It’s a System Admins worst nightmare. There you are at your desk. Everything is calm for once, and you can finally catch up on all those things you have wanted to tweak. The sun is shining. The coffee is good. This is not a bad job after all.
Then someone on the support help desk shouts across the office to you. “Johnny. Is the billing system down?”
What? You look at the monitoring dashboard, and all the servers are up. There are no outages reported from the Cloud dashboard either. Then you see an email pop up from the CFO’s assistant with the title: Are the servers down?
Here we go again! You dive into the billing system servers to see what’s wrong. And after a while, you have a thought, check the certificates, and low and behold, the TLS Certificate on the web servers expired at 10.11 am today. Oops. You quickly renew the certificate, upload the new one and restart the relevant services, and everything is back to normal.
Just the small matter of explaining what happened to the CFO left to do! As you prepare for that, you can take some solace from the fact that even the world’s largest tech companies have had service outages due to failure to renew certificates.
LoadMaster Can Now Auto-Renew Your Certificates
Wouldn’t it be great if security certificates auto-renewed? Now they can. In the latest LoadMaster 22.214.171.124 GA release that arrived at the end of March, one of the new headline features is the ability to auto-renew Let’s Encrypt issued certificates. The new functionality covers obtaining, managing, and automatically renewing certificates from the Let’s Encrypt Certificate Authority. The support is on a per device basis for now, but it is hoped to make it a global feature in the future.
The Let’s Encrypt Feature List
Support for obtaining, managing, and automatically renewing certificates from the Let’s Encrypt Certificate Authority (CA). In the UI, navigate to the Certificates & Security > Let’s Encrypt Certs page. The main capabilities are:
- A built-in LoadMaster ACME protocol client.
- Client supports obtaining a certificate from Let’s Encrypt (LE) servers, as well as user-driven certificate renewal.
- Users can create a new LE account via LoadMaster or use an already obtained account key. The key can have been previously obtained using another ACME client.
- LoadMaster automatically configure a SubVS (and content rules) to automatically respond to the required domain ownership challenge from the LE server. Note that only the HTTP-01 method of validating FQDN ownership is currently supported.
- Certificates obtained using the LM ACME client are managed on a new UI page, and assigned to Virtual Services on the existing Manage Certificates page. They can be used for:
- VS Decryption
- VS Re-encryption
- Administrative Login
- Up to 10 SANs (Subject Alternative Names) can be specified per certificate request.