Skip to main content
TLS(SSL)-certificates of the load balancer
Last update:

TLS(SSL)-certificates of the load balancer

To work with HTTPS traffic, a TLS(SSL) certificate must be added to the balancer so that the balancer can read HTTPS requests and use HTTP protocol information for proper balancing. Termination of the TLS certificate occurs on the balancer, the balancer transmits the data to the servers via HTTP.

The load balancer works with TLS(SSL)-certificates from the the manager of secrets. You can:

Certificates with an empty field CN (Common Name) are not supported in load balancers.

When a certificate is reissued or renewed in the manager, it will be automatically renewed on the balancer. Sessions with the old certificate will be terminated and reinstalled with the new certificate within three hours of the certificate renewal. For most protocols, session reinstallation is unnoticeable to end users.

The certificate is added when rule making. In the Control Panel, you can select only one certificate for a rule. If you need to add multiple certificates to a rule, the certificates must be add via Openstack CLI.

Add multiple TLS(SSL)-certificates for the balancer

  1. Add TLS(SSL)-certificates in the secret manager — issue Let's Encrypt® certificates or upload custom. Certificates with a blank field CN (Common Name) are not supported in cloud load balancers.

  2. Open the OpenStack CLI.

  3. Add certificates — Create a new rule for the load balancer or update an existing rule:

    openstack loadbalancer listener create \
    -v --protocol-port 443 \
    --protocol TERMINATED_HTTPS \
    --name <listener_name> \
    --default-tls-container=<certificate_uuid_1> \
    --sni-container-refs <certificate_uuid_1> <certificate_uuid_2> \
    -- <loadbalancer>

    Specify:

    • <listener_name> — NAME OF RULE;
    • <certificate_uuid_1>, <certificate_uuid_2> — Certificate IDs. You can copy to control panel: under Cloud platformThe manager of secrets → tab Certificates → in the menu of the certificate, select Copy UUID;
    • <loadbalancer> — ID or name of the balancer. The list can be viewed by openstack loadbalancer list