Back to home

Let's Encrypt on Load Balancer

  1. Introduction
  2. Usage and options
  3. Registration
  4. Manage certificates
    1. Create certificates
    2. Delete certificates
    3. Expand certificates
  5. Renew certificates

Introduction

Let’s Encrypt enables you to request and setup certificates automatically on your load balancer setup.

The implementation is not a stock part of our load balancer setups. We add this feature on request. Please send a request to support@nine.ch if you are interested.

Let’s Encrypt supports up to 100 (sub)domains per certificate. There is no limitation regarding the amount of certificates.

Wildcard certificates from Let’s Encrypt are not supported.

Prerequisites

Let’s Encrypt will to verify the (sub)domain you want to create a certificate for, therefore an A- or CNAME- record for the (sub)domain is required to point to the failover address of the load balancer. If you are unsure about this please contact support@nine.ch.

Usage and options

The Let’s Encrypt implementation can only be used on the primary load balancer. There is an automated sync to the secondary (standby) load balancer. The usage on the secondary load balancer is not possible.

You have access to the following options, the help can always be shown by executing nine-manage-letsencrypt --help:

  nine-manage-letsencrypt register <email>
  nine-manage-letsencrypt certificate list
  nine-manage-letsencrypt certificate create <domain>
  nine-manage-letsencrypt certificate remove <domain>
  nine-manage-letsencrypt certificate renew-expiring
  nine-manage-letsencrypt alias add <alias> <domain>
  nine-manage-letsencrypt alias remove <alias> <domain>

Registration

To request Let’s Encrypt certificates you need to register at the Let’s Encrypt API. You need to provide a valid email address here.

This email address will be used to send notifications when there is a problem with renewing a certificate. You therefore should use an email address that is used and fetched on a regular basis.

The registration can be done via command line:

www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt register devops@domain.ch

Manage certificates

List certificates

www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt certificate list

Create certificates

www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt certificate create lb.nine.ch

Delete certificates

The deletion of a certificate removes the vhost and revokes the certificate at Let’s Encrypt.

www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt certificate remove lb.nine.ch

Expand certificates

An existing certificate can be expanded by up to 100 (sub)domains or aliases. After adding an alias, a new validation cycle will be triggered and a new certificate will be issued.

www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt alias add www.nine.ch lb.nine.ch

Remove alias from certificate

You can also remove a formerly created alias. After removal of an alias, there will be a new certificate issued that no longer contains the deleted alias.

www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt alias remove www.nine.ch lb.nine.ch

Renew certificates

Let’s Encrypt certificates are valid for 90 days and are automatically renewed 30 days before expiration. If there are errors while renewing expiring certificates, Let’s Encrypt will send you a notification to the registered email address.

The following are the most common reasons that lead to a failing renewal:

  • (sub)domain does not point to the failover address or there is no A- or CNAME-record
  • The request is processed by a CDN (for example Cloudflare or Akamai) or an external load balancer is not forwarding the plain request. Please make sure that requests to /.well-known/acme-challenge/ are forwarded unmodified

The automatic renewal happens once a day. If it is necessary to renew certificates immediately, you can force the renewal by executing sudo nine-manage-letsencrypt certificate renew-expiring.

Usually, it is not necessary to take care of the renewal by yourself.

Didn't find what you were looking for?

Contact our support:

+41 44 637 40 40 Support Portal support@nine.ch