Linode Node Balancer


#1

Hi,

I would like to use Let’s Encrypt with Linode’s NodeBalancer. What I need to do is generate keys for my domain and copy and paste them into the SSL Settings part. The problem is I can’t generate them on a NodeBalancer since I don’t have SSH access to it.

tnx


Setting up Let’s Encrypt to Work With a Linode NodeBalancer
#2

Hey @vedran,

In this case, you wouldn’t generate the cert on the NodeBalancer. You can use any Linode (or another server) to generate everything. Once complete, you would then save the certs into the NodeBalancer configuration page.

I hope that helps.

-Ricardo


#3

Maybe Linode should add Let’s Encrypt support on their NodeBalancers? 🙂


#4

Just got to add your certs. All valid SSL certificates are supported =)


#5

Oh, I mean to the point of auto-renewal support 🙂


#6

I know that, but how can I do that?

I see that there is a manual plugin http://letsencrypt.readthedocs.org/en/latest/using.html#manual, but it doesn’t say much about how it works.


#7

Not certain if you can do it with the Linode load balancers (not used them), but I’ve got it working with the webroot plugin. I’ve got each HTTP domain configured to proxy all requests starting with /.well-known to a common server/directory - which happens to be the one running the LE client.

That way when I request the cert it then works & all I have to do is copy the certs to the end Apaches - in this instance it would be the load balancer.

So, can the balancers do that?


#8

Linode NodeBalancer is a “service”, and if you would like to use SSL, you need to copy your certificates into a form and submit it. It looks like this:

and I would need to generate a certificate and private key for a domain that is pointing at a NodeBalancer but not any server.

My question is: can I generate, somehow, a certificate for some domain (mine is movieo.me) on a localhost computer or another server?


#9

You can run the client anywhere you like, as long as you’re able to serve challenge files on the domains you’d like to get a certificate for.

Let’s say you want a certificate for www.example.com and example.com. You would call the client like this:
./letsencrypt-auto certonly -a manual -d example.com -d www.example.com --server https://acme-v01.api.letsencrypt.org/directory

At some point the client will pause and ask you to copy the challenge files to /.well-known/acme-challenge/{random_token}. How you do that depends on your setup - if your load balancer sits in front of a couple of Apache web servers, for example, you would just copy the files to all of their web roots, so that the load balancer picks them up once the CA server requests them.

Think of it this way: Let’s Encrypt doesn’t care about the load balancer. All it cares about is that a GET request to http://example.com/.well-known/acme-challenge/{random_token} is successful and contains the challenge token. How you achieve that is up to you and depends on your setup.
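
Added example, not part of the original post: because the balancer may hand the CA's request to any backend, every web root has to serve the challenge file, and one missed copy makes validation fail intermittently. This Python check requests the challenge URL from each backend directly before you let the client continue; the function names, backend addresses and token values are assumptions made for illustration.

```python
import re
import urllib.error
import urllib.request

# HTTP-01 tokens are base64url; anything else (e.g. "../") must not reach the URL path.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")
# No proxy handler: each request has to reach the named backend itself.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch_challenge(backend, domain, token, timeout=5.0):
    """GET the challenge path from one backend, sending the public Host header."""
    url = f"http://{backend}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"Host": domain})
    with OPENER.open(req, timeout=timeout) as resp:
        return resp.read(4096).decode("ascii", "replace").strip()


def check_backends(backends, domain, token, expected, timeout=5.0):
    """Return {backend: status}; continue in the client only if every status is "ok"."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not base64url; refusing to build a URL from it")
    results = {}
    for backend in backends:
        try:
            body = fetch_challenge(backend, domain, token, timeout)
        except urllib.error.HTTPError as exc:
            results[backend] = f"HTTP {exc.code}"
        except OSError as exc:  # URLError, timeouts, refused connections
            results[backend] = f"unreachable: {exc}"
        else:
            results[backend] = "ok" if body == expected.strip() else "wrong content"
    return results


if __name__ == "__main__":
    # Constructed sample values: backend addresses, token and file content are placeholders.
    report = check_backends(
        ["192.0.2.10:80", "192.0.2.11:80"],
        "example.com",
        "constructed-token_123",
        "constructed-token_123.constructed-thumbprint",
    )
    for backend, status in report.items():
        print(f"{backend}: {status}")
```

Pass the token and file content exactly as the manual plugin prints them, and list each backend by the address it listens on behind the balancer.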


#10

@vedran, you can generate everything on another machine if that machine is able to run the Let’s Encrypt client. You might want to use the manual plugin, which will give you instructions on what to change on the web server in order to satisfy the CA’s proof-of-domain-control challenges. This makes sense because the changes can’t be made automatically if the Let’s Encrypt client is running on a different machine, but if you have access to both machines, you can make the changes yourself when instructed to.


#11

Thanks to all, but especially @pfg; that is the exact thing I needed. I was able to generate certs limitedly.

Thanks again guys 😃


#12

I’m still looking to solve the automatic generation issue, but I made a post creating steps on how to generate certs behind a NodeBalancer.