TLS(SSL)-certificates of the load balancer
To work with HTTPS traffic, a TLS(SSL) certificate must be added to the balancer so that the balancer can read HTTPS requests and use HTTP protocol information for proper balancing. Termination of the TLS certificate occurs on the balancer, the balancer transmits the data to the servers via HTTP.
The load balancer works with TLS(SSL)-certificates from the the manager of secrets. You can:
- issue a free Let's Encrypt® certificate including Wildcard (for domain and subdomains);
- add a user certificate The certificates with SAN (single certificate for multiple domains) and Wildcard options are supported.
Certificates with an empty field CN
(Common Name) are not supported in load balancers.
When a certificate is reissued or renewed in the manager, it will be automatically renewed on the balancer. Sessions with the old certificate will be terminated and reinstalled with the new certificate within three hours of the certificate renewal. For most protocols, session reinstallation is unnoticeable to end users.
The certificate is added when rule making. In the Control Panel, you can select only one certificate for a rule. If you need to add multiple certificates to a rule, the certificates must be add via Openstack CLI.
Add multiple TLS(SSL)-certificates for the balancer
-
Add TLS(SSL)-certificates in the secret manager — issue Let's Encrypt® certificates or upload custom. Certificates with a blank field
CN
(Common Name) are not supported in cloud load balancers. -
Add certificates — Create a new rule for the load balancer or update an existing rule:
Create a rule
Update rule
openstack loadbalancer listener create \
-v --protocol-port 443 \
--protocol TERMINATED_HTTPS \
--name <listener_name> \
--default-tls-container=<certificate_uuid_1> \
--sni-container-refs <certificate_uuid_1> <certificate_uuid_2> \
-- <loadbalancer>Specify:
<listener_name>
— NAME OF RULE;<certificate_uuid_1>
,<certificate_uuid_2>
— Certificate IDs. You can copy to control panel: under Cloud platform → The manager of secrets → tab Certificates → in the menu of the certificate, select Copy UUID;<loadbalancer>
— ID or name of the balancer. The list can be viewed byopenstack loadbalancer list
openstack loadbalancer listener set \
--sni-container-refs <certificate_uuid_1> <certificate_uuid_2> \
-- <listener>Specify:
<certificate_uuid_1>
,<certificate_uuid_2>
— Certificate IDs. You can copy to control panel: under Cloud platform → The manager of secrets → tab Certificates → in the menu of the certificate, select Copy UUID;<listener>
— ID or name of the rule. The list can be viewed withopenstack loadbalancer listener list