Trusted CAs for HTTPS gRPC ChirpStack endpoints

So far I have been using a single NS and AS server for ChirpStack, communicating directly on their own gRPC ports. But for HA I want to set up a gRPC-capable load balancer on AWS for the network server.

Unfortunately AWS requires HTTPS encryption for any HTTP/2 based load balancing (so including gRPC), probably because browsers require it anyway, so they may as well (even if the HTTP/2 and gRPC standards don’t require it). So my question is how ChirpStack AS trusts the CA of the gRPC network server endpoint. In the network server setup in the AS UI, I can set a CA cert, TLS cert and TLS key. I don’t particularly want to use TLS client-side certificates if it’s not needed. I would be happy to only set up TLS certificates on the load balancer. That would only require the application server to trust the network server’s CA, without needing to specify its own certificates.
So is that possible, and if so, how is the CA trust determined? Is there an internal CA bundle that is used (from the major browser vendors?). Or does it use Linux’s internal trusted CA certificates from /etc/ssl? Or is it mandatory to specify the CA cert, and also make TLS client certificate and keys in ChirpStack if the network server is behind an HTTPS-enabled load balancer?
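The trust options asked about above, shown with Go's standard `crypto/tls` client (ChirpStack is written in Go). This is an added example, not part of the original posts and not ChirpStack's own code; it does not show how ChirpStack handles its CA cert, TLS cert and TLS key fields. The loopback test server and its certificate are constructed stand-ins for the load balancer.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// dial makes one HTTPS request to srv, trusting only `roots`.
// Certificates is left empty, so the client presents no client certificate.
func dial(srv *httptest.Server, roots *x509.CertPool) error {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig:   &tls.Config{RootCAs: roots},
		DisableKeepAlives: true,
	}}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// trustOutcomes starts a loopback TLS server with a constructed self-signed
// certificate (standing in for the load balancer) and tries three trust setups.
func trustOutcomes() (pinned, system, empty error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) {}))
	defer srv.Close()

	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // explicit "CA cert" supplied by the operator

	pinned = dial(srv, pool)              // only the supplied CA is trusted
	system = dial(srv, nil)               // nil RootCAs: the host's root set is used
	empty = dial(srv, x509.NewCertPool()) // non-nil but empty pool trusts nothing
	return
}

func main() {
	pinned, system, empty := trustOutcomes()
	fmt.Println("explicit CA pool:", pinned)
	fmt.Println("system roots (nil RootCAs):", system)
	fmt.Println("empty pool:", empty)
}
```

Only the first dial succeeds: server-only TLS works without a client key pair as long as the server does not request one, and a private or self-signed CA is rejected unless it is supplied explicitly or installed in the host's trust store.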

I don’t know for sure, but, being that you’re trying to load balance the network server, you’d have to use a network load balancer type (not using standard HTTP ports, so an ALB won’t work), and I don’t believe it’s possible to specify HTTP as the type for a network load balancer. Again, I’m not certain, but, I am trying to do pretty much the same thing, and came across your post, so, hopefully, you’ve either figured it out and can enlighten me as to how you solved it, or, I can keep trying… thanks. BTW, you should be able to import a self-signed TLS cert into ACM, and use that on your load balancer.