Google Cloud Platform – Using Let’s Encrypt TLS with Google Load Balancer

gogoogle-cloud-platformgoogle-kubernetes-enginelets-encryptssl

I've been trying to test out Kubernetes on Google Cloud, but would need HTTPS/TLS (only) exposed on the deployed application. To start, I just followed this tutorial, which worked fine for plain HTTP over port 80: https://cloud.google.com/kubernetes-engine/docs/quickstart

To get TLS support working with Let's Encrypt, I've tried (without success):

Ended up with "CIPHER MISMATCH" errors when serving via the Golang
application itself (then just doing a generic TCP load balancer for the node cluster) …
https://godoc.org/golang.org/x/crypto/acme/autocert
This method didn't work either: https://github.com/ahmetb/gke-letsencrypt 🤔

… Does anyone have any suggestions on how to serve just HTTPS for the original tutorial? No need for plain HTTP unless it's a freebie, but I'm really scratching my head on this one since I haven't worked with Kubernetes before and I haven't been able to get Let's Encrypt working at all here.

Best Answer

So, it turns out that you can just add TLS directly on the load balancer now, and it'll issue a Let's Encrypt certificate automatically. This is doable via Cloud Console:

No clue why this isn't more well-known.

Related Solutions

Let’s Encrypt – How to Use Let’s Encrypt as a Free SSL Certificate Provider

I have written a pair of how-tos for running Let's Encrypt SSL certs on CentOS: initial setup & cronning it.

And my per-domain (I use the file naming convention of z-<[sub-]domain-tld>.conf) Apache config files look like this:

<VirtualHost *:80>
ServerName domain.tld
Redirect permanent / https://domain.tld/
</VirtualHost>

<VirtualHost *:443>
    SSLCertificateFile /etc/letsencrypt/live/domain.tld/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/domain.tld/fullchain.pem
    DocumentRoot /var/www/domain
    ServerName domain.tld
    ErrorLog logs/domain-error_log
    CustomLog logs/domain-access_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ServerAdmin user@domain.tld

    SSLEngine on

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

    <Directory "/var/www/domain">
         Options All +Indexes +FollowSymLinks
         AllowOverride All
         Order allow,deny
         Allow from all
    </Directory>

</VirtualHost>

And my ssl.conf looks like this:

#SSL options for all sites
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
Mutex sysvsem default
SSLRandomSeed startup file:/dev/urandom  1024
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
SSLCompression          off
SSLHonorCipherOrder     on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Using Let's Encrypt to get SSL certs (and get your site up to an "A" rating from SSL Labs) is pretty straight-forward - once you get past some of the arcana of the Apache configs and LE command-line arguments.

How to use Let’s Encrypt with Google HTTPS Load Balancer and managed instance groups

You can use self-signed certificates on the VMs. In fact, the self-signed certs I'm using with NGINX on my VMs all expired about 8 months ago. I don't believe the load balancer does any validation on the cert itself--it is just a necessary part of the SSL handshake.

You could attempt to generate something in the instance startup for its own IP, and a cron job to renew it. As above, I don't think it's necessary.

Google does not automate the replacement of the cert, but you can script it. The gcloud command-line utility has commands for creating and updating most resources including certificates and load balancers.

Best Answer

Related Solutions

Let’s Encrypt – How to Use Let’s Encrypt as a Free SSL Certificate Provider

How to use Let’s Encrypt with Google HTTPS Load Balancer and managed instance groups

Related Topic