By Lucas Souza
Hi.
I’m having issues with the Load Balancer in my Cluster/services.
I have created a certificate through the DO Control Panel (using Let’s Encrypt), used `doctl compute certificate list` to get the ID and attached it to the `service.beta.kubernetes.io/do-loadbalancer-certificate-id` annotation from my Service.
It worked as it should. SSL responds correctly, but if I need to change the certificate from my LB, nothing happens. I put the ID from another certificate into the `do-loadbalancer-certificate-id` annotation, but after saving, the old ID is still attached. If I remove it, the certificate ID comes back.
I can’t find a way to change or revert the Certificate ID without deleting and creating a new Load Balancer, which is bad because my production app (for example) stops responding while the DNS hasn’t propagated yet.
As a workaround, I could create another service/LB with the correct certificate, but it’s a bit odd to do this.
Has anyone had an issue like this?
Thanks!
Hey Lucas!
From what you described, it looks like you’re using the annotation `service.beta.kubernetes.io/do-loadbalancer-certificate-id` to set the certificate for your Load Balancer. The behavior you’re seeing—where the old certificate ID remains even after updating the annotation—might be because the certificate ID is tied to the specific Load Balancer instance, and simply changing the annotation may not force a reload of the configuration.
The good news is that DigitalOcean recently introduced an alternative annotation that might be more stable for your use case. So instead of using `service.beta.kubernetes.io/do-loadbalancer-certificate-id`, try using `service.beta.kubernetes.io/do-loadbalancer-certificate-name`.
As per the official documentation here:
> `service.beta.kubernetes.io/do-loadbalancer-certificate-name` (available in DOKS 1.26 and later): Specifies the certificate name used for the HTTPS protocol. We recommend using this annotation because the name of a Let’s Encrypt certificate does not change when it rotates, but the ID changes each time. The name of the certificate must be unique within an account. To list available certificates and their names, install doctl and run `doctl compute certificate list`.
Basically, this annotation uses the certificate’s name instead of the ID, which is helpful because:
Here’s how you can adjust your Service definition:

```yaml
kind: Service
apiVersion: v1
metadata:
  name: https-with-cert
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-protocol: "https"
    service.beta.kubernetes.io/do-loadbalancer-certificate-name: "your-certificate-name"
    service.beta.kubernetes.io/do-loadbalancer-disable-lets-encrypt-dns-records: "false"
spec:
  type: LoadBalancer
  selector:
    app: nginx-example
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: 80
```

The main change is that you will be using the certificate name; the Load Balancer should then automatically recognize the renewed certificate without you needing to update the annotation every time the certificate is rotated.
If the above solution doesn’t work immediately, you might need to:
For more details on using the annotations, check out the DigitalOcean docs here:
Let me know if this helps!
- Bobby
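Two checks that go with the answer above, as an added example (this is not code from the thread or from DigitalOcean, and it uses only the Python standard library): `lint_lb_annotations` flags a Service that pins the certificate by `certificate-id`, which is exactly the pattern that breaks when a Let’s Encrypt certificate rotates and gets a new ID, and `fetch_peer_cert` plus `certificate_matches` confirm which certificate the Load Balancer is actually serving after you change the annotation, by comparing the live certificate’s SANs, serial and expiry with what you expect. The hostname, serial number and sample certificate dict are constructed placeholders, not values from the thread.

```python
"""Checks for a DOKS Service that fronts a DigitalOcean Load Balancer with TLS.

Added example (not from the thread). Standard library only. The sample
annotations, certificate and serial below are constructed placeholders.
"""
import datetime as dt
import socket
import ssl
from typing import Dict, List, Optional

ANNOTATION_PREFIX = "service.beta.kubernetes.io/do-loadbalancer-"


def lint_lb_annotations(annotations: Dict[str, str]) -> List[str]:
    """Return warnings about how a Service pins its Load Balancer certificate."""
    warnings = []
    by_id = ANNOTATION_PREFIX + "certificate-id" in annotations
    by_name = ANNOTATION_PREFIX + "certificate-name" in annotations
    if by_id and by_name:
        warnings.append("both certificate-id and certificate-name are set; keep only certificate-name")
    elif by_id:
        warnings.append(
            "certificate-id pins a single certificate ID; a Let's Encrypt renewal gets a new ID, "
            "so prefer " + ANNOTATION_PREFIX + "certificate-name (DOKS 1.26 and later)"
        )
    return warnings


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a TLS connection verified against the system CA store and return the
    peer certificate in the dict layout produced by ssl.SSLSocket.getpeercert()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def summarize_cert(cert: dict, now: Optional[dt.datetime] = None) -> dict:
    """Reduce a getpeercert() dict to the fields that matter when checking a rotation."""
    now = now or dt.datetime.now(dt.timezone.utc)
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    # getpeercert() gives dates as "May 30 00:00:00 2025 GMT"; ssl converts them for us.
    not_after = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), dt.timezone.utc)
    return {
        "common_name": subject.get("commonName"),
        "issuer": issuer.get("organizationName"),
        "sans": sans,
        "serial": (cert.get("serialNumber") or "").upper(),
        "not_after": not_after.isoformat(),
        "days_left": (not_after - now).days,
    }


def certificate_matches(cert: dict, expected_host: str, expected_serial: Optional[str] = None,
                        min_days_left: int = 7, now: Optional[dt.datetime] = None) -> List[str]:
    """Return the problems found; an empty list means the served certificate is the expected one."""
    s = summarize_cert(cert, now)
    problems = []
    if expected_host not in s["sans"] and s["common_name"] != expected_host:
        problems.append(f"{expected_host} is not covered (CN={s['common_name']}, SANs={s['sans']})")
    if expected_serial and s["serial"] != expected_serial.upper():
        problems.append(f"serial {s['serial']} != expected {expected_serial.upper()}: old certificate still attached?")
    if s["days_left"] < min_days_left:
        problems.append(f"certificate expires in {s['days_left']} days")
    return problems


# Constructed sample data: the ID-pinned Service from the question, and a certificate
# dict in the exact layout getpeercert() returns (placeholder names and serial).
SAMPLE_ANNOTATIONS = {
    ANNOTATION_PREFIX + "protocol": "https",
    ANNOTATION_PREFIX + "certificate-id": "00000000-0000-0000-0000-000000000000",  # placeholder
}
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    "serialNumber": "04ABCDEF0123",
    "notBefore": "Mar  1 00:00:00 2025 GMT",
    "notAfter": "May 30 00:00:00 2025 GMT",
}
SAMPLE_NOW = dt.datetime(2025, 5, 1, tzinfo=dt.timezone.utc)

if __name__ == "__main__":
    import sys
    for warning in lint_lb_annotations(SAMPLE_ANNOTATIONS):
        print("manifest:", warning)
    # Pass a hostname to inspect a live Load Balancer; otherwise the constructed sample is used.
    host = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_peer_cert(host) if host else SAMPLE_CERT
    print(summarize_cert(cert))
    print(certificate_matches(cert, host or "example.com") or "served certificate looks as expected")
```

Run it as `python check_lb_cert.py your.domain.example` right after switching the annotation: if the serial is still the old one, the controller has not picked up the change, and if the expected hostname is missing from the SANs, the wrong certificate (or the wrong name) was attached. Passing `expected_serial` taken from the new certificate makes the check unambiguous, since a renewed Let’s Encrypt certificate keeps its name and SANs but always gets a new serial.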