure HTTPS access to service endpoints using region-specific hostnames such as: +```arduino +https://s3.us-east-1.localhost.localstack.cloud:4566 +``` +These certificates enable proper hostname validation for supported AWS regions when using HTTPS with SDKs, the AWS CLI, browsers, and other tools. + +### Supported Regions + +Due to certificate authority and infrastructure limitations, TLS certificates are currently only issued for a subset of AWS regions. If you attempt to use an unsupported region, you may encounter TLS errors such as: + +```vbnet +SSL: CERTIFICATE_VERIFY_FAILED +hostname mismatch +x509: certificate is not valid for any names +``` +The full list of supported regions is available here: +- `us-east-1` +- `us-east-2` +- `us-west-1` +- `us-west-2` +- `eu-central-1` +- `eu-west-1` + +### Why this limitation exists + +TLS certificates must explicitly include supported hostnames. Because each region requires hostname coverage, and certificate authorities impose size and validation constraints, it is currently not possible to include all AWS regions in the LocalStack certificate. + +We are actively working to expand coverage where technically feasible. From 50de355dc0d1b33d5ba669495a6cf2d6c76a20e2 Mon Sep 17 00:00:00 2001 
From: blkgrlcto Date: Wed, 11 Feb 2026 12:04:48 -0500 Subject: [PATCH 2/4] added new page - added new page HTTPS/TLS support - removed TLS reference in External port range page - added note to overview linking to new page --- .../networking/external-port-range.mdx | 29 --------------- .../networking/https-tls-support.mdx | 36 +++++++++++++++++++ .../aws/capabilities/networking/index.mdx | 4 +++ 3 files changed, 40 insertions(+), 29 deletions(-) create mode 100644 src/content/docs/aws/capabilities/networking/https-tls-support.mdx diff --git a/src/content/docs/aws/capabilities/networking/external-port-range.mdx b/src/content/docs/aws/capabilities/networking/external-port-range.mdx index a87c1cee..1fc870e9 100644 --- a/src/content/docs/aws/capabilities/networking/external-port-range.mdx +++ b/src/content/docs/aws/capabilities/networking/external-port-range.mdx 
@@ -105,32 +105,3 @@ services: By customizing the `GATEWAY_LISTEN` and `EXTERNAL_SERVICE_PORTS_START`/`EXTERNAL_SERVICE_PORTS_END` values for each instance, you can ensure that they operate on distinct port ranges, preventing any conflicts and enabling smooth execution of multiple LocalStack instances. Please make sure to set `MAIN_CONTAINER_NAME` for following usages of the LocalStack CLI to specify which instance of LocalStack you want to address with the specific CLI command. -## TLS Certificate Coverage for `localhost.localstack.cloud` -LocalStack provides TLS certificates for the `localhost.localstack.cloud` domain, which allows secure HTTPS access to service endpoints using region-specific hostnames such as: -```arduino -https://s3.us-east-1.localhost.localstack.cloud:4566 -``` -These certificates enable proper hostname validation for supported AWS regions when using HTTPS with SDKs, the AWS CLI, browsers, and other tools. - -### Supported Regions - -Due to certificate authority and infrastructure limitations, TLS certificates are currently only issued for a subset of AWS regions. If you attempt to use an unsupported region, you may encounter TLS errors such as: - -```vbnet -SSL: CERTIFICATE_VERIFY_FAILED -hostname mismatch -x509: certificate is not valid for any names -``` -The full list of supported regions is available here: -- `us-east-1` -- `us-east-2` -- `us-west-1` -- `us-west-2` -- `eu-central-1` -- `eu-west-1` - -### Why this limitation exists - -TLS certificates must explicitly include supported hostnames. Because each region requires hostname coverage, and certificate authorities impose size and validation constraints, it is currently not possible to include all AWS regions in the LocalStack certificate. - -We are actively working to expand coverage where technically feasible. 
diff --git a/src/content/docs/aws/capabilities/networking/https-tls-support.mdx b/src/content/docs/aws/capabilities/networking/https-tls-support.mdx new file mode 100644 index 00000000..90a46e16 --- /dev/null +++ b/src/content/docs/aws/capabilities/networking/https-tls-support.mdx @@ -0,0 +1,36 @@ +--- +title: HTTPS/TLS Support +description: Overview of TLS certificate coverage for the `localhost.localstack.cloud` domain and supported AWS regions for secure HTTPS access to LocalStack service endpoints +template: doc +sidebar: + order: 7 +--- +## Introduction +LocalStack provides TLS certificates for the `localhost.localstack.cloud` domain, which allows secure HTTPS access to service endpoints using region-specific hostnames such as: +```arduino +https://s3.us-east-1.localhost.localstack.cloud:4566 +``` +These certificates enable proper hostname validation for supported AWS regions when using HTTPS with SDKs, the AWS CLI, browsers, and other tools. + +### Supported Regions + +Due to certificate authority and infrastructure limitations, TLS certificates are currently only issued for a subset of AWS regions. If you attempt to use an unsupported region, you may encounter TLS errors such as: + +```vbnet +SSL: CERTIFICATE_VERIFY_FAILED +hostname mismatch +x509: certificate is not valid for any names +``` +The full list of supported regions is available here: +- `us-east-1` +- `us-east-2` +- `us-west-1` +- `us-west-2` +- `eu-central-1` +- `eu-west-1` + +### Why this limitation exists + +TLS certificates must explicitly include supported hostnames. Because each region requires hostname coverage, and certificate authorities impose size and validation constraints, it is currently not possible to include all AWS regions in the LocalStack certificate. + +We are actively working to expand coverage where technically feasible. 
diff --git a/src/content/docs/aws/capabilities/networking/index.mdx b/src/content/docs/aws/capabilities/networking/index.mdx index c6dc4aaa..be5c610a 100644 --- a/src/content/docs/aws/capabilities/networking/index.mdx +++ b/src/content/docs/aws/capabilities/networking/index.mdx @@ -49,6 +49,10 @@ For example, setting the `endpoint_url` parameter with an [AWS SDK](/aws/integra } ]} /> +:::note +TLS certificates for `localhost.localstack.cloud` support only certain AWS regions. See [TLS Certificate Coverage](/aws/capabilities/networking/https-tls-support) for details. +::: + ## [Using transparent endpoint injection](/aws/capabilities/networking/transparent-endpoint-injection) For example, you have a Lambda function that needs to access LocalStack resources. From 1695103e810f7ecdcf44e0d3f838b42fbef7adc7 Mon Sep 17 00:00:00 2001 From: Quetzalli Date: Thu, 12 Feb 2026 13:22:39 -0800 Subject: [PATCH 3/4] spacing fixes Added information about TLS certificates for secure HTTPS access and hostname validation for AWS regions. --- .../docs/aws/capabilities/networking/https-tls-support.mdx | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/content/docs/aws/capabilities/networking/https-tls-support.mdx b/src/content/docs/aws/capabilities/networking/https-tls-support.mdx index 90a46e16..903bf972 100644 --- a/src/content/docs/aws/capabilities/networking/https-tls-support.mdx +++ b/src/content/docs/aws/capabilities/networking/https-tls-support.mdx @@ -5,8 +5,11 @@ template: doc sidebar: order: 7 --- + ## Introduction + LocalStack provides TLS certificates for the `localhost.localstack.cloud` domain, which allows secure HTTPS access to service endpoints using region-specific hostnames such as: + ```arduino https://s3.us-east-1.localhost.localstack.cloud:4566 ``` @@ -21,7 +24,9 @@ SSL: CERTIFICATE_VERIFY_FAILED hostname mismatch x509: certificate is not valid for any names ``` + The full list of supported regions is available here: + - `us-east-1` - `us-east-2` - `us-west-1` 
From 405e01a5b10f3dd738b64a85f423c6b9ae6f27ca Mon Sep 17 00:00:00 2001 From: Quetzalli Date: Thu, 12 Feb 2026 13:23:52 -0800 Subject: [PATCH 4/4] punctuation --- .../docs/aws/capabilities/networking/https-tls-support.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/aws/capabilities/networking/https-tls-support.mdx b/src/content/docs/aws/capabilities/networking/https-tls-support.mdx index 903bf972..bededcbc 100644 --- a/src/content/docs/aws/capabilities/networking/https-tls-support.mdx +++ b/src/content/docs/aws/capabilities/networking/https-tls-support.mdx @@ -1,6 +1,6 @@ --- title: HTTPS/TLS Support -description: Overview of TLS certificate coverage for the `localhost.localstack.cloud` domain and supported AWS regions for secure HTTPS access to LocalStack service endpoints +description: Overview of TLS certificate coverage for the `localhost.localstack.cloud` domain and supported AWS regions for secure HTTPS access to LocalStack service endpoints. template: doc sidebar: order: 7
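Review bot: In PATCH 1/4, the new "TLS Certificate Coverage for `localhost.localstack.cloud`" section is appended to external-port-range.mdx directly after the `MAIN_CONTAINER_NAME` paragraph, yet nothing in it concerns port ranges, so readers of that page get an unrelated TLS topic at the bottom. PATCH 2/4 moves the same text to its own page; consider squashing 1/4 into 2/4 so the history does not carry an add-then-remove of the same section.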
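Review bot: In the new https-tls-support.mdx (PATCH 2/4), the "Supported Regions" section lists the errors a reader hits on an unsupported region (`SSL: CERTIFICATE_VERIFY_FAILED`, `hostname mismatch`, `x509: certificate is not valid for any names`) but never says what to do about them. Add a sentence with the supported way forward (for example, pointing the endpoint at one of the six listed regions), because without one the usual reaction to these errors is to turn off certificate verification in the client. Two smaller points in the same hunk: the fences are tagged `arduino` and `vbnet` although they hold a URL and error output, so a neutral `text` tag would avoid misleading highlighting; and "The full list of supported regions is available here:" reads like a link, where "The supported regions are:" would match the inline list that follows.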
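Review bot: In the index.mdx `:::note` (PATCH 2/4), the link text "TLS Certificate Coverage" does not match the title of the page it points to, which the same patch sets to `title: HTTPS/TLS Support`. Use the page title as the link text so the overview and the sidebar show the same name. The note could also state the consequence (HTTPS requests to other regions fail hostname validation), since "support only certain AWS regions" does not tell the reader what breaks.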
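Review bot: In PATCH 3/4, the first hunk stops at the closing fence of the URL example without adding a blank line after it, so per PATCH 2/4 that fence is still followed directly by "These certificates enable proper hostname validation…", while the second hunk does add a blank line after the error-output fence. Add the missing blank line so both fences are spaced the same way. The commit body ("Added information about TLS certificates…") also describes content this patch does not add; the diff is five blank lines, so the subject "spacing fixes" alone would be accurate.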
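Review bot: In PATCH 4/4, the changed `description:` front-matter line still wraps `localhost.localstack.cloud` in Markdown backticks; front matter is not rendered as Markdown, so the backticks are likely to appear literally wherever the description is shown. Drop them while this line is being touched.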