
Load Balancer TLS(SSL) Certificates

To work with HTTPS traffic, you must add a TLS(SSL) certificate to the load balancer so that it can decrypt HTTPS requests and use HTTP protocol information (host, path, headers) for proper load balancing. TLS termination occurs on the load balancer, which then forwards the decrypted traffic to the servers over plain HTTP.

Certificates with an empty CN (Common Name) field are not supported in load balancers.

If you use a load balancer for a Managed Kubernetes cluster, by default the load balancer is created without a TLS(SSL) certificate, and external port 80 is assigned to receive traffic. To create a load balancer with a TLS(SSL) certificate and assign external port 443 to receive traffic, use the Terminate TLS connections guide in the Managed Kubernetes section. For the load balancer to work correctly in the cluster, all actions with the load balancer must be performed via kubectl.

A load balancer works with TLS(SSL) certificates from the Certificate Manager. You can:

A certificate is added when creating a rule for HTTP or HTTPS traffic. In the Control panel, you can select only one TLS(SSL) certificate for a rule. Use the OpenStack CLI if you need to add multiple certificates to a rule or add an mTLS certificate.

You can change the certificate after creating a rule:

  • replace the certificate in a load balancer rule;

  • update a custom certificate in the Certificate Manager.
    Let's Encrypt® certificates issued in the Certificate Manager are reissued automatically. When a certificate is reissued or updated in the manager, it is automatically updated on the load balancer. Sessions with the old certificate will be terminated and re-established with the new certificate within three hours of the certificate update. For most protocols, the re-establishment of sessions is transparent to end users.

Add multiple TLS(SSL) certificates for a load balancer

  1. Upload TLS(SSL) certificates to the Certificate Manager — issue Let's Encrypt® certificates or add custom ones. Certificates with an empty CN (Common Name) field are not supported in cloud load balancers.

  2. Open the OpenStack CLI.

  3. Add certificates — create a new load balancer rule or update an existing one:

    openstack loadbalancer listener create \
    -v --protocol-port 443 \
    --protocol TERMINATED_HTTPS \
    --name <listener_name> \
    --default-tls-container-ref <certificate_uuid_1> \
    --sni-container-refs <certificate_uuid_1> <certificate_uuid_2> \
    -- <loadbalancer>

    Specify:

    • <listener_name> — the rule name;
    • <certificate_uuid_1>, <certificate_uuid_2> — IDs of the certificates you added to the Certificate Manager in step 1. The certificate passed in --default-tls-container-ref is served to clients that send no SNI name; the certificates in --sni-container-refs are selected by the SNI name the client sends. You can copy the IDs in the Control panel: in the top menu, click Products → Certificate Manager → in the certificate's menu, click Copy UUID;
    • <loadbalancer> — the load balancer ID or name. You can view the list using the openstack loadbalancer list command.

Add an mTLS certificate for a load balancer

mTLS differs from TLS in that authentication is mutual: when establishing a connection, the load balancer presents its certificate to the client, and the client must present its own certificate, which the load balancer verifies against a trusted CA. Two certificates are therefore involved in each session: the server certificate served by the load balancer for the target group behind it, and the CA certificate used to verify the certificate of the incoming request.

  1. Upload the CA certificate that will be used to authenticate incoming requests to the load balancer to the Certificate Manager — add it as a custom certificate.

  2. Upload the certificate that will be used to authenticate the server in the target group behind the load balancer to the Certificate Manager — issue a Let's Encrypt® certificate or add a custom one.

  3. Open the OpenStack CLI.

  4. Create a rule with an mTLS certificate:

    openstack loadbalancer listener create \
    -v --protocol-port 80 \
    --protocol TERMINATED_HTTPS \
    --name <listener_name> \
    --client-authentication MANDATORY \
    --client-ca-tls-container-ref <certificate_uuid_1> \
    --default-tls-container-ref <certificate_uuid_2> \
    -- <loadbalancer>

    Specify:

    • <listener_name> — the rule name;
    • <certificate_uuid_1> — the ID of the CA certificate you added to the Certificate Manager in step 1. Client certificates not signed by this CA are rejected because client authentication is MANDATORY. You can copy the ID in the Control panel: in the top menu, click Products → Certificate Manager → in the certificate's menu, click Copy UUID;
    • <certificate_uuid_2> — the ID of the server certificate you added to the Certificate Manager in step 2. You can copy it in the Control panel: in the top menu, click Products → Certificate Manager → in the certificate's menu, click Copy UUID;
    • <loadbalancer> — the load balancer ID or name. You can view the list using the openstack loadbalancer list command.
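The following script is an added example (not part of this documentation and not OpenStack's or the Certificate Manager's own code) that wraps the two procedures above, multiple SNI certificates and an mTLS rule, with the pre-flight checks a practitioner wants before uploading: it rejects a certificate whose CN is empty (the load balancer does not accept such certificates), flags a certificate that is close to expiry (the case handled by the replacement procedure further below), validates that every reference looks like a Certificate Manager UUID, and assembles the openstack loadbalancer listener create command. It assumes the openssl and openstack CLIs are on PATH when the subprocess helpers are used; the column names read back by listener show and the sample openssl output lines are assumptions, not taken from this page.

```python
#!/usr/bin/env python3
"""Pre-flight checks and command assembly for TERMINATED_HTTPS listeners.
Added example; assumes `openssl` and the `openstack` CLI are on PATH."""
import re
import subprocess
from datetime import datetime, timezone

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def parse_subject_cn(subject_line):
    """Extract the CN from `openssl x509 -noout -subject` output, e.g.
    'subject=C = DE, O = Example, CN = lb.example.test'.  Returns '' when the
    CN attribute is missing or empty, which the load balancer rejects."""
    body = subject_line.split("=", 1)[1] if subject_line.startswith("subject=") else subject_line
    m = re.search(r"(?:^|,\s*)CN\s*=\s*([^,]*)", body)
    return m.group(1).strip() if m else ""


def parse_openssl_date(value):
    """Parse an openssl date such as 'Jun  1 12:00:00 2026 GMT' as UTC."""
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_until_expiry(not_after_line, now=None):
    """Whole days left given `openssl x509 -noout -enddate` output
    ('notAfter=Jun  1 12:00:00 2026 GMT'); negative once expired."""
    expires = parse_openssl_date(not_after_line.split("=", 1)[1])
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def cert_checks(pem_path, min_days=30):
    """Run openssl on a PEM file; raise if the CN is empty or the certificate
    expires within min_days.  Returns (cn, days_left)."""
    lines = subprocess.run(
        ["openssl", "x509", "-in", pem_path, "-noout", "-subject", "-enddate"],
        check=True, capture_output=True, text=True).stdout.splitlines()
    subject = next(l for l in lines if l.startswith("subject="))
    enddate = next(l for l in lines if l.startswith("notAfter="))
    cn = parse_subject_cn(subject)
    if not cn:
        raise ValueError(f"{pem_path}: empty CN, the load balancer will not accept it")
    days = days_until_expiry(enddate)
    if days < min_days:
        raise ValueError(f"{pem_path}: expires in {days} days, replace it first")
    return cn, days


def build_listener_create(listener_name, loadbalancer, default_cert,
                          sni_certs=(), client_ca=None, protocol_port=443):
    """Assemble argv for `openstack loadbalancer listener create`.
    sni_certs: extra Certificate Manager UUIDs served by SNI.
    client_ca: CA certificate UUID; when given, client authentication is
    MANDATORY (mTLS) and every client certificate is checked against it."""
    refs = [default_cert, *sni_certs] + ([client_ca] if client_ca else [])
    for ref in refs:
        if not UUID_RE.match(ref):
            raise ValueError(f"not a Certificate Manager UUID: {ref!r}")
    argv = ["openstack", "loadbalancer", "listener", "create",
            "--protocol-port", str(protocol_port),
            "--protocol", "TERMINATED_HTTPS",
            "--name", listener_name,
            "--default-tls-container-ref", default_cert]
    if sni_certs:
        # The default certificate is listed first so it is also selectable by SNI.
        argv += ["--sni-container-refs", default_cert,
                 *[c for c in sni_certs if c != default_cert]]
    if client_ca:
        argv += ["--client-authentication", "MANDATORY",
                 "--client-ca-tls-container-ref", client_ca]
    argv += ["--", loadbalancer]
    return argv


def listener_tls_refs(listener):
    """Read back what the rule actually serves after create/set (assumed
    Octavia column names)."""
    cols = ["default_tls_container_ref", "sni_container_refs", "client_authentication"]
    cmd = ["openstack", "loadbalancer", "listener", "show", listener, "-f", "value"]
    for c in cols:
        cmd += ["-c", c]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.splitlines()
    return dict(zip(cols, out))


if __name__ == "__main__":
    # Constructed sample openssl output and placeholder UUIDs for an offline run.
    print(parse_subject_cn("subject=C = DE, O = Example, CN = lb.example.test"))
    print(days_until_expiry("notAfter=Jun  1 12:00:00 2026 GMT"))
    print(" ".join(build_listener_create(
        "https-listener", "my-lb", "11111111-1111-4111-8111-111111111111",
        sni_certs=["22222222-2222-4222-8222-222222222222"],
        client_ca="33333333-3333-4333-8333-333333333333")))
```

Run cert_checks on each PEM before uploading it to the Certificate Manager, then pass the copied UUIDs to build_listener_create and execute the returned argv with subprocess.run; listener_tls_refs confirms that the rule serves the intended default certificate, SNI set and client-authentication mode rather than trusting the create call alone.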

Replace a TLS(SSL) certificate in a load balancer rule

If a load balancer rule using the HTTPS protocol has a TLS(SSL) certificate that is about to expire, you can replace it by adding a different certificate with a new expiration date.

  1. Add a new custom certificate to the Certificate Manager.

  2. In the Control panel, on the top menu, click Products and select Cloud Servers.

  3. Go to the Load Balancers section → Load Balancers tab.

  4. Open the load balancer page.

  5. Open the rule card.

  6. In the TLS certificate row, click .

  7. Select a new certificate. Certificates with an empty CN (Common Name) field are not supported in cloud load balancers.

  8. Click .