
TLS(SSL)-certificates of the load balancer

To work with HTTPS traffic, a TLS(SSL) certificate must be added to the balancer so that the balancer can decrypt HTTPS requests and use HTTP-level information (host, path, headers) for proper balancing. TLS is terminated on the balancer: the balancer decrypts the traffic and forwards it to the servers as plain HTTP, so the network between the balancer and the target servers must be trusted.

Certificates with an empty CN (Common Name) field are not supported in load balancers.

If you are using a balancer to work with a Managed Kubernetes cluster, by default the balancer is created without a TLS(SSL)-certificate and is assigned external port 80 to accept traffic. To create a balancer with a TLS(SSL) certificate and assign external port 443 to receive traffic, use the Terminate TLS Connections instruction in the Managed Kubernetes section. For the balancer to work correctly in the cluster, all actions with the balancer must be performed via kubectl.

The load balancer works with TLS(SSL)-certificates from the secret manager. You can:

The certificate is added when you create a rule for HTTP or HTTPS traffic (in the OpenStack CLI a rule is a listener). In the control panel, you can select only one TLS(SSL) certificate for a rule. Use the OpenStack CLI if you need to add multiple certificates to a rule (for example, one per domain name, selected by SNI) or add an mTLS certificate.

You can change the certificate after the rule is created:

  • replace the certificate in the load balancer rule;

  • update the user certificate in the secret manager.
    Let's Encrypt® certificates issued in the secret manager are reissued automatically. When a certificate is reissued or renewed in the manager, it is updated on the balancer automatically. Sessions using the old certificate are terminated and re-established with the new certificate within three hours of the renewal. For most protocols, re-establishing the session is transparent to end users.

Add multiple TLS(SSL)-certificates for the balancer

  1. Upload TLS(SSL)-certificates to the secret manager — issue Let's Encrypt® certificates or add custom ones. Certificates with an empty CN (Common Name) field are not supported in cloud load balancers.

  2. Open the OpenStack CLI.

  3. Add certificates — create a new rule for the load balancer (the command below) or update an existing rule with openstack loadbalancer listener set and the same certificate options:

    openstack loadbalancer listener create \
    -v --protocol-port 443 \
    --protocol TERMINATED_HTTPS \
    --name <listener_name> \
    --default-tls-container-ref <certificate_uuid_1> \
    --sni-container-refs <certificate_uuid_1> <certificate_uuid_2> \
    -- <loadbalancer>

    Specify:

    • <listener_name> — rule name;
    • <certificate_uuid_1>, <certificate_uuid_2> — the IDs of the certificates that you added to the secret manager in step 1. You can copy them from the control panel: in the top menu, click Products → Secrets Manager → tab Certificates → in the menu of the certificate, select Copy UUID;
    • <loadbalancer> — ID or name of the load balancer. The list can be viewed with the command openstack loadbalancer list.
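An added example, not from the page or the provider's own tooling: a POSIX shell script that checks certificate files for the two conditions stated above (a non-empty CN and a validity period that is not about to end) before you upload them, and wraps the openstack loadbalancer listener set call that attaches several certificates to an existing rule. The check functions run offline with openssl on constructed self-signed certificates; attach_sni_certs and served_cert are assumptions about your environment (a configured openstack CLI, a listener name, certificate UUIDs, a hostname) and run only when you call them.

```shell
#!/bin/sh
# Added example (not the page's or the provider's own code).
# Pre-checks PEM certificates for the conditions the balancer requires
# (non-empty CN, still valid), then attaches them to an existing rule
# with the OpenStack CLI. Only openssl is needed for the checks; the
# openstack CLI is needed only by attach_sni_certs, which nothing here
# calls unless you do.

# cert_has_cn FILE -> 0 if the certificate subject contains a non-empty CN.
# Certificates without a CN are rejected by the balancer.
cert_has_cn() {
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ -n "$cn" ]
}

# cert_valid_for_days FILE DAYS -> 0 if the certificate does not expire
# within DAYS days (openssl's -checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# precheck_certs FILE... -> 0 only if every file passes both checks.
precheck_certs() {
    rc=0
    for f in "$@"; do
        if ! cert_has_cn "$f"; then
            echo "REJECT $f: empty CN, the balancer will not accept it"
            rc=1
        elif ! cert_valid_for_days "$f" 30; then
            echo "WARN   $f: expires within 30 days, renew before uploading"
            rc=1
        else
            echo "OK     $f"
        fi
    done
    return $rc
}

# attach_sni_certs LISTENER DEFAULT_UUID SNI_UUID... (assumed environment:
# openstack CLI configured for the project). Updates the existing rule
# instead of creating a new one; "--" ends the multi-value option list.
attach_sni_certs() {
    listener=$1; default=$2; shift 2
    openstack loadbalancer listener set \
        --default-tls-container-ref "$default" \
        --sni-container-refs "$@" \
        -- "$listener"
}

# served_cert HOST NAME: which certificate the balancer actually presents
# for NAME (SNI), plus its expiry; run after the update to verify it took.
served_cert() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -enddate
}

# make_selfsigned PREFIX SUBJECT DAYS: constructed test certificate.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
        -subj "$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# demo: constructed inputs; one good certificate, one without a CN, one
# about to expire.
demo() {
    d=$(mktemp -d)
    make_selfsigned "$d/good"  "/CN=www.example.com/O=Example" 365
    make_selfsigned "$d/nocn"  "/O=Example" 365
    make_selfsigned "$d/short" "/CN=old.example.com" 5
    precheck_certs "$d/good.crt" "$d/nocn.crt" "$d/short.crt"
    rm -rf "$d"
}

case "${1:-}" in
    demo) demo ;;
    "")   ;;                    # no arguments: only define the functions
    *)    precheck_certs "$@" ;;
esac
```

Run `sh precheck.sh demo` to see the constructed cases, or `sh precheck.sh cert1.pem cert2.pem` against your own files; the script exits non-zero if any file would be rejected, which makes it usable as a gate in a certificate-rotation pipeline. served_cert is the check to run after attaching the certificates: it confirms which certificate the balancer returns for each SNI name and when it expires.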

Add mTLS certificate for balancer

mTLS differs from TLS in that authentication is mutual: when the connection is established, the client verifies the balancer's server certificate, and the balancer also verifies a certificate presented by the client. Two certificates are therefore involved in each session: the server certificate that the balancer presents for the rule, and the client certificate that the incoming request presents, which the balancer checks against the CA certificate you upload.

  1. Load the CA certificate that will be used to authenticate incoming requests to the balancer into the secret manager — add it as a custom certificate.

  2. Upload the server certificate that the balancer presents on this rule to the secret manager: issue a Let's Encrypt® certificate or add a custom one.

  3. Open the OpenStack CLI.

  4. Create a rule with an mTLS certificate:

    openstack loadbalancer listener create \
    -v --protocol-port 443 \
    --protocol TERMINATED_HTTPS \
    --name <listener_name> \
    --client-authentication MANDATORY \
    --client-ca-tls-container-ref <certificate_uuid_1> \
    --default-tls-container-ref <certificate_uuid_2> \
    -- <loadbalancer>

    Specify:

    • <listener_name> — rule name;
    • <certificate_uuid_1> — the ID of the CA certificate that you added to the secret manager in step 1. You can copy it from the control panel: in the top menu, click Products → Secrets Manager → tab Certificates → in the menu of the certificate, select Copy UUID;
    • <certificate_uuid_2> — the ID of the server certificate that you added to the secret manager in step 2. You can copy it from the control panel in the same way;
    • <loadbalancer> — ID or name of the load balancer. The list can be viewed with the command openstack loadbalancer list.
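An added example, not from the page or the Octavia project: a POSIX shell script that reproduces offline, with openssl, the check a rule created with --client-authentication MANDATORY performs on every handshake (the client certificate must chain to the CA uploaded as --client-ca-tls-container-ref), using a constructed CA, a client certificate it issued and one from an unrelated CA. create_mtls_listener and probe_listener are assumptions about your environment (a configured openstack CLI, a balancer name, certificate UUIDs, a hostname) and run only when you call them.

```shell
#!/bin/sh
# Added example (not the page's or the Octavia project's own code).
# Reproduces offline, with openssl, the check a rule created with
# --client-authentication MANDATORY performs on every handshake: the
# client certificate must chain to the CA certificate uploaded as
# --client-ca-tls-container-ref. The openstack CLI is used only by
# create_mtls_listener, which nothing here calls unless you do.

# make_ca DIR NAME: self-signed CA. ca.crt is what you upload to the secret
# manager as the client CA; ca.key stays with whoever issues client certs.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_client_cert DIR CA_PREFIX NAME: key pair plus certificate for one
# client, signed by CA_PREFIX.key (CSR in, certificate out).
issue_client_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -days 365 -sha256 -out "$1/$3.crt" 2>/dev/null
}

# client_cert_accepted CA_CRT CLIENT_CRT -> 0 if CLIENT_CRT was issued by
# the CA in CA_CRT (signature, validity period and chain), which is the
# condition the balancer enforces before forwarding the request.
client_cert_accepted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# create_mtls_listener LB NAME CA_UUID SERVER_UUID (assumed environment:
# openstack CLI configured; UUIDs copied from the secret manager).
create_mtls_listener() {
    openstack loadbalancer listener create \
        --protocol-port 443 \
        --protocol TERMINATED_HTTPS \
        --name "$2" \
        --client-authentication MANDATORY \
        --client-ca-tls-container-ref "$3" \
        --default-tls-container-ref "$4" \
        -- "$1"
}

# probe_listener HOST CLIENT_PREFIX: end-to-end check against a live rule.
# Run it once more without -cert/-key: the handshake must then fail.
probe_listener() {
    openssl s_client -connect "$1:443" -servername "$1" \
        -cert "$2.crt" -key "$2.key" </dev/null
}

# demo: two CAs; only a certificate from the uploaded CA is accepted.
demo() {
    d=$(mktemp -d)
    mkdir "$d/ours" "$d/other"
    make_ca "$d/ours"  "Example Client CA"
    make_ca "$d/other" "Unrelated CA"
    issue_client_cert "$d/ours"  "$d/ours/ca"  alice
    issue_client_cert "$d/other" "$d/other/ca" mallory
    for c in "$d/ours/alice.crt" "$d/other/mallory.crt"; do
        if client_cert_accepted "$d/ours/ca.crt" "$c"; then
            echo "ACCEPT $c"
        else
            echo "REJECT $c (not issued by the uploaded CA)"
        fi
    done
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

`sh mtls.sh demo` prints one ACCEPT and one REJECT. The point of the second CA is the one that matters in practice: the balancer does not check that a client certificate is "valid" in general, only that it chains to the specific CA you uploaded, so a private CA whose key is kept off the balancer is what makes the client certificate a credential.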

Replace TLS(SSL)-certificate in the balancer rule

If the TLS(SSL) certificate attached to a load balancer rule with the HTTPS protocol is about to expire, replace it with a certificate that has a later expiration date. Do this before the old certificate expires, otherwise clients will get certificate errors until the replacement is in place.

  1. Add a new custom certificate to the secret manager.

  2. In the dashboard, on the top menu, click Products and select Cloud Servers.

  3. Go to Balancers → the Balancers tab.

  4. Open the balancer page.

  5. Open the rule card.

  6. In the TLS Certificate line, click the edit icon.

  7. Select a new certificate. Certificates with an empty CN (Common Name) field are not supported in Cloud Load Balancers.

  8. Confirm the change.