Load balancer wildcard SSL

Liam Mclaney

At the moment it's not possible to install a wildcard SSL certificate on the load balancer.

This makes it impossible to use a load balancer for multi-tenant platforms that have a unique sub-domain per account.

We need to be able to either create or upload a wildcard SSL certificate on the load balancer, like we can at the site level.

Richard Gustin

Hey Dennis, Is there any news on when this is going to be implemented?

Md Ziaoul Hoque

Is there any update on when Wildcard SSL for Load Balancer will be ready?

Christoph Heich

Hey Dennis, I don't wanna force you, but is there an ETA for when this will be implemented? We need this for our multi-tenant scenario.

Dennis

Sorry for my late reply! We hope to support this at the end of this month/start of February.

philipp

Hi Dennis,
Sorry for pushing, just building another workaround and wonder if this is worth the effort or if the wildcard support is still planned for the near future? Thanks!
Liam Mclaney

Our workaround for this was to not use the load balancer or SSL in Ploi. Instead, we manage it all through AWS directly and use ALB for load balancing - works really nicely and no worries about maintenance of additional servers and software as ALB is a fully managed service.

philipp

Sure, this is a valid solution, too. In my case only European Hosting Companies are allowed, so AWS is not an option.

philipp

I am sorry for spamming & pushing, but I assume the following can be of help as finding a workaround for the lack of wildcard certificates forced me to deep-dive into the world of HAProxy and for now I understand the following as a critical integration of Ploi.io:

1.) Obvious is the missing Wildcard support ;)
2.) The haproxy config is only extendable, but not editable as whole. See the next issue, as fixing/changing that would allow Ploi to make the whole config file editable.
3.) Every attached domain path is added to /etc/haproxy/haproxy.cfg. Imagine that for 50 domains or even 100.

THERE IS A NEAT SOLUTION for this since version 2.1 & 2.2 called "Dynamic SSL Certificate Storage" (www.haproxy.com/blog/dynamic-ssl-certificate-storage-in-haproxy/). I tested it and it works as expected; the only issue I have is that Ploi saves each certificate in a separate folder "/etc/ssl/domain.com/domain.com.pem", but HAProxy expects all certificates in the same directory.
However, I assume that this makes SSL handling much easier.
All certificate files would be stored in "/etc/ssl/" and the only line for handling all certs is: "bind *:443 ssl crt /etc/ssl/"

To be able to update to HAProxy 2.2, you will need to use "add-apt-repository ppa:vbernat/haproxy-2.2 --yes".

I really hope that you can have a look at this sooner than later. Thanks!

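As an added example (not Ploi's code and not taken from the HAProxy blog post linked above), here is a small POSIX shell script that turns the per-domain layout described in the post (/etc/ssl/<domain>/<domain>.pem) into the flat directory that HAProxy's "crt <dir>" loading expects. It also checks that each PEM really contains both the certificate chain and the private key, since HAProxy silently needs both in one file. The destination path /etc/ssl/haproxy and the function names are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not Ploi's or HAProxy's own code. Flattens Ploi-style
# per-domain certificate folders (SRC/<domain>/<domain>.pem) into one
# directory (DST) so a single "bind *:443 ssl crt DST/" line can load them all.
# DST path and function names are assumptions for this illustration.

# is_combined_pem FILE: HAProxy's crt loading expects the certificate chain
# and the private key in the same PEM file; reject files missing either part.
is_combined_pem() {
    grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1"
}

# collect_certs SRC DST: symlink every SRC/<domain>/<domain>.pem that passes
# is_combined_pem to DST/<domain>.pem. Symlinks (rather than copies) keep a
# single copy of each private key, so renewals written by Ploi are picked up
# on the next HAProxy reload. Prints the number of certificates linked.
collect_certs() {
    src=$1
    dst=$2
    count=0
    mkdir -p "$dst"
    for dir in "$src"/*/; do
        [ -d "$dir" ] || continue
        domain=$(basename "$dir")
        pem="$dir$domain.pem"
        if [ -f "$pem" ] && is_combined_pem "$pem"; then
            ln -sf "$pem" "$dst/$domain.pem"
            count=$((count + 1))
        else
            echo "skipping $domain: no combined cert+key PEM" >&2
        fi
    done
    echo "$count"
}

# haproxy_bind_line DST: the single bind line the post refers to, pointing at
# the flat directory instead of one "crt" argument per domain.
haproxy_bind_line() {
    printf 'bind *:443 ssl crt %s/\n' "$1"
}

# Example run (paths are assumptions):
#   collect_certs /etc/ssl /etc/ssl/haproxy
#   haproxy_bind_line /etc/ssl/haproxy
```

Before reloading, validate the resulting configuration with "haproxy -c -f /etc/haproxy/haproxy.cfg" so a malformed or key-less PEM fails the check instead of taking the listener down; anything Ploi appends to haproxy.cfg for individual domains would still need to be reconciled with the directory-based bind line.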
philipp

I am making progress on finding a workaround until the LB supports wildcard certificates natively. The idea is to keep the wildcard certificate on the backend server and let HAProxy pass the TCP connection through for validation: serverfault.com/questions/1036927/haproxy-ssl-termination-with-exception-for-a-specific-domain-wildcard-ssl-certi

EDIT:
This somehow works but produces issues as port 443 plays ping-pong. Do not use it; currently the only solution would be either wildcard support for the LB or the possibility to edit the HAProxy config without losing the edits when settings are saved in Ploi or a new cert is added...

philipp

Hi Dennis,
can you give any ETA for this? Would be very useful to add Wildcard Certs to Load Balancers.

Dennis

Status changed to: Planned