When terminating the SSL at the Load Balancer, how would x.509 certificate authentication work?

We’re using x.509 client certificates to authenticate to EMQX. This page in the docs recommends terminating the SSL at the LB. Sounds great. We already do that for a number of other services that are behind an ELB in AWS. However, in the case of EMQX we’re using x.509 certificates for authentication, and I don’t see how we can terminate the SSL connection at the LB and still be authenticated by EMQX.

Perhaps I’m missing something?

UPDATE: this AWS document reads:

Network Load Balancers do not support TLS renegotiation or mutual TLS authentication (mTLS). For mTLS support, create a TCP listener instead of a TLS listener. The load balancer passes the request through as is, so you can implement mTLS on the target.

So it seems to me then that the guidance in the EMQX documentation to terminate the SSL at the LB only applies if you’re not doing certificate authentication.

Sorry, this is probably causing you confusion because the docs don’t explicitly state this.

Terminating TLS at the LB and authenticating with x509 certificates are indeed mutually exclusive.

Thanks for the quick reply.

Does that mean that we can/should use a trusted certificate (perhaps from Let’s Encrypt) for the cert.pem and key.pem but a self-signed cacert.pem?

This is not Let’s Encrypt’s fault; generally, we recommend using your own CA certificate to issue client certificates.

You can refer to this guide:
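The following is an added example, not code from the forum thread or from the EMQX project. It shows the setup the replies above describe: a private, self-signed CA that plays the role of cacert.pem and issues the client certificates, a server certificate issued by a separate CA (standing in for a public issuer, since the server certificate's issuer and the client trust anchor are independent), and the chain check the broker performs against cacert.pem once the load balancer passes the TCP connection through untouched. The file names, the CNs, the second "public" CA and the rogue certificate are assumptions for the demonstration; the openssl CLI (1.1.1 or newer) is required.

```shell
#!/bin/sh
# Added example, not from the forum thread or the EMQX project. Builds a private CA,
# issues client certificates from it and checks, with openssl verify, what a broker
# holding that CA as cacert.pem would accept. Needs the openssl CLI (1.1.1 or newer).
# File names, CNs and the second "public" CA are assumptions for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints      = critical, CA:TRUE
keyUsage              = critical, keyCertSign, cRLSign
subjectKeyIdentifier  = hash
EOF

# Self-signed CA. $1 = file stem, $2 = CN.
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Leaf cert signed by a CA. $1 = CA stem, $2 = leaf stem, $3 = CN, $4 = extended key usage.
issue_cert() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=%s\n' "$4" \
    > "$WORK/$2.ext"
  openssl x509 -req -sha256 -days 90 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -extfile "$WORK/$2.ext" \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Exit 0 if the leaf chains to the CA and is usable as a TLS client certificate. This is
# the check the broker performs against cacert.pem when client verification is required;
# it can only happen if the client's TLS session reaches the broker, i.e. the load
# balancer is a TCP passthrough listener rather than a TLS-terminating one.
verify_client() {
  openssl verify -CAfile "$WORK/$1.pem" -purpose sslclient "$WORK/$2.pem" >/dev/null 2>&1
}

# CN of a leaf cert, the identity a broker would derive from the client certificate.
client_cn() {
  openssl x509 -in "$WORK/$1.pem" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}

build_pki() {
  make_ca private-ca "Example private MQTT CA"      # the self-signed cacert.pem
  make_ca public-ca  "Stand-in for a public CA"     # stands in for a public issuer
  issue_cert public-ca  server   mqtt.example.com serverAuth  # cert.pem / key.pem
  issue_cert private-ca device01 device01         clientAuth  # a legitimate device
  issue_cert public-ca  rogue    device01         clientAuth  # same CN, wrong issuer
}

build_pki
verify_client private-ca device01 && echo "device01: accepted, CN=$(client_cn device01)"
verify_client private-ca rogue    || echo "rogue: rejected, not issued by the CA in cacert.pem"
```

The server certificate deliberately comes from a different CA than the client certificates: the broker's cert.pem/key.pem only have to be trusted by the clients, while cacert.pem only has to contain the CA that issued the client certificates. The rogue certificate carries the same CN as the legitimate device but is rejected because its issuer is not in cacert.pem, which is why the issuing CA, not the CN, is the security boundary.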