
How to Use Let's Encrypt with DigitalOcean Load Balancers

Posted May 8, 2018

DigitalOcean has a mission to provide the simplest cloud infrastructure for developers. With that in mind, the Load Balancer aims to balance both simplicity and enough performance and features so that the majority of applications can make use of the product.

In this article, we'll focus on how to create free SSL certificates using Let's Encrypt to secure connections to the Load Balancer.

Let's Encrypt and DigitalOcean Load Balancers at a Glance

  • Cost: Free. There is no additional cost to use Let's Encrypt with DigitalOcean Load Balancers. For current Load Balancer pricing, see An Introduction to DigitalOcean Load Balancers.

  • Regional Availability: You can use Let's Encrypt certificates with Load Balancers in all DigitalOcean regions and data centers.

  • Supported Protocols: You can use certificates with both HTTPS and HTTP/2.

  • Certificate Renewal: Let's Encrypt certificates on Load Balancers are fully managed and automatically renewed on your behalf every 60 days.

Limits:

  • DNS must be managed on DigitalOcean.

    Let's Encrypt certificates are issued for domain names, not IP addresses. For DigitalOcean to manage DNS records and Let's Encrypt certificates on Load Balancers on your behalf, the domain's DNS records must be managed on DigitalOcean. You can learn more about setting up DNS in An Introduction to DigitalOcean DNS and How to Point to DigitalOcean Nameservers from Common Domain Registrars.

  • SSL termination only.

    DigitalOcean does not install or maintain certificates on our unmanaged services. Because SSL passthrough requires certificates on the Droplets themselves, and because Droplets are not managed by DigitalOcean, automatic certificate management isn't available. How To Configure SSL Passthrough on DigitalOcean Load Balancers explains how to use Let's Encrypt with SSL passthrough.

  • Wildcard certificates are not supported.

    Let's Encrypt added wildcard certificate support in March of 2018. These wildcard certificates are not supported, and Let's Encrypt continues to recommend non-wildcard certificates for most use cases.

  • Let's Encrypt imposes rate limits.

    Let's Encrypt imposes the following rate limits to ensure fair usage:

    • 20 certificates per registered domain per week
    • 100 names per certificate
    • 5 duplicate domain certificates per week

There are more details available on the Let's Encrypt rate limits page.

Setting Up Load Balancers and Let's Encrypt

Setting up your domain name, Droplets, Load Balancer, and Let's Encrypt certificates in the following order will give you the most direct route to success.

Move Your DNS to DigitalOcean

You can use Load Balancers and Droplets by IP address, without assigning a domain name. To use Let's Encrypt certificates, however, you'll need a domain that uses DigitalOcean's name servers and whose DNS records are managed in the DigitalOcean Control Panel.

We recommend transferring domains in this order:

  1. Add the domain in the DigitalOcean Control Panel.
  2. Recreate your existing DNS records on DigitalOcean, if any.
  3. Change your domain's name servers with your registrar.

When you're done, test that the new records are working as expected.

Set up Your Droplets, Load Balancer, and Domain Names

There are several ways you can set up these components, but generally, we recommend this order:

  1. Create, tag, and test the Droplets you plan to balance.
  2. Create a Load Balancer and add the Droplets. Test again.
  3. Create the DNS record(s) you plan to use with the certificate, pointing them at the Load Balancer.
  4. Edit the Load Balancer and add the HTTPS or HTTP2 forwarding rule.

When you've added the rule, test that you can securely access your site at the domains.

Creating a New Certificate

Let's Encrypt certificates are created and added to your Load Balancer when you add a forwarding rule for HTTPS or HTTP/2. You can create certificates for A, CNAME and AAAA records.

You can configure forwarding rules from the main Create Load Balancer Screen or from an individual Load Balancer's Settings page.

To create a certificate, select either HTTPS or HTTP2 from the Load Balancer's New rule menu.

[Image: New Rule menu with HTTPS2 highlighted]
When you do, a new certificate dropdown menu appears.

Then, choose +New certificate. The base domain is selected by default.
[Image: New Certificate dialogue]

Then choose the domain:
[Image: Choose the domain]

Select the domain(s) and name the certificate. The name can contain alphanumeric characters, dashes, and periods only.
[Image: Generate Certificate is activated when the name for the certificate is entered]

When you select the base domain, a new A record is automatically created that points to the Load Balancer. If you already have an A record in place, this means you will have two A records: one pointing to the original location and one pointing to the Load Balancer.

Records for subdomains are not created or changed automatically, so if they do not already point at the Load Balancer, you'll need to update them on the Networking section's Domains tab.

When you're ready, click Generate Certificate. While the certificate is being issued, a (pending) status is displayed:
[Image: Certificate is pending, Save is not active]

Once the certificate has been created, the pending status is removed, and you can save the forwarding rule.
[Image: Certificate has been created, Save is active]

As soon as you save the forwarding rule, it is active and you can begin testing. If your certificate does not complete, see the Troubleshooting section for tips.
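As an added example that is not part of the original tutorial, the following Python script automates the testing step above. It checks that the domain is delegated to DigitalOcean's name servers, that the hostname's A record points at the Load Balancer (flagging the stale duplicate A record described above), and that the served certificate is issued by Let's Encrypt, covers the hostname, and is not overdue for renewal. The 30-day threshold is an assumption derived from Let's Encrypt's 90-day validity and the 60-day renewal cycle; `fetch_live` needs network access and the `dig` tool, while the `check_*` functions work on already-fetched data.

```python
import ipaddress
import socket
import ssl
import subprocess
import time

DO_NAMESERVERS = {"ns1.digitalocean.com", "ns2.digitalocean.com", "ns3.digitalocean.com"}  # DigitalOcean's name servers

def check_nameservers(ns_records):
    """True only if every NS record is a DigitalOcean name server (the Load Balancer needs that)."""
    names = {ns.rstrip(".").lower() for ns in ns_records}
    return bool(names) and names <= DO_NAMESERVERS

def check_a_records(a_records, lb_ip):
    """'ok', 'not-pointed' (no record at the LB) or 'duplicate' (a stale record sits beside the LB one)."""
    ips = {r for r in a_records if _is_ip(r)}  # dig +short on a CNAME also prints the target name
    if lb_ip not in ips:
        return "not-pointed"
    return "duplicate" if len(ips) > 1 else "ok"

def check_certificate(cert, hostname, now=None):
    """cert is the dict from SSLSocket.getpeercert(); returns a list of problems (empty means fine)."""
    now = time.time() if now is None else now
    problems = []
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if issuer.get("organizationName") != "Let's Encrypt":
        problems.append("issuer is not Let's Encrypt")
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if hostname.lower() not in sans:
        problems.append(f"{hostname} is not in the certificate's SAN list")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 30:  # assumed threshold: 90-day cert renewed every 60 days, so under 30 left means renewal did not happen
        problems.append(f"only {days_left:.0f} days of validity left")
    return problems

def _is_ip(text):
    try:
        return bool(ipaddress.ip_address(text))
    except ValueError:
        return False

def fetch_live(base_domain, hostname):
    """Gathers the inputs above (needs network and dig); NS is queried at the base domain, A at the hostname."""
    def dig(rtype, name):
        out = subprocess.run(["dig", "+short", rtype, name], capture_output=True, text=True, check=True)
        return out.stdout.split()
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, 443)) as sock, ctx.wrap_socket(sock, server_hostname=hostname) as tls:
        cert = tls.getpeercert()  # only populated when the chain validated against the system trust store
    return dig("NS", base_domain), dig("A", hostname), cert
```

A typical run is `ns, a, cert = fetch_live("example.com", "www.example.com")` followed by the three checks with the Load Balancer's IP.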

The "+Add a New Domain" Option

If you have pointed your domain at DigitalOcean's name servers but you have not yet added it in the Control Panel, you can also choose to +Add a New Domain. This will automatically import your domain to the Control Panel, add DNS records, and create the certificates.

We strongly recommend that you add your domain to the DigitalOcean Control Panel prior to changing name servers with your registrar. This helps you avoid disruptions in service by creating matching records on DigitalOcean before you make the name server change, which can take up to 48 hours to take effect.

In addition, making changes in this order eliminates the unlikely possibility that another DigitalOcean account could add your domain and create records, potentially disrupting your web site, mail, or other services.

If you wish to continue:

  1. Choose Add a new certificate.

  2. Choose +Add new domain. You'll receive a warning that you need to update your Name Servers with your registrar, and be given a choice of Going Back or Continuing.

  3. Enter your domain name.

When you generate the certificate, this domain will be imported into the Control Panel for you. The base domain is selected by default and cannot be deselected. An A record pointing to the Load Balancer's IP address will be automatically created.

  4. Optionally, create and add one or more subdomains to the certificate. CNAME records that reference the A record of the base domain will be automatically created.

  5. Name the certificate. The name can contain alphanumeric characters, dashes, and periods only.

  6. Click Generate Certificate. A pending status will be displayed until the certificate has been issued.

  7. Once the certificate has been issued, Save the forwarding rule.

Using, Managing, and Deleting Existing Certificates

Existing certificates, both Let's Encrypt and custom, appear in the Certificate dropdown list.

[Image: Selecting an existing certificate]

You can assign any existing certificate to HTTPS and HTTP/2 forwarding rules.

To delete an existing certificate from the dropdown menu, remove it from your account:

  1. Open your User menu.
  2. Click Settings.
  3. Click Security.
  4. In the Certificates section, open the More menu of the certificate.
  5. Click Delete.

It will be permanently deleted within a few seconds.

Note:

  • When a certificate is in use, it cannot be deleted. You can delete the forwarding rule or edit it so that it no longer uses the certificate, then return to the Certificates tab of your user account and delete the certificate.

  • A certificate cannot be deleted until it has either been successfully issued or has failed all the retries.

Troubleshooting

If your certificate isn't issued on the first try, we will automatically retry at 20-minute intervals up to 3 times. After that, we'll send an email to your account's address letting you know that the certificate creation failed.

Next Steps

Learn more about DigitalOcean Load Balancers:

Learn more about Let's Encrypt:

