LoadMaster fully integrates the Let’s Encrypt automated enrollment and renewal processes without requiring an external webserver.
Certificate expiration causes an embarrassing sort of downtime.
Though your website is still up, users are met with a message in their Internet browser along the lines of “Your connection is not private,” accompanied with a large button that says, “Take me back.” Some turn back, some click through the message, and run the risk of sending their data through an unencrypted channel. In 2017, LinkedIn’s country subdomain SSL certificate expired, impacting users across the US. The company reaped some criticism at the time, only to face an even bigger backlash two years later when the scenario repeated.
Indeed, allowing a certificate to expire is poor security practice that will erode trust in your company, especially when you handle user data (which you rarely don’t). But you can easily null the menace of cert expiration with automated renewal. There are a number of ways of ensuring this, such as taking advantage of the Let’s Encrypt initiative. Indeed, allowing a certificate to expire is poor security practice that will erode trust in your company, especially when you handle user data (which you rarely don’t).
Let’s Encrypt is a free and open certificate authority (CA) run by the Internet Security Research Group (ISRG) to promote TLS best security practices and provide the digital certificates trusted by all the major browsers. Any owner of a domain name can use it to obtain a certificate at zero cost.
The automatic issuance and renewal protocol is published as an open standard for anyone to adopt. Software running on your web server can then interact with Let’s Encrypt to obtain a certificate, configure it for use, and automatically take care of renewal.
Because Kemp load balancers act as a gateway sitting between your applications and the rest of the world, they are in a good position to handle the automatic SSL certificate enrollment and renewal.
As of version 7.2.53, Kemp LoadMaster integrates with Let’s Encrypt to deliver the following functionalities:
All you need to do is link the LoadMaster with your Let’s Encrypt account (if you don’t have one, you can create one from the LoadMaster UI), set up the renewal period, and request a new certificate. After that, you are all set. Your SSL certificates will automatically renew after the renewal period has expired.
It is worth noting that when requesting a new certificate, you must select an existing virtual service that can have sub-virtual services. This means the parent VS cannot have real servers attached but it can have subVSs with real servers. You can easily convert your VS to one with subVSs from the UI under Virtual Services > View/Modify Services.
You can find the full feature description including instructions on how to enable Let’s Encrypt automated certificate renewal on your LoadMaster here. And as always, be sure to upgrade your LoadMaster to the latest version.
If you need any assistance, contact Kemp Support.