Issues with DO Kubernetes, Load Balancers and SSL

Question

Hi.

I’m having issues with the Load Balancer in my Cluster/services.

I have created a certificate through the DO Control Panel (using Let’s Encrypt), used doctl compute certificate list to get the ID and attached to the service.beta.kubernetes.io/do-loadbalancer-certificate-id annotation from my Service.

It worked as it should. SSL responds correctly, but if I need to change the certificate from my LB, nothing happens. I put the ID from another certificate into the do-loadbalancer-certificate-id annotation but after saving, the old ID is still attached. If I remove, the certificate ID comes back.

I can’t find a way to change or revert the Certificate ID without deleting and creating a new Load Balancer, which it’s bad because my production app (for example) stops responding while the DNS doesn’t propagate yet.

As a workaround, I could create another service/LB with the correct certificate, but it’s a bit odd to do this.

Anyone had an issue like this?

Thanks!

Bobby · Answer

Hey Lucas!

From what you described, it looks like you’re using the annotation service.beta.kubernetes.io/do-loadbalancer-certificate-id to set the certificate for your Load Balancer. The behavior you’re seeing—where the old certificate ID remains even after updating the annotation—might be because the certificate ID is tied to the specific Load Balancer instance, and simply changing the annotation may not force a reload of the configuration.

The good news is that DigitalOcean recently introduced an alternative annotation that might be more stable for your use case. So instead of using service.beta.kubernetes.io/do-loadbalancer-certificate-id, try using service.beta.kubernetes.io/do-loadbalancer-certificate-name.

As per the official documentation here:

service.beta.kubernetes.io/do-loadbalancer-certificate-name (available in DOKS 1.26 and later): Specifies the certificate name used for the HTTPS protocol. We recommend using this annotation because the name of a Let’s Encrypt certificate does not change when it rotates, but the ID changes each time. The name of the certificate must be unique within an account. To list available certificates and their names, install doctl and run doctl compute certificate list.

Basically, this annotation uses the certificate’s name instead of the ID, which is helpful because:

The ID changes every time a Let’s Encrypt certificate is renewed, but the name remains the same.
Using the certificate name ensures that updates are automatically picked up without needing to change the ID.

Here’s how you can adjust your Service definition:

kind: Service
apiVersion: v1
metadata:
  name: https-with-cert
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-protocol: "https"
    service.beta.kubernetes.io/do-loadbalancer-certificate-name: "your-certificate-name"
    service.beta.kubernetes.io/do-loadbalancer-disable-lets-encrypt-dns-records: "false"
spec:
  type: LoadBalancer
  selector:
    app: nginx-example
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: 80

The main change is that you will be using the certificate name, the Load Balancer should automatically recognize the renewed certificate without you needing to update the annotation every time the certificate is rotated.

If the above solution doesn’t work immediately, you might need to: