How to create a Let's Encrypt cert and apply it to a Google Cloud load balancer


#1

Hi All,

Currently I have created a Google Cloud SSL load balancer with a self-signed certificate and it works perfectly. Now I would like to create a Let’s Encrypt cert and apply it to my LB; how should I start? My current connection is as below:

[image: current connection diagram]

Q1) I would like to install the created cert on my cert server; however, the domain is bound to my load balancer IP, so do I need to create another “Instance Group 3”, add my Cert Server to “Instance Group 3”, and then connect it to my LB?

Q2) If I connect the Cert Server to the LB, there are verification steps during the Let’s Encrypt installation; how can I make sure the verification request is sent back to my Cert Server, given that I have another two instance groups (Instance Group 1 and Instance Group 2)?

Thank you.

Regards,
KC


#2

Have you considered validating the domain over DNS instead of HTTP? That way, the entire certificate issuance process is relatively infrastructure-agnostic.

There are plenty of Let’s Encrypt clients that support automatic DNS validation via Cloudflare.

As for deploying the certificate, you will need to run an installation hook script to deploy the generated certificate to the load balancer.

This would depend on what Let’s Encrypt client you use.


#3

Hi _az,

Could you kindly provide steps or a guide to do so? I am very new to this SSL thing.

Thank you.


#4

There’s lots of ways to issue a Let’s Encrypt certificate using DNS validation and Cloudflare. You can Google it. I’ll link this one, using certbot-auto, that I wrote, but you can use anything. You’ll need to install certbot-auto on whatever machine you’re going to issue the certificate from, before you get started.

That’s the easy part. At the end of it, you’ll have a certificate sitting in /etc/letsencrypt/live/ on the server.

From there, you need to get it to your Google Cloud load balancer. I don’t use Google Cloud so I can’t actually help you there, but it seems like you’ll need to write a script that does two things (as documented in the link I already showed you):

  1. Upload the certificate to the LB using the gcloud compute ssl-certificates create command
  2. Update your load balancer to switch to the new certificate you just uploaded: gcloud compute target-https-proxies update

You can optionally also pass this script to certbot-auto as a --deploy-hook and it will automatically run it every time the certificate renews.
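The two-step procedure described in this reply (upload with `gcloud compute ssl-certificates create`, then switch the proxy with `gcloud compute target-https-proxies update`), written out as a certbot `--deploy-hook` script. This is an added example, not code from the thread or from the linked guide, and it makes some assumptions: `gcloud` is installed and authenticated on the machine running certbot; `GLB_PROXY` is a hypothetical environment variable holding the name of your target HTTPS proxy (find yours with `gcloud compute target-https-proxies list`); `GCLOUD` and `CERT_TIMESTAMP` are hooks added only so the script can be exercised without a real GCP project. Certbot itself sets `RENEWED_LINEAGE` (the `/etc/letsencrypt/live/<domain>` directory) in the hook's environment.

```shell
#!/bin/sh
# certbot --deploy-hook script: push a freshly issued/renewed certificate to a
# Google Cloud HTTPS load balancer. Added example, not the thread's own code.
# Assumes: gcloud is installed and authenticated; GLB_PROXY (hypothetical
# variable) names the target HTTPS proxy in front of your backend services.
set -eu
export LC_ALL=C

# GCP resource names must be lowercase letters, digits and hyphens, at most
# 63 characters. A timestamp is appended because ssl-certificate resources
# are immutable: every renewal has to create a brand-new one.
glb_cert_name() {
    domain=$1
    stamp=$2
    printf 'le-%s-%s' "$domain" "$stamp" \
        | tr 'A-Z.' 'a-z-' \
        | tr -c 'a-z0-9-' '-' \
        | cut -c1-63
}

# Upload fullchain.pem + privkey.pem from a certbot lineage directory and
# point the proxy at the new resource. Prints the resource name on success,
# returns 1 if the files are missing. GCLOUD may be overridden to stub the CLI.
deploy_to_glb() {
    lineage=$1
    proxy=${GLB_PROXY:?set GLB_PROXY to the target HTTPS proxy name}
    gcloud_bin=${GCLOUD:-gcloud}
    stamp=${CERT_TIMESTAMP:-$(date +%Y%m%d%H%M%S)}

    if [ ! -r "$lineage/fullchain.pem" ] || [ ! -r "$lineage/privkey.pem" ]; then
        echo "deploy_to_glb: fullchain.pem/privkey.pem not readable in $lineage" >&2
        return 1
    fi

    name=$(glb_cert_name "$(basename "$lineage")" "$stamp")

    # 1. Upload the certificate chain and private key as a new ssl-certificate.
    "$gcloud_bin" compute ssl-certificates create "$name" \
        --certificate="$lineage/fullchain.pem" \
        --private-key="$lineage/privkey.pem"

    # 2. Switch the target HTTPS proxy to it. This replaces the proxy's whole
    #    certificate list, so name every certificate the proxy should serve.
    "$gcloud_bin" compute target-https-proxies update "$proxy" \
        --ssl-certificates="$name"

    printf '%s\n' "$name"
}

# When certbot runs this as a deploy hook, deploy the lineage it just renewed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_to_glb "$RENEWED_LINEAGE"
fi
```

Save it somewhere like `/usr/local/bin/glb-deploy.sh`, make it executable, and pass `--deploy-hook /usr/local/bin/glb-deploy.sh` to certbot; with the certbot-dns-cloudflare plugin the issuance itself is `certbot certonly --dns-cloudflare --dns-cloudflare-credentials <ini file> -d <domain> --deploy-hook ...`, and the machine needs only outbound access to Let's Encrypt and the Cloudflare API, not a path from the load balancer. Two caveats a practitioner will hit: the old ssl-certificate resource stays behind after the proxy is switched, so prune it with `gcloud compute ssl-certificates delete` once nothing references it; and the proxy takes a few minutes to start serving the new certificate, so verify with `openssl s_client -connect <lb-ip>:443 -servername <domain>` rather than assuming the update was instantaneous.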


#5

Thanks for your quick reply _az.

By creating the Let’s Encrypt certificate this way, do I still need to connect my cert server to the LB? Or can I just leave my cert server as a standalone server?

Remark: My instance is running Debian GNU/Linux 8 and already has certbot-auto installed.


#6

If you use the DNS challenge, then the LB and Cert Server are pretty much irrelevant for the validation process. This is because the validation process would instead happen by automatically updating TXT records in Cloudflare, which you can do from anywhere.


#7

If you were using both Google Cloud DNS and Load Balancer you could just use this hook with dehydrated.

With CloudFlare for DNS you would have to create your own hook combining the deploy hook from the GLB hook above with the authorization hooks from the bash cloudflare hook.

If you’re using the CloudFlare CDN (i.e. the orange cloud is turned on) it is much easier to use their Origin CA, unless you want the flexibility to move away from CloudFlare later.

