
I am having problems with my Load Balancer's certificate

Reviewed on 10 March 2025. Published on 10 March 2025.

I’m experiencing DNS errors when adding an SSL/TLS certificate

You may be trying to create or upload a certificate for your Load Balancer, and receive the following error message:

invalid argument(s): dns_name does not respect constraint, <domain> does not resolve to your Load Balancer IP

Cause

The domain name specified does not resolve to the Load Balancer’s public IP address.

Solution

Try the following steps:

  • Ensure that a DNS record exists, pointing this domain to the Load Balancer’s public IP address.
  • Ensure that you have correctly typed the domain name, with no typos or errors.
  • If you created the DNS record very recently, DNS propagation might not yet be complete. Wait for 30-60 minutes and try again, to see if the issue resolves itself.
  • If you are trying to upload a custom certificate:
    • Check the certificate’s validity dates and ensure it is neither expired nor not yet valid.
    • If the certificate has wildcards, ensure it covers the correct domain and subdomains. For example, if your certificate covers *.example.com, you can use it to secure subdomain.example.com but not sub.subdomain.example.com. Check the IETF documentation.
  • If the error persists, check the DNS entry using a tool like dig, to ensure it is resolving correctly.

I am experiencing HTTP errors when generating a Let’s Encrypt SSL/TLS certificate

You may be trying to generate a Let’s Encrypt certificate for your Load Balancer, and receive the following error message:

HTTP error 400: The port 80 frontend must be associated to an HTTP backend

Cause

Let’s Encrypt certificates cannot be created for a Load Balancer whose frontend listening on port 80 is attached to a TCP backend. This is because the Let’s Encrypt challenge would fail.

Solution

Ensure that your Load Balancer has either:

  • An HTTP-protocol-backend attached to a frontend listening on port 80, or
  • A TCP-protocol-backend attached to a frontend listening on a port other than 80

Alternatively, create and import your own custom certificate for your Load Balancer, rather than generating a Let’s Encrypt certificate via Scaleway.

I added a certificate to my Kubernetes Load Balancer via the Scaleway console, but it is not working correctly

You may have used the Scaleway console to attach a certificate to your Kubernetes Kapsule Load Balancer, and then found that the SSL certificate does not work as expected afterwards, with connections lost and HTTPS traffic dropped.

Cause

Kubernetes Kapsule is a managed service, as are the Load Balancers created as part of the cluster. Modifying a Kubernetes Load Balancer via the Scaleway console results in non-permanent modifications which are not known to the Kubernetes Kapsule service, and therefore end up being overwritten.

Solution

Always modify Kubernetes Load Balancers via the cluster’s Cloud Controller Manager (CCM), using Load Balancer annotations.

The specific annotation to use can be found in the Scaleway CCM documentation.

Check the following documentation:

  • How to add an SSL/TLS certificate
  • Setting up SSL bridging, offloading or passthrough
  • Load Balancer API Documentation: Certificates
  • Load Balancer Terraform Documentation: Certificates