Setting up Let’s Encrypt to Work With a Linode NodeBalancer

Hey everyone,

I've written a blog post on how I got Let's Encrypt SSL certificates working on my load-balanced setup using a NodeBalancer. It's been working out pretty well for me so far.

  • https://feliciano.tech/blog/setting-lets-encrypt-work-linode-nodebalancer/

Let me know if anyone has any questions or complications.

8)

11 Replies

A few things I'd like to add:

1) The images on your blog post appear broken to me (Error 0004. Unable to load the image.)

2) The official Let's Encrypt client is horrible with memory usage and cumbersome. It is strongly advised to use the dehydrated client, which is a simple bash script, very lightweight and with all the features:

https://github.com/lukas2511/dehydrated/

3) Linode's NodeBalancer does not support multiple certificates (SNI). If you are only using one certificate, then it's fine. Otherwise, you need to configure the NodeBalancer to use plain TCP forwarding, then you let the web server do the SSL/TLS negotiation with SNI.

4) Another alternative is to use a normal Linode 2048 server, running a plain CentOS 7 distro (or your preferred one), with haproxy. Haproxy is one of the best software load balancers and can do everything the Linode NodeBalancer does plus tons of extra features not available elsewhere. At the end of the day, you also pay the same amount of money but you end up with a real server that may also run other things as well :)

I hope the above is of some help to others. I'd appreciate your comments about your experience in traffic balancers.
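Point 3 above is easy to get wrong silently: a balancer that terminates TLS with a single certificate will happily answer every hostname with that one certificate, and browsers only complain per site. The following probe, added here as an example and not part of the thread or of any Linode tooling, connects to a balancer once per hostname, sends that hostname as SNI, and reports whether the presented certificate actually covers it. The hostnames and the certificate dictionary in the test are constructed placeholders; the SAN-matching helpers work offline on the dictionary that Python's `ssl` module returns from `getpeercert()`.

```python
"""Per-SNI certificate check for a TLS load balancer (added example)."""
from __future__ import annotations

import socket
import ssl
import sys
from typing import Iterable


def san_names(peercert: dict) -> list[str]:
    """DNS names from the subjectAltName of an ssl getpeercert() dict."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leading wildcard label (RFC 6125 style)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        # The wildcard covers exactly one label; "*.example.com" does not
        # cover "example.com" or "a.b.example.com".
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def cert_covers(peercert: dict, hostname: str) -> bool:
    """True if any SAN entry of the certificate matches the hostname."""
    return any(name_matches(name, hostname) for name in san_names(peercert))


def probe(host: str, sni: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to host, send `sni` in ClientHello, return the leaf cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # the name check is done by cert_covers()
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain is still validated; getpeercert() needs this
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


def check_all(host: str, names: Iterable[str]) -> dict[str, bool]:
    """Map each hostname to whether the balancer served a matching cert."""
    results: dict[str, bool] = {}
    for name in names:
        try:
            results[name] = cert_covers(probe(host, name), name)
        except (ssl.SSLError, OSError):
            # Handshake or chain failure counts as "not covered".
            results[name] = False
    return results


if __name__ == "__main__":
    # usage: python sni_check.py <balancer-ip-or-name> <hostname> [<hostname> ...]
    if len(sys.argv) < 3:
        sys.exit("usage: sni_check.py <balancer> <hostname> [...]")
    for hostname, ok in check_all(sys.argv[1], sys.argv[2:]).items():
        print(f"{hostname:40s} {'OK' if ok else 'MISMATCH'}")
```

Run it against the balancer's address with every hostname you expect it to serve; a row of MISMATCH for all but one name is exactly the single-certificate behaviour described above, and the same probe is worth keeping as a post-deploy check after you switch to TCP forwarding with SNI on the web servers.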

1) They were broken for everyone. Converted my blog over from WordPress to Hugo and there's some pieces still broken. Thanks for the heads up, fixed.

4) Except with a single 2048 Linode running your own load-balancer, you don't have redundancy for the LB as you would with a NodeBalancer. Something to keep in mind.

True, running a single haproxy loses the redundancy offered by Linode's NodeBalancer! Nicely pointed out.

@IfThenElse

> 4) Another alternative, is to use a normal Linode 2048 server

And then once in a while you will need to install a security update (new kernel) for your Linode 2048 server and all your XX nodes behind HAProxy will be down while the server reboots…

> And then once in a while you will need to install a security update (new kernel) for your Linode 2048 server and all your XX nodes behind HAProxy will be down while the server reboots…

Good point. OTOH you can just bring up a new instance with the up to date software, swap IP and then discard the old one. But it's definitely something you have to think about.

Is there a way to automate this with certbot renewals via one of the backends? I actually haven't looked at the Linode API - but if that's possible this could be a winner.

We're running HAProxy on a Docker Swarm, so we can still update one node at a time keeping things up, but no automation with certbot was the reason we didn't use a NodeBalancer.

Answering my own question - yes, it will be possible if you're willing to write your own code via the docs here: https://developers.linode.com/api/v4/
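One way to do that automation, added here as an example and not the poster's code or anything shipped by Linode or certbot: a script run by `certbot renew --deploy-hook`, which certbot invokes only after a successful renewal with `RENEWED_LINEAGE` set to the directory holding the new `fullchain.pem` and `privkey.pem`. The script validates both files before touching the balancer, then issues a PUT to the NodeBalancer config through the API v4 docs linked above. Assumptions to check against those docs: the config endpoint `/v4/nodebalancers/{id}/configs/{config_id}` and its `ssl_cert`/`ssl_key` fields; the `LINODE_TOKEN`, `NB_ID` and `NB_CONFIG_ID` environment variable names are this example's own. The PEM strings in the test are constructed stand-ins, not real key material.

```python
"""certbot deploy hook: push a renewed cert into a NodeBalancer HTTPS config
through the Linode API v4 (added example, stdlib only)."""
from __future__ import annotations

import json
import os
import sys
import urllib.request
from pathlib import Path

API_BASE = "https://api.linode.com/v4"  # Linode API v4 base URL


def is_complete_pem(text: str, kind: str) -> bool:
    """True if text starts with a BEGIN line of the given kind and ends with
    an END line.  A truncated or empty file must never reach the balancer:
    uploading it would take the HTTPS listener down."""
    lines = [line.strip() for line in text.strip().splitlines()]
    return (
        len(lines) >= 3
        and lines[0].startswith("-----BEGIN ")
        and kind in lines[0]
        and lines[-1].startswith("-----END ")
    )


def build_payload(cert_pem: str, key_pem: str) -> dict:
    """Body for the config update; field names are assumed from the API docs."""
    if not is_complete_pem(cert_pem, "CERTIFICATE"):
        raise ValueError("fullchain.pem is not a complete certificate chain")
    if not is_complete_pem(key_pem, "PRIVATE KEY"):
        raise ValueError("privkey.pem is not a complete private key")
    return {"protocol": "https", "ssl_cert": cert_pem, "ssl_key": key_pem}


def build_request(nb_id: int, config_id: int, token: str, payload: dict) -> urllib.request.Request:
    """PUT to the NodeBalancer config with a bearer token (endpoint assumed)."""
    url = f"{API_BASE}/nodebalancers/{nb_id}/configs/{config_id}"
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )


def load_lineage(lineage: Path) -> tuple[str, str]:
    """Read the files certbot just wrote for this renewal."""
    return (lineage / "fullchain.pem").read_text(), (lineage / "privkey.pem").read_text()


def main() -> int:
    cert, key = load_lineage(Path(os.environ["RENEWED_LINEAGE"]))
    req = build_request(
        int(os.environ["NB_ID"]),
        int(os.environ["NB_CONFIG_ID"]),
        os.environ["LINODE_TOKEN"],
        build_payload(cert, key),
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    print(f"updated NodeBalancer config {body.get('id')} ({body.get('protocol')})")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Scope the token to NodeBalancer write access only, since the hook holds it in the environment of the renewal job, and treat a non-2xx response as a failed deploy rather than a warning: certbot has already rotated the files locally, so the balancer is the only place still serving the old certificate.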

I created a Docker image to install and auto-renew a letsencrypt certificate, as well as to forward HTTP traffic to HTTPS. See it on Github.

Thanks @ianepperson. In the end I simply wrote a docker container with HAProxy and Certbot - and that dynamically generates and pushes certs into the container in the build pipelines which gets deployed on the Swarm, so I did not use a Node Balancer after all.
