SNI validation doesn't work even when Amazon ELBs are configured to do straight TCP passthrough

konklone · 2016-05-04 12:24:33 UTC

I know that Amazon’s ELBs don’t support SNI in general, but they can also be configured to do “TCP pass through” as a layer 4 load balancer. When configured this way, ELBs don’t terminate TLS, but just pass on the encrypted stream to the instances behind the ELB.

I thought that configuring an ELB this way would allow for the SNI validation method to work, but this doesn’t seem to be the case. I haven’t dived into exactly why, and my understanding of layer 4 load balancing with encrypted packets isn’t strong, but I haven’t seen this exact issue mentioned anywhere online with ACME or Let’s Encrypt, so I wanted to document it.

pfg · 2016-05-04 13:16:22 UTC

I was able to issue a certificate using TLS-SNI-01 (via --standalone --standalone-supported-challenges tls-sni-01) with the following ELB config:

{
    "LoadBalancerDescriptions": [
        {
            "Subnets": [
                "subnet-***",
                "subnet-***"
            ],
            "CanonicalHostedZoneNameID": "***",
            "CanonicalHostedZoneName": "***.eu-west-1.elb.amazonaws.com",
            "ListenerDescriptions": [
                {
                    "Listener": {
                        "InstancePort": 443,
                        "LoadBalancerPort": 443,
                        "Protocol": "TCP",
                        "InstanceProtocol": "TCP"
                    },
                    "PolicyNames": []
                }
            ],
            "HealthCheck": {
                "HealthyThreshold": 10,
                "Interval": 30,
                "Target": "HTTP:80/",
                "Timeout": 5,
                "UnhealthyThreshold": 2
            },
            "VPCId": "vpc-***",
            "BackendServerDescriptions": [],
            "Instances": [
                {
                    "InstanceId": "i-***"
                }
            ],
            "DNSName": "***.eu-west-1.elb.amazonaws.com",
            "SecurityGroups": [
                "sg-***"
            ],
            "Policies": {
                "LBCookieStickinessPolicies": [],
                "AppCookieStickinessPolicies": [],
                "OtherPolicies": []
            },
            "LoadBalancerName": "***",
            "CreatedTime": "2016-05-04T12:44:58.420Z",
            "AvailabilityZones": [
                "eu-west-1b",
                "eu-west-1a"
            ],
            "Scheme": "internet-facing",
            "SourceSecurityGroup": {
                "OwnerAlias": "***",
                "GroupName": "launch-wizard-10"
            }
        }
    ]
}

I’m guessing your issue isn’t related to ELB (unless there’s a difference somewhere in our configs). Feel free to post logs if you need any assistance!