Question

Issues with DO Kubernetes, Load Balancers and SSL

Hi.

I’m having issues with the Load Balancer in my Cluster/services.

I have created a certificate through the DO Control Panel (using Let’s Encrypt), used doctl compute certificate list to get the ID, and attached it to the service.beta.kubernetes.io/do-loadbalancer-certificate-id annotation on my Service.

It worked as it should. SSL responds correctly, but if I need to change the certificate on my LB, nothing happens. I put the ID of another certificate into the do-loadbalancer-certificate-id annotation, but after saving, the old ID is still attached. If I remove it, the certificate ID comes back.

I can’t find a way to change or revert the Certificate ID without deleting and creating a new Load Balancer, which is bad because my production app (for example) stops responding while the DNS change hasn’t propagated yet.

As a workaround, I could create another service/LB with the correct certificate, but it’s a bit odd to do this.

Anyone had an issue like this?

Thanks!



Bobby Iliev
Site Moderator
November 13, 2024

Hey Lucas!

From what you described, it looks like you’re using the annotation service.beta.kubernetes.io/do-loadbalancer-certificate-id to set the certificate for your Load Balancer. The behavior you’re seeing—where the old certificate ID remains even after updating the annotation—might be because the certificate ID is tied to the specific Load Balancer instance, and simply changing the annotation may not force a reload of the configuration.

The good news is that DigitalOcean recently introduced an alternative annotation that might be more stable for your use case. So instead of using service.beta.kubernetes.io/do-loadbalancer-certificate-id, try using service.beta.kubernetes.io/do-loadbalancer-certificate-name.

As per the official documentation here:

service.beta.kubernetes.io/do-loadbalancer-certificate-name (available in DOKS 1.26 and later): Specifies the certificate name used for the HTTPS protocol. We recommend using this annotation because the name of a Let’s Encrypt certificate does not change when it rotates, but the ID changes each time. The name of the certificate must be unique within an account. To list available certificates and their names, install doctl and run doctl compute certificate list.

Basically, this annotation uses the certificate’s name instead of the ID, which is helpful because:

  • The ID changes every time a Let’s Encrypt certificate is renewed, but the name remains the same.
  • Using the certificate name ensures that updates are automatically picked up without needing to change the ID.

Here’s how you can adjust your Service definition:

kind: Service
apiVersion: v1
metadata:
  name: https-with-cert
  annotations:
    # Terminate TLS on the DigitalOcean Load Balancer
    service.beta.kubernetes.io/do-loadbalancer-protocol: "https"
    # Reference the certificate by name (DOKS 1.26+); the name survives Let's Encrypt renewals, the ID does not
    service.beta.kubernetes.io/do-loadbalancer-certificate-name: "your-certificate-name"
    service.beta.kubernetes.io/do-loadbalancer-disable-lets-encrypt-dns-records: "false"
spec:
  type: LoadBalancer
  selector:
    app: nginx-example
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: 80

The main change is that you will be using the certificate name; the Load Balancer should then automatically recognize the renewed certificate without you needing to update the annotation every time the certificate is rotated.

If the above solution doesn’t work immediately, you might need to:

  1. Temporarily create a new Load Balancer with the updated certificate.
  2. Switch over your traffic to the new Load Balancer.

For more details on using the annotations, check out the DigitalOcean docs here:

DigitalOcean Load Balancer Annotations

Let me know if this helps!

- Bobby
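The switch from the ID annotation to the name annotation described in the answer above, as an added example that is not part of the original thread and not DigitalOcean's own tooling. It takes the output of doctl compute certificate list --output json and kubectl get svc -o json (both embedded here as constructed sample data with invented IDs and names; the doctl field names id, name, type, state, dns_names and not_after are assumed), resolves the certificate the Service currently points at, refuses to proceed if certificate names are not unique in the account, and produces both the migrated Service object and the equivalent kubectl annotate command. It also handles the failure mode the question ran into: an ID annotation that no longer matches any certificate because the Let's Encrypt certificate has rotated.

```python
import json
from collections import Counter

# Annotation keys handled by DigitalOcean's cloud controller manager (from the thread above).
ID_ANNOTATION = "service.beta.kubernetes.io/do-loadbalancer-certificate-id"
NAME_ANNOTATION = "service.beta.kubernetes.io/do-loadbalancer-certificate-name"

# Constructed sample of `doctl compute certificate list --output json`.
# IDs, names and dates are invented; field names are assumed to match doctl's JSON output.
DOCTL_CERTIFICATES = json.loads("""
[
  {"id": "0a1b2c3d-0000-4000-8000-000000000001", "name": "example-com-le",
   "type": "lets_encrypt", "state": "verified",
   "dns_names": ["example.com", "www.example.com"], "not_after": "2025-02-10T00:00:00Z"},
  {"id": "0a1b2c3d-0000-4000-8000-000000000002", "name": "api-example-com",
   "type": "custom", "state": "verified",
   "dns_names": ["api.example.com"], "not_after": "2026-01-01T00:00:00Z"}
]
""")

# Constructed sample of `kubectl get svc https-with-cert -o json`, trimmed to the fields
# this check reads. The annotation still carries a certificate ID.
SERVICE = json.loads("""
{
  "apiVersion": "v1", "kind": "Service",
  "metadata": {"name": "https-with-cert", "namespace": "default",
    "annotations": {
      "service.beta.kubernetes.io/do-loadbalancer-protocol": "https",
      "service.beta.kubernetes.io/do-loadbalancer-certificate-id": "0a1b2c3d-0000-4000-8000-000000000001"}},
  "spec": {"type": "LoadBalancer"}
}
""")


def certs_by_name(certs):
    """Index certificates by name. The name annotation is only unambiguous if each
    name appears once in the account, so duplicates are an error, not a warning."""
    counts = Counter(c["name"] for c in certs)
    dupes = sorted(n for n, k in counts.items() if k > 1)
    if dupes:
        raise ValueError(f"certificate names are not unique in this account: {dupes}")
    return {c["name"]: c for c in certs}


def resolve_certificate(service, certs):
    """Return the certificate object the Service currently references, by name or by ID."""
    ann = service["metadata"].get("annotations", {})
    by_name = certs_by_name(certs)
    if NAME_ANNOTATION in ann:
        name = ann[NAME_ANNOTATION]
        if name not in by_name:
            raise LookupError(f"no certificate named {name!r} in this account")
        return by_name[name]
    if ID_ANNOTATION in ann:
        cert_id = ann[ID_ANNOTATION]
        for c in certs:
            if c["id"] == cert_id:
                return c
        # A Let's Encrypt certificate gets a fresh ID on every renewal, so an ID
        # annotation that no longer matches anything is the expected stale state.
        raise LookupError(f"certificate ID {cert_id} not found; it may have rotated, "
                          "pick the certificate by name instead")
    raise LookupError("Service has neither a certificate-id nor a certificate-name annotation")


def migrate_to_name_annotation(service, certs):
    """Return a copy of the Service with the ID annotation replaced by the name annotation.
    The input object is left untouched so a caller can diff old against new."""
    cert = resolve_certificate(service, certs)
    migrated = json.loads(json.dumps(service))  # cheap deep copy of plain JSON data
    ann = migrated["metadata"].setdefault("annotations", {})
    ann.pop(ID_ANNOTATION, None)
    ann[NAME_ANNOTATION] = cert["name"]
    return migrated


def kubectl_annotate_command(service, certs):
    """The kubectl invocation that applies the same change to the live object. Removing
    the ID key (trailing '-') and setting the name key in one call avoids a window in
    which the Service carries neither annotation."""
    cert = resolve_certificate(service, certs)
    md = service["metadata"]
    return (f"kubectl -n {md.get('namespace', 'default')} annotate svc {md['name']} --overwrite "
            f"{ID_ANNOTATION}- {NAME_ANNOTATION}={cert['name']}")


if __name__ == "__main__":
    print(json.dumps(migrate_to_name_annotation(SERVICE, DOCTL_CERTIFICATES)["metadata"]["annotations"], indent=2))
    print(kubectl_annotate_command(SERVICE, DOCTL_CERTIFICATES))
```

Run it against real data by piping the two commands' JSON output into the two loaders instead of the embedded samples. Once the name annotation is in place, a later Let's Encrypt renewal changes only the certificate's ID, which this check no longer depends on.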
