How to Set Up Let's Encrypt Certificates

Setting up your domain name, Droplets, Load Balancer, and Let’s Encrypt certificates in the following order will give you the most direct route to success.

Move Your DNS to DigitalOcean

You can use Load Balancers and Droplets by IP address, without assigning a domain name. To use Let’s Encrypt certificates, however, you’ll need a domain that uses DigitalOcean’s name servers and whose DNS records are managed in the DigitalOcean Control Panel.

We recommend transferring domains in this order:

  1. Add the domain in the DigitalOcean Control Panel.
  2. Recreate your existing DNS records on DigitalOcean, if any.
  3. Change your domain’s name servers with your registrar.

When you’re done, test that the new records are working as expected.

Set up Your Droplets, Load Balancer, and Domain Names

There are several ways you can set up these components, but generally, we recommend this order:

  1. Create, tag, and test the Droplets you plan to balance.
  2. Create a Load Balancer and add the Droplets. Test again.
  3. Create the DNS record(s) you plan to use with the certificate, pointing them at the Load Balancer.
  4. Edit the Load Balancer and add the HTTPS or HTTP2 forwarding rule.

When you’ve added the rule, test that you can reach your site securely at each of the domains.

Let’s Encrypt Certificates

Let’s Encrypt certificates are created and added to your Load Balancer when you add a forwarding rule for HTTPS or HTTP/2. You can create certificates for A, CNAME and AAAA records.

You can configure forwarding rules from the main Create Load Balancer Screen or from an individual Load Balancer’s Settings page.

To create a certificate, select either HTTPS or HTTP2 from the Load Balancer’s New rule menu.

When you do, a new certificate dropdown menu appears.

Then, choose +New certificate. The base domain is selected by default.

Then choose the domain.

Select the domain(s) and name the certificate. The name can contain alphanumeric characters, dashes, and periods only.

When you select the base domain, a new A record is automatically created that points to the Load Balancer. If you already have an A record in place, this means you will have two A records: one pointing to the original location and one pointing to the Load Balancer. To avoid multiple A records, de-select the base domain.

Records for subdomains are not created or changed automatically, so if they do not already point at the Load Balancer, you’ll need to update them on the Networking section’s Domains tab.
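The record checks described above can be run as a pre-flight step before you generate the certificate. This is an added example, not DigitalOcean's code: the record layout, `LB_IP`, and the function names `resolve` and `preflight` are assumptions for illustration, and the zone data is constructed.

```python
import re

# Constructed sample zone for one domain ("@" = base domain). All values are
# made up; the type/name/data layout is an assumption for this example.
LB_IP = "203.0.113.10"
RECORDS = [
    {"type": "A", "name": "@", "data": "198.51.100.7"},    # original location
    {"type": "A", "name": "@", "data": "203.0.113.10"},    # auto-created for the LB
    {"type": "CNAME", "name": "www", "data": "@"},
    {"type": "A", "name": "api", "data": "198.51.100.7"},  # still points elsewhere
]

CERT_NAME_RE = re.compile(r"[A-Za-z0-9.-]+")  # alphanumerics, dashes, periods only


def resolve(name, records, depth=0):
    """Return the addresses a name maps to inside this zone, following CNAMEs."""
    if depth > 8:  # guard against CNAME loops
        return set()
    addrs = set()
    for r in records:
        if r["name"] != name:
            continue
        if r["type"] in ("A", "AAAA"):
            addrs.add(r["data"])
        elif r["type"] == "CNAME":
            addrs |= resolve(r["data"], records, depth + 1)
    return addrs


def preflight(cert_name, hosts, records, lb_ip):
    """List problems to fix before relying on the certificate's forwarding rule."""
    problems = []
    if not CERT_NAME_RE.fullmatch(cert_name):
        problems.append(f"certificate name {cert_name!r} has disallowed characters")
    for host in hosts:
        addrs = resolve(host, records)
        if not addrs:
            problems.append(f"{host}: no record")
        elif lb_ip not in addrs:
            problems.append(f"{host}: does not point at the Load Balancer")
        elif len(addrs) > 1:
            problems.append(f"{host}: multiple addresses {sorted(addrs)}")
    return problems


if __name__ == "__main__":
    for p in preflight("example.com-cert", ["@", "www", "api"], RECORDS, LB_IP):
        print(p)
```

With the sample zone, the base domain and `www` (which follows the base domain's records) are flagged for having two addresses, and `api` is flagged for not pointing at the Load Balancer.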

When you’re ready, click Generate Certificate. While the certificate is being issued, a (pending) status is displayed. Once the certificate has been created, the pending status is removed, and you can save the forwarding rule.

As soon as you save the forwarding rule, it is active and you can begin testing. If your certificate does not complete, see the Troubleshooting section for tips.

The “+Add a New Domain” Option

If you have pointed your domain at DigitalOcean’s name servers but you have not yet added it in the Control Panel, you can also choose to +Add a New Domain. This will automatically import your domain to the Control Panel, add DNS records, and create the certificates.

We strongly recommend that you add your domain to the DigitalOcean Control Panel prior to changing name servers with your registrar. This helps you avoid disruptions in service by creating matching records on DigitalOcean before you make the name server change, which can take up to 48 hours to take effect.

In addition, making changes in this order eliminates the unlikely possibility that another DigitalOcean account could add your domain and create records, potentially disrupting your web site, mail, or other services.

If you wish to continue:

  1. Choose Add a new certificate.

  2. Choose +Add new domain. You’ll receive a warning that you need to update your Name Servers with your registrar, and be given a choice of Going Back or Continuing.

  3. Enter your domain name.

When you generate the certificate, this domain will be imported into the Control Panel for you. The base domain is selected by default and cannot be deselected. An A record pointing to the Load Balancer’s IP address will be automatically created.

  4. Optionally, create and add one or more subdomains to the certificate. CNAME records that reference the A record of the base domain will be automatically created.

  5. Name the certificate. The name can contain alphanumeric characters, dashes, and periods only.

  6. Click Generate Certificate. A pending status will be displayed until the certificate has been issued.

  7. Once the certificate has been issued, Save the forwarding rule.