Thanks for the reply! Having certs on ACM is a lot better since you can even forget about ECS Fargate and S3. You can provision certs for any domain (wild card included) and not worry about a thing. The problem is that, you’re not able to use these certs anywhere outside of AWS managed products etc ELB, Cloudfront, since you cannot obtain private keys.
What my post is trying to acomplish is having the certs on instance which is actually using them too etc Wordpress web server. This is not an idle instance that produces certificates.
Your approach is creative, however adds a layer of unecessary complexity, as well as reduced security due to private key being stored in multiple locations, and possibly even bigger management overhead.
If money was no issue, I’d have ELB in front of my EC2, which terminates AWS managed ACM certs. But that’s extra 15 to 20 dollars a month. Which was pointless for my project, because I could have the same outcome for half the money.
Of course bussiness / production solution would have to be more resilient.