Ismael_Goncalves
F5 Employee

F5 Distributed Cloud supports automatic TLS certificate generation and renewal using Let's Encrypt for its HTTP load balancers. This article provides a quick step-by-step guide using the non-delegated domains option.


1. Configuring HTTP Load Balancer

1.1. Initial Configuration 

On the HTTP Load Balancers menu, add an HTTP Load Balancer and configure the desired domain for the application. In this example the domain is demo.f5pslab.com. Select the HTTPS with Automatic Certificate option as the Type of Load Balancer, as shown below:


image2022-3-10_15-19-36.png

Complete the remaining configuration (Origin Pool, WAF policies, etc.) and click Save and Exit.

1.2. Obtaining Auto Certificate DNS Information  

After the HTTP Load Balancer is created, the GUI shows an empty Certificate Status column:


image2022-3-10_15-26-14.png

Click on the three dot menu, then Manage Configuration. Browse to the bottom of the HTTP Load Balancer object configuration to the Auto Cert Information section:


image2022-3-10_15-28-31.png

This section displays the CNAME record that needs to be created in the customer's DNS, together with the expected value of the record.

In the case above, a DNS record named _acme-challenge.demo.f5lab.com should be created with a CNAME value of debcb0c54cc3410784c8d284400b84d2.autocerts.ves.volterra.io.

Observe that the record name is formed by prepending _acme-challenge to the domain name of the application.

Let's Encrypt will query this record in order to verify ownership of the domain. Here you can find additional information about this process from Let's Encrypt.


2. Configuring DNS 

2.1. Configuring CNAME record for the Let's Encrypt ACME challenge

Now it's time to modify our DNS configuration by creating the CNAME record in the target zone:


image2022-3-10_15-37-51.png

Next, verify that DNS resolves correctly. First, observe that the CNAME resolves to the F5 Distributed Cloud domain. The screenshot below also shows a TXT record resolving from F5 Distributed Cloud; this TXT record contains the Let's Encrypt ACME challenge response, and Let's Encrypt follows the CNAME to obtain it. Once Let's Encrypt confirms the challenge response, the TLS certificate is issued.

image2022-3-10_15-42-28.png
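As an added example (not code from the original article or from F5), the following Python script performs the resolution check described above offline. It expects resolver output in the `dig +noall +answer` format, for instance the combined output of `dig +noall +answer _acme-challenge.demo.f5pslab.com CNAME` and a TXT query for the CNAME target, and confirms that the challenge name is a CNAME into autocerts.ves.volterra.io and that a TXT record (the challenge response) is present at the target. The sample answer lines embedded in the block are constructed for illustration; the TXT value is a placeholder, not a real challenge response.

```python
"""Offline check of the DNS records needed for F5 Distributed Cloud auto-certs.

Added example, not part of the original article. It parses resolver output in
the `dig +noall +answer` format and verifies that:
  1. _acme-challenge.<domain> is a CNAME into autocerts.ves.volterra.io, and
  2. the CNAME target carries a TXT record (the Let's Encrypt challenge response).
"""
import re
import sys

# Suffix of the name F5 Distributed Cloud publishes the challenge under (from the article).
AUTOCERT_SUFFIX = "autocerts.ves.volterra.io."

# One dig answer line: OWNER TTL CLASS TYPE RDATA
_ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|TXT)\s+(.+)$")

# Constructed sample output; the CNAME target is the value shown in the article,
# the TXT value is a placeholder rather than a real challenge response.
SAMPLE_DIG_OUTPUT = """\
_acme-challenge.demo.f5pslab.com. 300 IN CNAME debcb0c54cc3410784c8d284400b84d2.autocerts.ves.volterra.io.
debcb0c54cc3410784c8d284400b84d2.autocerts.ves.volterra.io. 60 IN TXT "PLACEHOLDER-ACME-CHALLENGE-RESPONSE"
"""


def parse_answers(text):
    """Return (owner, rtype, rdata) tuples from dig-style answer lines; owners lower-cased."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig comments
        m = _ANSWER_RE.match(line)
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), rtype, rdata.strip()))
    return records


def check_acme_delegation(domain, records):
    """Validate the _acme-challenge CNAME chain for domain.

    Returns (ok, findings) where findings is a list of human-readable messages.
    """
    findings = []
    owner = f"_acme-challenge.{domain.rstrip('.')}.".lower()
    cnames = [rdata for o, t, rdata in records if o == owner and t == "CNAME"]
    if len(cnames) != 1:
        findings.append(f"expected exactly one CNAME at {owner}, found {len(cnames)}")
        return False, findings
    target = cnames[0].lower()
    if not target.endswith("." + AUTOCERT_SUFFIX):
        findings.append(f"CNAME target {target} is not under {AUTOCERT_SUFFIX}")
        return False, findings
    txts = [rdata for o, t, rdata in records if o == target and t == "TXT"]
    if not txts:
        findings.append(f"no TXT record at {target}; challenge response not published yet")
        return False, findings
    findings.append(f"{owner} -> {target} with {len(txts)} TXT record(s)")
    return True, findings


if __name__ == "__main__":
    # Usage: python check_acme_dns.py <domain> < dig_output.txt   (reads stdin)
    domain = sys.argv[1] if len(sys.argv) > 1 else "demo.f5pslab.com"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIG_OUTPUT
    ok, notes = check_acme_delegation(domain, parse_answers(text))
    print("OK" if ok else "FAIL", *notes, sep="\n  ")
```

A missing TXT record at the target is the usual cause of a pending certificate: the CNAME is in place but F5 Distributed Cloud has not yet published the challenge, or the resolver is serving a cached answer from before the record was created.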


2.2. Configuring DNS CNAME for the Virtual Host

This step is not related to the automatic certificate generation, but as the next step of our configuration we need to point the application domain at the HTTP Load Balancer in F5 Distributed Cloud with a CNAME record.

Browse to Manage Configuration in the HTTP Load Balancer and obtain the Host Name of the Load Balancer from the Metadata tab:

image2022-3-10_15-48-54.png


Let's adjust our DNS configuration in our DNS provider:

image2022-3-10_15-51-13.png 

3. Validating the New Certificate

3.1. Verifying the certificate in the HTTP Load Balancer configuration 

Once the TLS certificate is issued, the Certificate Status column shows Valid:


image2022-3-10_15-53-37.png

Click on the three dot menu, then Manage Configuration. Browse to the bottom of the HTTP Load Balancer object configuration to the Auto Cert Information section:


image2022-3-10_15-56-35.png

The details of the auto-generated TLS certificate are available in this section. The certificate is valid for 90 days and is renewed automatically by F5 Distributed Cloud.

3.2. Verifying the application in the browser

Finally, access the application in a browser and inspect the TLS certificate auto-generated by F5 Distributed Cloud:


image2022-3-10_16-0-6.png
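As an added example, not part of the original article or of F5's tooling, the following Python snippet performs the same verification from the command line instead of the browser: fetch_cert() does a TLS handshake using the system trust store and returns the peer certificate in the shape that ssl.SSLSocket.getpeercert() produces, and summarize_cert() reports the issuer organisation, the days until expiry and whether the hostname is covered by the certificate's SANs. SAMPLE_CERT is a constructed dict that illustrates that shape; its dates and names are placeholders, not a real certificate. The 30-day renewal_due threshold is an assumption for monitoring purposes, not a documented F5 value.

```python
"""Inspect the TLS certificate served by an HTTP Load Balancer.

Added example, not part of the original article. fetch_cert() needs network
access; summarize_cert() works on the getpeercert() dict shape and can be
exercised offline with the constructed SAMPLE_CERT below.
"""
import socket
import ssl
import sys
import time

RENEWAL_DUE_DAYS = 30  # assumed monitoring threshold, not an F5 or Let's Encrypt setting

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Dates and issuer names are illustrative placeholders, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "demo.f5pslab.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "subjectAltName": (("DNS", "demo.f5pslab.com"),),
    "notBefore": "Mar 10 00:00:00 2022 GMT",
    "notAfter": "Jun  8 00:00:00 2022 GMT",
}
# Fixed "now" for offline use: the sample certificate's notBefore instant.
SAMPLE_NOW = ssl.cert_time_to_seconds(SAMPLE_CERT["notBefore"])


def fetch_cert(hostname, port=443, timeout=5.0):
    """Handshake with chain and hostname verification enabled; return the peer cert dict."""
    ctx = ssl.create_default_context()  # verifies the chain against the system trust store
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def _name_matches(pattern, hostname):
    """Exact match, or a single-label wildcard in the leftmost position only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def summarize_cert(cert, hostname, now=None):
    """Return issuer organisation, days to expiry, SAN coverage and a renewal flag."""
    now = time.time() if now is None else now
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    expires = ssl.cert_time_to_seconds(cert["notAfter"])  # parsed as UTC
    days_left = int((expires - now) // 86400)
    return {
        "issuer_org": issuer.get("organizationName"),
        "days_left": days_left,
        "hostname_covered": any(_name_matches(s, hostname) for s in sans),
        "sans": sans,
        "renewal_due": days_left <= RENEWAL_DUE_DAYS,
    }


if __name__ == "__main__":
    # Usage: python check_lb_cert.py <hostname>   (no argument: offline sample)
    if len(sys.argv) > 1:
        host = sys.argv[1]
        summary = summarize_cert(fetch_cert(host), host)
    else:
        host, summary = "demo.f5pslab.com", summarize_cert(SAMPLE_CERT, host := "demo.f5pslab.com", now=SAMPLE_NOW)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Because fetch_cert() uses ssl.create_default_context(), a handshake failure (untrusted chain or a hostname mismatch) surfaces as an SSLError before any summary is produced, which is exactly the condition you want an external monitor to alert on once the load balancer is live.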

4. Conclusion

This article demonstrated how quick and easy it is to set up F5 Distributed Cloud to generate your TLS certificates automatically using a non-delegated DNS zone.

Last update: 18-Apr-2022 00:04