DO load balancer won't add Let's Encrypt cert for subdomain that DO is managing

I have a DO load balancer. There's a subdomain that I want the load balancer to generate a Let's Encrypt SSL certificate for. I've created an NS record pointing the subdomain to DO's name servers. Even though I can manage the subdomain via DO now, the load balancer won't create the cert. It says the domain is not managed by DO.

I contacted DO support and was told that Let's Encrypt will only create certs if the domain itself, not the subdomain, is under DO control. That's not practical in my situation.

What have folks done in this situation? Have you created your own load balancer, e.g. with Apache httpd?

p.s. I think DO should document this limitation. I had to learn the hard way and by contacting support that my use case wasn’t supported.

I just found a workaround.

Spaces lets you create subdomain certs with Let’s Encrypt. Those subdomain certs will show up in the dropdown list on the Load Balancer. You basically can create a subdomain cert (for a CDN), save it, then remove it. The cert will still exist and will be available as an option in the load balancer dropdown.

It seems DO indeed has this ability but they forgot to add it to the Load Balancer cert creation dialog.

Same issue occurs with Spaces CDN. If you try to create a Let's Encrypt certificate with a subdomain managed by DigitalOcean, it doesn't allow you to.

This is a limitation of DigitalOcean, not of DNS or Let's Encrypt/ACME. It is possible to use certbot with DNS challenge on a subdomain hosted on DigitalOcean's DNS. Perhaps a script could be written that runs the challenges and pushes the new certificate directly to DigitalOcean, while we wait for this feature to be properly implemented.

I’ll report back here if I get around to that.
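As an added example (not code from the thread, from DigitalOcean, or from certbot), here is the kind of script the answer above sketches: certbot completes the DNS-01 challenge through the `certbot-dns-digitalocean` plugin, which can write the `_acme-challenge` TXT record into any zone DO hosts, including a subdomain delegated by NS record, and `doctl` then uploads the result as a custom certificate and binds it to the load balancer's HTTPS listener. It assumes certbot with that plugin and an authenticated `doctl` are installed, and every value it reads (`DOMAIN`, `LB_ID`, `LB_NAME`, `LB_REGION`, `LB_DROPLET_IDS`, `ACME_EMAIL`, `CREDS`) is a placeholder to replace with your own.

```shell
#!/bin/sh
# Added example, not from the thread or from DigitalOcean: issue a Let's Encrypt cert for a
# DO-hosted subdomain via certbot's DNS-01 plugin, upload it with doctl as a custom
# certificate, and attach it to a load balancer. All values below are placeholders.
set -eu

DOMAIN="${DOMAIN:-sub.example.com}"                      # placeholder: the delegated subdomain
ACME_EMAIL="${ACME_EMAIL:-admin@example.com}"            # placeholder: Let's Encrypt contact
LB_ID="${LB_ID:-REPLACE_WITH_LOAD_BALANCER_ID}"          # placeholder: load balancer UUID
LB_NAME="${LB_NAME:-REPLACE_WITH_LB_NAME}"               # placeholder: current LB name
LB_REGION="${LB_REGION:-REPLACE_WITH_REGION_SLUG}"       # placeholder: current LB region
LB_DROPLET_IDS="${LB_DROPLET_IDS:-REPLACE_WITH_IDS}"     # placeholder: comma-separated backends
CREDS="${CREDS:-${HOME:-/root}/.secrets/certbot/digitalocean.ini}" # holds dns_digitalocean_token
LIVE="/etc/letsencrypt/live/$DOMAIN"                     # where certbot leaves the PEM files

# Forwarding rule that binds certificate $1 to the HTTPS listener and terminates TLS at the
# load balancer. Kept as a pure function so its format can be checked without calling doctl.
forwarding_rule() {
  printf 'entry_protocol:https,entry_port:443,target_protocol:http,target_port:80,certificate_id:%s,tls_passthrough:false' "$1"
}

# Certificate name from the domain ($1) and an issuance date ($2); a date-stamped name keeps
# each renewal's upload distinct from the previous one instead of colliding with it.
cert_name() {
  printf '%s-%s' "$(printf '%s' "$1" | tr . -)" "$2"
}

# DNS-01 challenge: certbot creates the _acme-challenge TXT record through the DO API using
# the token in $CREDS (keep that file mode 600; the token can edit every zone it can see).
issue_cert() {
  certbot certonly --non-interactive --agree-tos -m "$ACME_EMAIL" \
    --dns-digitalocean --dns-digitalocean-credentials "$CREDS" \
    --dns-digitalocean-propagation-seconds 60 \
    -d "$DOMAIN"
}

# Upload leaf, private key and chain as a custom certificate and print the new certificate ID.
upload_cert() {
  doctl compute certificate create --type custom \
    --name "$(cert_name "$DOMAIN" "$(date +%Y%m%d)")" \
    --leaf-certificate-path "$LIVE/cert.pem" \
    --private-key-path "$LIVE/privkey.pem" \
    --certificate-chain-path "$LIVE/chain.pem" \
    --format ID --no-header
}

# Bind certificate $1 to the listener. Caveat: the update replaces the whole load balancer
# definition, so name, region and backend Droplets must be restated or they are reset.
# Check the current values first with: doctl compute load-balancer get "$LB_ID"
attach_cert() {
  doctl compute load-balancer update "$LB_ID" \
    --name "$LB_NAME" --region "$LB_REGION" --droplet-ids "$LB_DROPLET_IDS" \
    --forwarding-rules "$(forwarding_rule "$1")"
}

main() {
  issue_cert
  cert_id="$(upload_cert)"
  attach_cert "$cert_id"
  echo "attached certificate $cert_id to load balancer $LB_ID for $DOMAIN"
}

# Only run when invoked as `renew` (for example from a cron job inside certbot's renewal
# window), so sourcing the file for its helper functions has no side effects.
if [ "${1:-}" = "renew" ]; then
  main
fi
```

Run it as `sh renew-lb-cert.sh renew` once to bootstrap, then on a schedule; certbot's own `renew` command does not know about the load balancer, so the upload and attach steps have to be re-run after each renewal, and the previous custom certificate can be deleted with `doctl compute certificate delete` once nothing references it.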