14 votes

I've set up my Google Cloud Project to use a load balancer in combination with auto-scaling instance templates. Currently the instance group only has one instance.

My domain name successfully refers to the load balancer's IP. Up to these steps everything is working correctly.

Now I want to set up SSL for this project. I would like to do this with the Let's Encrypt service, however I'm having no success when trying to set this up.

In the Google Cloud Engine load balancer window there is an option to set up an earlier created certificate with Google Cloud Shell on the load balancer frontend. Unfortunately I can only create a .csr and .key file with the Google Cloud Shell. Furthermore, I can create an unsafe SSL certificate and get the .cert file from it, but I would like to create a safe SSL cert file using Let's Encrypt. The Let's Encrypt service requires direct access to the domain from the command line interface the command was executed on; this is probably the reason why I'm getting an error indicating the domain name cannot be retrieved.

I'm looking for a way to install the Let's Encrypt certificate on the load balancer using Google Cloud. Is there a way I can manually create a .cert file with Let's Encrypt instead of installing it directly? If not, is there another way or service to create a .cert file from a .csr and .key file?


4 Answers

6 votes

You can use sslforfree.com, which calls Let's Encrypt for you and gives you the keys for downloading. It can also remind you to renew your certs. (There's currently no way to auto-renew certs in Google LB.)

4 votes

You can use certbot.

Here is an example of how to create only the certificates:

$ ./certbot-auto certonly --standalone --email [email protected] -d example.com -d www.example.com

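As an added example (not code from the answer above, nor from certbot or Google), here is the complete path from certbot to the load balancer frontend the question asks about. Because the domain resolves to the load balancer rather than to the machine running certbot, the script swaps the `--standalone` HTTP challenge for the DNS-01 challenge (`--manual --preferred-challenges dns`), where certbot prints a TXT record for you to add under `_acme-challenge.<domain>`; it then uploads the resulting files with `gcloud compute ssl-certificates create` and points the target HTTPS proxy at the new resource. The proxy name `web-https-proxy`, the work directory `~/le` and the `RUN`/`DRY_RUN` switches are assumptions for the example; replace them with your own.

```shell
#!/usr/bin/env bash
# Added example, not code from the answer above: issue a Let's Encrypt certificate
# with certbot (DNS-01 challenge, so port 80 on this host is never needed) and
# install it on a Google Cloud HTTPS load balancer with gcloud.
# Hypothetical names: target HTTPS proxy "web-https-proxy", work directory ~/le.
set -eu

TARGET_PROXY="${TARGET_PROXY:-web-https-proxy}"   # assumed name of your target HTTPS proxy

# Print commands instead of running them when DRY_RUN=1 (handy for review).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# A Google Cloud ssl-certificate resource is immutable, so every renewal needs a
# new resource name. Build one from the domain and a date stamp: lowercase,
# only [a-z0-9-], at most 63 characters (the domain must start with a letter).
cert_resource_name() {
  local domain="$1" stamp="$2" base
  base=$(printf '%s' "$domain" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9' '-')
  printf '%s-%s' "$base" "$stamp" | cut -c1-63
}

# Step 1: obtain fullchain.pem and privkey.pem. certbot prints the TXT record to
# create under _acme-challenge.<domain> and waits until you have added it.
obtain_cert() {
  local domain="$1" email="$2" workdir="$3"
  run certbot certonly --manual --preferred-challenges dns \
    --agree-tos --email "$email" -d "$domain" -d "www.$domain" \
    --config-dir "$workdir/etc" --work-dir "$workdir/lib" --logs-dir "$workdir/log"
}

# Step 2: confirm the private key matches the certificate before uploading.
# gcloud rejects a mismatch too, but this gives a clearer error and catches a
# stale key left over from an earlier run.
check_key_matches() {
  local live="$1" cert_pub key_pub
  cert_pub=$(openssl x509 -noout -pubkey -in "$live/fullchain.pem")
  key_pub=$(openssl pkey -pubout -in "$live/privkey.pem")
  [ "$cert_pub" = "$key_pub" ]
}

# Step 3: upload the pair as a new resource and point the target HTTPS proxy at
# it. The proxy is what the load balancer frontend serves; the old resource can
# be deleted once nothing references it.
install_cert() {
  local domain="$1" stamp="$2" workdir="$3" name live
  name=$(cert_resource_name "$domain" "$stamp")
  live="$workdir/etc/live/$domain"
  run gcloud compute ssl-certificates create "$name" \
    --certificate="$live/fullchain.pem" --private-key="$live/privkey.pem" --global
  run gcloud compute target-https-proxies update "$TARGET_PROXY" \
    --ssl-certificates="$name" --global
}

main() {
  local domain="$1" email="$2" workdir="${3:-$HOME/le}"
  obtain_cert "$domain" "$email" "$workdir"
  check_key_matches "$workdir/etc/live/$domain"
  install_cert "$domain" "$(date +%Y%m%d)" "$workdir"
}

# Run only when asked, e.g.:  RUN=1 ./le-gclb.sh example.com you@example.com
if [ "${RUN:-0}" = 1 ]; then
  main "$@"
fi
```

Renewal is the same script run again before expiry (the answers note the load balancer will not renew for you); each run creates a fresh `ssl-certificates` resource and re-points the proxy, so nothing is edited in place and a failed run leaves the old certificate serving. Run it with `DRY_RUN=1` first to see the exact gcloud commands without touching the project.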
2 votes

If you use Kubernetes on top of Google Compute Engine, a good solution is cert-manager, which is the successor of kube-lego. Both can automatically request certificates for Kubernetes Ingress resources from Let's Encrypt:

Features

  • Recognizes the need for a new certificate in these cases:
    • No certificate exists
    • The existing certificate does not contain all domain names
    • The existing certificate is expired or near its expiry date (cf. option LEGO_MINIMUM_VALIDITY)
    • The existing certificate is unparseable, invalid or does not match the secret key
  • Creates a user account (incl. private key) for Let's Encrypt and stores it in Kubernetes secrets (secret name is configurable via LEGO_SECRET_NAME)
  • Obtains the missing certificates from Let's Encrypt and authorizes the request with the HTTP-01 challenge
  • Makes sure that the specific Kubernetes objects (Services, Ingress) contain the right configuration for the HTTP-01 challenge to succeed
  • Official Kubernetes Helm chart for simple deployment.

A step-by-step tutorial for GCE is available.
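As an added example (not from the answer above, and not the cert-manager project's own material), here is what the Ingress-driven flow described in the feature list looks like on GKE with the current cert-manager API: a ClusterIssuer that solves HTTP-01 by editing an existing Ingress, and the Ingress itself annotated so cert-manager issues a certificate into a Secret, which the GKE ingress controller then uploads to the Google load balancer. The names `web` (Ingress and Service), `web-tls`, `letsencrypt-prod` and the `gce` ingress class are assumptions for the example; the `LEGO_*` options in the list above belong to kube-lego and have no equivalent here.

```shell
#!/usr/bin/env bash
# Added example, not from the answer above or from cert-manager: render (and
# optionally apply) a ClusterIssuer plus an Ingress that asks cert-manager for a
# Let's Encrypt certificate on GKE. Hypothetical names: Ingress "web", Service
# "web" on port 80, Secret "web-tls", ClusterIssuer "letsencrypt-prod".
set -eu

# Print the two manifests for a domain and contact e-mail. Kept as a function
# that emits YAML so the result can be reviewed before anything is applied.
render_manifests() {
  local domain="$1" email="$2"
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ${email}
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key is stored in this Secret
    solvers:
    - http01:
        ingress:
          # On GKE, editing the existing Ingress avoids provisioning a second
          # Google load balancer just to answer the challenge.
          name: web
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: gce
spec:
  tls:
  - hosts:
    - ${domain}
    secretName: web-tls        # cert-manager writes cert+key here; GKE pushes it to the LB
  rules:
  - host: ${domain}
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
EOF
}

# Apply both manifests to the current kubectl context.
apply_manifests() {
  render_manifests "$1" "$2" | kubectl apply -f -
}

# Usage:  apply_manifests example.com you@example.com
# Then watch issuance with:  kubectl get certificate web-tls -o wide
```

The HTTP-01 solver needs the challenge path to be reachable through the same Google load balancer the Ingress creates, which is why the solver names the existing Ingress instead of creating a temporary one. Once the `Certificate` shows `Ready`, cert-manager keeps renewing into `web-tls` on its own, which addresses the renewal gap the first answer mentions.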

1 vote

A good way to achieve your goal is a Cloud Function + Cloud Scheduler + https://github.com/bloomapi/letsencrypt-gcloud-balancer