Question

How to force Managed Kubernetes Load Balancers to renew LetsEncrypt certificates?

I’m using a managed load balancer to route traffic into my Kubernetes cluster. When I created the load balancer it (per the docs) automatically set up the certificate via LetsEncrypt.

Some time later I added an ingress to handle a separate domain (not subdomain). So, while xyz.com was originally registered, and a.xyz.com and b.xyz.com subdomains work as expected, with SSL encryption, when I added the ingress for mno.com the certificate did not cover that domain. Essentially, I need a LetsEncrypt cert that covers multiple domains (a SAN or Subject Alternate Name cert that LetsEncrypt supports).

Notably traffic is correctly routed through the load balancer, just not encrypted (and so throws the ugly error in browsers).

My thought is that if I could force the cert to renew, it would fix itself (fingers crossed). I’m not sure the best way to do this, though, and could not find documentation or questions around it. I could destroy and rebuild the load balancer, but that seems extreme. It’s possible there is an on-cluster secret I could delete that would be detected as deleted and the managed service would create a new cert. But I’m not sure which secret that would be, and randomly binning secrets seems like a bad plan.

Any guidance for this? Thank you!


Submit an answer
Answer a question...

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer