How to enable SSL Renegotiation on ALB to accept a self signed certificate?

Question

Our architecture currently has an ALB fronting some containers in Fargate.
The ALB uses self signed certificate to support SSL connections from clients, then it routes traffic via HTTP to the application inside the Fargate container.
Now, we need to change that architecture so that the ALB creates a new SSL connection to the backend application.
I see that I can set the ALB's targets to use HTTPS / 443 and I can also set the backend app to accept traffic on 443.
Given that the backend app will have its own self signed cert, then for the purposes of this part of the traffic flow, the ALB represents the client and would need to accept the certificate served by the backend app.  
How/where do I configure the ALB's trust store to accept that certificate?

rePost-User-8075085 · Accepted Answer

Shortly after posting question I found this documentation   https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-group-protocol-version.
In the Routing configuration section it essentially says that the ALB will accept ANY SSL certificate on traffic between ALB and backend application

> The load balancer establishes TLS connections with the targets using certificates that you install on the targets. The load balancer does not validate these certificates. Therefore, you can use self-signed certificates or certificates that have expired.

secondabhi_aws · Answer

Please refer this [thread](https://repost.aws/questions/QU97HoG_YMQxO1LXTj76ui-w/traffic-between-alb-and-backend-ec2-instance-needs-to-be-encrypted), it has the same ask, you should be able to achieve this quite easily.

Hope you find this useful.

Abhishek

How to enable SSL Renegotiation on ALB to accept a self signed certificate?

Relevant content