SSL certificates of the load balancer
Add multiple SSL certificates for the balancer
- Upload SSL certificates to the secrets manager. Certificates with an empty CN (Common Name) field are not supported in load balancers.
- Add the certificates: create a new listener for the load balancer or update an existing one.

Create a listener:

openstack loadbalancer listener create \
  -v --protocol-port 443 \
  --protocol TERMINATED_HTTPS \
  --name <listener_name> \
  --default-tls-container-ref <certificate_uuid_1> \
  --sni-container-refs <certificate_uuid_1> <certificate_uuid_2> -- <loadbalancer>

Specify:
- <listener_name>: the listener's name;
- <certificate_uuid_1>, <certificate_uuid_2>: certificate IDs. To find them in the control panel, go to Cloud Platform → Secrets Manager → Certificates tab and select Copy UUID from the certificate menu;
- <loadbalancer>: the balancer ID or name, which can be viewed with openstack loadbalancer list.

Update a listener:

openstack loadbalancer listener set \
  --sni-container-refs <certificate_uuid_1> <certificate_uuid_2> -- <listener>

Specify:
- <certificate_uuid_1>, <certificate_uuid_2>: certificate IDs. To find them in the control panel, go to Cloud Platform → Secrets Manager → Certificates tab and select Copy UUID from the certificate menu;
- <listener>: the listener ID or name, which can be viewed with openstack loadbalancer listener list.
Replace SSL Certificate
If an SSL (TLS) certificate added to a load balancer rule with the HTTPS protocol expires, you can replace it by adding another certificate with a new expiration date.
Caution: We do not recommend updating the certificate through the secrets manager. In this case, you will need to perform an emergency switchover of the balancer amphora through technical support.
Control panel:
- In Control Panel, go to Cloud Platform → Balancers.
- Open the balancer card → SSL Certificate tab.
- Click Replace Certificate.
- Select a new certificate. Certificates with an empty CN (Common Name) field are not supported in load balancers.
- Click Replace Certificate.

OpenStack CLI:
- Replace the certificate on the listener:

openstack loadbalancer listener set \
  --default-tls-container-ref <certificate_uuid> \
  <listener>

Specify:
- <certificate_uuid>: the certificate ID. To find it in the control panel, go to Cloud Platform → Secrets Manager → Certificates tab and select Copy UUID from the certificate menu;
- <listener>: the listener ID or name, which can be viewed with openstack loadbalancer listener list.
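
A check to run on a certificate file before uploading it, covering the two conditions this page mentions: an empty CN and an approaching expiration date. This is an added example, not part of the original documentation. It assumes PEM files and the openssl command-line tool; the function names, exit codes and sample subjects are this example's own.

```sh
#!/bin/sh
# Added example: pre-upload checks for a PEM certificate file.
# Function names and exit codes are assumptions of this example.

# Print the subject Common Name, or nothing if the subject has no CN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        awk '$1 == "commonName" { sub(/^[^=]*= ?/, ""); print; exit }'
}

# cert_precheck FILE [DAYS]
# Returns 0 = usable, 1 = unreadable, 2 = empty CN,
# 3 = expires within DAYS (default 30).
cert_precheck() {
    file=$1 days=${2:-30}
    openssl x509 -in "$file" -noout 2>/dev/null ||
        { echo "unreadable certificate: $file" >&2; return 1; }
    cn=$(cert_cn "$file")
    [ -n "$cn" ] ||
        { echo "empty CN, not supported in load balancers: $file" >&2; return 2; }
    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null ||
        { echo "expires within $days days: $file (CN=$cn)" >&2; return 3; }
    echo "ok: CN=$cn"
}

# Constructed sample input: a throwaway self-signed certificate.
# Usage: make_sample_cert SUBJECT DAYS OUTFILE
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "$1" -days "$2" \
        -keyout "$3.key" -out "$3" 2>/dev/null
}
```

Running cert_precheck on each file before the upload step catches a certificate the balancer will not accept, and running it periodically against deployed certificates gives advance notice that a replacement is due.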