F5 Distributed Cloud - Automatic TLS Certificate Generation - Non-Delegated DNS Zone

F5 Distributed Cloud supports automatic TLS certificate generation and renewal using Let's Encrypt for its HTTP load balancers. We will provide here a quick step by step guide using the non-delegated domains option. 

1. Configuring HTTP Load Balancer

1.1. Initial Configuration 

On the HTTP Load Balancers menu, add an HTTP Load Balancer and configure the desired domain for the application. In this example the domain is demo.f5pslab.com. Select HTTPS with Automatic Certificate option for the Type of Load Balancer as the following:

 

Conclude the remaining configuration such as Origin Pool, WAF policies etc. and click on Save and Exit.

1.2. Obtaining Auto Certificate DNS Information  

After the HTTP Load Balancer is created the GUI will display a blank information in the Certificate Status column:

 

Click on the three dot menu, then Manage Configuration. Browse to the bottom of the HTTP Load Balancer object configuration to the Auto Cert Information section:

 

This section display the DNS record of type CNAME that needs to be created on the Customer's DNS as well as the expected value for the record. 

In the case above a DNS record named _acme-challenge.demo.f5lab.com should be created with a CNAME value of debcb0c54cc3410784c8d284400b84d2.autocerts.ves.volterra.io.

Observe the DNS record is formed by the _acme-challenge + domain name of the application. 

Let's Encrypt will query this record in order to verify ownership of the domain. Here you can find additional information about this process from Let's Encrypt. 

 

2. Configuring DNS 

2.1. Configuring CNAME record for the Let's Encrypt ACME challenge

Now it's time to modify our DNS configuration by creating a CNAME record for the target zone:

 

Verifying the correct DNS resolution. First you can observe the CNAME resolution that points to F5 Distributed Cloud domain. In the screenshot below there is also a TXT record resolution from F5 Distributed Cloud. This TXT record contains the Let's Encrypt ACME challenge response and Let's Encrypt follows the CNAME to obtain it. Once Let's Encrypt confirms the challenge response, the TLS certificate is issued. 

 

2.2. Configuring DNS CNAME for the Virtual Host

This step is not related with the Automatic Certificate generation but as the next step for our configuration we would need to configure the application domain with a CNAME pointing to the HTTP Load Balancer in the F5 Distributed cloud.

Browse to Manage Configuration in the HTTP Load Balancer and obtain the Host Name for the Load Balancer on the Metadata tab:

 

Let's adjust our DNS configuration in our DNS provider:

 

3. Validating the New Certificate

3.1. Verifying the certificate in the HTTP Load Balancer configuration 

Once the TLS certificate is issued you will notice the column Certificate Status showing Valid:

 

Click on the three dot menu, then Manage Configuration. Browse to the bottom of the HTTP Load Balancer object configuration to the Auto Cert Information section:

 

The Auto generated TLS certificate details are available in this section. The TLS certificate is valid for 90 days and it will be renewed automatically by the F5 Distributed Cloud.

3.2. Verifying the application in the browser

Finally, access the application in the browser and verify the auto generated TLS certificate by F5 Distributed Cloud:

 

4. Conclusion

This article demonstrated how it is quick and easy to setup F5 Distributed Cloud to generate your TLS certificates automatically using a Non-delegated DNS zone.

Updated Nov 15, 2022
Version 3.0