DigitalOcean

Report this

What is the reason for this report?
Question

How to force Managed Kubernetes Load Balancers to renew LetsEncrypt certificates?

Posted on December 1, 2022
DigitalOcean Managed Load Balancers
DigitalOcean Managed Kubernetes
nford

By nford

I’m using a managed load balancer to route traffic into my Kubernetes cluster. When I created the load balancer it (per the docs) automatically set up the certificate via LetsEncrypt.

Some time later I added an ingress to handle a separate domain (not subdomain). So, while xyz.com was originally registered, and a.xyz.com and b.xyz.com subdomains work as expected, with SSL encryption, when I added the ingress for mno.com the certificate did not cover that domain. Essentially, I need a LetsEncrypt cert that covers multiple domains (a SAN or Subject Alternate Name cert that LetsEncrypt supports).

Notably traffic is correctly routed through the load balancer, just not encrypted (and so throws the ugly error in browsers).

My thought is that if I could force the cert to renew, it would fix itself (fingers crossed). I’m not sure the best way to do this, though, and could not find documentation or questions around it. I could destroy and rebuild the load balancer, but that seems extreme. It’s possible there is an on-cluster secret I could delete that would be detected as deleted and the managed service would create a new cert. But I’m not sure which secret that would be, and randomly binning secrets seems like a bad plan.

Any guidance for this? Thank you!



This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
0
JonsJava
JonsJava
October 12, 2025

To use the cert-manager, you need a few things set up, that it seems you have set up.

  • Ingress class (if this wasn’t set up, you wouldn’t have the certs you already have)
  • ingress (if this wasn’t set up, again, no SSL cert)
  • In the ingress, you have tls set. If this wasn’t, you wouldn’t get a cert To add a new cert, you either need to add the new domain to the TLS, and have it point to the same ingress, or create a new ingress, point it to the new IP, and configure the TLS block.

Once you’ve done that (look at what you already have. I use OpenLens when I don’t want to stare at the terminal all day), give it up to ~30 minutes and check with this command:

kubectl get certificates

If Ready isn’t true, that means there’s an error. You can then review the status with kubectl get certificate CERT_NAME changing CERT_NAME to the cert name you want to check.

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Sign Up

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Learn more

Resources for startups and AI-native businesses

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Learn more

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.

© 2026 DigitalOcean, LLC.Sitemap.