Introduction
This article is about using automatic certificate allocation on cloud Load Balancers with externally provided domains.
Prerequisites
- A top-level domain, e.g. `example.com`
- A DNS hoster that allows you to create `NS` records
- A cloud Load Balancer
Step 1 - Creating the Hetzner DNS zone
This step explains how to create a DNS zone for the domain `example.com` in the Hetzner DNS Console. Later, the Load Balancer will use this zone to publish the `_acme-challenge` TXT records that Let's Encrypt checks when it validates the certificate.
You can create a new DNS zone at dns.hetzner.com.
To do this, simply specify the name of the domain and disable automatic scanning.
The created DNS zone should now look like this:
You do not need the marked entries and should therefore delete them.
Step 2 - External DNS configuration
Now we have to delegate the subdomain `_acme-challenge.example.com` of the external domain to the Hetzner DNS zone.
To do this, you need to create several `NS` records at the respective DNS hoster.
These are structured as follows:

```
_acme-challenge.example.com IN NS hydrogen.ns.hetzner.com.
```

You can take the names of the DNS servers from the Hetzner DNS zone.
Create one `NS` record at the external DNS hoster for each of these DNS servers, so that every Hetzner nameserver listed in the zone is covered.
For Cloudflare, the configuration would look something like this:
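Before continuing with the Load Balancer, it is worth checking that the delegation is really published by the external hoster and matches the nameserver set of your Hetzner zone. The following script is an added example and not part of the original article; it assumes `dig` is installed and takes the domain and the Hetzner nameservers from your zone as arguments.

```sh
#!/bin/sh
# Added example (not from the original article): verify the NS delegation of
# _acme-challenge.<domain> from Step 2 before creating the certificate.
# Requires `dig`. The parent zone's own nameserver is queried with recursion
# disabled, so a stale resolver cache cannot hide a missing or wrong record.

# Normalise nameserver names: lowercase, trailing dot, sorted, one per line.
normalise_ns() {
  printf '%s\n' "$@" | grep -v '^$' | tr 'A-Z' 'a-z' | sed 's/\.*$/./' | sort -u
}

# Extract the NS targets from a referral printed by `dig +noall +authority`.
ns_from_referral() {
  awk '$4 == "NS" { print $5 }'
}

# check_ns_delegation "<hetzner ns ...>" "<observed ns ...>"
# The observed set must equal the nameserver set shown in your Hetzner zone.
# A foreign or stale server in the set receives part of the challenge queries
# and cannot answer them, so validation fails intermittently; a missing
# Hetzner server only reduces redundancy, but is still a configuration error.
check_ns_delegation() {
  expected=$(normalise_ns $1)   # unquoted on purpose: split on whitespace
  observed=$(normalise_ns $2)
  if [ -z "$observed" ]; then
    echo "FAIL: no NS referral, _acme-challenge is not delegated"; return 1
  fi
  if [ "$expected" != "$observed" ]; then
    printf 'FAIL: NS set differs\nexpected:\n%s\nobserved:\n%s\n' "$expected" "$observed"
    return 1
  fi
  echo "OK: _acme-challenge is delegated to the expected Hetzner nameservers"
}

# live_check <domain> <hetzner-ns>...: ask the external hoster's nameserver.
live_check() {
  domain=$1; shift
  parent=$(dig +short NS "$domain" | head -n 1)
  [ -n "$parent" ] || { echo "FAIL: cannot find nameservers of $domain"; return 1; }
  observed=$(dig "@$parent" +norecurse +noall +authority "_acme-challenge.$domain" NS |
    ns_from_referral)
  check_ns_delegation "$*" "$observed"
}

if [ $# -ge 2 ]; then
  live_check "$@"
else
  echo "usage: $0 <domain> <hetzner-ns> [<hetzner-ns>...]" >&2
fi
```

Run it as `sh check-delegation.sh example.com hydrogen.ns.hetzner.com <further Hetzner nameservers>`; if it prints FAIL, fix the `NS` records at the hoster and wait for its TTL before creating the certificate.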
Step 3 - Setting up the Load Balancer
You must now set up a `TLS termination` service in the Load Balancer.
Open the Hetzner Cloud Console, navigate to your Load Balancer and select "Services". Next, click on `Add service` » `TLS Termination`.
Note how the traffic is forwarded from the Load Balancer to the cloud server. The default setting here is unencrypted transmission via `HTTP` over the public interface of the server. It is strongly advisable to install a self-signed certificate on the service on the server and to configure the Load Balancer to use `HTTPS` for this connection. In addition, you can route the traffic over a private network, which must be configured first.
During service creation, select `CERTIFICATES` » `+ Add certificates` and click on `Create certificate`. For more information about the difference between `Create certificate` and `Upload certificate`, see this FAQ entry.
Next, enter a name and select the DNS zone created above.
You can issue certificates either for single sub-domains (`ssl.example.com`) or as wildcard certificates (`*.example.com`). In the example above, a wildcard certificate is issued.
After that, the certificate setup is complete. Now, you can go back to the Hetzner DNS Console and create the DNS entries required for the respective service. To do this, simply create a new `A` record that points your (sub-)domain at the Load Balancer. For example:

| Type | Name | Value |
|---|---|---|
| A | ssl.example.com | <load-balancer-ip> |
After that, the service will run under the TLS certificate.
Conclusion
This article showed how to use the Let's Encrypt feature of the Load Balancers with an external domain, without having to move the domain completely.