Is it possible to configure the Duo Access Gateway to not do its own SSL redirect/termination? I am currently trying to enable this on AWS behind an ALB using AWS managed SSL certificates (from ACM). The problem is you can only attach them to resources managed by AWS, but you cannot export the actual private key information.
Obviously this would leave a potentially unencrypted path between the LB and DAG, but those can be secured in other ways. For example in AWS, we could use security group rules to only allow access via the Load Balancer.
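The security-group restriction mentioned in the post can be verified rather than assumed. The following is an added example, not part of the original post and not Duo or AWS code: it audits data shaped like `aws ec2 describe-security-groups` output and reports every ingress source other than the load balancer's group that can reach the plaintext listener. The group IDs, the sample rules, the function names and the listener port 80 are all constructed assumptions.

```python
# Constructed sample shaped like `aws ec2 describe-security-groups` output
# for the group attached to the DAG host. All IDs are placeholders.
ALB_SG = "sg-0aaaaaaaaaaaaaaaa"  # assumed: security group of the ALB
SAMPLE_DAG_GROUP = {
    "GroupId": "sg-0bbbbbbbbbbbbbbbb",
    "IpPermissions": [
        # Intended rule: only the ALB's group may reach the listener.
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
        # Leftover rule that lets clients skip the ALB (and its TLS).
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "PrefixListIds": [], "UserIdGroupPairs": []},
    ],
}


def covers_port(perm, port):
    """True if this ingress permission admits TCP traffic to `port`."""
    if perm.get("IpProtocol") == "-1":  # "-1" means all protocols and ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def bypass_paths(group, alb_sg, port):
    """List (kind, source) pairs that reach `port` without being the ALB group."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if not covers_port(perm, port):
            continue
        # Any CIDR or prefix-list source is a path that does not go via the ALB.
        findings += [("cidr", r["CidrIp"]) for r in perm.get("IpRanges", [])]
        findings += [("cidr6", r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", [])]
        findings += [("prefix-list", r["PrefixListId"])
                     for r in perm.get("PrefixListIds", [])]
        # Group-to-group rules are fine only when the source is the ALB's group.
        findings += [("group", p.get("GroupId"))
                     for p in perm.get("UserIdGroupPairs", [])
                     if p.get("GroupId") != alb_sg]
    return findings


if __name__ == "__main__":
    for kind, source in bypass_paths(SAMPLE_DAG_GROUP, ALB_SG, 80):
        print(f"listener reachable without the ALB: {kind} {source}")
```

An empty result means the only network path to the unencrypted listener is through the load balancer's security group.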