DO load balancer won't add Let's Encrypt cert for subdomain that DO is managing

March 2, 2019 956 views
Load Balancing Let's Encrypt CentOS

I have a DO load balancer. There’s a subdomain that I want the load balancer to generate a Let's Encrypt SSL certificate for. I’ve created an NS record pointing the subdomain to DO’s name servers. Even though I can manage the subdomain via DO now, the load balancer won’t create the cert. It says the domain is not managed by DO.

I contacted DO support and was told that Let's Encrypt will only create certs if the domain itself, not the subdomain, is under DO control. That’s not practical in my situation.

What have folks done in this situation? Have you created your own load balancer, e.g. with Apache httpd?

Thanks.

p.s. I think DO should document this limitation. I had to learn the hard way and by contacting support that my use case wasn’t supported.

6 Answers

Hey friend,

Great question! Thanks for posting it here. My recommendation, in this case, would be to set up a load balancer on a droplet instead of using our pre-made ones. While these tutorials are for Ubuntu 14, not that much has changed:

https://www.digitalocean.com/community/tutorials/how-to-set-up-highly-available-haproxy-servers-with-keepalived-and-floating-ips-on-ubuntu-14-04
https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-ubuntu-14-04

While I love our load balancer service, you’ve clearly identified a use case that they do not stand up to right now, and I find that building your own LB is fairly straightforward. Honestly, they don’t need much in the way of maintenance once set up.

Jarland


Thanks! Hopefully, DO will remove that limitation. Let's Encrypt has no trouble creating certs for subdomains. I can’t understand why DO should require control of DNS for the entire domain.

Just ran into this same situation. I have a subdomain where the DNS is delegated to DO. Can’t create a load balancer with SSL termination because DO doesn’t manage the TLD. Seems silly that I have to spin up more droplets and configure my own load balancer because of a limitation like this.

I believe this would explain my issue … my main domain is hosted on Netlify, who also manages my DNS records. I’m trying to set up a DO droplet on a subdomain to point to my Mautic install. I need the ssl so that I can link Mautic with Zapier.

I have the subdomain set up in DO, along with my Droplet. But DO won’t recognize my domain.

Agree with the comments above that this DNS limitation seems silly (although I don’t fully understand the tech here).

Other than adding more droplets and load balancers (that only seem to increase my cost), any solutions?

Same issue occurs with Spaces CDN. If you try to create a Let's Encrypt certificate with a sub-domain managed by Digital Ocean, it doesn’t allow you to.

This is a limitation of Digital Ocean, not of DNS or Let's Encrypt/ACME. It is possible to use certbot with DNS challenge on a sub-domain hosted on Digital Ocean’s DNS. Perhaps a script could be written that runs the challenges and pushes the new certificate directly to Digital Ocean, while we wait for this feature to be properly implemented.

I’ll report back here if I get around to that.
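The workaround sketched in the answer above, written out as an added example (not code from DigitalOcean or from anyone in this thread): certbot answers the DNS-01 challenge through DO's DNS API using the certbot-dns-digitalocean plugin, which works for a delegated subdomain because the challenge only needs write access to the zone that actually serves the name, and the resulting files are then uploaded as a "custom" certificate via the DO API so a load balancer or Spaces CDN endpoint can use them. Assumed: certbot and the dns-digitalocean plugin are installed, a DO API token with write scope is exported as `DIGITALOCEAN_TOKEN`, and the helper names (`write_credentials`, `certbot_command`, `build_certificate_payload`, `upload_certificate`, `certificate_name`) are this example's own.

```python
"""Issue a Let's Encrypt cert for a DO-delegated subdomain with the DNS-01
challenge and upload it to DigitalOcean as a custom certificate.

Added example; not DigitalOcean's tooling.  Assumes certbot plus the
certbot-dns-digitalocean plugin are installed and DIGITALOCEAN_TOKEN is set.
"""
import json
import os
import subprocess
import sys
import urllib.request
from datetime import date
from pathlib import Path

DO_CERTS_API = "https://api.digitalocean.com/v2/certificates"


def write_credentials(path: Path, token: str) -> Path:
    """Write the ini file the dns-digitalocean plugin reads.  The file holds a
    write-capable API token, so it is created with mode 0600."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(f"dns_digitalocean_token = {token}\n")
    path.chmod(0o600)
    return path


def certbot_command(domain: str, creds: Path, email: str) -> list:
    """certbot invocation: DNS-01 via DO's DNS API, no HTTP port needed.
    The propagation wait gives DO's authoritative servers time to publish
    the _acme-challenge TXT record before Let's Encrypt queries it."""
    return [
        "certbot", "certonly", "--non-interactive", "--agree-tos",
        "--email", email,
        "--dns-digitalocean",
        "--dns-digitalocean-credentials", str(creds),
        "--dns-digitalocean-propagation-seconds", "60",
        "-d", domain,
    ]


def certificate_name(domain: str, issued: date) -> str:
    """DO certificate names must be unique per account, so include the
    issue date; dots are replaced to keep the name simple."""
    return f"{domain.replace('.', '-')}-{issued.isoformat()}"


def build_certificate_payload(name: str, private_key: str,
                              leaf_certificate: str, chain: str) -> dict:
    """Body for POST /v2/certificates with type=custom.  The three PEM strings
    come from certbot's live/<domain>/ privkey.pem, cert.pem and chain.pem."""
    return {
        "name": name,
        "type": "custom",
        "private_key": private_key,
        "leaf_certificate": leaf_certificate,
        "certificate_chain": chain,
    }


def upload_certificate(token: str, payload: dict) -> dict:
    """POST the custom certificate; returns the certificate object, whose
    'id' is what a load balancer forwarding rule references."""
    req = urllib.request.Request(
        DO_CERTS_API,
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["certificate"]


def main(domain: str) -> None:
    token = os.environ["DIGITALOCEAN_TOKEN"]
    creds = write_credentials(
        Path.home() / ".secrets" / "certbot" / "digitalocean.ini", token)
    subprocess.run(certbot_command(domain, creds, "admin@" + domain), check=True)
    live = Path("/etc/letsencrypt/live") / domain  # certbot's default layout
    payload = build_certificate_payload(
        certificate_name(domain, date.today()),
        (live / "privkey.pem").read_text(),
        (live / "cert.pem").read_text(),
        (live / "chain.pem").read_text(),
    )
    cert = upload_certificate(token, payload)
    print("uploaded certificate id:", cert["id"])


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: do_subdomain_cert.py sub.example.com")
    main(sys.argv[1])
```

Run it from cron shortly before each 90-day expiry; the script leaves renewal to certbot and only re-uploads, so an old certificate stays attached to the load balancer until you point the forwarding rule at the new id. The API token is the sensitive piece here: it can rewrite every DNS zone on the account, so keep it in the 0600 credentials file rather than on the command line.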
