"No server name provided" error when traffic is coming from AWS LB

[egor-khanko]

Hey! I have setup that looks like this:

Internet <---SSL---> AWS LB <---Private---> EC2 (Docker)

I want to be able to encrypt traffic between AWS LB and EC2 instance, which is possible according to AWS docs:

The load balancer establishes TLS connections with the targets using certificates that you install on the targets. The load balancer does not validate these certificates.

I've installed my own self-signed certificates as described in kamal's docs.
When AWS LB tries to reach server with health-checks, kamal-proxy error's out:

{"time":"2025-10-20T12:33:01.241684076Z","level":"INFO","msg":"http: TLS handshake error from <private ip>:5438: no server name provided"}
{"time":"2025-10-20T12:33:05.469680017Z","level":"INFO","msg":"http: TLS handshake error from <private ip>:36500: no server name provided"}
{"time":"2025-10-20T12:33:07.24853183Z","level":"INFO","msg":"http: TLS handshake error from <private ip>:13660: no server name provided"}

I am mainly interested in the root cause. I have few options:

1. My certificates are generated incorrectly
2. AWS LB does not send server name in it's TLS handshake (possibly checked here)

Similar discussion has been opened, but no response was provided: #58
Happy to provide more debugging info if needed.

Thanks!

[kevinmcconnell]

@egor-khanko it sounds like option 2: the AWS LB is not using SNI to supply the server name. The current Kamal Proxy release will only serve TLS traffic when using SNI.

I actually ran into the same problem myself recently, and have been testing a simple fix for it which seems to work quite well. I'll try to get a new release out soon with this solution, and I expect that will solve the problem for you.

(The patch I've been testing simple defaults to the first configured server name when there's no SNI. That seems fine for many cases, but we could make this more explicit by exposing it as a --default-tls-server-name option.)

[egor-khanko]

@kevinmcconnell This patch would be very helpful, thank you!
Now I'm thinking whether I can ask AWS to supply SNI. As stated in RFC 3546 SNI is an "extension", so seems like it's not mandatory.
But AWS advertises that it does support SNI for "Application" LB (that I have) here, as the same time in announcement they state that it is enabled only when multiple certificates are added. Maybe I'm reading it wrong, and they only use it to select their own certificates, but don't pass SNI information further. I'll ask them about it.

Initial issue solved with a fix, so happily closing discussion!
I'll reply back if I get more into from AWS.
Thanks!