Let's Encrypt on Load Balancers
nine-manage-letsencrypt enables you to request and setup Let's Encrypt certificates automatically on your load balancer.
Let's Encrypt supports up to 100 (sub)domains per certificate. There is no limitation regarding the amount of certificates.
Wildcard certificates from Let's Encrypt are not supported.
Prerequisites
Let's Encrypt will verify the (sub)domain you want to create a certificate for, therefore the A- or CNAME- record for the (sub)domain is required to point to the failover address of the load balancer. If you are unsure about this, please contact Support.
Usage and options
nine-manage-letsencrypt can only be used on the primary load balancer. There is an automated sync to the secondary (standby) load balancer. The usage on the secondary load balancer is not possible.
The help can be shown by executing nine-manage-letsencrypt --help. The following options are available:
nine-manage-letsencrypt register <email>
nine-manage-letsencrypt certificate list
nine-manage-letsencrypt certificate create <domain>
nine-manage-letsencrypt certificate remove <domain>
nine-manage-letsencrypt certificate renew-expiring
nine-manage-letsencrypt alias add <alias> <domain>
nine-manage-letsencrypt alias remove <alias> <domain>
Registration
To request Let's Encrypt certificates, you need to register at the Let's Encrypt API. You have to provide a valid email address.
This email address will be used to send notifications when there is an issue with renewing a certificate. You therefore should use an email address that is checked regularly.
The registration can be done via command line:
www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt register devops_AT_domain.ch
Manage certificates
List certificates
www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt certificate list
Create certificates
www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt certificate create lb.nine.ch
Delete certificates
The deletion of a certificate removes the vhost and revokes the certificate.
www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt certificate remove lb.nine.ch
Expand certificates
An existing certificate can be expanded by up to 100 (sub)domains or aliases. After adding an alias, a new validation cycle will be triggered and a new certificate will be issued.
www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt alias add www.nine.ch lb.nine.ch
Remove alias from certificate
You can also remove a formerly created alias. After removal of an alias, there will be a new certificate issued that no longer contains the deleted alias.
www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt alias remove www.nine.ch lb.nine.ch
Renew certificates
Let's Encrypt certificates are valid for 90 days and are automatically renewed 30 days before expiration. If there are errors while renewing expiring certificates, Let's Encrypt will send you a notification to the registered email address.
The following are the most common reasons that lead to a failing renewal:
- The (sub)domain does not point to the
failover addressor there is no A- or CNAME-record. - The request is processed by a CDN (for example Cloudflare or Akamai) or an external load balancer is not forwarding the plain request. Please make sure that requests to
/.well-known/acme-challenge/are forwarded unmodified.
The automatic renewal happens once a day. If it is necessary to renew certificates immediately, you can force a renewal:
www-data@nine-lb01:~ $ sudo nine-manage-letsencrypt certificate renew-expiring
Usually, it is not necessary to take care of the renewal by yourself.