LoadMaster fully integrates the Let’s Encrypt automated enrollment and renewal processes without requiring an external webserver.
Why you should automate certificate renewal
Certificate expiration causes an embarrassing sort of downtime.
Though your website is still up, users are met with a message in their Internet browser along the lines of “Your connection is not private,” accompanied with a large button that says, “Take me back.” Some turn back, some click through the message, and run the risk of sending their data through an unencrypted channel. In 2017, LinkedIn’s country subdomain SSL certificate expired, impacting users across the US. The company reaped some criticism at the time, only to face an even bigger backlash two years later when the scenario repeated.
Indeed, allowing a certificate to expire is poor security practice that will erode trust in your company, especially when you handle user data (which you rarely don’t). But you can easily null the menace of cert expiration with automated renewal. There are a number of ways of ensuring this, such as taking advantage of the Let’s Encrypt initiative. Indeed, allowing a certificate to expire is poor security practice that will erode trust in your company, especially when you handle user data (which you rarely don’t).
What is Let’s Encrypt
Let’s Encrypt is a free and open certificate authority (CA) run by the Internet Security Research Group (ISRG) to promote TLS best security practices and provide the digital certificates trusted by all the major browsers. Any owner of a domain name can use it to obtain a certificate at zero cost.
The automatic issuance and renewal protocol is published as an open standard for anyone to adopt. Software running on your web server can then interact with Let’s Encrypt to obtain a certificate, configure it for use, and automatically take care of renewal.
Manage your certs from your LoadMaster
Because Kemp load balancers act as a gateway sitting between your applications and the rest of the world, they are in a good position to handle the automatic SSL certificate enrollment and renewal.
As of version 7.2.53, Kemp LoadMaster integrates with Let’s Encrypt to deliver the following functionalities:
- Initial account creation and syncing to existing accounts
- Certificate signing request (CSR) generation and certificate request submission
- Automated and manual certificate renewal
- HTTP-01 domain validation
- Automated and manual updating of load balancer certificates
All you need to do is link the LoadMaster with your Let’s Encrypt account (if you don’t have one, you can create one from the LoadMaster UI), set up the renewal period, and request a new certificate. After that, you are all set. Your SSL certificates will automatically renew after the renewal period has expired.
It is worth noting that when requesting a new certificate, you must select an existing virtual service that can have sub-virtual services. This means the parent VS cannot have real servers attached but it can have subVSs with real servers. You can easily convert your VS to one with subVSs from the UI under Virtual Services > View/Modify Services.
Keep your padlocks closed
You can find the full feature description including instructions on how to enable Let’s Encrypt automated certificate renewal on your LoadMaster here. And as always, be sure to upgrade your LoadMaster to the latest version.
If you need any assistance, contact Kemp Support.