TLS(SSL)-certificates of the load balancer

To work with HTTPS traffic, a TLS(SSL) certificate must be added to the balancer so that the balancer can read HTTPS requests and use HTTP protocol information for proper balancing. TLS is terminated on the balancer, and the balancer transmits the data to the servers via HTTP, so traffic between the balancer and the servers is not TLS-encrypted.

The load balancer works with TLS(SSL)-certificates from the secret manager. You can:

Certificates with an empty CN (Common Name) field are not supported in load balancers.

When a certificate is reissued or renewed in the manager, it is automatically renewed on the balancer. Sessions with the old certificate will be terminated and re-established with the new certificate within three hours of the certificate renewal. For most protocols, session re-establishment goes unnoticed by end users.

The certificate is added when the rule is created. In the control panel, you can select only one certificate for a rule. If you need to add multiple certificates to a rule, the certificates must be added through the OpenStack CLI.

Add multiple TLS(SSL)-certificates for the balancer

  1. Add TLS(SSL)-certificates in the secret manager — issue Let's Encrypt® certificates or upload custom ones. Certificates with an empty CN (Common Name) field are not supported in cloud load balancers.

  2. Open the OpenStack CLI.

  3. Add certificates — create a new rule for the load balancer or update an existing rule:

    openstack loadbalancer listener create \
    -v --protocol-port 443 \
    --protocol TERMINATED_HTTPS \
    --name <listener_name> \
    --default-tls-container-ref <certificate_uuid_1> \
    --sni-container-refs <certificate_uuid_1> <certificate_uuid_2> \
    -- <loadbalancer>

    Specify:

    • <listener_name> — rule name;
    • <certificate_uuid_1>, <certificate_uuid_2> — certificate IDs. They can be copied in the control panel: in the top menu click Products → Secrets Manager → tab Certificates → in the menu of the certificate, select Copy UUID;
    • <loadbalancer> — ID or name of the load balancer. The list can be viewed with the command openstack loadbalancer list.
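
A pre-upload check for the empty-CN restriction stated above, as an added example that is not part of the original documentation. It assumes the `openssl` command-line tool is installed and the certificates are PEM files; the function names are illustrative.

```shell
#!/bin/sh
# Added example: pre-upload check for the "empty CN is not supported" rule.
# Assumes the openssl CLI and PEM-encoded certificate files.

# Read `openssl x509 -noout -subject -nameopt multiline` output on stdin and
# print each non-empty commonName value, one per line (nothing if there is none).
cn_from_subject() {
    awk '
        $1 == "commonName" {
            sub(/^[ \t]*commonName[ \t]*=[ \t]*/, "")   # drop "commonName = "
            sub(/[ \t]+$/, "")                          # drop trailing blanks
            if (length($0) > 0) print
        }'
}

# Check one PEM file. Only the first certificate in the file (the leaf) is read.
# Returns 0 if it has a non-empty CN, 1 if the CN is empty or absent
# (typical for SAN-only certificates), 2 if the file cannot be parsed.
check_cert_cn() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null) || {
        echo "$1: not a readable X.509 certificate" >&2
        return 2
    }
    cn=$(printf '%s\n' "$subject" | cn_from_subject)
    if [ -z "$cn" ]; then
        echo "$1: empty CN, not supported on the balancer" >&2
        return 1
    fi
    echo "$1: CN=$cn"
}

# Check every file given; returns non-zero if any of them fails.
check_all() {
    status=0
    for f in "$@"; do
        check_cert_cn "$f" || status=1
    done
    return "$status"
}
```

Run `check_all site1.pem site2.pem` on the certificate files before uploading them to the secret manager.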