TLS (SSL) certificates of the load balancer
To handle HTTPS traffic, a TLS (SSL) certificate must be added to the balancer so that the balancer can read HTTPS requests and use HTTP protocol information for proper balancing. TLS is terminated on the balancer, and the balancer transmits the data to the servers via HTTP.
The load balancer works with TLS (SSL) certificates from the secrets manager. You can:
- issue a free Let's Encrypt® certificate, including Wildcard (for a domain and its subdomains);
- add a user certificate. Certificates with SAN (a single certificate for multiple domains) and Wildcard options are supported.
Certificates with an empty CN (Common Name) field are not supported in load balancers.
When a certificate is reissued or renewed in the secrets manager, it is automatically renewed on the balancer. Sessions that use the old certificate will be terminated and re-established with the new certificate within three hours of the certificate renewal. For most protocols, session re-establishment is unnoticeable to end users.
The certificate is added when a rule is created. In the Control Panel, you can select only one certificate for a rule. If you need to add multiple certificates to a rule, the certificates must be added via the OpenStack CLI.
Add multiple TLS (SSL) certificates for the balancer
- Add TLS (SSL) certificates in the secrets manager: issue Let's Encrypt® certificates or upload custom ones. Certificates with a blank CN (Common Name) field are not supported in cloud load balancers.
- Add the certificates: create a new rule for the load balancer or update an existing rule:
Create a rule:
openstack loadbalancer listener create \
  -v --protocol-port 443 \
  --protocol TERMINATED_HTTPS \
  --name <listener_name> \
  --default-tls-container=<certificate_uuid_1> \
  --sni-container-refs <certificate_uuid_1> <certificate_uuid_2> \
  -- <loadbalancer>
Specify:
- <listener_name>: name of the rule;
- <certificate_uuid_1>, <certificate_uuid_2>: certificate IDs. You can copy them in the control panel: under Cloud platform → The manager of secrets → tab Certificates → in the menu of the certificate, select Copy UUID;
- <loadbalancer>: ID or name of the balancer. The list can be viewed with openstack loadbalancer list.

Update rule:
openstack loadbalancer listener set \
  --sni-container-refs <certificate_uuid_1> <certificate_uuid_2> \
  -- <listener>
Specify:
- <certificate_uuid_1>, <certificate_uuid_2>: certificate IDs. You can copy them in the control panel: under Cloud platform → The manager of secrets → tab Certificates → in the menu of the certificate, select Copy UUID;
- <listener>: ID or name of the rule. The list can be viewed with openstack loadbalancer listener list.
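
Before uploading custom certificates for a multi-certificate rule, the CN restriction above and the hostnames each certificate covers can be checked locally. This is an added example, not part of the original documentation: it assumes `openssl` 1.1.1 or later is installed and standard TLS wildcard matching, and all function names, file names and hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-upload checks for certificates that will be attached to a rule.
# Function names, file names and hostnames are constructed for illustration.

# Print the subject CN of a PEM certificate (prints nothing if the CN is absent).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p' | head -n 1
}

# Print the DNS names from subjectAltName, lower-cased, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' |
    tr ',' '\n' | sed -n 's/^ *DNS://p' | tr 'A-Z' 'a-z'
}

# Succeed if hostname $2 is covered by a SAN entry of certificate $1.
# A wildcard covers exactly one leftmost label: *.example.test matches
# a.example.test, but not example.test or a.b.example.test.
cert_covers() {
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  sans=$(cert_sans "$1")
  printf '%s\n' "$sans" | grep -Fxq -e "$host" && return 0
  case $host in
    *.*) printf '%s\n' "$sans" | grep -Fxq -e "*.${host#*.}" ;;
    *) return 1 ;;
  esac
}

# Reject a certificate with an empty CN, otherwise report the names it covers.
check_cert() {
  cn=$(cert_cn "$1")
  if [ -z "$cn" ]; then
    echo "REJECT $1: empty CN" >&2
    return 1
  fi
  echo "OK $1: CN=$cn SAN=$(cert_sans "$1" | tr '\n' ' ')"
}

# Constructed sample: throwaway self-signed certificate.
make_sample_cert() {  # $1 = output file, $2 = subject, $3 = subjectAltName value
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
    -out "$1" -subj "$2" -addext "subjectAltName=$3" 2>/dev/null
}

# Demo on a constructed certificate.
tmp=$(mktemp -d)
make_sample_cert "$tmp/demo.pem" "/CN=example.test" "DNS:example.test,DNS:*.example.test"
check_cert "$tmp/demo.pem" && cert_covers "$tmp/demo.pem" api.example.test && echo "api.example.test is covered"
rm -rf "$tmp"
```

Run `check_cert` on each file before uploading it, and `cert_covers` for every hostname the rule must serve, so that each hostname is matched by one of the certificates passed to `--sni-container-refs`.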