How to use Let’s Encrypt with Google HTTPS Load Balancer and managed instance groups

google-cloud-platformgoogle-compute-enginelets-encrypt

I'm trying to understand how to use auto-scaling with an HTTPS Regional Load Balancer on Google Cloud. Their documentation recommends having the connection to the backend services (from the proxy) also be HTTPS. This makes me think I need:

An instance template that contains an SSL certificate and Nginx configured to receive HTTPS traffic.
Managed instance groups configured to receive traffic from the load balancer.
A load balancer configured with a valid SSL certificate that receives incoming traffic and forwards it to the appropriate regional instance group (and also triggers scaling, according to Google's documentation).

I can't wrap my mind around how the SSL certificates should work with this setup, in spite of reading Google's SSL Certificates documentation and their various documentation pages about load balancers.

Assuming I would like to use Let's Encrypt and automate the renewal of the SSL certificates every 45 days, here are the questions I have:

What does the instance template need to do in order to have a valid certificate? Or can I used self-signed certificates on the VMs? I'm using Docker on the instance template and struggling to generate a valid self-signed certificate when I spin up an instance on an ephemeral IP address.
Does the instance template need a cron job and/or to use certbot to renew the SSL certificate every 45 days?
Does Google provide a way to automate the renewal of SSL certificates that it manages on the HTTPS Load Balancer?

Finally:

Is there a better way to be thinking about this problem or an easier solution to consider?

Best Answer

You can use self-signed certificates on the VMs. In fact, the self-signed certs I'm using with NGINX on my VMs all expired about 8 months ago. I don't believe the load balancer does any validation on the cert itself--it is just a necessary part of the SSL handshake.

You could attempt to generate something in the instance startup for its own IP, and a cron job to renew it. As above, I don't think it's necessary.

Google does not automate the replacement of the cert, but you can script it. The gcloud command-line utility has commands for creating and updating most resources including certificates and load balancers.

Manual plugin

You can either perform a manual verification - with the manual plugin.

certbot -d bristol3.pki.enigmabridge.com --manual --preferred-challenges dns certonly

Certbot will then provide you instructions to manually update a TXT record for the domain in order to proceed with the validation.

Please deploy a DNS TXT record under the name
_acme-challenge.bristol3.pki.enigmabridge.com with the following value:

667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc

Once this is deployed,
Press ENTER to continue

Once you have updated the DNS record, press Enter, certbot will continue and if the LetsEncrypt CA verifies the challenge, the certificate is issued as normally.

You may also use a command with more options to minimize interactivity and answering certbot questions. Note that the manual plugin does not yet support non-interactive mode.

certbot --text --agree-tos --email you@example.com -d bristol3.pki.enigmabridge.com --manual --preferred-challenges dns --expand --renew-by-default  --manual-public-ip-logging-ok certonly

Renewal does not work with the manual plugin as it runs in non-interactive mode. More info in the official certbot documentation.

Update: manual hooks

In the new certbot version you can use hooks, e.g., --manual-auth-hook, --manual-cleanup-hook. The hooks are external scripts executed by certbot to perform the task.

Information is passed in environment variables - e.g., domain to validate, challenge token. Vars: CERTBOT_DOMAIN, CERTBOT_VALIDATION, CERTBOT_TOKEN.

certbot certonly --manual --preferred-challenges=dns --manual-auth-hook /path/to/dns/authenticator.sh --manual-cleanup-hook /path/to/dns/cleanup.sh -d secure.example.com

You can write your own handler or use already existing ones. There are many available, e.g., for Cloudflare DNS.

More info on official certbot hooks documentation.

Automation, Renewal, Scripting

~~If you would like to automate DNS challenge validation it is not currently possible with vanilla certbot.~~ Update: some automation is possible with the certbot hooks.

We thus created a simple plugin that supports scripting with DNS automation. It's available as certbot-external-auth.

pip install certbot-external-auth

It supports the DNS, HTTP, TLS-SNI validation methods. You can either use it in handler mode or in JSON output mode.

Handler mode

In handler mode, the certbot + plugin calls external hooks (a program, shell script, Python, ...) to perform the validation and installation. In practice you write a simple handler/shell script which gets the input arguments - domain, token and makes the change in DNS. When the handler finishes, certbot proceeds with validation as usual.

This gives you extra flexibility, renewal is also possible.

Handler mode is also compatible with Dehydrated DNS hooks (former letsencrypt.sh). There are already many DNS hooks for common providers (e.g., CloudFlare, GoDaddy, AWS). In the repository there is a README with extensive examples and example handlers.

Example with Dehydrated DNS hook:

certbot \
    --text --agree-tos --email you@example.com \
    --expand --renew-by-default \
    --configurator certbot-external-auth:out \
    --certbot-external-auth:out-public-ip-logging-ok \
    -d "bristol3.pki.enigmabridge.com" \
    --preferred-challenges dns \
    --certbot-external-auth:out-handler ./dehydrated-example.sh \
    --certbot-external-auth:out-dehydrated-dns \
    run

JSON mode

Another plugin mode is JSON mode. It produces one JSON object per line. This enables a more complicated integration - e.g., when Ansible or some deployment manager is calling certbot. Communication is performed via STDOUT and STDIN. Cerbot produces JSON objects with data to perform the validation, for example:

certbot \
    --text --agree-tos --email you@example.com \
    --expand --renew-by-default \
    --configurator certbot-external-auth:out \
    --certbot-external-auth:out-public-ip-logging-ok \
    -d "bristol3.pki.enigmabridge.com" \
    --preferred-challenges dns \
    certonly 2>/dev/null

{"cmd": "perform_challenge", "type": "dns-01", "domain": "bs3.pki.enigmabridge.com", "token": "3gJ87yANDpmuuKVL2ktfQ0_qURQ3mN0IfqgbTU_AGS4", "validation": "ejEDZXYEeYHUxqBAiX4csh8GKkeVX7utK6BBOBshZ1Y", "txt_domain": "_acme-challenge.bs3.pki.enigmabridge.com", "key_auth": "3gJ87yANDpmuuKVL2ktfQ0_qURQ3mN0IfqgbTU_AGS4.tRQM98JsABZRm5-NiotcgD212RAUPPbyeDP30Ob_7-0"}

Once DNS is updated, the caller sends the new-line character to STDIN of certbot to signal it can continue with validation.

This enables automation and certificate management from the central management server. For installation you can deploy certificates over SSH.

For more info please refer to the readme and examples on certbot-external-auth GitHub.

EDIT: There is also a new blog post describing the DNS validation problem and the plugin usage.

EDIT: We currently work on Ansible 2-step validation, will be soon off.

Ssl – Let’s Encrypt certbot validation over HTTPS

As reported in https://community.letsencrypt.org/t/shouldnt-verification-via-dns-record-be-a-priority/604/47 the letsencrypt.sh updater supports validation via DNS. Few updater scripts seem to have implemented this. However, the HTTP method is the simplest to implement for initial configuration.

The script you have may use TNS SNI or Proof of Possession of a Prior Key for renewals. Specification can be found at https://datatracker.ietf.org/doc/html/draft-ietf-acme-acme-01#section-7.5. If this is the case you won't need to have HTTP enabled.