Nova allows you to automatically provision and renewal Let's Encrypt SSL certificates on your ADCs, ensuring that SSL is easy to manage and deploy, and saving you money.
You must already be pointing your domain name to the Nova node(s) before deploying the ADC! It has to validate the Let's Encrypt request which will go to the domain name! In addition, TCP port 80 must be open, as Let's Encrypt uses this to validate domains.
How it Works
Let's Encrypt is a CA (certificate authority) that allows you to provision valid SSL certificates for free. The Nova implementation requires HTTP validation in order to receive and renew a certificate.
What this means is that we send Let's Encrypt a request for a certificate for a given domain, e.g. test.nova-adc.com. Let's Encrypt then says okay, we must first verify you own that, and they send a request directly to test.nova-adc.com with information we intercept on the ADC, and submit back to them.
In this way they know that we are allowed to get a certificate for test.nova-adc.com, because the traffic is coming to us. This means that importantly you must set up your DNS records to point to your Nova before you apply for a Let's Encrypt certificate on it, or validation will fail!
Let's Encrypt Setup
To use Let's Encrypt you need to edit an SSL ADC and change the Certificate dropdown to Let's Encrypt. You will then be provided with a set of options. We automatically provide HTTP verification for the certificates, and manage the renewals and issuing of them.
Let's Encrypt Terms: you must accept the terms and conditions from Let's Encrypt in order to use their service. You may read them here, and then select Accept once you are happy.
Let's Encrypt Status: Enable Let's Encrypt on this specific ADC. This will allow the ADC to intercept Let's Encrypt requests, and authorize certificates.
Let's Encrypt Domains: a space seperated list of domains we should get certificates for. You must ensure that these domains point to the Nova before submitting this otherwise the authorization will fail.
Let's Encrypt Limitations
- Let's Encrypt validations and outbound sessions must use the same IP address. If you are redirecting (NAT'ing) traffic in you must have the load balancer exit the network on the same IP as validations come in on (your hostname). This is not a problem if you are using public IPs on the Node.
- Let's Encrypt does not currently work with Nova Autoscalers. If you are using autoscalers you must have a traditional SSL certificate uploaded.
- Let's Encrypt is only supported for single Node deployments of ADCs. For multi-node ADCs you need a traditional SSL certificate.