Let's Encrypt Automation
Automatic SSL certificate issuance and renewal
Tula integrates with Let's Encrypt to provide fully automated SSL/TLS certificate issuance and renewal. Certificates are obtained free of charge using the ACME (Automatic Certificate Management Environment) protocol, validated automatically, and installed into the load balancer configuration without manual intervention. This eliminates the operational burden of tracking certificate expiry dates and performing manual renewals.
How ACME Certificate Provisioning Works
The ACME protocol automates the process of proving domain ownership (validation) and obtaining a signed certificate from Let's Encrypt's certificate authority. Tula handles the entire lifecycle:
- Certificate request. When you enable Let's Encrypt for a VIP, Tula generates a private key and sends a Certificate Signing Request (CSR) to Let's Encrypt.
- Domain validation. Let's Encrypt issues a challenge to verify that you control the domain. Tula automatically responds to the challenge (see validation methods below).
- Certificate issuance. Upon successful validation, Let's Encrypt signs and returns the certificate along with the full chain of trust.
- Installation. Tula installs the certificate into HAProxy's configuration and performs a seamless reload, activating the new certificate with zero downtime.
- Renewal. Tula monitors certificate expiry and automatically initiates renewal 30 days before expiration.
HTTP-01 Challenge Validation
The HTTP-01 challenge is the default and most common validation method. Let's Encrypt requests a specific token file at a well-known URL path on your domain:
http://<your-domain>/.well-known/acme-challenge/<token>
Tula automatically configures HAProxy to intercept requests to this path and serve the validation token, regardless of the backend server configuration. This means your backend servers do not need any modification to support Let's Encrypt validation.
Requirements for HTTP-01:
- The domain must resolve to the load balancer's VIP address (publicly accessible on port 80).
- Inbound HTTP traffic on port 80 must not be blocked by upstream firewalls or security groups.
- Each domain in the certificate is validated individually; this method cannot be used for wildcard certificates.
Configuring Let's Encrypt per VIP
To enable Let's Encrypt for a Layer 7 Virtual IP:
- Navigate to Load Balancing > L7 Virtual IPs and select the VIP.
- In the SSL section, select Let's Encrypt as the certificate source.
- Enter the domain name(s) for the certificate. You can include multiple Subject Alternative Names (SANs) to cover several domains in a single certificate.
- Provide a valid email address for Let's Encrypt registration. This address receives expiry warnings as a safety net, though Tula handles renewals automatically.
- Save and apply the configuration.
Tula initiates the certificate request immediately. The process typically completes within 30 seconds. Monitor progress in SSL > Certificates, where the certificate status will change from "Pending" to "Active" upon successful issuance.
Automatic Renewal
Tula checks certificate expiry dates daily and initiates renewal when a certificate is within 30 days of expiring. Let's Encrypt certificates have a 90-day validity period, so renewal occurs approximately every 60 days.
The renewal process is identical to the initial issuance: a new CSR is generated, the domain is revalidated, a fresh certificate is obtained, and HAProxy is reloaded seamlessly. If a renewal attempt fails -- due to a DNS misconfiguration or network issue, for example -- Tula retries daily until successful, and logs each attempt for troubleshooting.
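The daily check, the 30-day window and the retry-until-success behaviour described above, modelled as an added example. This is a simulation written for this page, not Tula's scheduler; the 90-day lifetime and 30-day window are taken from the text, and the outage dates are constructed.

```python
from datetime import date, timedelta

VALIDITY_DAYS = 90      # Let's Encrypt certificate lifetime (from the text)
RENEW_WINDOW_DAYS = 30  # renew once this close to expiry (from the text)


def needs_renewal(not_after: date, today: date, window_days: int = RENEW_WINDOW_DAYS) -> bool:
    """True once the certificate is inside the renewal window (or already expired)."""
    return today >= not_after - timedelta(days=window_days)


def simulate(start: date, days: int, fail_on: set):
    """Run the daily expiry check for `days` days after an initial issuance on `start`.

    fail_on: dates on which the ACME attempt fails (DNS outage, blocked port 80, ...);
    the model retries on the next daily check until an attempt succeeds.
    Returns (successful renewal dates, failed-attempt dates, smallest number of
    days of validity still remaining at the moment a renewal succeeded).
    """
    not_after = start + timedelta(days=VALIDITY_DAYS)
    renewed, failed, min_margin = [], [], VALIDITY_DAYS
    for n in range(1, days + 1):
        today = start + timedelta(days=n)
        if not needs_renewal(not_after, today):
            continue                      # outside the window: nothing to do today
        if today in fail_on:
            failed.append(today)          # logged; retried at tomorrow's check
            continue
        min_margin = min(min_margin, (not_after - today).days)
        not_after = today + timedelta(days=VALIDITY_DAYS)  # fresh 90-day certificate
        renewed.append(today)
    return renewed, failed, min_margin


def run_example():
    """One simulated year with two consecutive failed attempts (constructed outage)."""
    start = date(2025, 1, 1)
    outage = {date(2025, 3, 2), date(2025, 3, 3)}
    return simulate(start, 365, outage)


if __name__ == "__main__":
    renewed, failed, margin = run_example()
    print("renewals:", [d.isoformat() for d in renewed])
    print("failed attempts:", [d.isoformat() for d in failed])
    print("worst-case remaining validity at renewal (days):", margin)
```

Even with two failed attempts at the start of the window, the certificate is replaced with 28 days of validity to spare, which is why a failed renewal is a warning to investigate rather than an immediate outage.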
Wildcard Certificates (DNS-01 Challenge)
Wildcard certificates (e.g., *.example.com) require the DNS-01 challenge method, which proves domain ownership by creating a specific TXT record in your domain's DNS zone:
_acme-challenge.example.com. IN TXT "<validation-token>"
To use DNS-01 validation, you must configure a supported DNS provider integration so Tula can programmatically create and remove the required TXT records. Tula supports common DNS providers through API integration.
DNS-01 advantages:
- Supports wildcard certificates covering all subdomains.
- Does not require inbound HTTP access on port 80.
- Can validate domains before they are pointed at the load balancer.
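What Tula actually has to publish for the two challenge types above, as an added example (not Tula's code): the HTTP-01 body served at /.well-known/acme-challenge/<token> is the key authorization token.thumbprint, and the DNS-01 TXT value is the base64url SHA-256 of that same string (RFC 8555 sections 8.3 and 8.4, thumbprint per RFC 7638). The account key and token are constructed sample values, not a real key pair.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: hash the canonical JSON of the REQUIRED members only, keys sorted,
# no whitespace. Optional members such as "kid" or "use" must be ignored.
_REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def jwk_thumbprint(jwk: dict) -> str:
    members = {k: jwk[k] for k in _REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def http01_body(token: str, account_jwk: dict) -> str:
    """Exact response body for /.well-known/acme-challenge/<token> (key authorization)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt(token: str, account_jwk: dict) -> str:
    """RDATA for _acme-challenge.<domain> TXT: base64url(SHA-256(key authorization))."""
    key_authorization = http01_body(token, account_jwk)
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


# Constructed sample public account key and token (not a valid curve point, not real ACME data).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "WbbXwGxVlJ1ZXIaF0nhXRqhNzfAnNqWqNzHU0m4Mc0k",
    "y": "b0p6gj7pMKUG0vJwtQ1YBkq4mZsgSn-pOAQ2NTGEiDo",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    print("HTTP-01 body :", http01_body(SAMPLE_TOKEN, SAMPLE_JWK))
    print("DNS-01 TXT   :", dns01_txt(SAMPLE_TOKEN, SAMPLE_JWK))
```

When troubleshooting, compare what a plain HTTP fetch of the challenge URL returns (or what public DNS returns for the _acme-challenge TXT record) against these values; a mismatch, an extra trailing newline, or a stale record from a previous attempt will fail validation.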
Troubleshooting Common Issues
Certificate request fails with "DNS problem: NXDOMAIN". The domain does not resolve in public DNS. Ensure an A or CNAME record exists pointing the domain to your VIP's public IP address.
Certificate request fails with "Connection refused" or "Timeout". Let's Encrypt cannot reach port 80 on your VIP. Check that HTTP traffic is allowed through all firewalls, security groups, and network ACLs between the internet and your load balancer.
Certificate request fails with "Too many certificates already issued". Let's Encrypt enforces rate limits: 50 certificates per registered domain per week. This typically only affects testing. Use the Let's Encrypt staging environment for development and testing to avoid hitting production rate limits.
Renewal fails after infrastructure change. If your VIP's IP address changed or DNS records were modified, the HTTP-01 challenge may fail. Verify that the domain still resolves to the VIP and that port 80 is accessible.
Certificate issued but browser shows untrusted. The certificate chain may be incomplete. Tula automatically includes the full chain, but verify under SSL > Certificates that the chain status shows as complete. If issues persist, check that your HAProxy configuration has not been manually modified outside of Tula.
Check the Tula system log under System > Logs for detailed ACME transaction logs, including the full challenge and response cycle, to diagnose any issues.