Unable to run TLS renegotiation backends health checks

Problem

When you try to run Health Checks (UHC) for HTTPS backends that initiate TLS renegotiation, they fail.

An example of such a backend is Windows Server 2019 running IIS with Client Certificates set to Accept in SSL Settings.

Environment

  • HTTP/HTTPS Load Balancer
  • HTTPS Health Checks

Solution

Create a new site bound to a different IP:port and disable client certificates on it. This site is used only to proxy health check requests to the actual application health endpoint.

Workaround

Alternatively, use HTTP Health Checks, or update the SSL settings of your backend application to ignore Client Certificates.

Cause

UHC can probe HTTPS backends, but it does not expect a HelloRequest once the initial TLS handshake has completed. When the backend sends one to request renegotiation, UHC responds with an alert and the connection is dropped, so the backend is marked as unhealthy.

UHC behaves this way because TLS renegotiation is disabled by default in BoringSSL: the renegotiation mode is set to ssl_renegotiate_never.
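To confirm that a backend actually requests renegotiation on its health check path before changing its configuration, the following added example (not part of the original article) captures an `openssl s_client -msg` transcript of one request and checks it for a server-sent HelloRequest. It assumes the backend still offers TLS 1.2 (renegotiation does not exist in TLS 1.3) and uses placeholder host, port and path values.

```shell
#!/bin/sh
# Added example, not from the original article.
# Checks whether an HTTPS backend asks for TLS renegotiation (HelloRequest)
# after the initial handshake when a health check request is sent to it.

# Returns 0 if the s_client transcript in file $1 contains a HelloRequest
# received from the server, 1 otherwise. With -msg, s_client prefixes every
# received record with "<<<" and names handshake messages, e.g.
#   <<< TLS 1.2 Handshake [length 0004], HelloRequest
renegotiation_requested() {
  grep -q '^<<<.*HelloRequest' "$1"
}

# Sends one GET to the health path and writes the -msg transcript to $4.
# -tls1_2: renegotiation only exists up to TLS 1.2 (assumption: the backend
#          offers it; with TLS 1.3 a different mechanism would be used).
# -ign_eof: keep the session open after the request has been written, so a
#           HelloRequest sent before the response is still captured.
probe_health_path() {
  host="$1"; port="$2"; path="$3"; out="$4"
  printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host" \
    | openssl s_client -connect "$host:$port" -servername "$host" \
        -tls1_2 -msg -ign_eof > "$out" 2>&1
}

# Offline demonstration on a constructed transcript (what an IIS site with
# client certificates set to Accept would typically produce).
demo_transcript=$(mktemp)
cat > "$demo_transcript" <<'EOF'
>>> TLS 1.2 Handshake [length 0010], Finished
<<< TLS 1.2 Handshake [length 0010], Finished
>>> TLS 1.2 ApplicationData [length 0040]
<<< TLS 1.2 Handshake [length 0004], HelloRequest
EOF
if renegotiation_requested "$demo_transcript"; then
  echo "backend requests TLS renegotiation: HTTPS health checks will fail"
else
  echo "no renegotiation requested on this path"
fi
rm -f "$demo_transcript"

# Against a real backend (placeholders), run e.g.:
#   probe_health_path backend.example.internal 443 /health /tmp/hc.txt
#   renegotiation_requested /tmp/hc.txt && echo "renegotiation requested"
```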