- Usage and options
- Manage certificates
- Renew certificates
Let’s Encrypt enables you to request and set up certificates automatically on your load balancer setup.
The implementation is not a standard part of our load balancer setups; we add this feature on request. Please send a request to email@example.com if you are interested.
Let’s Encrypt supports up to 100 (sub)domains (SAN entries) per certificate. The load balancer setup does not limit the number of certificates; Let’s Encrypt’s own rate limits still apply.
Wildcard certificates from Let’s Encrypt are not supported.
Let’s Encrypt verifies control of every (sub)domain you request a certificate for by fetching a challenge file under /.well-known/acme-challenge/ over plain HTTP (port 80). An A or CNAME record for the (sub)domain must therefore point to the failover address of the load balancer. If you are unsure about this, please contact firstname.lastname@example.org.
The Let’s Encrypt implementation can only be used on the primary load balancer; certificates are synced automatically to the secondary (standby) load balancer. Running the commands on the secondary load balancer is not possible.
The following commands are available; the built-in help can always be shown by executing the command:
nine-manage-letsencrypt register <email>
nine-manage-letsencrypt certificate list
nine-manage-letsencrypt certificate create <domain>
nine-manage-letsencrypt certificate remove <domain>
nine-manage-letsencrypt certificate renew-expiring
nine-manage-letsencrypt alias add <alias> <domain>
nine-manage-letsencrypt alias remove <alias> <domain>
To request Let’s Encrypt certificates you first need to register an account with the Let’s Encrypt API, providing a valid email address.
Let’s Encrypt uses this address for notifications, for example when a certificate could not be renewed. You should therefore use a mailbox that is read on a regular basis.
The registration can be done via command line:
www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt register email@example.com
www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt certificate list
www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt certificate create lb.nine.ch
Removing a certificate deletes the vhost from the load balancer and revokes the certificate at Let’s Encrypt.
www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt certificate remove lb.nine.ch
An existing certificate can be extended with additional (sub)domains (aliases), up to the limit of 100 (sub)domains per certificate. After adding an alias, a new validation cycle is triggered for all names and a new certificate containing the alias is issued.
www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt alias add www.nine.ch lb.nine.ch
Remove alias from certificate
You can also remove an alias you created earlier. After the alias is removed, a new certificate is issued that no longer contains it.
www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt alias remove www.nine.ch lb.nine.ch
Let’s Encrypt certificates are valid for 90 days and are renewed automatically 30 days before expiration. If renewing an expiring certificate fails, Let’s Encrypt sends a notification to the registered email address.
The following are the most common reasons for a failing renewal:
- The (sub)domain does not point to the failover address, or there is no A or CNAME record at all.
- The request is handled by a CDN (for example Cloudflare or Akamai) or by an external load balancer that does not forward the plain HTTP request. Make sure that requests to /.well-known/acme-challenge/ are forwarded to the load balancer unmodified.
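Both causes can be checked before running certificate create or a forced renewal. The following POSIX shell script is an added example and is not part of nine-manage-letsencrypt or the original page: it verifies that the (sub)domain resolves only to the failover address, and that a GET for a random token under /.well-known/acme-challenge/ is answered by the load balancer itself rather than by a CDN or WAF in front of it. The failover address 203.0.113.10, the sample dig output and response headers, and the assumption that the load balancer answers an unknown token with 404 are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the nine-manage-letsencrypt tooling.
# Assumptions (not from the original page): the load balancer answers an
# unknown challenge token with 404, and 203.0.113.10 stands in for the
# real failover address.

# Final addresses from `dig +short` output: CNAME targets end with a dot,
# A records are bare IPv4 addresses, so keep only the latter.
resolved_addresses() {
  printf '%s\n' "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Succeeds only if the name resolves to at least one address and every
# resolved address is the failover address: a second A record would let
# Let's Encrypt validate against a host that has no challenge file.
dns_points_to() {
  addrs=$(resolved_addresses "$1" || true)
  [ -n "$addrs" ] || return 1
  stray=$(printf '%s\n' "$addrs" | grep -vxF "$2" || true)
  [ -z "$stray" ]
}

# Given the raw response headers of a GET on
# http://<domain>/.well-known/acme-challenge/<random-token>, succeed only
# if the load balancer answered: status 200 or 404 and no CDN/edge markers.
# A 403 or a Cloudflare/Akamai header means something in front intercepted
# the request before it reached the load balancer.
challenge_response_ok() {
  status=$(printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
  case $status in
    200|404) ;;
    *) return 1 ;;
  esac
  if printf '%s\n' "$1" | grep -qiE '^(cf-ray:|server: *cloudflare|x-akamai-|server: *akamaighost)'; then
    return 1
  fi
  return 0
}

# Live check against real DNS and HTTP (needs dig and curl):
#   sh acme_preflight.sh <domain> <failover-address>
preflight() {
  domain=$1; failover=$2; rc=0
  if dns_points_to "$(dig +short "$domain")" "$failover"; then
    echo "ok:   $domain resolves only to $failover"
  else
    echo "FAIL: $domain does not resolve (only) to $failover"; rc=1
  fi
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  headers=$(curl -sS -o /dev/null -D - --max-time 10 \
    "http://$domain/.well-known/acme-challenge/$token" || true)
  if challenge_response_ok "$headers"; then
    echo "ok:   challenge path reaches the load balancer unmodified"
  else
    echo "FAIL: challenge path is intercepted or unreachable"; rc=1
    printf '%s\n' "$headers" | head -n 5
  fi
  return $rc
}

# Constructed sample data so the two check functions can be exercised offline.
SAMPLE_DIG_OK=$(printf 'lb-failover.example.net.\n203.0.113.10\n')
SAMPLE_DIG_WRONG_IP=$(printf '203.0.113.99\n')
SAMPLE_DIG_EXTRA_A=$(printf '203.0.113.10\n198.51.100.7\n')
SAMPLE_HEADERS_DIRECT=$(printf 'HTTP/1.1 404 Not Found\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n')
SAMPLE_HEADERS_CDN=$(printf 'HTTP/1.1 403 Forbidden\r\nServer: cloudflare\r\nCF-RAY: 0123456789abcdef-ZRH\r\n\r\n')
SAMPLE_HEADERS_EDGE=$(printf 'HTTP/1.1 404 Not Found\r\nServer: AkamaiGHost\r\n\r\n')

if [ $# -eq 2 ]; then
  preflight "$1" "$2"
fi
```

Run it from any host with dig and curl, not necessarily the load balancer; a FAIL on the second check while the first passes is the typical CDN case, and the printed headers show who answered instead.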
The automatic renewal runs once a day. If certificates need to be renewed immediately, you can force the renewal by executing
sudo nine-manage-letsencrypt certificate renew-expiring
Usually, it is not necessary to take care of the renewal by yourself.