SNI validation doesn't work even when Amazon ELBs are configured to do straight TCP passthrough


I know that Amazon’s ELBs don’t support SNI in general, but they can also be configured to do “TCP pass through” as a layer 4 load balancer. When configured this way, ELBs don’t terminate TLS, but just pass on the encrypted stream to the instances behind the ELB.

I thought that configuring an ELB this way would allow for the SNI validation method to work, but this doesn’t seem to be the case. I haven’t dived into exactly why, and my understanding of layer 4 load balancing with encrypted packets isn’t strong, but I haven’t seen this exact issue mentioned anywhere online with ACME or Let’s Encrypt, so I wanted to document it.


I was able to issue a certificate using TLS-SNI-01 (via --standalone --standalone-supported-challenges tls-sni-01) with the following ELB config:

    "LoadBalancerDescriptions": [
            "Subnets": [
            "CanonicalHostedZoneNameID": "***",
            "CanonicalHostedZoneName": "***",
            "ListenerDescriptions": [
                    "Listener": {
                        "InstancePort": 443,
                        "LoadBalancerPort": 443,
                        "Protocol": "TCP",
                        "InstanceProtocol": "TCP"
                    "PolicyNames": []
            "HealthCheck": {
                "HealthyThreshold": 10,
                "Interval": 30,
                "Target": "HTTP:80/",
                "Timeout": 5,
                "UnhealthyThreshold": 2
            "VPCId": "vpc-***",
            "BackendServerDescriptions": [],
            "Instances": [
                    "InstanceId": "i-***"
            "DNSName": "***",
            "SecurityGroups": [
            "Policies": {
                "LBCookieStickinessPolicies": [],
                "AppCookieStickinessPolicies": [],
                "OtherPolicies": []
            "LoadBalancerName": "***",
            "CreatedTime": "2016-05-04T12:44:58.420Z",
            "AvailabilityZones": [
            "Scheme": "internet-facing",
            "SourceSecurityGroup": {
                "OwnerAlias": "***",
                "GroupName": "launch-wizard-10"

I’m guessing your issue isn’t related to ELB (unless there’s a difference somewhere in our configs). Feel free to post logs if you need any assistance!