# Fix AWS NLB TLS Termination Issues

You're configuring TLS termination on an AWS Network Load Balancer (NLB) but encountering certificate issues, connection errors, or failing health checks. An NLB handles TLS differently from an ALB: it terminates the session at Layer 4 and forwards raw TCP, so certificate placement, listener/target-group protocol pairing and health checks all have to line up.

Introduction

This article covers troubleshooting steps and solutions for TLS termination on an AWS NLB: certificates the listener cannot find or that never validate, TLS listeners that cannot be created, weak or incompatible security policies, and targets that go unhealthy once TLS is in the path. These failures usually surface in production when a listener or certificate is changed, and they take the service down until fixed.

Symptoms

Common error messages and failure modes include:

  • `Certificate not found for listener` when creating or modifying a TLS listener
  • The ACM certificate stays in `PENDING_VALIDATION` and cannot be attached
  • `Cannot create TLS listener` (listener creation rejected)
  • Target health checks failing after a TLS listener or TLS target group is configured
  • Clients failing the handshake against the NLB (protocol version or cipher not supported by the listener's security policy)
  • Targets seeing the NLB's address, or garbage leading bytes, instead of the client's IP

Common Causes

  • The ACM certificate is in a different region than the NLB (ACM is regional)
  • The certificate is still PENDING_VALIDATION, or has expired, so it cannot be attached
  • Listener and target-group protocols do not match the intended mode (terminate, re-encrypt or passthrough)
  • The health-check protocol does not match what the target port actually speaks
  • The listener's security policy rejects the client's TLS version or cipher suites
  • Proxy Protocol v2 enabled on a target group whose application does not parse the header
  • The caller lacks the elbv2 or acm permissions for the listener or certificate operation (access denied)

Understanding NLB TLS Termination

NLB can handle TLS at two points:

  1. TLS listener - the NLB terminates the client's TLS session with an ACM certificate and forwards the decrypted stream to the target group (plaintext to a TCP target group, or re-encrypted to a TLS target group)
  2. TLS target group - the NLB originates a new TLS session to each target; it does not validate the target's certificate, so this protects the wire but does not authenticate the target

A third arrangement, TLS passthrough, uses a TCP listener and a TCP target group: the NLB never decrypts, and each target presents its own certificate.

Unlike ALB, NLB operates at Layer 4. A TLS listener decrypts the stream but does no HTTP processing: there is no host- or path-based routing, no redirect action and no header insertion, so the application behind it must handle those. The certificate itself has the same constraint as on ALB: it must be an ACM certificate in the same region as the load balancer.

Step-by-Step Fix

Check NLB configuration:

```bash
# Describe load balancer
aws elbv2 describe-load-balancers \
  --names my-nlb \
  --query 'LoadBalancers[*].[LoadBalancerName,Type,DNSName]'

# Describe listeners
NLB_ARN=$(aws elbv2 describe-load-balancers --names my-nlb \
  --query 'LoadBalancers[0].LoadBalancerArn' --output text)
aws elbv2 describe-listeners --load-balancer-arn "$NLB_ARN"

# Check certificates on a listener (default plus any additional SNI certificates)
aws elbv2 describe-listener-certificates \
  --listener-arn <listener-arn>
```

Check ACM certificates:

```bash
# List certificates in the current region (ACM is regional: run this in the NLB's region)
aws acm list-certificates

# Describe certificate (status, domains, validation state)
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/abc123
```

Common Issues and Solutions

Issue 1: Certificate Not Found

```bash
# Error: Certificate not found for listener
```

Cause: ACM is regional. The certificate must exist, with status ISSUED, in the same region as the NLB. A certificate in another region is invisible to the listener even though its ARN is valid; the region is the fourth field of the ARN.

Solution:

```bash
# Check the certificate's region (fourth ARN field) and status
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/abc123 \
  --query 'Certificate.[CertificateArn,Status]'

# Request a certificate in the NLB's region (us-east-1 here); note the ARN it returns
aws acm request-certificate \
  --domain-name example.com \
  --validation-method DNS \
  --region us-east-1

# Set it as the listener's default certificate once Status is ISSUED
aws elbv2 modify-listener \
  --listener-arn <listener-arn> \
  --certificates CertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/abc123

# Or add it as an additional (SNI) certificate next to the existing default
aws elbv2 add-listener-certificates \
  --listener-arn <listener-arn> \
  --certificates CertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/abc123
```

Issue 2: Certificate Validation Pending

```bash
# Error: Certificate status is PENDING_VALIDATION
```

Cause: ACM will not issue the certificate until it sees its validation record in DNS. The record must be created in the zone that is authoritative for the domain; a record in the wrong hosted zone leaves the certificate pending indefinitely.

Solution:

```bash
# Get the DNS validation records ACM expects (one CNAME per domain name)
aws acm describe-certificate \
  --certificate-arn <cert-arn> \
  --query 'Certificate.DomainValidationOptions[*].[DomainName,ValidationStatus,ResourceRecord]'

# Create each record in the authoritative zone. ACM validation uses a CNAME
# (not a TXT record); ACM generates both the name and the value, for example:
#   _abc123.example.com.  CNAME  _xyz789.acm-validations.aws.

# Wait for validation (returns when the certificate is ISSUED)
aws acm wait certificate-validated --certificate-arn <cert-arn>
```
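The DNS step is where most pending certificates stall, so the following added example (not code from the page or from AWS) turns the JSON printed by `aws acm describe-certificate` into a Route 53 change batch. It reports which domain names are still pending and emits the UPSERT changes you would pass to `aws route53 change-resource-record-sets --change-batch file://...`. The certificate document embedded below is constructed; the record names and values are placeholders in ACM's format, not real validation tokens.

```python
"""Build a Route 53 change batch from `aws acm describe-certificate` output.

Added example, not from the page. The sample certificate is constructed and
its ResourceRecord names/values are placeholders in ACM's CNAME format.
"""
import json

# Constructed sample of `aws acm describe-certificate` output (abridged).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abc123",
        "DomainName": "example.com",
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {
                "DomainName": "example.com",
                "ValidationStatus": "PENDING_VALIDATION",
                "ValidationMethod": "DNS",
                "ResourceRecord": {
                    "Name": "_1a2b3c.example.com.",
                    "Type": "CNAME",
                    "Value": "_4d5e6f.acm-validations.aws.",
                },
            },
            {
                "DomainName": "www.example.com",
                "ValidationStatus": "SUCCESS",
                "ValidationMethod": "DNS",
                "ResourceRecord": {
                    "Name": "_7g8h9i.www.example.com.",
                    "Type": "CNAME",
                    "Value": "_0j1k2l.acm-validations.aws.",
                },
            },
        ],
    }
})


def pending_domains(describe_json: str) -> list:
    """Domain names whose validation has not reached SUCCESS."""
    cert = json.loads(describe_json)["Certificate"]
    return [
        opt["DomainName"]
        for opt in cert.get("DomainValidationOptions", [])
        if opt.get("ValidationStatus") != "SUCCESS"
    ]


def validation_change_batch(describe_json: str, ttl: int = 300) -> dict:
    """Route 53 ChangeBatch that UPSERTs every ACM validation CNAME.

    UPSERT is idempotent, so re-running after a re-request is safe. Records
    already marked SUCCESS are included too: ACM re-checks them at managed
    renewal, so they must stay in the zone.
    """
    cert = json.loads(describe_json)["Certificate"]
    changes, seen = [], set()
    for opt in cert.get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if not rr or rr.get("Type") != "CNAME":
            continue  # e-mail validation or incomplete output: nothing to put in DNS
        if rr["Name"] in seen:
            continue  # a wildcard and its base name share one validation record
        seen.add(rr["Name"])
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": rr["Name"],
                "Type": "CNAME",
                "TTL": ttl,
                "ResourceRecords": [{"Value": rr["Value"]}],
            },
        })
    return {"Comment": f"ACM DNS validation for {cert['CertificateArn']}",
            "Changes": changes}


if __name__ == "__main__":
    print("still pending:", pending_domains(SAMPLE_DESCRIBE_OUTPUT))
    print(json.dumps(validation_change_batch(SAMPLE_DESCRIBE_OUTPUT), indent=2))
```

Pipe the real CLI output in (`aws acm describe-certificate ... --output json`), write the returned batch to a file, and submit it against the hosted zone that actually serves the domain; `aws acm wait certificate-validated` then returns once ACM has seen the records.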

Issue 3: TLS Listener Creation Failed

```bash
# Error: Cannot create TLS listener
```

Cause: A TLS listener requires a certificate that is ISSUED in the NLB's region, and it can only forward to a TCP or TLS target group (not UDP or TCP_UDP). Creation fails when the certificate is missing or not yet issued, or when the target group protocol is incompatible.

Solution:

```bash
# Create TLS listener with certificate
aws elbv2 create-listener \
  --load-balancer-arn <nlb-arn> \
  --protocol TLS \
  --port 443 \
  --certificates CertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/abc123 \
  --default-actions Type=forward,TargetGroupArn=<tg-arn>

# With an explicit security policy (otherwise the service default applies)
aws elbv2 create-listener \
  --load-balancer-arn <nlb-arn> \
  --protocol TLS \
  --port 443 \
  --certificates CertificateArn=<cert-arn> \
  --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
  --default-actions Type=forward,TargetGroupArn=<tg-arn>
```

Issue 4: Backend Connection Issues

```bash
# Error: Target health checks failing after TLS configuration
```

Cause: The target group protocol, port or health check no longer matches what the targets speak. Typical cases: a TLS target group pointed at targets that only serve plaintext HTTP, or a TCP listener pointed at a TLS target group (an invalid pairing: a TCP listener can only forward to TCP or TCP_UDP target groups, a TLS listener to TCP or TLS).

Solution: pick one of the three modes and make listener and target group agree.

```bash
# Option 1: Terminate TLS at the NLB, forward plaintext TCP to targets
#   TLS listener :443  ->  TCP target group :80
aws elbv2 create-target-group \
  --name my-targets \
  --protocol TCP \
  --port 80 \
  --vpc-id vpc-12345

aws elbv2 create-listener \
  --load-balancer-arn <nlb-arn> \
  --protocol TLS \
  --port 443 \
  --certificates CertificateArn=<cert-arn> \
  --default-actions Type=forward,TargetGroupArn=<tg-arn>

# Option 2: Terminate at the NLB and re-encrypt to targets
#   TLS listener :443  ->  TLS target group :443
#   Targets present their own certificate; the NLB does not validate it, so this
#   encrypts the hop to the target but does not authenticate the target
aws elbv2 create-target-group \
  --name my-tls-targets \
  --protocol TLS \
  --port 443 \
  --vpc-id vpc-12345

# Option 3: TLS passthrough (the NLB never decrypts)
#   TCP listener :443  ->  TCP target group :443
#   No certificate on the listener; each target terminates TLS itself
aws elbv2 create-target-group \
  --name my-passthrough-targets \
  --protocol TCP \
  --port 443 \
  --vpc-id vpc-12345

aws elbv2 create-listener \
  --load-balancer-arn <nlb-arn> \
  --protocol TCP \
  --port 443 \
  --default-actions Type=forward,TargetGroupArn=<tg-arn>
```

Issue 5: Multiple Certificates (SNI)

```bash
# Need to support multiple domains
```

Solution:

```bash
# Add additional certificates to the listener; the NLB picks one by the
# hostname the client sends in the SNI extension
aws elbv2 add-listener-certificates \
  --listener-arn <listener-arn> \
  --certificates CertificateArn=<cert-arn-1> CertificateArn=<cert-arn-2>

# The default certificate is the one set on the listener itself (create-listener
# or modify-listener), not the first one added. It is served to clients that send
# no SNI or a hostname matching none of the additional certificates, so choose it
# deliberately
aws elbv2 modify-listener \
  --listener-arn <listener-arn> \
  --certificates CertificateArn=<default-cert-arn>

# Confirm what the listener now holds (IsDefault marks the default certificate)
aws elbv2 describe-listener-certificates --listener-arn <listener-arn>
```

Issue 6: Security Policy Issues

```bash
# Error: Weak cipher suites, TLS version issues
```

Solution:

```bash
# List the policies available for network load balancers with the protocol
# versions each one allows
aws elbv2 describe-ssl-policies \
  --load-balancer-type network \
  --query 'SslPolicies[*].[Name,SslProtocols]'

# Use the recommended policy (TLS 1.2 and 1.3 only)
aws elbv2 modify-listener \
  --listener-arn <listener-arn> \
  --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06

# Commonly used policies:
# - ELBSecurityPolicy-TLS13-1-2-2021-06      TLS 1.3 and 1.2, AWS's recommended default
# - ELBSecurityPolicy-TLS13-1-2-Res-2021-06  same versions, restricted (smaller) cipher list
# - ELBSecurityPolicy-FS-1-2-Res-2020-10     TLS 1.2 only, forward-secrecy cipher suites only
# "Res" means restricted cipher suites, not FIPS. FIPS policies carry "FIPS" in the
# name (for example ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04)
```

Tightening the policy is a compatibility change: clients that only speak TLS 1.0/1.1 or lack the remaining cipher suites will fail the handshake, so check the client population before changing it in production.

Issue 7: Health Check Over TLS

```bash
# Health checks failing with TLS targets
```

Cause: The health-check protocol must match what the target port speaks. An HTTP health check against a TLS port is rejected at the handshake, and an HTTPS check against a plaintext port never gets a response.

Solution:

```bash
# Configure an HTTPS health check for TLS targets (--health-check-path is only
# valid with HTTP or HTTPS; use TCP if the target has no health endpoint)
aws elbv2 modify-target-group \
  --target-group-arn <tg-arn> \
  --health-check-protocol HTTPS \
  --health-check-port 443 \
  --health-check-path /health \
  --health-check-interval-seconds 30 \
  --health-check-timeout-seconds 10 \
  --healthy-threshold-count 2 \
  --unhealthy-threshold-count 2
```
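Issues 3 through 7 are all pairing problems, so the following added example (not code from the page or from AWS) audits them in one pass. It reads the JSON printed by `aws elbv2 describe-listeners` and `aws elbv2 describe-target-groups` and flags TLS listeners without a certificate, listeners on a policy outside a local allowlist, listener/target-group protocol pairs the NLB does not support, and plaintext HTTP health checks aimed at TLS ports. The listener and target-group documents below are constructed with shortened ARNs; the allowlist and the finding codes are this script's own choices.

```python
"""Audit NLB listener and target-group wiring from AWS CLI JSON.

Added example, not from the page. Samples are constructed; the policy
allowlist and finding codes are this script's own.
"""
import json

# Target-group protocols an NLB listener protocol may forward to.
VALID_TG_FOR_LISTENER = {
    "TCP": {"TCP", "TCP_UDP"},
    "TLS": {"TCP", "TLS"},
    "UDP": {"UDP", "TCP_UDP"},
    "TCP_UDP": {"TCP_UDP"},
}

# Local allowlist: the policies discussed on this page; FIPS variants pass by name.
APPROVED_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
    "ELBSecurityPolicy-FS-1-2-Res-2020-10",
}

TG_WEB = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/1"
TG_TLS = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/tls/2"

# Constructed `describe-listeners` output (abridged).
SAMPLE_LISTENERS = json.dumps({"Listeners": [
    {"Protocol": "TLS", "Port": 443,      # certificate present, legacy policy (allows TLS 1.0/1.1)
     "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abc123"}],
     "SslPolicy": "ELBSecurityPolicy-2016-08",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_WEB}]},
    {"Protocol": "TCP", "Port": 8443,     # TCP listener pointed at a TLS target group
     "DefaultActions": [{"Type": "forward",
                         "ForwardConfig": {"TargetGroups": [{"TargetGroupArn": TG_TLS}]}}]},
    {"Protocol": "TLS", "Port": 9443,     # TLS listener with no certificate at all
     "Certificates": [], "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_TLS}]},
]})

# Constructed `describe-target-groups` output (abridged).
SAMPLE_TARGET_GROUPS = json.dumps({"TargetGroups": [
    {"TargetGroupArn": TG_WEB, "TargetGroupName": "web", "Protocol": "TCP", "Port": 80,
     "HealthCheckProtocol": "TCP", "HealthCheckPort": "traffic-port"},
    {"TargetGroupArn": TG_TLS, "TargetGroupName": "tls", "Protocol": "TLS", "Port": 443,
     "HealthCheckProtocol": "HTTP", "HealthCheckPath": "/health",   # plaintext probe to a TLS port
     "HealthCheckPort": "traffic-port"},
]})


def forwarded_target_groups(listener):
    """Target-group ARNs the listener's default forward action sends traffic to."""
    arns = []
    for action in listener.get("DefaultActions", []):
        if action.get("Type") != "forward":
            continue
        if action.get("TargetGroupArn"):
            arns.append(action["TargetGroupArn"])
        for tg in action.get("ForwardConfig", {}).get("TargetGroups", []):
            arns.append(tg["TargetGroupArn"])
    return arns


def audit(listeners_json, target_groups_json):
    """Return (code, subject, detail) findings for a listener/target-group set."""
    listeners = json.loads(listeners_json)["Listeners"]
    tgs = {tg["TargetGroupArn"]: tg for tg in json.loads(target_groups_json)["TargetGroups"]}
    findings = []
    for lsn in listeners:
        subject = f"listener {lsn['Protocol']}:{lsn['Port']}"
        if lsn["Protocol"] == "TLS":
            if not lsn.get("Certificates"):
                findings.append(("TLS_LISTENER_NO_CERT", subject,
                                 "no certificate attached; clients cannot complete a handshake"))
            policy = lsn.get("SslPolicy", "")
            if policy not in APPROVED_POLICIES and "FIPS" not in policy:
                findings.append(("WEAK_SSL_POLICY", subject,
                                 f"{policy or '(default)'} is not on the allowlist"))
        for arn in forwarded_target_groups(lsn):
            tg = tgs.get(arn)
            if tg is None:
                findings.append(("TARGET_GROUP_MISSING", subject, f"{arn} not found"))
            elif tg["Protocol"] not in VALID_TG_FOR_LISTENER[lsn["Protocol"]]:
                findings.append(("PROTOCOL_MISMATCH", subject,
                                 f"{lsn['Protocol']} listener cannot forward to {tg['Protocol']} "
                                 f"target group {tg['TargetGroupName']}"))
    for tg in tgs.values():
        if tg["Protocol"] == "TLS" and tg.get("HealthCheckProtocol") == "HTTP":
            findings.append(("HEALTH_CHECK_PROTOCOL", f"target group {tg['TargetGroupName']}",
                             "plaintext HTTP health check against a TLS port; use HTTPS or TCP"))
    return findings


if __name__ == "__main__":
    for code, subject, detail in audit(SAMPLE_LISTENERS, SAMPLE_TARGET_GROUPS):
        print(f"{code:22} {subject}: {detail}")
```

Run it against the real output of the two describe commands (`--output json`) for the NLB in question; every finding maps to one of the fixes above, and an empty list means the wiring at least matches one of the three modes in Issue 4.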

Issue 8: Client IP Preservation

```bash
# Need client IP at target
```

Solution:

```bash
# Whether targets see the client's source IP is a target-group attribute. Check it
# rather than assuming: the default depends on target type and protocol (for IP
# targets behind TCP or TLS target groups it is disabled)
aws elbv2 describe-target-group-attributes --target-group-arn <tg-arn>

# Enable source IP preservation (the target sees the client's IP as the TCP source)
aws elbv2 modify-target-group-attributes \
  --target-group-arn <tg-arn> \
  --attributes Key=preserve_client_ip.enabled,Value=true

# Alternative: Proxy Protocol v2. The NLB prepends a binary header carrying the
# original source and destination to every connection. Only enable it if the
# software on the target port parses that header; otherwise the leading bytes of
# every connection are garbage to it and connections fail
aws elbv2 modify-target-group-attributes \
  --target-group-arn <tg-arn> \
  --attributes Key=proxy_protocol_v2.enabled,Value=true
```

The Proxy Protocol header is only trustworthy if the NLB is the only thing that can reach the target port: anything that can open a TCP connection to the target directly can write an arbitrary header of its own, so restrict ingress to the target accordingly.
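What the target actually receives after `proxy_protocol_v2.enabled` is turned on is a binary prefix on each connection, and the application has to strip it before reading client data. The following added example (not code from the page or from AWS) parses that header as a target would: signature, version/command, address family, original addresses and ports, and the TLV list, including the AWS-specific TLV type 0xEA whose subtype 0x01 carries the PrivateLink VPC endpoint ID. The sample connection is constructed with the block's own builder.

```python
"""Parse the PROXY protocol v2 header an NLB prepends to target connections.

Added example, not from the page. Header layout follows the PROXY protocol
v2 specification; 0xEA/0x01 is the AWS TLV for the VPC endpoint ID. The
sample connection is constructed.
"""
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_AWS = 0xEA   # AWS TLV; first value byte is a subtype (0x01 = VPC endpoint ID)


class ProxyHeaderError(ValueError):
    """Raised when the bytes are not a well-formed v2 header."""


def parse_proxy_v2(data: bytes):
    """Return (info, remaining_bytes) for a v2 header at the start of `data`.

    A target that expects the header must treat a missing or malformed one as
    a protocol error and close the connection; reading those bytes as
    application data would let a direct connection bypass the NLB's view of
    the client address.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ProxyHeaderError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ProxyHeaderError("not PROXY protocol version 2")
    if len(data) < 16 + length:
        raise ProxyHeaderError("truncated header")
    body, rest = data[16:16 + length], data[16 + length:]
    info = {"command": "PROXY" if (ver_cmd & 0x0F) == 1 else "LOCAL"}
    if info["command"] == "LOCAL":
        return info, rest   # proxy-originated connection: no client address carried
    family, proto = fam_proto >> 4, fam_proto & 0x0F
    if proto != 1:
        raise ProxyHeaderError("expected a STREAM (TCP) connection")
    if family == 1:         # AF_INET: 4+4 byte addresses, then two ports
        fmt, addr_len = "!4s4sHH", 12
    elif family == 2:       # AF_INET6: 16+16 byte addresses, then two ports
        fmt, addr_len = "!16s16sHH", 36
    else:
        raise ProxyHeaderError(f"unsupported address family {family}")
    if len(body) < addr_len:
        raise ProxyHeaderError("address block shorter than declared family")
    src, dst, sport, dport = struct.unpack(fmt, body[:addr_len])
    info.update(src=str(ipaddress.ip_address(src)), dst=str(ipaddress.ip_address(dst)),
                src_port=sport, dst_port=dport, tlvs={})
    tlvs = body[addr_len:]
    while tlvs:             # type(1) length(2) value(length), repeated to end of header
        if len(tlvs) < 3:
            raise ProxyHeaderError("truncated TLV")
        tlv_type, tlv_len = struct.unpack("!BH", tlvs[:3])
        if len(tlvs) < 3 + tlv_len:
            raise ProxyHeaderError("TLV length exceeds header")
        info["tlvs"][tlv_type] = tlvs[3:3 + tlv_len]
        tlvs = tlvs[3 + tlv_len:]
    return info, rest


def vpc_endpoint_id(info):
    """PrivateLink VPC endpoint ID from the AWS TLV, or None when absent."""
    value = info.get("tlvs", {}).get(PP2_TYPE_AWS)
    if value and value[0] == 0x01:
        return value[1:].decode("ascii")
    return None


def build_proxy_v2_tcp4(src, dst, sport, dport, tlvs=()):
    """Construct a PROXY/TCP4 v2 header; used here only to build the sample."""
    body = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    body += struct.pack("!HH", sport, dport)
    for tlv_type, value in tlvs:
        body += struct.pack("!BH", tlv_type, len(value)) + value
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


# Constructed sample: a client at 203.0.113.7 reaching a target on 10.0.1.20:443
# through a PrivateLink endpoint, followed by the first bytes of its request.
SAMPLE_CONNECTION = build_proxy_v2_tcp4(
    "203.0.113.7", "10.0.1.20", 51234, 443,
    tlvs=[(PP2_TYPE_AWS, b"\x01vpce-0123456789abcdef0")],
) + b"GET /health HTTP/1.1\r\n"

if __name__ == "__main__":
    header, payload = parse_proxy_v2(SAMPLE_CONNECTION)
    print(header["src"], header["src_port"], "->", header["dst"], header["dst_port"])
    print("vpce:", vpc_endpoint_id(header), "payload:", payload)
```

In a real server the parse runs once on the first bytes of each accepted socket (the header is at most 16 bytes plus the declared length), the returned `src` is what you log or rate-limit on, and the remainder is handed to the application protocol untouched.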

Complete NLB TLS Configuration

Terraform Example

```hcl
# Certificate
resource "aws_acm_certificate" "main" {
  domain_name       = "example.com"
  validation_method = "DNS"
}

# NLB
resource "aws_lb" "main" {
  name               = "my-nlb"
  internal           = false
  load_balancer_type = "network"
  subnets            = aws_subnet.public[*].id
}

# Target Group (plaintext TCP: TLS is terminated at the NLB)
resource "aws_lb_target_group" "main" {
  name     = "my-targets"
  port     = 80
  protocol = "TCP"
  vpc_id   = aws_vpc.main.id

  health_check {
    enabled             = true
    healthy_threshold   = 2
    interval            = 30
    port                = "traffic-port"
    protocol            = "TCP"
    unhealthy_threshold = 2
  }
}

# TLS Listener. The certificate must be ISSUED before this resource can be
# created; with DNS validation, create the validation records and depend on an
# aws_acm_certificate_validation resource, or the apply fails at the listener.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.main.arn
  port              = 443
  protocol          = "TLS"

  certificate_arn = aws_acm_certificate.main.arn
  ssl_policy      = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.main.arn
  }
}

# TCP Listener (optional). An NLB cannot redirect: port 80 is forwarded as-is and
# the target itself must answer with the HTTP-to-HTTPS redirect.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.main.arn
  port              = 80
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.main.arn
  }
}
```

CloudFormation Example

```yaml
AWSTemplateFormatVersion: '2010-09-09'

Resources:
  # With DNS validation and no DomainValidationOptions/HostedZoneId, the stack
  # waits here until the validation CNAME exists in the zone
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: example.com
      ValidationMethod: DNS

  NetworkLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: my-nlb
      Type: network
      Subnets:
        - subnet-12345
        - subnet-67890

  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: my-targets
      Port: 80
      Protocol: TCP
      VpcId: vpc-12345
      HealthCheckProtocol: TCP

  HTTPSListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref NetworkLoadBalancer
      Port: 443
      Protocol: TLS
      Certificates:
        - CertificateArn: !Ref Certificate
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup
```

Verification

```bash
# Test the TLS handshake. Send SNI (-servername): the NLB selects the certificate
# from it, and the NLB's own DNS name is not on your certificate
openssl s_client -connect my-nlb-123456.elb.us-east-1.amazonaws.com:443 \
  -servername example.com </dev/null

# Negotiated protocol version and cipher only
openssl s_client -connect my-nlb-123456.elb.us-east-1.amazonaws.com:443 \
  -servername example.com </dev/null 2>/dev/null | grep -E 'Protocol|Cipher'

# Test with curl before DNS is cut over: pin the real hostname to an NLB address
curl -v --resolve example.com:443:<nlb-ip> https://example.com/

# Check the served certificate (subject, SANs, validity dates)
echo | openssl s_client -connect my-nlb-123456.elb.us-east-1.amazonaws.com:443 \
  -servername example.com 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName -dates

# Test health checks
aws elbv2 describe-target-health \
  --target-group-arn <tg-arn>

# Check listener
aws elbv2 describe-listeners \
  --load-balancer-arn <nlb-arn>
```

Prevention

  1. [ ] Certificate is in same region as NLB
  2. [ ] Certificate is validated (not PENDING_VALIDATION)
  3. [ ] Certificate ARN is correct in listener
  4. [ ] Security policy supports required TLS versions
  5. [ ] Target group protocol matches listener configuration
  6. [ ] Health checks configured correctly
  7. [ ] Security groups allow traffic (if using targets with SGs)
  8. [ ] Multiple certificates added for SNI if needed
  9. [ ] DNS configured to point to NLB
  10. [ ] Test with openssl/curl to verify TLS handshake
  • [AWS troubleshooting: Fix IAM Permission Denied - Complete Tro](fix-iam-permission-denied)
  • [AWS cloud troubleshooting: AWS ACM Certificate Pending Validation Because the](aws-acm-certificate-pending-validation-wrong-route53-zone)
  • [AWS cloud troubleshooting: AWS ALB Returns 502 Because the Target Closed the ](aws-alb-502-target-closed-connection-keepalive-timeout-mismatch)
  • [AWS cloud troubleshooting: Fix AWS ALB CreateListener TargetGroupNotFound Err](aws-alb-createlistener-targetgroupnotfound)
  • [AWS cloud troubleshooting: Fix Aws Alb Lambda 502 Bad Gateway Issue in AWS](aws-alb-lambda-502-bad-gateway)

Published 2026-04-27 by the FixWikiHub Editorial Team, https://www.fixwikihub.com/fix-aws-nlb-tls-termination