
Setting up a Let's Encrypt certificate on cloud Load Balancers with external domain

Author
Markus
Published
2021-05-14
Time to read
4 minutes reading time

Introduction

This article explains how to use the automatic Let's Encrypt certificate issuance of cloud Load Balancers with a domain whose DNS is hosted at an external provider.

Prerequisites

  • A top-level domain, e.g. example.com
  • A DNS hoster that lets you create NS records
  • A cloud Load Balancer

Step 1 - Creating the Hetzner DNS zone

This step explains how to create a DNS zone for the domain example.com in the Hetzner DNS Console. Later, the Load Balancer will use this zone to answer the _acme-challenge queries of the Let's Encrypt DNS validation.

You can create a new DNS zone at dns.hetzner.com.

[Screenshot: createDNSZone]

To do this, simply enter the name of the domain and disable the automatic scan for existing records.

The created DNS zone should now look like this:

[Screenshot: beforeDelete]

The entries marked in the screenshot are not needed and should be deleted.

Step 2 - External DNS configuration

Now we have to delegate the name _acme-challenge.example.com from the external domain to the Hetzner DNS zone, so that queries for it are answered by the Hetzner name servers.

To do this, you need to create several NS records at the respective DNS hoster.

These are structured as follows:

_acme-challenge.example.com	IN	NS	hydrogen.ns.hetzner.com.

The name servers to use are listed in the Hetzner DNS zone.

Create one NS record for each of these name servers at the external DNS hoster.

For Cloudflare, the configuration would look something like this:

[Screenshot: cloudflare]

Step 3 - Setting up the Load Balancer

You must now set up a TLS termination service in the Load Balancer.

Open the Hetzner Cloud Console, navigate to your Load Balancer and select "Services". Next, click on Add service » TLS Termination.

[Screenshot: load balancer]

Note how the traffic is forwarded from the Load Balancer to the cloud server. By default it is sent unencrypted over HTTP to the public interface of the server. It is strongly advisable to install a self-signed certificate on the service and to configure the Load Balancer for HTTPS to HTTPS, so that the hop from the Load Balancer to the server is encrypted as well. In addition, you can route the traffic over a private network, which must be configured first.

During service creation, select CERTIFICATES » + Add certificates and click on Create certificate. For the difference between Create certificate and Upload certificate, see the corresponding FAQ entry.

Next, enter a name and select the DNS zone created in Step 1.

[Screenshot: create cert]

You can issue certificates either for single sub-domains (ssl.example.com) or as wildcard certificates (*.example.com). The screenshot above shows a wildcard certificate.
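The following Python script is an added example, not part of this tutorial or of Hetzner's tooling. It writes out the NS records for the delegation from Step 2, compares them with what `dig +short NS` reports, and checks whether that delegation covers the certificate names chosen in this step. It generalizes beyond the wildcard case shown above: per RFC 8555 section 8.4, the DNS-01 challenge for an identifier is looked up at _acme-challenge.<identifier>, so *.example.com and example.com share _acme-challenge.example.com, while a single sub-domain such as ssl.example.com is validated at _acme-challenge.ssl.example.com and therefore needs its own delegation. Only hydrogen.ns.hetzner.com comes from the page; the two other name servers and the dig output are constructed placeholders.

```python
"""Plan and verify the _acme-challenge NS delegation (Steps 2 and 3).

Added example; not part of the tutorial or of Hetzner's tooling.
"""
from typing import Dict, List, Tuple

# Name servers of the Hetzner DNS zone. hydrogen.ns.hetzner.com is the one
# named in the tutorial; the other two are CONSTRUCTED placeholders. Replace
# them with the servers your Hetzner DNS Console lists for the zone.
HETZNER_NS: List[str] = [
    "hydrogen.ns.hetzner.com.",
    "ns-placeholder-2.invalid.",
    "ns-placeholder-3.invalid.",
]


def fqdn(name: str) -> str:
    """Normalise a DNS name to lower case with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def acme_challenge_name(identifier: str) -> str:
    """Return the name Let's Encrypt queries for a DNS-01 challenge.

    RFC 8555 section 8.4: the TXT record lives at _acme-challenge.<identifier>.
    A wildcard *.example.com is validated at _acme-challenge.example.com, the
    same name as the bare domain.
    """
    ident = identifier.strip().lower()
    if ident.startswith("*."):
        ident = ident[2:]
    return fqdn("_acme-challenge." + ident)


def required_delegations(identifiers: List[str]) -> List[str]:
    """Distinct _acme-challenge zones that must point at the Hetzner servers."""
    return sorted({acme_challenge_name(i) for i in identifiers})


def delegation_records(zone: str, nameservers: List[str]) -> List[str]:
    """One NS record per Hetzner name server, in zone-file syntax (Step 2)."""
    return [f"{fqdn(zone)}\tIN\tNS\t{fqdn(ns)}" for ns in nameservers]


def is_covered(challenge_name: str, delegated_zone: str) -> bool:
    """True if a query for challenge_name ends up in the delegated zone."""
    c, z = fqdn(challenge_name), fqdn(delegated_zone)
    return c == z or c.endswith("." + z)


def check_delegation(dig_short_output: str,
                     expected: List[str]) -> Tuple[List[str], List[str]]:
    """Compare `dig +short NS <zone>` output with the expected servers.

    Returns (missing, unexpected). Either list being non-empty means the
    delegation at the external hoster is incomplete or stale.
    """
    seen = {fqdn(l) for l in dig_short_output.splitlines() if l.strip()}
    want = {fqdn(ns) for ns in expected}
    return sorted(want - seen), sorted(seen - want)


def coverage_report(identifiers: List[str],
                    delegated_zones: List[str]) -> Dict[str, bool]:
    """For each certificate name, whether an existing delegation covers it."""
    return {
        ident: any(is_covered(acme_challenge_name(ident), z)
                   for z in delegated_zones)
        for ident in identifiers
    }


# CONSTRUCTED sample: what `dig +short NS _acme-challenge.example.com` might
# print while one of the three NS records is still missing at the hoster.
SAMPLE_DIG_OUTPUT = """hydrogen.ns.hetzner.com.
ns-placeholder-2.invalid.
"""

if __name__ == "__main__":
    for line in delegation_records("_acme-challenge.example.com", HETZNER_NS):
        print(line)
    print("missing / unexpected:", check_delegation(SAMPLE_DIG_OUTPUT, HETZNER_NS))
    print(coverage_report(["*.example.com", "example.com", "ssl.example.com"],
                          ["_acme-challenge.example.com"]))
```

Run it against real `dig +short NS _acme-challenge.example.com` output before creating the certificate: a non-empty "missing" list means Let's Encrypt may hit a name server that does not know the challenge record, and a `False` in the coverage report means the chosen certificate name needs an additional NS delegation of its own.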

After that, the certificate setup is complete. Now, you can go back to the Hetzner DNS Console and create the DNS entries required for the respective service. To do this, simply create a new A record that points your (sub-)domain at the Load Balancer. For example:

Type	Name	Value
A	ssl.example.com	<load-balancer-ip>

Once the record resolves, the service is reachable over HTTPS with the issued TLS certificate.

[Screenshot: https]

Conclusion

This article showed how to use the Let's Encrypt feature of the Load Balancers with an external domain, without having to move the domain completely.

License: MIT