Configuring a secure Load Balancer with Let's Encrypt – Support Guides

Learn how to configure a secure Public Cloud Load Balancer with Let's Encrypt.

Our Public Cloud Load Balancer is based on OpenStack Octavia and is fully integrated into the Public Cloud universe.

After setting up your Load Balancer, you can configure it with a certificate to process HTTPS connections.

Requirements

A Public Cloud project in your OVHcloud account
Preparing your environment for using the OpenStack API
OpenStack Octavia client and OpenStack Barbican setup
A Load Balancer running in your project

If you are not yet familiar with creating a Load Balancer, please follow our Getting started with Load Balancer on Public Cloud guide before you continue with this tutorial.

Instructions

Creating an instance for Let's Encrypt

You can create an instance in your project in the region where your Load Balancer is located. Read about the details in our guide if necessary. The d2-2 instance type will be sufficient for this operation. We recommend that you use Ubuntu as your operating system.

Once you have created your instance, you can refer to the Let's Encrypt documentation to install Certbot.

Attaching a Floating IP address to a Load Balancer

This is how to attach a Floating IP address to a Load Balancer:

openstack floating ip create Ext-Net
openstack floating ip set --port <my_load_balancer_vip_port_id> <floating_ip>

To retrieve the VIP port ID of your Load Balancer, use openstack loadbalancer show my_load_balancer.

Please note that you must add an A record in the DNS Zone of your domain name that points to the Floating IP.

Configuring your Load Balancer

In this step, create a first Listener that will listen on port 80 (HTTP) and will take care of redirecting HTTP to HTTPS. It will also contain a redirection rule to the Let's Encrypt instance for certificate verification.

openstack loadbalancer listener create --protocol-port 80 --protocol HTTP --name http-listener my_load_balancer

openstack loadbalancer pool create --name pool-letsencrypt --lb-algorithm ROUND_ROBIN --listener http-listener --protocol HTTP

openstack loadbalancer member create --subnet-id my_subnet --address <private_ip_letsencrypt_instance>  --protocol-port 80 pool-letsencrypt

We will now create the redirection rules:

openstack loadbalancer l7policy create --action REDIRECT_TO_POOL --redirect-pool pool-letsencrypt --name letsencrypt-redirection http-listener --position 1
openstack loadbalancer l7rule create --compare-type STARTS_WITH --type PATH --value /.well-known/acme-challenge letsencrypt-redirection

Generating a certificate

From the Let's Encrypt instance, you can now launch the certificate generation.

ubuntu@letsencrypt:~$ sudo certbot certonly -d <domain.tld> --standalone -m <email> --agree-tos

Once the process is completed, your certificate will be located in /etc/letsencrypt/live/domain.tld. You will then need to merge the certificate with its certificate private key:

ubuntu@letsencrypt:~$ sudo cat /etc/letsencrypt/live/domain.tld/fullchain.pem /etc/letsencrypt/live/domain.tld/privkey.pem | sudo tee /etc/ssl/domain.tld.pem

Now that you have your certificate, you can add a Secure Listener and associate a pool and its members with it:

ubuntu@letsencrypt:~$ sudo openssl pkcs12 -export -inkey /etc/ssl/domain.tld.pem -in /etc/ssl/domain.tld.pem -out /etc/ssl/domain.tld.p12

You have to download this file directly to your local device to send it to OpenStack Barbican ("Secret as a Service").

openstack secret store --name='LetsEncrypt-cert-domain.tld' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < domain.tld.p12)"

Configuring the secure Listener on the Load Balancer

With your certificate now created, you can add a secure Listener:

openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name https-listener --default-tls-container=$(openstack secret list | awk '/ LetsEncrypt-cert-domain.tld / {print $2}') my_load_balancer

openstack loadbalancer pool create --name pool-tls --lb-algorithm ROUND_ROBIN --listener https-listener --protocol HTTP

openstack loadbalancer member create --subnet-id my_subnet --address <private_ip_instance_1> --protocol-port 80 pool-tls

openstack loadbalancer member create --subnet-id my_subnet --address <private_ip_instance_2> --protocol-port 80 pool-tls

You can now securely access your Load Balancer with Let's Encrypt. Be aware that you will need to renew the certificate every three months.

Go further

For more information and tutorials, please see our other Public Cloud support guides or explore the guides for other OVHcloud products and services.