Question

DO load balancer won't add Let's Encrypt cert for subdomain that DO is managing

Posted March 2, 2019 4.2k views
Tags: CentOS, Load Balancing, Let's Encrypt

I have a DO load balancer. There's a subdomain that I want the load balancer to generate a Let's Encrypt SSL certificate for. I've created an NS record pointing the subdomain to DO's name servers. Even though I can manage the subdomain via DO now, the load balancer won't create the cert. It says the domain is not managed by DO.

I contacted DO support and was told that Let's Encrypt will only create certs if the domain itself, not the subdomain, is under DO control. That's not practical in my situation.

What have folks done in this situation? Have you created your own load balancer, e.g. with Apache httpd?

Thanks.

8 answers

I just found a workaround.

Spaces lets you create subdomain certs with Let’s Encrypt. Those subdomain certs will show up in the dropdown list on the Load Balancer. You basically can create a subdomain cert (for a CDN), save it, then remove it. The cert will still exist and will be available as an option in the load balancer dropdown.

It seems DO indeed has this ability but they forgot to add it to the Load Balancer cert creation dialog.

Hey friend,

Great question! Thanks for posting it here. My recommendation, in this case, would be to set up a load balancer on a droplet instead of using our pre-made ones. While these tutorials are for Ubuntu 14, not that much has changed:

https://www.digitalocean.com/community/tutorials/how-to-set-up-highly-available-haproxy-servers-with-keepalived-and-floating-ips-on-ubuntu-14-04
https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-ubuntu-14-04

While I love our load balancer service, you've clearly identified a use case that they do not stand up to right now, and I find that building your own LB is fairly straightforward. Honestly, they don't need much in the way of maintenance once set up.

Jarland


p.s. I think DO should document this limitation. I had to learn the hard way and by contacting support that my use case wasn’t supported.

The same issue occurs with Spaces CDN. If you try to create a Let's Encrypt certificate with a sub-domain managed by Digital Ocean, it doesn't allow you to.

This is a limitation of Digital Ocean, not of DNS or Let's Encrypt/ACME. It is possible to use certbot with the DNS challenge on a sub-domain hosted on Digital Ocean's DNS. Perhaps a script could be written that runs the challenges and pushes the new certificate directly to Digital Ocean, while we wait for this feature to be properly implemented.

I’ll report back here if I get around to that.
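A sketch of the script this answer proposes, added here as an example (it is not from the thread, DigitalOcean or certbot): a certbot deploy hook that takes the certificate issued via certbot's DigitalOcean DNS-01 plugin, splits fullchain.pem into leaf and chain, and uploads it as a custom certificate through the DO API. The `POST /v2/certificates` endpoint and its field names, the `DO_TOKEN` variable, the hook path and the certificate naming scheme are assumptions; the PEM sample is a constructed placeholder.

```python
"""Certbot deploy hook that pushes the renewed cert to DigitalOcean as a
'custom' certificate (assumed DO API v2: POST /v2/certificates, DO_TOKEN env).
Issue with certbot's DO DNS plugin, e.g.:  certbot certonly --dns-digitalocean
  --dns-digitalocean-credentials /root/.secrets/do.ini -d sub.example.com
  --deploy-hook /usr/local/bin/push_cert_to_do.py   (hook path is an assumption)"""
import json, os, re, time, urllib.request

DO_CERTS_URL = "https://api.digitalocean.com/v2/certificates"
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Constructed stand-in for fullchain.pem (leaf, then intermediate); placeholders, not real certs.
SAMPLE_FULLCHAIN = (
    "-----BEGIN CERTIFICATE-----\nLEAF-PLACEHOLDER\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATE-PLACEHOLDER\n-----END CERTIFICATE-----\n"
)

def split_fullchain(fullchain_pem):
    """Return (leaf, chain): DO wants the leaf and the intermediates in separate fields."""
    blocks = PEM_CERT.findall(fullchain_pem)
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found in fullchain.pem")
    return blocks[0] + "\n", "".join(b + "\n" for b in blocks[1:])

def build_payload(name, fullchain_pem, privkey_pem):
    """Request body for POST /v2/certificates with type 'custom'."""
    leaf, chain = split_fullchain(fullchain_pem)
    return {"name": name, "type": "custom", "private_key": privkey_pem,
            "leaf_certificate": leaf, "certificate_chain": chain}

def cert_name(primary_domain, now=None):
    """DO certificate names must be unique; derive one from the domain plus a timestamp."""
    return "%s-%d" % (primary_domain.replace(".", "-"), int(now or time.time()))

def upload(payload, token):
    req = urllib.request.Request(
        DO_CERTS_URL, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def main():
    # certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<name>) and
    # RENEWED_DOMAINS to deploy hooks.
    lineage = os.environ["RENEWED_LINEAGE"]
    name = cert_name(os.environ["RENEWED_DOMAINS"].split()[0])
    with open(os.path.join(lineage, "fullchain.pem")) as c, \
            open(os.path.join(lineage, "privkey.pem")) as k:
        payload = build_payload(name, c.read(), k.read())
    print(upload(payload, os.environ["DO_TOKEN"])["certificate"]["id"])

if __name__ == "__main__":
    main()
```

Once uploaded this way, the certificate is listed under the account's certificates and can be picked for the load balancer's HTTPS forwarding rule; the hook must be re-run on every renewal, since the uploaded copy does not renew itself.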

If you are managing the root domain using Digital Ocean, when you use that root domain and add a subdomain to that certificate, DO will edit the root domain's A record to point to the load balancer's public IP. You can change the value of the root domain to whatever and change it back just before renewal, and always leave the subdomain's A record pointing to the load balancer, but this is not close to being ideal.

Thanks! Hopefully, DO will remove that limitation. Let's Encrypt has no trouble creating certs for subdomains. I can't understand why DO should require control of DNS for the entire domain.

Just ran into this same situation. I have a subdomain where the DNS is delegated to DO. Can’t create a load balancer with SSL termination because DO doesn’t manage the TLD. Seems silly that I have to spin up more droplets and configure my own load balancer because of a limitation like this.

I believe this would explain my issue … my main domain is hosted on Netlify, who also manages my DNS records. I'm trying to set up a DO droplet on a subdomain to point to my Mautic install. I need the SSL so that I can link Mautic with Zapier.

I have the subdomain set up in DO, along with my Droplet. But DO won’t recognize my domain.

Agree with the comments above that this DNS limitation seems silly (although I don’t fully understand the tech here).

Other than adding more droplets and load balancers (that only seem to increase my cost), any solutions?
