Configuring HTTPS Between AWS Load Balancer and Backend Servers with Custom SSL Certificate

I’ve successfully set up HTTPS termination at the AWS Load Balancer, but now I need to secure the connections between the load balancer and my backend servers running Apache on EC2 with a custom SSL certificate. I followed the provided AWS documentation and managed to reach the site, but it keeps throwing 502 gateway errors.

Here’s what I’ve checked so far:

  • Security groups are set to allow traffic from the Load Balancer to the Apache servers.
  • Network ACLs are configured to allow routing within the VPC (HTTP works well).
  • The HTTPS listener for Apache is active (I can access it directly via the EC2 instance).
  • I created a PublicKeyPolicyType that links to my certificate’s public key.
  • I’ve set up a BackendServerAuthenticationPolicyType that connects to the public key policy.
  • This backend authentication policy is utilized with my load balancer.
  • The SSL negotiation policy is aligned with the ciphers defined in my Apache setup.
  • Apache logs show incoming HTTP requests but not HTTPS requests.

How can I acquire further diagnostic details to resolve this connectivity issue?

Load balancer configuration:

aws elbv2 describe-load-balancers --names my-web-balancer
{
    "LoadBalancers": [
        {
            "LoadBalancerArn": "HIDDEN",
            "DNSName": "my-web-balancer.us-east-1.elb.amazonaws.com",
            "CanonicalHostedZoneId": "HIDDEN",
            "CreatedTime": "2023-05-15T14:22:33.120Z",
            "LoadBalancerName": "my-web-balancer",
            "Scheme": "internet-facing",
            "VpcId": "HIDDEN",
            "State": {
                "Code": "active"
            },
            "Type": "application",
            "AvailabilityZones": [
                {
                    "ZoneName": "us-east-1a",
                    "SubnetId": "HIDDEN"
                },
                {
                    "ZoneName": "us-east-1b",
                    "SubnetId": "HIDDEN"
                }
            ],
            "SecurityGroups": [
                "sg-12345678"
            ]
        }
    ]
}

Apache configuration for virtual host:

<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html
    
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder on
    
    ProxyPreserveHost On
    ProxyPass /api/ http://localhost:9000/
    ProxyPassReverse /api/ http://localhost:9000/
</VirtualHost>

Commands to generate certificates:

openssl genrsa -out /etc/ssl/private/server.key 4096
openssl req -new -key /etc/ssl/private/server.key -out /tmp/server.csr
openssl x509 -req -days 730 -in /tmp/server.csr -signkey /etc/ssl/private/server.key -out /etc/ssl/certs/server.crt

Sounds like your ALB and backend aren’t talking the same language. Apache’s showing HTTP requests but not HTTPS, which means your load balancer’s probably sending HTTP traffic to port 443 where Apache’s expecting HTTPS. Check your target group protocol - it needs to match what Apache’s actually configured for on 443. Turn on ALB access logs so you can see exactly what’s getting forwarded and what response codes you’re getting back. Run aws elbv2 describe-target-health to make sure your targets are actually healthy. Since you’re using a self-signed cert, your ALB needs to trust your custom CA - double-check that certificate validation is set up right in your target group settings.

check your target group health - sounds like the alb can't reach your backend on port 443. also make sure the target group's set for https, not http. common mistake is leaving it on http when you're doing ssl passthrough.

hold up - you’re using alb but talking about publickeypolicytype and backendserverauthenticationpolicytype. those are old-school elb features. are you mixing up your configs? what protocol does your target group show when you run aws elbv2 describe-target-groups?
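Added example (not code from any of the posters): a small Python check that applies the advice in the replies above to the JSON that `aws elbv2 describe-target-groups` and `aws elbv2 describe-target-health` print. The two JSON samples are constructed to resemble the asker's setup (target group name, instance id and health-check values are made up); in practice you would pipe the real CLI output into it.

```python
import json

# Constructed sample of `aws elbv2 describe-target-groups` output (names are made up).
# It shows the mismatch both replies point at: plain HTTP forwarded to port 443.
SAMPLE_TARGET_GROUPS = json.loads("""
{"TargetGroups": [{"TargetGroupName": "my-web-targets", "Protocol": "HTTP", "Port": 443,
  "HealthCheckProtocol": "HTTP", "HealthCheckPort": "traffic-port", "HealthCheckPath": "/"}]}
""")

# Constructed sample of `aws elbv2 describe-target-health` for the same group.
SAMPLE_TARGET_HEALTH = json.loads("""
{"TargetHealthDescriptions": [{"Target": {"Id": "i-0123456789abcdef0", "Port": 443},
  "HealthCheckPort": "443", "TargetHealth": {"State": "unhealthy",
  "Reason": "Target.FailedHealthChecks", "Description": "Health checks failed"}}]}
""")


def diagnose(target_groups, target_health):
    """Return a list of findings explaining why an ALB -> Apache HTTPS path yields 502s."""
    findings = []
    for tg in target_groups["TargetGroups"]:
        name, proto, port = tg["TargetGroupName"], tg["Protocol"], tg["Port"]
        hc_proto, hc_port = tg["HealthCheckProtocol"], tg["HealthCheckPort"]
        if hc_port == "traffic-port":          # default: health checks use the target port
            hc_port = str(port)
        # Cleartext HTTP sent to a port where Apache has SSLEngine on: Apache cannot
        # parse it as TLS, the request fails, and the ALB answers the client with 502.
        if proto == "HTTP" and port == 443:
            findings.append(f"{name}: target group protocol is HTTP but port is 443; "
                            "set the target group protocol to HTTPS")
        # Same mismatch on the health check keeps every target out of rotation.
        if hc_proto == "HTTP" and hc_port == "443":
            findings.append(f"{name}: health check uses HTTP against port 443; "
                            "set HealthCheckProtocol to HTTPS")
    for desc in target_health["TargetHealthDescriptions"]:
        target, health = desc["Target"], desc["TargetHealth"]
        if health["State"] != "healthy":
            findings.append(f"{target['Id']}:{target['Port']} is {health['State']} "
                            f"({health.get('Reason', 'no reason given')}); "
                            "the ALB will not forward traffic to it")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_TARGET_GROUPS, SAMPLE_TARGET_HEALTH):
        print(line)
```

Note that an ALB does not validate the certificate a target presents, so the self-signed certificate from the question is acceptable once the target group protocol is HTTPS; the PublicKeyPolicyType and BackendServerAuthenticationPolicyType policies belong to Classic Load Balancers and have no effect on an ALB.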