
Let's Encrypt on Load Balancers

For Load Balancer Setups only

This article describes how to set up Let's Encrypt certificates on a load balancer.

For any other type of web server, please consult the article nine-manage-vhosts with Let's Encrypt.

nine-manage-letsencrypt enables you to request and set up Let's Encrypt certificates automatically on your load balancer.

Let's Encrypt supports up to 100 (sub)domains per certificate. There is no limit on the number of certificates.

Wildcard certificates from Let's Encrypt are not supported.

Prerequisites

Let's Encrypt verifies control of the (sub)domain before it issues a certificate, so the A or CNAME record for the (sub)domain must point to the failover address of the load balancer. If you are unsure about this, please contact .

Usage and options

nine-manage-letsencrypt can only be used on the primary load balancer. Certificates are synced automatically to the secondary (standby) load balancer; the tool cannot be used there.

The help can be shown by executing nine-manage-letsencrypt --help. The following options are available:

nine-manage-letsencrypt register <email>
nine-manage-letsencrypt certificate list
nine-manage-letsencrypt certificate create <domain>
nine-manage-letsencrypt certificate remove <domain>
nine-manage-letsencrypt certificate renew-expiring
nine-manage-letsencrypt alias add <alias> <domain>
nine-manage-letsencrypt alias remove <alias> <domain>

Registration

To request Let's Encrypt certificates, you need to register at the Let's Encrypt API. You have to provide a valid email address.

This email address is used for notifications when renewing a certificate fails, so use an address that is checked regularly.

The registration can be done via command line:

www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt register devops_AT_domain.ch

Manage certificates

List certificates

www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt certificate list

Create certificates

www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt certificate create lb.nine.ch

Delete certificates

The deletion of a certificate removes the vhost and revokes the certificate.

www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt certificate remove lb.nine.ch

Expand certificates

An existing certificate can be expanded with additional (sub)domains (aliases), up to the limit of 100 per certificate. After adding an alias, a new validation cycle is triggered and a new certificate is issued.

www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt alias add www.nine.ch lb.nine.ch

Remove alias from certificate

You can also remove an alias that was added earlier. After removal, a new certificate is issued that no longer contains the removed alias.

www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt alias remove www.nine.ch lb.nine.ch

Renew certificates

Let's Encrypt certificates are valid for 90 days and are automatically renewed 30 days before expiration. If there are errors while renewing expiring certificates, Let's Encrypt will send you a notification to the registered email address.

The following are the most common reasons that lead to a failing renewal:

  • The (sub)domain does not point to the failover address, or there is no A or CNAME record for it.
  • The request is processed by a CDN (for example Cloudflare or Akamai), or an external load balancer in front of ours does not forward the plain HTTP request. Make sure that requests to /.well-known/acme-challenge/ are forwarded unmodified.
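As an added pre-flight check (example code, not part of nine-manage-letsencrypt), the script below tests the two conditions above for a (sub)domain before you run certificate create or force a renewal: whether the name resolves to the load balancer's failover address, which you supply as an argument, and whether a request for a random token under /.well-known/acme-challenge/ reaches the load balancer rather than a CDN or a catch-all page. The failover address, the CDN Server-header heuristic and the injectable resolver/prober are assumptions of this example, not behaviour documented for the tool.

```python
"""Pre-flight check for the two renewal-failure causes listed above. Added example,
not part of nine-manage-letsencrypt; the failover address is operator-supplied and
the resolver/prober are injectable so the check logic can be exercised offline."""
import socket
import sys
import urllib.error
import urllib.request
import uuid

ACME_PATH = "/.well-known/acme-challenge/"


def resolve(domain):
    """Addresses the name currently resolves to (CNAME chains are followed)."""
    return {info[4][0] for info in socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError instead of following it


def probe_acme_path(domain):
    """GET a random token under the ACME path; return (status, Server header)."""
    url = f"http://{domain}{ACME_PATH}preflight-{uuid.uuid4().hex}"
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=10) as r:
            return r.status, r.headers.get("Server", "")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Server", "")


def check_domain(domain, failover_ips, resolver=resolve, prober=probe_acme_path):
    """Return a list of findings; an empty list means the name looks ready for issuance."""
    try:
        addrs = resolver(domain)
    except socket.gaierror:
        addrs = set()
    if not addrs:
        return [f"{domain}: no A/AAAA/CNAME record resolves"]
    if not addrs & set(failover_ips):
        return [f"{domain}: resolves to {sorted(addrs)}, not the failover address {sorted(failover_ips)}"]
    try:
        status, server = prober(domain)
    except (urllib.error.URLError, OSError) as e:
        return [f"{domain}: {ACME_PATH} unreachable over plain HTTP ({e})"]
    if "cloudflare" in server.lower() or "akamai" in server.lower():  # heuristic, assumption
        return [f"{domain}: {ACME_PATH} is answered by a CDN (Server: {server}); pass it through unmodified"]
    if status == 200:  # a random token must not exist; 200 means something else serves the path
        return [f"{domain}: random token under {ACME_PATH} returned 200, another service answers that path"]
    return []


if __name__ == "__main__":
    # usage: preflight.py <domain> <failover-ip> [<failover-ip> ...]
    for line in check_domain(sys.argv[1], set(sys.argv[2:])) or ["OK"]:
        print(line)
```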

The automatic renewal happens once a day. If it is necessary to renew certificates immediately, you can force a renewal:

www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt certificate renew-expiring

Usually, it is not necessary to take care of the renewal yourself.